| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134 |
- locals {
- domains_to_secure = toset([ "accenturefederalcyber.net", "xdrtest.accenturefederalcyber.net", "accenturefederalcyber.com", "xdrtest.accenturefederalcyber.com" ]) # for testing
- #domains_to_secure = var.hosted_public_dns_zones
- }
- resource "aws_kms_key" "dnssec" {
- customer_master_key_spec = "ECC_NIST_P256"
- deletion_window_in_days = 30
- key_usage = "SIGN_VERIFY"
- policy = jsonencode({
- Statement = [
- {
- Action = [
- "kms:DescribeKey",
- "kms:GetPublicKey",
- "kms:Sign",
- ],
- Effect = "Allow"
- Principal = {
- Service = "api-service.dnssec.route53.aws.internal"
- }
- Sid = "Route 53 DNSSEC Permissions"
- },
- {
- Action = "kms:*"
- Effect = "Allow"
- Principal = {
- AWS = "*"
- }
- Resource = "*"
- Sid = "IAM User Permissions"
- },
- ]
- Version = "2012-10-17"
- })
- }
- # For rotation, uncomment the following
- #resource "aws_kms_key" "dnssec_2" {
- # customer_master_key_spec = "ECC_NIST_P256"
- # deletion_window_in_days = 30
- # key_usage = "SIGN_VERIFY"
- # policy = jsonencode({
- # Statement = [
- # {
- # Action = [
- # "kms:DescribeKey",
- # "kms:GetPublicKey",
- # "kms:Sign",
- # ],
- # Effect = "Allow"
- # Principal = {
- # Service = "api-service.dnssec.route53.aws.internal"
- # }
- # Sid = "Route 53 DNSSEC Permissions"
- # },
- # {
- # Action = "kms:*"
- # Effect = "Allow"
- # Principal = {
- # AWS = "*"
- # }
- # Resource = "*"
- # Sid = "IAM User Permissions"
- # },
- # ]
- # Version = "2012-10-17"
- # })
- #}
- resource "aws_route53_key_signing_key" "dnssec" {
- for_each = local.domains_to_secure
- hosted_zone_id = aws_route53_zone.public[each.value].id
- key_management_service_arn = aws_kms_key.dnssec.arn
- name = "202105"
- }
- # For rotation, uncomment the following
- #resource "aws_route53_key_signing_key" "dnssec_2" {
- # for_each = local.domains_to_secure
- # hosted_zone_id = aws_route53_zone.public[each.value].id
- # key_management_service_arn = aws_kms_key.dnssec.arn
- # name = "UPDATEME"
- #}
- output "public_keys_note" {
- value = "You must *MANUALLY* add the public keys to the 'registered domains' page on the route53 console."
- }
- output "manually_entered_information" {
- value = { for domain in local.domains_to_secure:
- domain => {
- "KeyType": aws_route53_key_signing_key.dnssec[domain].flag,
- "Algorithm": aws_route53_key_signing_key.dnssec[domain].signing_algorithm_type,
- "PublicKey": aws_route53_key_signing_key.dnssec[domain].public_key
- "DS_Record": aws_route53_key_signing_key.dnssec[domain].ds_record
- }
- }
- }
- # For rotation, uncomment the following
- #output "manually_entered_information_1" {
- # value = { for domain in local.domains_to_secure:
- # domain => {
- # "KeyType": aws_route53_key_signing_key.dnssec_2[domain].flag,
- # "Algorithm": aws_route53_key_signing_key.dnssec_2[domain].signing_algorithm_type,
- # "PublicKey": aws_route53_key_signing_key.dnssec_2[domain].public_key
- # "DS_Record": aws_route53_key_signing_key.dnssec_2[domain].ds_record
- # }
- # }
- #}
- resource "aws_route53_hosted_zone_dnssec" "dnssec" {
- for_each = local.domains_to_secure
- # AFTER rotating the key, applying, and adding to the registar, update this to `dnssec_2` and re-apply.
- hosted_zone_id = aws_route53_key_signing_key.dnssec[each.value].hosted_zone_id
- }
- resource "aws_route53_record" "ds" {
- #for_each = local.domains_with_parents
- for_each = {
- "xdrtest.accenturefederalcyber.net" = "accenturefederalcyber.net",
- "xdrtest.accenturefederalcyber.com" = "accenturefederalcyber.com",
- }
- allow_overwrite = true
- name = each.key
- ttl = 300
- type = "DS"
- zone_id = aws_route53_zone.public[each.value].id
- # AFTER rotating the key, applying, and adding to the registar, update this to `dnssec_2` and re-apply.
- records = [ aws_route53_key_signing_key.dnssec[each.key].ds_record ]
- }
|
