NTC Route53 (DNS)

Release Notes Source Code Implementation Blueprint

Description

NTC Route53 automates the setup and management of DNS infrastructure using AWS Route 53. This building block provides a scalable and reliable solution for managing hosted zones, and cross-account DNS configurations. With support for hybrid environments, NTC Route53 simplifies DNS resolution between AWS and on-premises networks.

Designed to integrate seamlessly with your existing infrastructure, this building block ensures efficient and secure DNS operations while maintaining alignment with best practices for availability and performance.

info

DNSSEC requires a chain of trust, which means a DS record must be configured in the parent domain (e.g. company.com → meeting.company.com), unless the current domain is the root domain. If the parent domain is also managed in AWS, you can use zone_delegation_list to configure both subdomain delegation and the DS record in the parent domain.

Verify if DNSSEC is set up correctly by using a tool like DNSSEC Debugger from VeriSign Labs.

Usage

Latest Release	1.3.0

Private Hosted Zone

# --------------------------------------------------------------------------------------------------
# ¦ NTC ROUTE53 - PRIVATE HOSTED ZONE
# --------------------------------------------------------------------------------------------------
module "ntc_route53_private" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-route53?ref=X.X.X"

  zone_force_destroy = false

  # name of the route53 hosted zone
  zone_name        = "company.internal"
  zone_description = "Managed by Terraform"

  # private hosted zones require at least one vpc to be associated
  # public hosted zones cannot have any vpc associated
  zone_type = "private"

  # private hosted zones require at least one vpc to be associated
  # public hosted zones cannot have any vpc associated
  zone_type = "private"
  zone_vpc_associations = [
    {
      vpc_id = "vpc-01234567890abcdef"
      # (optional) by default the provider region will be used
      vpc_region = null
    }
  ]

  # list of dns records which should be created in hosted zone. alias records are a special type of records
  # https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
  dns_records = [
    {
      name = "endpoint1"
      type = "A"
      ttl  = 300
      values = [
        "192.168.1.1",
        "192.168.2.2"
      ]
    }
  ]
}

Public Hosted Zone

# --------------------------------------------------------------------------------------------------
# ¦ NTC ROUTE53 - PUBLIC HOSTED ZONE
# --------------------------------------------------------------------------------------------------
module "ntc_route53_public" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-route53?ref=X.X.X"

  zone_force_destroy = false

  # name of the route53 hosted zone
  zone_name        = "company.com"
  zone_description = "Managed by Terraform"

  # private hosted zones require at least one vpc to be associated
  # public hosted zones cannot have any vpc associated
  zone_type = "public"

  # list of dns records which should be created in hosted zone. alias records are a special type of records
  # https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
  dns_records = [
    {
      name = ""
      type = "TXT"
      ttl  = 300
      values = [
        "https://xkcd.com/1361/"
      ]
    }
  ]

  # (optional) List of subdomains with corresponding nameservers which should be delegated
  # https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-routing-traffic-for-subdomains.html
  zone_delegation_list = [
    {
      subdomain_zone_name = "int"
      subdomain_nameserver_list = [
        "ns-999.awsdns-00.co.uk.",
        "ns-888.awsdns-00.org.",
        "ns-777.awsdns-00.com.",
        "ns-666.awsdns-00.net.",
      ]
      dnssec_enabled   = true
      dnssec_ds_record = "26175 13 2 44444A317DAEC3A213AB156BE09A22E333DDD10903B666B3A2301ECFB3C55555"
    }
  ]
}

DNSSEC

# --------------------------------------------------------------------------------------------------
# ¦ NTC ROUTE53 - DNSSEC
# --------------------------------------------------------------------------------------------------
# WARNING: disabling DNSSEC before DS records expire can lead to domain becoming unavailable on the internet
# https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-disable.html
module "ntc_route53_dnssec" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-route53//modules/dnssec?ref=X.X.X"

  # DNSSEC is only supported for public hosted zones
  zone_id = module.ntc_route53_public.zone_id

  # DNSSEC key can be rotated by creating a new key-signing-key and adding new DS records in root domain
  # WARNING: old key should stay active until new key-signing-key is provisioned and new DS records are propagated
  key_signing_keys = [
    {
      ksk_name   = "ksk-1"
      ksk_status = "active"
    },
    # {
    #   ksk_name   = "ksk-2"
    #   ksk_status = "inactive"
    # }
  ]

  providers = {
    # dnssec requires the kms key to be in us-east-1
    aws.us_east_1 = aws.use1
  }
}

Query Logging

# --------------------------------------------------------------------------------------------------
# ¦ NTC ROUTE53 - QUERY LOGGING
# --------------------------------------------------------------------------------------------------
module "ntc_route53_query_logging" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-route53//modules/query-logs?ref=X.X.X"

  # query logging is only supported for public hosted zones
  zone_id = module.ntc_route53_public.zone_id

  cloudwatch_name_prefix          = "/aws/route53/"
  # cloudwatch_resource_policy_name = "route53-query-logs"
  # cloudwatch_retention_in_days    = null
  # cloudwatch_kms_key_use_existing = false
  # cloudwatch_kms_key_arn          = ""

  providers = {
    # cloudwatch log group must be in us-east-1
    aws.us_east_1 = aws.use1
  }
}

Resolver Endpoints

# Route53 Resolver Endpoints are required for Hybrid DNS
# https://docs.aws.amazon.com/whitepapers/latest/hybrid-cloud-dns-options-for-vpc/route-53-resolver-endpoints-and-forwarding-rules.html

# ---------------------------------------------------------------------------------------------------------------------
# ¦ NTC ROUTE53 - RESOLVER ENDPOINTS
# ---------------------------------------------------------------------------------------------------------------------
module "ntc_route53_resolver" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-route53//modules/resolver?ref=1.3.0"

  # inbound resolver endpoints are required for conditional dns forwarding from on-premise dns servers to aws
  resolver_endpoint_inbound = {
    create_endpoint = true
    resolver_name   = "r53-inbound-resolver-endpoint"
    # (optional) you can attach existing security groups instead of creating a new one
    security_group_ids = []
    subnets = [for index, id in module.ntc_vpc_central_endpoints.subnet_ids["hybrid-private"] :
      {
        subnet_id = id
        # (optional but recommended) set a static ip for the resolver endpoint
        static_ip = cidrhost(module.ntc_vpc_central_endpoints.subnet_cidr_blocks["hybrid-private"][index], 4)
      }
    ]
  }

  # outbound resolver endpoints are required for dns forwarding rules from aws to on-premise dns servers
  resolver_endpoint_outbound = {
    create_endpoint = true
    resolver_name   = "r53-outbound-resolver-endpoint"
    # (optional) you can attach existing security groups instead of creating a new one
    security_group_ids = []
    subnets = [for index, id in module.ntc_vpc_central_endpoints.subnet_ids["hybrid-private"] :
      {
        subnet_id = id
        # (optional but recommended) set a static ip for the resolver endpoint
        static_ip = cidrhost(module.ntc_vpc_central_endpoints.subnet_cidr_blocks["hybrid-private"][index], 5)
      }
    ]
  }

  # only allow dns traffic for resolver endpoints (by default tcp/udp 53)
  resolver_endpoint_security_group = {
    create_security_group = true
    name                  = "r53-resolver-endpoint-sg"
    description           = "DNS traffic inbound and outbound resolvers"
    vpc_id                = module.ntc_vpc_central_endpoints.vpc_id

    ingress_rules = [
      {
        protocol = "tcp"
        # add cidrs or prefix list of on-premises dns servers (if omitted default is 0.0.0.0/0)
        cidr_blocks = [
          # "192.168.8.8/32",
          # "192.168.9.9/32"
        ]
        prefix_list_ids = [
          module.ntc_vpc_central_endpoints.customer_managed_prefix_lists["onprem-dns-servers"].id
        ]
        # (optional) allow outbound resolver to forward to inbound resolver
        self = true
      },
      {
        protocol = "udp"
        # add cidrs or prefix list of on-premises dns servers (if omitted default is 0.0.0.0/0)
        cidr_blocks = []
        prefix_list_ids = [
          module.ntc_vpc_central_endpoints.customer_managed_prefix_lists["onprem-dns-servers"].id
        ]
        # (optional) allow outbound resolver to forward to inbound resolver
        self = true
      }
    ]

    egress_rules = [
      {
        protocol = "tcp"
        # add cidrs or prefix list of on-premises dns servers (if omitted default is 0.0.0.0/0)
        cidr_blocks = []
        prefix_list_ids = [
          module.ntc_vpc_central_endpoints.customer_managed_prefix_lists["onprem-dns-servers"].id
        ]
        # (optional) allow outbound resolver to forward to inbound resolver
        self = true
      },
      {
        protocol = "udp"
        # add cidrs or prefix list of on-premises dns servers (if omitted default is 0.0.0.0/0)
        cidr_blocks = []
        prefix_list_ids = [
          module.ntc_vpc_central_endpoints.customer_managed_prefix_lists["onprem-dns-servers"].id
        ]
        # (optional) allow outbound resolver to forward to inbound resolver
        self = true
      }
    ]
  }

  resolver_rules = [
    {
      domain_name = "domain.onprem"
      rule_name   = "forward onprem dns domain"
      rule_type   = "FORWARD"
      vpc_ids = [
        module.ntc_vpc_central_endpoints.vpc_id
      ]
      target_ips = [
        # add ips of on-premises dns servers (default port is 53)
        "192.168.8.8",
        "192.168.9.9"
      ]
      # (optional) share resolver rule with Organizations, OUs or Accounts - requires RAM to be enabled for Organizations
      # ram_share_principals = ["o-m29e8d9awz", "ou-6gf5-6ltp3mjf", "945766593056"]
      # ram_share_allow_external_principals = false
    },
    {
      domain_name = "domain.cloud"
      rule_name   = "do not forward cloud domain"
      rule_type   = "SYSTEM"
      vpc_ids = [
        module.ntc_vpc_central_endpoints.vpc_id
      ]
      # (optional) share resolver rule with Organizations, OUs or Accounts - requires RAM to be enabled for Organizations
      # ram_share_principals = ["o-m29e8d9awz", "ou-6gf5-6ltp3mjf", "945766593056"]
      # ram_share_allow_external_principals = false
    }
  ]

  providers = {
    aws = aws.euc1
  }
}

Requirements

The following requirements are needed by this module:

• terraform (>= 1.3.0)

• aws (>= 4.0)

Providers

The following providers are used by this module:

• aws (>= 4.0)

Modules

The following Modules are called:

dns_records

Source: ./modules/records

Version:

Resources

The following resources are used by this module:

• aws_route53_record.ntc_subdomain (resource)
• aws_route53_record.ntc_subdomain_dnssec (resource)
• aws_route53_zone.ntc_root (resource)
• aws_route53_zone.ntc_root_exception (resource)

Required Inputs

The following input variables are required:

zone_name

Description: This is the name of the hosted zone.

Type: string

zone_type

Description: The type (public or private) of hosted zone where the records will be created.

Type: string

Optional Inputs

The following input variables are optional (have default values):

dns_records

Description: List of Route53 DNS Records.

Type:

list(object({
    name   = string
    type   = string
    ttl    = optional(number, 300)
    values = optional(list(string), [])
    alias = optional(object({
      enable_alias           = optional(bool, false)
      target_dns_name        = optional(string, "")
      target_hosted_zone_id  = optional(string, "")
      evaluate_target_health = optional(bool, false)
    }), {})
  }))

Default: []

zone_delegation_list

Description: List of subdomains with corresponding nameservers which should be delegated.

Type:

list(object({
    subdomain_zone_name       = string
    subdomain_nameserver_list = list(string)
    dnssec_enabled            = optional(bool, false)
    dnssec_ds_record          = optional(string, "")
  }))

Default: []

zone_description

Description: Description for the hosted zone. Defaults to 'Managed by Terraform'.

Type: string

Default: "Managed by Terraform"

zone_force_destroy

Description: Whether to destroy all records (possibly managed outside of Terraform) in the zone when destroying the zone.

Type: bool

Default: false

zone_vpc_association_exception

Description: Set to true if you need to use vpc zone associations from another account. Warning: This will recreate the hosted zone and the initially set VPC associations cannot be updated anymore.

Type: bool

Default: false

zone_vpc_associations

Description: A list of VPCs to associate the private hosted zone with. Required if "zone_type" is private.

Type:

list(object({
    vpc_id     = optional(string, "")
    vpc_region = optional(string, null)
  }))

Default: []

Outputs

The following outputs are exported:

zone_arn

Description: The Amazon Resource Name (ARN) of the Hosted Zone.

zone_id

Description: The Hosted Zone ID. This can be referenced by zone records.

zone_name

Description: The name of the hosted zone.

zone_nameservers

Description: A list of name servers in associated (or default) delegation set.

zone_records_fqdn

Description: A map of FQDN DNS records.

zone_subdomains

Description: A list of delegated subdomains on the Hosted Zone.