
NTC Route53 (DNS)

Migrating to v2?

NTC Route53 v2 introduces major improvements including AWS Provider v6 support, AWS European Sovereign Cloud compatibility, and simplified multi-region configuration.

📖 Read the Migration Guide for step-by-step instructions.

Description

NTC Route53 automates the setup and management of DNS infrastructure using AWS Route 53. This building block provides a scalable and reliable solution for managing hosted zones, and cross-account DNS configurations. With support for hybrid environments, NTC Route53 simplifies DNS resolution between AWS and on-premises networks.

Designed to integrate seamlessly with your existing infrastructure, this building block ensures efficient and secure DNS operations while maintaining alignment with best practices for availability and performance.

info

DNSSEC requires a chain of trust, which means a DS record must be configured in the parent domain (e.g. company.com → meeting.company.com), unless the current domain is the root domain. If the parent domain is also managed in AWS, you can use zone_delegation_list to configure both subdomain delegation and the DS record in the parent domain.

Verify that DNSSEC is set up correctly with a tool such as DNSSEC Debugger from Verisign Labs.

Usage

Latest Release: 2.0.1

Requirements

The following requirements are needed by this module:

  • terraform (>= 1.5.0)

  • aws (>= 6.0)

Providers

The following providers are used by this module:

  • aws (>= 6.0)

Modules

The following Modules are called:

dns_records

Source: ./modules/records

Version:

dnssec

Source: ./modules/dnssec

Version:

query_logs

Source: ./modules/query-logs

Version:

Resources

The following resources are used by this module:

Required Inputs

The following input variables are required:

zone_name

Description: This is the name of the hosted zone (e.g. 'example.com' or 'subdomain.example.com').

Type: string

zone_type

Description: The type (public or private) of hosted zone where the records will be created.

Type: string

Optional Inputs

The following input variables are optional (have default values):

dns_records

Description: List of Route53 DNS Records.

Type:

list(object({
  name   = string
  type   = string
  ttl    = optional(number, 300)
  values = optional(list(string), [])
  alias  = optional(object({
    enable_alias           = optional(bool, false)
    target_dns_name        = optional(string, "")
    target_hosted_zone_id  = optional(string, "")
    evaluate_target_health = optional(bool, false)
  }), {})
}))

Default: []

dnssec_config

Description: Configure DNSSEC signing for the hosted zone.

Type:

object({
  enabled = optional(bool, false)
  key_signing_keys = optional(list(object({
    ksk_name   = string
    ksk_status = optional(string, "active")
  })), [])
})

Default: {}

query_logs_config

Description: Configure Route53 query logging for the hosted zone.

Type:

object({
  enabled                         = optional(bool, false)
  cloudwatch_resource_policy_name = optional(string, "route53-query-logs")
  cloudwatch_name_prefix          = optional(string, "/aws/route53/")
  cloudwatch_retention_in_days    = optional(number, null)
  cloudwatch_use_existing_kms_key = optional(bool, false)
  cloudwatch_kms_key_arn          = optional(string, "")
})

Default: {}

zone_delegation_list

Description: List of subdomains, with their corresponding nameservers, that should be delegated from this hosted zone.

Type:

list(object({
  subdomain_zone_name       = string
  subdomain_nameserver_list = list(string)
  dnssec_enabled            = optional(bool, false)
  dnssec_ds_record          = optional(string, "")
}))

Default: []

zone_description

Description: Description for the hosted zone. Defaults to 'Managed by Terraform'.

Type: string

Default: "Managed by Terraform"

zone_force_destroy

Description: Whether to destroy all records (possibly managed outside of Terraform) in the zone when destroying the zone.

Type: bool

Default: false

zone_vpc_association_exception

Description: Set to true if you need to use VPC zone associations from another account. Warning: this will recreate the hosted zone, and the initially set VPC associations cannot be updated afterwards.

Type: bool

Default: false

zone_vpc_associations

Description: A list of VPCs to associate the private hosted zone with. Required if "zone_type" is private.

Type:

list(object({
  vpc_id     = optional(string, "")
  vpc_region = optional(string, null)
}))

Default: []
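The chain-of-trust note above and the dnssec_config / zone_delegation_list inputs, as one added usage example that is not the module's own blueprint: a parent zone signs itself and publishes the DS record for a delegated, DNSSEC-enabled subdomain zone, with query logging kept to a fixed retention. The module source is a placeholder and the zone and KSK names are constructed; it assumes the values of dnssec_key_signing_keys_by_name expose the AWS provider's ds_record attribute of aws_route53_key_signing_key.

```hcl
# Added example, not from the module's own docs. Module "source" is a
# placeholder; zone names and KSK names are constructed.
module "parent_zone" {
  source = "<ntc-route53-module-source>" # placeholder

  zone_name = "company.com"
  zone_type = "public"

  # Sign the parent zone. For an apex zone like this one, the parent's own
  # DS record must still be published with the registrar (outside Terraform).
  dnssec_config = {
    enabled          = true
    key_signing_keys = [{ ksk_name = "company-com-ksk-1" }] # ksk_status defaults to "active"
  }

  # Delegate the subdomain and publish its DS record here, in the parent,
  # so the chain of trust company.com -> meeting.company.com is unbroken.
  # Assumption: values of dnssec_key_signing_keys_by_name expose the AWS
  # provider's ds_record attribute of aws_route53_key_signing_key.
  zone_delegation_list = [
    {
      subdomain_zone_name       = "meeting.company.com"
      subdomain_nameserver_list = module.meeting_zone.zone_nameservers
      dnssec_enabled            = true
      dnssec_ds_record          = module.meeting_zone.dnssec_key_signing_keys_by_name["meeting-ksk-1"].ds_record
    }
  ]

  # Query logging with a fixed retention so the log group is not kept forever.
  query_logs_config = {
    enabled                      = true
    cloudwatch_retention_in_days = 90
  }
}

module "meeting_zone" {
  source = "<ntc-route53-module-source>" # placeholder

  zone_name = "meeting.company.com"
  zone_type = "public"

  dnssec_config = {
    enabled          = true
    key_signing_keys = [{ ksk_name = "meeting-ksk-1" }]
  }
}
```

The child zone carries no dependency on the parent, so Terraform creates it first and the parent's delegation and DS record are derived from its outputs.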

Outputs

The following outputs are exported:

dnssec_key_signing_keys_by_name

Description: A map of DNSSEC Key Signing Keys by their names.

query_logs_cloudwatch_kms_key_arn

Description: The ARN of the KMS Key for CloudWatch Log Group for Route53 Query Logs.

query_logs_cloudwatch_log_group_arn

Description: The ARN of the CloudWatch Log Group for Route53 Query Logs.

zone_arn

Description: The Amazon Resource Name (ARN) of the Hosted Zone.

zone_id

Description: The Hosted Zone ID. This can be referenced by zone records.

zone_name

Description: The name of the hosted zone.

zone_nameservers

Description: A list of name servers in the associated (or default) delegation set.

zone_records_fqdn

Description: A map of FQDN DNS records.

zone_subdomains

Description: A list of delegated subdomains on the Hosted Zone.