A Terraform module for building a public/private DNS pair in AWS.
This consists of:
- A public DNS zone
- A private DNS zone
To use the module, include something like the following in your Terraform configuration:
module "dns-zones" {
source = "infrablocks/dns-zones/aws"
version = "2.0.0"
domain_name = "example.com"
private_domain_name = "example.net"
# Default VPC
private_zone_vpc_id = "vpc-6e12c307"
private_zone_vpc_region = "us-east-2"
}
See the Terraform registry entry for more details.
Name | Description | Default | Required |
---|---|---|---|
domain_name |
The domain name for the public DNS zone. | - | Yes |
private_domain_name |
The domain name for the private DNS zone. | - | Yes |
private_zone_vpc_id |
The VPC to attach the private DNS zone to. | - | Yes |
private_zone_vpc_region |
The region for the VPC. | - | Yes |
Name | Description |
---|---|
public_zone_id |
The ID of the created public zone. |
public_zone_name_servers |
The name servers of the created public zone. |
private_zone_id |
The ID of the created private zone. |
private_zone_name_servers |
The name servers of the created private zone. |
This module is compatible with Terraform versions greater than or equal to Terraform 1.0 and Terraform AWS provider versions greater than or equal to 3.29.
In order for the build to run correctly, a few tools will need to be installed on your development machine:
- Ruby (3.1)
- Bundler
- git
- git-crypt
- gnupg
- direnv
- aws-vault
Installing the required tools is best managed by homebrew.
To install homebrew:
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Then, to install the required tools:
# ruby
brew install rbenv
brew install ruby-build
echo 'eval "$(rbenv init - bash)"' >> ~/.bash_profile
echo 'eval "$(rbenv init - zsh)"' >> ~/.zshrc
eval "$(rbenv init -)"
rbenv install 3.1.1
rbenv rehash
rbenv local 3.1.1
gem install bundler
# git, git-crypt, gnupg
brew install git
brew install git-crypt
brew install gnupg
# aws-vault
brew cask install
# direnv
brew install direnv
echo "$(direnv hook bash)" >> ~/.bash_profile
echo "$(direnv hook zsh)" >> ~/.zshrc
eval "$(direnv hook $SHELL)"
direnv allow <repository-directory>
Running the build requires an AWS account and AWS credentials. You are free to configure credentials however you like as long as an access key ID and secret access key are available. These instructions utilise aws-vault which makes credential management easy and secure.
To run the full build, including unit and integration tests, execute:
aws-vault exec <profile> -- ./go
To run the unit tests, execute:
aws-vault exec <profile> -- ./go test:unit
To run the integration tests, execute:
aws-vault exec <profile> -- ./go test:integration
To provision the module prerequisites:
aws-vault exec <profile> -- ./go deployment:prerequisites:provision[<deployment_identifier>]
To provision the module contents:
aws-vault exec <profile> -- ./go deployment:root:provision[<deployment_identifier>]
To destroy the module contents:
aws-vault exec <profile> -- ./go deployment:root:destroy[<deployment_identifier>]
To destroy the module prerequisites:
aws-vault exec <profile> -- ./go deployment:prerequisites:destroy[<deployment_identifier>]
Configuration parameters can be overridden via environment variables. For
example, to run the unit tests with a seed of "testing"
, execute:
SEED=testing aws-vault exec <profile> -- ./go test:unit
When a seed is provided via an environment variable, infrastructure will not be destroyed at the end of test execution. This can be useful during development to avoid lengthy provision and destroy cycles.
To subsequently destroy unit test infrastructure for a given seed:
FORCE_DESTROY=yes SEED=testing aws-vault exec <profile> -- ./go test:unit
To generate an SSH key pair:
ssh-keygen -m PEM -t rsa -b 4096 -C integration-test@example.com -N '' -f config/secrets/keys/bastion/ssh
To generate a self signed certificate:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
To decrypt the resulting key:
openssl rsa -in key.pem -out ssl.key
To encrypt a GPG key for use by CircleCI:
openssl aes-256-cbc \
-e \
-md sha1 \
-in ./config/secrets/ci/gpg.private \
-out ./.circleci/gpg.private.enc \
-k "<passphrase>"
To check decryption is working correctly:
openssl aes-256-cbc \
-d \
-md sha1 \
-in ./.circleci/gpg.private.enc \
-k "<passphrase>"
Bug reports and pull requests are welcome on GitHub at https://github.com/infrablocks/terraform-aws-dns-zones. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.
The library is available as open source under the terms of the MIT License.