Feature - create DS record for dnssec (#31)

* major overhaul of the route53 dnssec module * Continuous Integration - terraform fmt and terraform-docs * toset for the record * fromset to a list * changing the input to be dnskey_record from ds_record * temporarily removing the DS record * Continuous Integration - terraform fmt and terraform-docs * cleaned up the useless resource for the DS record * updated the readme with details on how to use the module to set DNSSEC * Continuous Integration - terraform fmt and terraform-docs * updated comment headers --------- Co-authored-by: zachreborn <[email protected]>
zachreborn · Aug 21, 2023 · b460840 · b460840
1 parent 177b7f4
commit b460840
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 46 deletions.
diff --git a/modules/aws/route53/dnssec/README.md b/modules/aws/route53/dnssec/README.md
@@ -28,11 +28,11 @@
 
 <h3 align="center">Route53 DNSSEC Module</h3>
   <p align="center">
-    This module configures DNSSEC on a Route53 zone.
-    <br />
+    This module configures DNSSEC on a Route53 zone. You will need to use the DNSSEC DS record settings and public key output to configure your registrar. If you're registrar is Route53 Domains, you need to manually configure DNSSEC on the domain in the AWS Console. There is not currently an API for enabling DNSSEC on Route53 Domains.
+    <br/>
     <a href="https://github.com/zachreborn/terraform-modules"><strong>Explore the docs »</strong></a>
-    <br />
-    <br />
+    <br/>
+    <br/>
     <a href="https://zacharyhill.co">Zachary Hill</a>
     ·
     <a href="https://github.com/zachreborn/terraform-modules/issues">Report Bug</a>
@@ -62,6 +62,9 @@
 
 <!-- USAGE EXAMPLES -->
 ## Usage
+This module creates a KMS key for signing, the KMS key alias, and the signing configuration. It also outputs the public key, DS record, and DNSKEY record. You will need to use the DS record settings and public key output to configure your registrar. If you're registrar is Route53 Domains, you need to manually configure DNSSEC on the domain in the AWS Console. There is not currently an API for enabling DNSSEC on Route53 Domains.
+
+See the [AWS Route53 Documentation](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-enable-signing.html) for more information.
 
 ```
 module "example_com_dnssec" {
@@ -71,11 +74,23 @@ module "example_com_dnssec" {
     name           = "example_com_signing_key"
     tags           = {
         terraform   = "true"
-        created_by  = "YOUR NAME"
+        created_by  = "YOUR_NAME"
         environment = "prod"
         role        = "dns"
         }
 }
+
+output "example_com_dnssec_flag" {
+    value = module.example_com_dnssec.flag
+}
+
+output "example_com_dnssec_signing_algorithm_type" {
+    value = module.example_com_dnssec.signing_algorithm_type
+}
+
+output "example_com_dnssec_public_key" {
+    value = module.example_com_dnssec.public_key
+}
 ```
 
 _For more examples, please refer to the [Documentation](https://github.com/zachreborn/terraform-modules)_
@@ -106,10 +121,10 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_alias.dnssec](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.dnssec](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_route53_hosted_zone_dnssec.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_hosted_zone_dnssec) | resource |
-| [aws_route53_key_signing_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_key_signing_key) | resource |
+| [aws_route53_hosted_zone_dnssec.dnssec](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_hosted_zone_dnssec) | resource |
+| [aws_route53_key_signing_key.dnssec](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_key_signing_key) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
@@ -124,7 +139,7 @@ No modules.
 | <a name="input_hosted_zone_id"></a> [hosted\_zone\_id](#input\_hosted\_zone\_id) | (Required) Identifier of the Route 53 Hosted Zone. | `string` | n/a | yes |
 | <a name="input_is_enabled"></a> [is\_enabled](#input\_is\_enabled) | (Optional) Specifies whether the key is enabled. Defaults to true. | `bool` | `true` | no |
 | <a name="input_key_usage"></a> [key\_usage](#input\_key\_usage) | (Optional) Specifies the intended use of the key. Valid values: ENCRYPT\_DECRYPT, SIGN\_VERIFY, or GENERATE\_VERIFY\_MAC. Defaults to ENCRYPT\_DECRYPT. | `string` | `"SIGN_VERIFY"` | no |
-| <a name="input_name"></a> [name](#input\_name) | (Required) Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone. | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | (Required) Name to use for resources such as the key-signing key (KSK), DS record, . Must be unique for each key-singing key in the same hosted zone. | `string` | n/a | yes |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | (Optional) Creates an unique alias beginning with the specified prefix. The name must start with the word alias followed by a forward slash (alias/). | `string` | `"alias/dnssec_"` | no |
 | <a name="input_signing_status"></a> [signing\_status](#input\_signing\_status) | (Optional) Hosted Zone signing status. Valid values: SIGNING, NOT\_SIGNING. Defaults to SIGNING. | `string` | `"SIGNING"` | no |
 | <a name="input_status"></a> [status](#input\_status) | (Optional) Status of the key-signing key (KSK). Valid values: ACTIVE, INACTIVE. Defaults to ACTIVE. | `string` | `"ACTIVE"` | no |

diff --git a/modules/aws/route53/dnssec/main.tf b/modules/aws/route53/dnssec/main.tf
@@ -11,15 +11,13 @@ terraform {
 ###########################
 # Data Sources
 ###########################
+
 data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 
 ########################################
 # KMS Keys
 ########################################
-####################
-# DNSSEC Key
-####################
 
 resource "aws_kms_key" "dnssec" {
   customer_master_key_spec = var.customer_master_key_spec
@@ -28,7 +26,7 @@ resource "aws_kms_key" "dnssec" {
   enable_key_rotation      = var.enable_key_rotation
   key_usage                = var.key_usage
   is_enabled               = var.is_enabled
-  tags                     = var.tags
+  tags                     = merge(var.tags, { "Name" = "${var.name}" })
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
@@ -80,22 +78,36 @@ resource "aws_kms_key" "dnssec" {
   })
 }
 
-resource "aws_kms_alias" "this" {
+resource "aws_kms_alias" "dnssec" {
   name_prefix   = var.name_prefix
   target_key_id = aws_kms_key.dnssec.key_id
 }
 
-resource "aws_route53_key_signing_key" "this" {
+########################################
+# Route 53 Signing Key
+########################################
+
+resource "aws_route53_key_signing_key" "dnssec" {
   hosted_zone_id             = var.hosted_zone_id
   key_management_service_arn = aws_kms_key.dnssec.arn
   name                       = var.name
   status                     = var.status
 }
 
-resource "aws_route53_hosted_zone_dnssec" "this" {
+########################################
+# Route 53 DNSSEC
+########################################
+
+resource "aws_route53_hosted_zone_dnssec" "dnssec" {
   depends_on = [
-    aws_route53_key_signing_key.this
+    aws_route53_key_signing_key.dnssec
   ]
-  hosted_zone_id = aws_route53_key_signing_key.this.hosted_zone_id
+  hosted_zone_id = aws_route53_key_signing_key.dnssec.hosted_zone_id
   signing_status = var.signing_status
 }
+
+########################################
+# Route 53 DS Record
+# The DS record must be set upstream as a chain of trust with the parent zone. For example, if you're
+# enabling DNSSEC for example.org., the DS record is defined at .org. not in your example.org. zone.
+########################################
diff --git a/modules/aws/route53/dnssec/outputs.tf b/modules/aws/route53/dnssec/outputs.tf
@@ -1,39 +1,39 @@
 output "digest_algorithm_mnemonic" {
-  value = aws_route53_key_signing_key.this.digest_algorithm_mnemonic
+  value = aws_route53_key_signing_key.dnssec.digest_algorithm_mnemonic
 }
 
 output "digest_algorithm_type" {
-  value = aws_route53_key_signing_key.this.digest_algorithm_type
+  value = aws_route53_key_signing_key.dnssec.digest_algorithm_type
 }
 
 output "digest_value" {
-  value = aws_route53_key_signing_key.this.digest_value
+  value = aws_route53_key_signing_key.dnssec.digest_value
 }
 
 output "dnskey_record" {
-  value = aws_route53_key_signing_key.this.dnskey_record
+  value = aws_route53_key_signing_key.dnssec.dnskey_record
 }
 
 output "ds_record" {
-  value = aws_route53_key_signing_key.this.ds_record
+  value = aws_route53_key_signing_key.dnssec.ds_record
 }
 
 output "flag" {
-  value = aws_route53_key_signing_key.this.flag
+  value = aws_route53_key_signing_key.dnssec.flag
 }
 
 output "key_tag" {
-  value = aws_route53_key_signing_key.this.key_tag
+  value = aws_route53_key_signing_key.dnssec.key_tag
 }
 
 output "public_key" {
-  value = aws_route53_key_signing_key.this.public_key
+  value = aws_route53_key_signing_key.dnssec.public_key
 }
 
 output "signing_algorithm_mnemonic" {
-  value = aws_route53_key_signing_key.this.signing_algorithm_mnemonic
+  value = aws_route53_key_signing_key.dnssec.signing_algorithm_mnemonic
 }
 
 output "signing_algorithm_type" {
-  value = aws_route53_key_signing_key.this.signing_algorithm_type
+  value = aws_route53_key_signing_key.dnssec.signing_algorithm_type
 }
diff --git a/modules/aws/route53/dnssec/variables.tf b/modules/aws/route53/dnssec/variables.tf
@@ -1,3 +1,7 @@
+########################################
+# KMS Key Variables
+########################################
+
 variable "customer_master_key_spec" {
   type        = string
   description = "(Optional) Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide."
@@ -42,29 +46,15 @@ variable "is_enabled" {
   default     = true
 }
 
-variable "tags" {
-  type        = map(any)
-  description = "(Optional) A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level."
-  default = {
-    terraform = "true"
-  }
-}
-
 variable "name_prefix" {
   description = "(Optional) Creates an unique alias beginning with the specified prefix. The name must start with the word alias followed by a forward slash (alias/)."
   default     = "alias/dnssec_"
   type        = string
 }
 
-variable "hosted_zone_id" {
-  type        = string
-  description = "(Required) Identifier of the Route 53 Hosted Zone."
-}
-
-variable "name" {
-  type        = string
-  description = "(Required) Name of the key-signing key (KSK). Must be unique for each key-singing key in the same hosted zone."
-}
+########################################
+# Route 53 Signing Key Variables
+########################################
 
 variable "status" {
   type        = string
@@ -76,6 +66,10 @@ variable "status" {
   }
 }
 
+########################################
+# Route 53 DNSSEC Variables
+########################################
+
 variable "signing_status" {
   type        = string
   description = "(Optional) Hosted Zone signing status. Valid values: SIGNING, NOT_SIGNING. Defaults to SIGNING."
@@ -84,4 +78,26 @@ variable "signing_status" {
     condition     = contains(["SIGNING", "NOT_SIGNING"], var.signing_status)
     error_message = "The value must be one of SIGNING or NOT_SIGNING."
   }
-}
+}
+
+########################################
+# Global Variables
+########################################
+
+variable "hosted_zone_id" {
+  type        = string
+  description = "(Required) Identifier of the Route 53 Hosted Zone."
+}
+
+variable "name" {
+  type        = string
+  description = "(Required) Name to use for resources such as the key-signing key (KSK), DS record, . Must be unique for each key-singing key in the same hosted zone."
+}
+
+variable "tags" {
+  type        = map(any)
+  description = "(Optional) A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level."
+  default = {
+    terraform = "true"
+  }
+}