xdr-terraform-modules/base/dns/public_dns/dnssec.tf

locals {
  domains_to_secure = toset(local.hosted_public_dns_zones)
}

resource "aws_kms_key" "dnssec" {
  customer_master_key_spec = "ECC_NIST_P256"
  deletion_window_in_days  = 30
  key_usage                = "SIGN_VERIFY"
  policy = jsonencode({
    Statement = [
      {
        Action = [
          "kms:DescribeKey",
          "kms:GetPublicKey",
          "kms:Sign",
        ],
        Effect = "Allow"
        Principal = {
          Service = "api-service.dnssec.route53.aws.internal"
        }
        Sid = "Route 53 DNSSEC Permissions"
      },
      {
        Action = "kms:*"
        Effect = "Allow"
        Principal = {
          AWS = "*"
        }
        Resource = "*"
        Sid      = "IAM User Permissions"
      },
    ]
    Version = "2012-10-17"
  })
}

# For rotation, uncomment the following
#resource "aws_kms_key" "dnssec_2" {
#  customer_master_key_spec = "ECC_NIST_P256"
#  deletion_window_in_days  = 30
#  key_usage                = "SIGN_VERIFY"
#  policy = jsonencode({
#    Statement = [
#      {
#        Action = [
#          "kms:DescribeKey",
#          "kms:GetPublicKey",
#          "kms:Sign",
#        ],
#        Effect = "Allow"
#        Principal = {
#          Service = "api-service.dnssec.route53.aws.internal"
#        }
#        Sid = "Route 53 DNSSEC Permissions"
#      },
#      {
#        Action = "kms:*"
#        Effect = "Allow"
#        Principal = {
#          AWS = "*"
#        }
#        Resource = "*"
#        Sid      = "IAM User Permissions"
#      },
#    ]
#    Version = "2012-10-17"
#  })
#}

resource "aws_route53_key_signing_key" "dnssec" {
  for_each                   = local.domains_to_secure
  hosted_zone_id             = aws_route53_zone.public[each.value].id
  key_management_service_arn = aws_kms_key.dnssec.arn
  name                       = "202105"
}

# For rotation, uncomment the following
#resource "aws_route53_key_signing_key" "dnssec_2" {
#  for_each = local.domains_to_secure
#  hosted_zone_id             = aws_route53_zone.public[each.value].id
#  key_management_service_arn = aws_kms_key.dnssec.arn
#  name                       = "UPDATEME"
#}

output "public_keys_note" {
  value = "You must *MANUALLY* add the public keys to the 'registered domains' page on the route53 console."
}

output "manually_entered_information" {
  value = { for domain in local.domains_to_secure :
    domain => {
      "KeyType" : aws_route53_key_signing_key.dnssec[domain].flag,
      "Algorithm" : aws_route53_key_signing_key.dnssec[domain].signing_algorithm_type,
      "PublicKey" : aws_route53_key_signing_key.dnssec[domain].public_key
      "DS_Record" : aws_route53_key_signing_key.dnssec[domain].ds_record
    }
  }
}

# For rotation, uncomment the following
#output "manually_entered_information_1" {
#  value = { for domain in local.domains_to_secure:
#    domain => {
#      "KeyType": aws_route53_key_signing_key.dnssec_2[domain].flag,
#      "Algorithm": aws_route53_key_signing_key.dnssec_2[domain].signing_algorithm_type,
#      "PublicKey": aws_route53_key_signing_key.dnssec_2[domain].public_key
#      "DS_Record": aws_route53_key_signing_key.dnssec_2[domain].ds_record
#    }
#  }
#}

resource "aws_route53_hosted_zone_dnssec" "dnssec" {
  for_each = local.domains_to_secure
  # AFTER rotating the key, applying, and adding to the registar, update this to `dnssec_2` and re-apply.
  hosted_zone_id = aws_route53_key_signing_key.dnssec[each.value].hosted_zone_id
}

resource "aws_route53_record" "ds" {
  for_each = local.domains_with_parents

  allow_overwrite = true
  name            = each.key
  ttl             = 300
  type            = "DS"
  zone_id         = aws_route53_zone.public[each.value].id

  # AFTER rotating the key, applying, and adding to the registar, update this to `dnssec_2` and re-apply.
  records = [aws_route53_key_signing_key.dnssec[each.key].ds_record]
}