NTC Route53 (DNS)
Description
NTC Route53 automates the setup and management of DNS infrastructure using AWS Route 53. This building block provides a scalable and reliable solution for managing hosted zones and cross-account DNS configurations. With support for hybrid environments, NTC Route53 simplifies DNS resolution between AWS and on-premises networks.
Designed to integrate seamlessly with your existing infrastructure, this building block ensures efficient and secure DNS operations while maintaining alignment with best practices for availability and performance.
Usage
| Latest Release | 1.3.0 |
|---|---|
- Route53 (DNS)
- DNSSEC
- Query Logging
```hcl
# --------------------------------------------------------------------------------------------------
# ¦ NTC ROUTE53 - PUBLIC HOSTED ZONE
# --------------------------------------------------------------------------------------------------
module "ntc_route53" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-route53?ref=X.X.X"

  zone_force_destroy = false
  # name of the route53 hosted zone
  zone_name        = "company.com"
  zone_description = "Managed by Terraform"
  # private hosted zones require at least one vpc to be associated
  # public hosted zones cannot have any vpc associated
  zone_type = "public"

  # list of dns records which should be created in hosted zone. alias records are a special type of records
  # https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
  dns_records = [
    {
      name   = ""
      type   = "TXT"
      ttl    = 300
      values = [
        "https://xkcd.com/1361/"
      ]
    }
  ]

  # (optional) List of subdomains with corresponding nameservers which should be delegated
  # https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-routing-traffic-for-subdomains.html
  zone_delegation_list = [
    {
      subdomain_zone_name = "int"
      subdomain_nameserver_list = [
        "ns-999.awsdns-00.co.uk.",
        "ns-888.awsdns-00.org.",
        "ns-777.awsdns-00.com.",
        "ns-666.awsdns-00.net.",
      ]
      dnssec_enabled   = true
      dnssec_ds_record = "26175 13 2 44444A317DAEC3A213AB156BE09A22E333DDD10903B666B3A2301ECFB3C55555"
    }
  ]
}
```
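The delegation above hands the `int` subdomain to another hosted zone and, because `dnssec_enabled` is set, publishes the child zone's DS record in `company.com`. A DS record that does not match the child's key-signing key makes every name under the subdomain fail validation at validating resolvers, so the value is worth checking before it is applied. The following is an added example, not code from the NTC module or Nuvibit: it parses the `keytag algorithm digesttype digest` text form used by `dnssec_ds_record`, and computes the DS record of a DNSKEY per RFC 4034 so the value a child zone team supplies can be compared with the KSK they actually publish. `PAGE_SAMPLE_DS` is the value from the usage example; `SAMPLE_KSK_B64` is a constructed 64-byte stand-in for a P-256 public key, not a real key.

```python
import base64
import hashlib
import re
from typing import Dict, Union

# DS digest types (RFC 4034 SHA-1, RFC 4509 SHA-256, RFC 6605 SHA-384): type -> (hash, hex digits)
DS_DIGEST_TYPES = {1: (hashlib.sha1, 40), 2: (hashlib.sha256, 64), 4: (hashlib.sha384, 96)}
# DNSKEY algorithm numbers a parent zone should expect to see; Route 53 KSKs use 13 (ECDSAP256SHA256)
KNOWN_ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}

# The DS record text used in the usage example above (taken from the page, not a live key)
PAGE_SAMPLE_DS = "26175 13 2 44444A317DAEC3A213AB156BE09A22E333DDD10903B666B3A2301ECFB3C55555"
# Constructed stand-in for a P-256 public key (64 bytes, X || Y); not a real key
SAMPLE_KSK_B64 = base64.b64encode(bytes(range(64))).decode("ascii")


def parse_ds_record(ds: str) -> Dict[str, Union[int, str]]:
    """Split 'keytag algorithm digesttype digest' (the dnssec_ds_record text form) and validate each field."""
    parts = ds.split()
    if len(parts) != 4:
        raise ValueError("DS record needs exactly four fields: key tag, algorithm, digest type, digest")
    key_tag, algorithm, digest_type = (int(p) for p in parts[:3])
    digest = parts[3].upper()
    if not 0 <= key_tag <= 65535:
        raise ValueError(f"key tag {key_tag} is outside the 16-bit range")
    if algorithm not in KNOWN_ALGORITHMS:
        raise ValueError(f"unexpected DNSKEY algorithm {algorithm}")
    if digest_type not in DS_DIGEST_TYPES:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    hex_len = DS_DIGEST_TYPES[digest_type][1]
    if not re.fullmatch(rf"[0-9A-F]{{{hex_len}}}", digest):
        raise ValueError(f"digest type {digest_type} requires {hex_len} hex characters")
    return {"key_tag": key_tag, "algorithm": algorithm, "digest_type": digest_type, "digest": digest}


def is_valid_ds_record(ds: str) -> bool:
    """True when the text parses and every field is in range; check this before putting it in zone_delegation_list."""
    try:
        parse_ds_record(ds)
        return True
    except ValueError:
        return False


def _owner_wire(name: str) -> bytes:
    """Owner name in canonical wire format: lower-cased labels, each length-prefixed, root label last."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i % 2 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                          public_key_b64: str, digest_type: int = 2) -> str:
    """DS text for a DNSKEY: digest = H(owner wire format || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(public_key_b64)
    hasher, _ = DS_DIGEST_TYPES[digest_type]
    digest = hasher(_owner_wire(owner) + rdata).hexdigest().upper()
    return f"{dnskey_key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches_dnskey(ds: str, owner: str, flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bool:
    """Does the DS the child zone handed over correspond to the DNSKEY they publish?"""
    parsed = parse_ds_record(ds)
    expected = ds_record_from_dnskey(owner, flags, protocol, algorithm, public_key_b64, int(parsed["digest_type"]))
    return parse_ds_record(expected) == parsed


if __name__ == "__main__":
    print(parse_ds_record(PAGE_SAMPLE_DS))
    ds = ds_record_from_dnskey("int.company.com", 257, 3, 13, SAMPLE_KSK_B64)
    print(ds, ds_matches_dnskey(ds, "int.company.com", 257, 3, 13, SAMPLE_KSK_B64))
```

`ds_matches_dnskey` is the check to run with the child zone's DNSKEY (flags 257 marks a KSK, protocol is always 3) before the DS value goes into `zone_delegation_list`; the owner name is compared case-insensitively, as the canonical form requires.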
```hcl
# --------------------------------------------------------------------------------------------------
# ¦ NTC ROUTE53 - DNSSEC
# --------------------------------------------------------------------------------------------------
# WARNING: disabling DNSSEC before DS records expire can lead to domain becoming unavailable on the internet
# https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-disable.html
module "ntc_route53_dnssec" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-route53//modules/dnssec?ref=X.X.X"

  zone_id = module.ntc_route53.zone_id

  # dnssec key can be rotated by creating a new 'inactive' key-signing-key and adding new DS records in root domain
  # WARNING: old key should stay active until new key-signing-key is provisioned and new DS records are propagated
  key_signing_keys = [
    {
      ksk_name   = "ksk-1"
      ksk_status = "active"
    },
    {
      ksk_name   = "ksk-2"
      ksk_status = "inactive"
    }
  ]

  providers = {
    # dnssec requires the kms key to be in us-east-1
    aws.us_east_1 = aws.use1
  }
}
```
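The two comments in the DNSSEC block describe a rollover order: add the new key as inactive, publish its DS record in the parent zone, and only then retire the old one. The following is an added example, not code from the NTC module or Nuvibit; it turns that order into a pre-apply check over successive `key_signing_keys` values. Its rules are derived from those comments (an assumption, not a description of what the AWS API itself enforces), and `PLANNED_ROTATION` is a constructed plan.

```python
from typing import Dict, List, Set, Tuple

KeySigningKey = Dict[str, str]  # one entry of the module's key_signing_keys list

# The rotation the comments describe, as successive key_signing_keys values paired with the set of
# KSK names whose DS records are published in the parent zone at that point (constructed plan)
PLANNED_ROTATION: List[Tuple[List[KeySigningKey], Set[str]]] = [
    ([{"ksk_name": "ksk-1", "ksk_status": "active"}], {"ksk-1"}),
    ([{"ksk_name": "ksk-1", "ksk_status": "active"},
      {"ksk_name": "ksk-2", "ksk_status": "inactive"}], {"ksk-1"}),          # new key created inactive
    ([{"ksk_name": "ksk-1", "ksk_status": "active"},
      {"ksk_name": "ksk-2", "ksk_status": "active"}], {"ksk-1", "ksk-2"}),   # its DS published, then activated
    ([{"ksk_name": "ksk-1", "ksk_status": "inactive"},
      {"ksk_name": "ksk-2", "ksk_status": "active"}], {"ksk-1", "ksk-2"}),   # old key deactivated
    ([{"ksk_name": "ksk-2", "ksk_status": "active"}], {"ksk-2"}),            # old key and its DS removed
]


def rotation_step_errors(before: List[KeySigningKey], after: List[KeySigningKey],
                         parent_ds_for: Set[str]) -> List[str]:
    """Problems with changing key_signing_keys from `before` to `after`, given which KSKs have DS at the parent."""
    errors: List[str] = []
    status_before = {k["ksk_name"]: k["ksk_status"] for k in before}
    status_after = {k["ksk_name"]: k["ksk_status"] for k in after}
    if len(status_after) != len(after):
        errors.append("duplicate ksk_name in key_signing_keys")
    for status in set(status_before.values()) | set(status_after.values()):
        if status not in ("active", "inactive"):
            errors.append(f"unknown ksk_status {status!r}")
    active_after = [name for name, status in status_after.items() if status == "active"]
    if not active_after:
        errors.append("no active key-signing key would remain, so the zone could no longer be signed")
    for name, status in status_before.items():
        if status != "active" or status_after.get(name) == "active":
            continue  # only transitions away from 'active' are risky
        if name not in status_after:
            errors.append(f"{name} is removed while still active; set it to inactive first")
        # the successor must already be active and have its DS record published at the parent
        if not any(other != name and other in parent_ds_for for other in active_after):
            errors.append(f"{name} loses its active status before another KSK with DS records in the parent zone is active")
    return errors


def validate_plan(plan: List[Tuple[List[KeySigningKey], Set[str]]]) -> List[List[str]]:
    """Errors for each transition of a plan; an all-empty result means the rollover order is safe."""
    return [rotation_step_errors(plan[i][0], plan[i + 1][0], plan[i + 1][1]) for i in range(len(plan) - 1)]


if __name__ == "__main__":
    for step, errors in enumerate(validate_plan(PLANNED_ROTATION), start=1):
        print(f"step {step}: {'ok' if not errors else errors}")
```

Run `validate_plan` against the intended sequence of `key_signing_keys` values before each `terraform apply` of the DNSSEC module; a shortcut such as replacing `ksk-1` with `ksk-2` in a single step is reported twice, once for removing an active key and once because no successor with a published DS record is active yet.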
```hcl
# --------------------------------------------------------------------------------------------------
# ¦ NTC ROUTE53 - QUERY LOGGING
# --------------------------------------------------------------------------------------------------
module "ntc_route53_query_logging" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-route53//modules/query-logs?ref=X.X.X"

  # query logging requires a public hosted zone
  zone_id                = module.ntc_route53.zone_id
  cloudwatch_name_prefix = "/aws/route53/"
  # cloudwatch_resource_policy_name = "route53-query-logs"
  # cloudwatch_retention_in_days = null
  # cloudwatch_kms_key_use_existing = false
  # cloudwatch_kms_key_arn = ""

  providers = {
    # cloudwatch log group must be in us-east-1
    aws.us_east_1 = aws.use1
  }
}
```
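Query logs are only useful if something reads them. As an added example, not code from the NTC module or Nuvibit, the script below parses the space-separated record format Route 53 writes for public hosted zone query logging (log format version, timestamp, hosted zone ID, query name, query type, response code, layer 4 protocol, edge location, resolver IP, EDNS client subnet) and runs two simple detections over constructed sample lines: resolvers producing a burst of NXDOMAIN answers, which often accompanies subdomain enumeration, and query names with an unusually long label, a common tunnelling indicator. The hosted zone ID in the sample is a placeholder and the addresses come from documentation ranges.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class QueryLogRecord:
    """One Route 53 public DNS query log record, fields in the documented order."""
    version: str
    timestamp: str
    zone_id: str
    query_name: str
    query_type: str
    rcode: str
    protocol: str
    edge_location: str
    resolver_ip: str
    edns_client_subnet: str  # "-" when the resolver sent no EDNS client subnet option


def parse_query_log_line(line: str) -> QueryLogRecord:
    """Split one log line into its ten space-separated fields."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    return QueryLogRecord(*fields)


def parse_query_log(text: str) -> List[QueryLogRecord]:
    return [parse_query_log_line(line) for line in text.splitlines() if line.strip()]


def nxdomain_burst_resolvers(records: List[QueryLogRecord], threshold: int = 3) -> Dict[str, int]:
    """Resolver IPs that received at least `threshold` NXDOMAIN answers in the window covered by `records`."""
    counts = Counter(r.resolver_ip for r in records if r.rcode == "NXDOMAIN")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def longest_label(name: str) -> int:
    """Length of the longest label in a query name (DNS allows up to 63 octets per label)."""
    return max((len(label) for label in name.rstrip(".").split(".")), default=0)


def long_label_queries(records: List[QueryLogRecord], max_label: int = 40) -> List[str]:
    """Query names containing a label longer than `max_label`; normal hostnames rarely come close."""
    return sorted({r.query_name for r in records if longest_label(r.query_name) > max_label})


# Constructed sample: placeholder zone ID, RFC 5737 documentation addresses, a burst of NXDOMAIN
# answers to one resolver, and one query whose first label is 50 characters long
SAMPLE_LOG = """\
1.0 2024-05-01T10:00:01Z Z0EXAMPLE12345 www.company.com A NOERROR UDP FRA6 198.51.100.7 -
1.0 2024-05-01T10:00:02Z Z0EXAMPLE12345 mail.company.com MX NOERROR UDP FRA6 198.51.100.7 -
1.0 2024-05-01T10:00:03Z Z0EXAMPLE12345 admin.company.com A NXDOMAIN UDP FRA6 203.0.113.10 -
1.0 2024-05-01T10:00:03Z Z0EXAMPLE12345 dev.company.com A NXDOMAIN UDP FRA6 203.0.113.10 -
1.0 2024-05-01T10:00:03Z Z0EXAMPLE12345 staging.company.com A NXDOMAIN UDP FRA6 203.0.113.10 -
1.0 2024-05-01T10:00:04Z Z0EXAMPLE12345 vpn.company.com A NXDOMAIN UDP FRA6 203.0.113.10 -
1.0 2024-05-01T10:00:04Z Z0EXAMPLE12345 git.company.com A NXDOMAIN UDP FRA6 203.0.113.10 -
1.0 2024-05-01T10:00:05Z Z0EXAMPLE12345 test.company.com A NXDOMAIN TCP FRA6 198.51.100.7 -
1.0 2024-05-01T10:00:06Z Z0EXAMPLE12345 abcdefghijabcdefghijabcdefghijabcdefghijabcdefghij.t.company.com TXT NOERROR UDP FRA6 192.0.2.44 192.0.2.0/24
"""


def analyze_sample() -> dict:
    """Run both detections over the constructed sample and return their findings."""
    records = parse_query_log(SAMPLE_LOG)
    return {
        "nxdomain_bursts": nxdomain_burst_resolvers(records),
        "long_labels": long_label_queries(records),
    }


if __name__ == "__main__":
    print(analyze_sample())
```

Against CloudWatch the same functions apply to the `message` field of each exported event; thresholds are deliberately parameters, since a public resolver (a single source IP serving many clients) legitimately produces more NXDOMAIN answers than a stub resolver, and the EDNS client subnet field, when present, is what distinguishes the two.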
Requirements
The following requirements are needed by this module:
- terraform (>= 1.3.0)
- aws (>= 4.0)
Providers
The following providers are used by this module:
- aws (>= 4.0)
Modules
The following Modules are called:
- dns_records
  Source: ./modules/records
  Version:
Resources
The following resources are used by this module:
- aws_route53_record.ntc_subdomain (resource)
- aws_route53_record.ntc_subdomain_dnssec (resource)
- aws_route53_zone.ntc_root (resource)
- aws_route53_zone.ntc_root_exception (resource)
Required Inputs
The following input variables are required:
zone_name
Description: This is the name of the hosted zone.
Type: string
zone_type
Description: The type (public or private) of hosted zone where the records will be created.
Type: string
Optional Inputs
The following input variables are optional (have default values):
dns_records
Description: List of Route53 DNS Records.
Type:
```hcl
list(object({
  name   = string
  type   = string
  ttl    = optional(number, 300)
  values = optional(list(string), [])
  alias = optional(object({
    enable_alias           = optional(bool, false)
    target_dns_name        = optional(string, "")
    target_hosted_zone_id  = optional(string, "")
    evaluate_target_health = optional(bool, false)
  }), {})
}))
```
Default: []
zone_delegation_list
Description: List of subdomains with corresponding nameservers which should be delegated.
Type:
```hcl
list(object({
  subdomain_zone_name       = string
  subdomain_nameserver_list = list(string)
  dnssec_enabled            = optional(bool, false)
  dnssec_ds_record          = optional(string, "")
}))
```
Default: []
zone_description
Description: Description for the hosted zone. Defaults to 'Managed by Terraform'.
Type: string
Default: "Managed by Terraform"
zone_force_destroy
Description: Whether to destroy all records (possibly managed outside of Terraform) in the zone when destroying the zone.
Type: bool
Default: false
zone_vpc_association_exception
Description: Set to true if you need to use vpc zone associations from another account. Warning: This will recreate the hosted zone and the initially set VPC associations cannot be updated anymore.
Type: bool
Default: false
zone_vpc_associations
Description: A list of VPCs to associate the private hosted zone with. Required if "zone_type" is private.
Type:
```hcl
list(object({
  vpc_id     = optional(string, "")
  vpc_region = optional(string, null)
}))
```
Default: []
Outputs
The following outputs are exported:
zone_arn
Description: The Amazon Resource Name (ARN) of the Hosted Zone.
zone_id
Description: The Hosted Zone ID. This can be referenced by zone records.
zone_name
Description: The name of the hosted zone.
zone_nameservers
Description: A list of name servers in associated (or default) delegation set.
zone_records_fqdn
Description: A map of FQDN DNS records.
zone_subdomains
Description: A list of delegated subdomains on the Hosted Zone.