AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109
							locals {
  # I decided to get fancy here. For the list of domains, if any are parents of the others, I create the associated NS records
  # to delegate it.

  # Grabs the parent domains
  parent_domains_all = { for domain in local.hosted_public_dns_zones : domain => regex("^[^\\.]*\\.(.+)$", domain)[0] }
  # filters out those that aren't in our list
  domains_with_parents = {
    for domain, parent in local.parent_domains_all :
    domain => parent if contains(local.hosted_public_dns_zones, parent)
  }

  # delegated parent domains
  delegated_parent_domains_all = { for domain, value in local.delegated_public_dns_zones : domain => regex("^[^\\.]*\\.(.+)$", domain)[0] }
  # filters out those that aren't in our list
  delegated_domain_parents = {
    for domain, parent in local.delegated_parent_domains_all :
    domain => parent if contains(local.hosted_public_dns_zones, parent)
  }
}

# These outputs are useful for debugging, but commenting them out for now.
#output parent_domains {
#  value = local.parent_domains_all
#}
#output domains_with_parents {
#  value = local.domains_with_parents
#}
#output delegated_parent_domains {
#  value = local.delegated_parent_domains_all
#}
#output delegated_domain_parents {
#  value = local.delegated_domain_parents
#}

# Create the public zones
resource "aws_route53_zone" "public" {
  for_each = toset(local.hosted_public_dns_zones)
  name     = each.value
  tags     = merge(local.standard_tags, var.tags)
}

#output "domains" {
#  value = aws_route53_zone.public
#}

resource "aws_route53_record" "soa" {
  for_each = local.domains_with_parents

  allow_overwrite = true
  name            = each.key
  ttl             = 60
  type            = "NS"
  zone_id         = aws_route53_zone.public[each.value].id

  records = aws_route53_zone.public[each.key].name_servers
}

# At this point, I don't know where to point these websites, so these are dummy addresses. But the below is
# tested and functional when we have a web presence.
#resource "aws_route53_record" "at" {
#  for_each = toset(local.hosted_public_dns_zones)
#  zone_id = aws_route53_zone.public[each.value].id
#  name    = ""
#  type    = "A"
#  ttl     = "300"
#  records = [ "1.1.1.1" ]
#}
#
#resource "aws_route53_record" "www" {
#  for_each = toset(local.hosted_public_dns_zones)
#  zone_id = aws_route53_zone.public[each.value].id
#  name    = "www"
#  type    = "CNAME"
#  ttl     = "300"
#  records = [ each.value ]
#}

# Create delegations for domains hosted in other accounts
resource "aws_route53_record" "soa_for_delegated" {
  for_each = local.delegated_public_dns_zones

  allow_overwrite = true
  name            = each.key
  ttl             = 60
  type            = "NS"
  zone_id         = aws_route53_zone.public[local.delegated_domain_parents[each.key]].id

  records = each.value
}

resource "aws_route53_record" "dnstest" {
  for_each = toset(local.hosted_public_dns_zones)
  zone_id  = aws_route53_zone.public[each.value].id
  name     = "dnstest"
  type     = "A"
  ttl      = "300"
  # Non-routable Test IP: https://tools.ietf.org/html/rfc5737
  records = ["203.0.113.1"]
}

resource "aws_route53_record" "dmarc" {
  for_each = toset(local.hosted_public_dns_zones)
  zone_id  = aws_route53_zone.public[each.value].id
  name     = "_dmarc"
  type     = "TXT"
  ttl      = "600"
  records  = ["v=DMARC1; p=quarantine; sp=quarantine; pct=100; fo=1; ruf=mailto:DmarcRUF@AccentureFederal.com; rua=mailto:DmarcRUA@AccentureFederal.com,mailto:reports@dmarc.cyber.dhs.gov; aspf=s; adkim=s"]
}