Fred Damstra [afs macbook] 7a08ba10cf Migrated most variables out of xdr-terraform-live and into xdr-terraform-modules		3 years ago
..
README.md	25999d6a07 Adds dnssec module to enable DNSSEC for hosted domains	4 years ago
config.tf	7a08ba10cf Migrated most variables out of xdr-terraform-live and into xdr-terraform-modules	3 years ago
constants.tf	7a08ba10cf Migrated most variables out of xdr-terraform-live and into xdr-terraform-modules	3 years ago
dnssec.tf	7a08ba10cf Migrated most variables out of xdr-terraform-live and into xdr-terraform-modules	3 years ago
globals.tf	7a08ba10cf Migrated most variables out of xdr-terraform-live and into xdr-terraform-modules	3 years ago
main.tf	7a08ba10cf Migrated most variables out of xdr-terraform-live and into xdr-terraform-modules	3 years ago
outputs.tf	baa1f43824 Applied `terraform fmt` to all modules	3 years ago
vars.tf	7a08ba10cf Migrated most variables out of xdr-terraform-live and into xdr-terraform-modules	3 years ago

Key Rotation

Keys should be rotated annually.

To do so:

Update dnssec.tf:. Uncomment the _# resources, where # is an incremental update, but do not update the aws_route53_hosted_zone_dnssec or aws_route53_record resources yet.
terragrunt apply those resources to create a new KMS key and DNSSEC signing key.
Add the updated Key information as a second key to the domain information in route53: AWS Commercial->MDR Common Sevices->Route 53->Registered Domains->domain->Manage Keys
Wait for confirmation email
Update dnssec.tf with the aws_route53_hosted_zone_dnssec and aws_route53_record updated the latest #.
PR and apply.

In 2-7 days, come back and remove the previous _# resources. Do future engineers a favor and create a copy just like you had.