Situation:
I have different A and AAAA records that go to the same subdomain-name.
Like
xxx.xxx.xxx.xxx (ipv4)
and
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx (ipv6)
that go to the same subdomain like xxxx.yyyyy.com
Now I use the following snippet in Terraform:
resource "aws_route53_record" "blablubb" {
zone_id = ""
name = "blablubb.something.com."
type = "A"
ttl = "3600"
records = [
"xxx.xxx.xxx.xxx"
]
}
I cannot find any hint in the docs by now:
Terraform AWS Route53
Assuption:
I assume that I have to put both A and AAAA in the snippet.
Question:
How should that look if I am right?
Related
I have 2 AWS accounts: dev and prod.
In the prod account, I setup a DNS domain (example.com), as well as 2 public Hosted Zone: example.com and prod.example.com. 2 ACM certificates are also issued for these domains internal.prod.example.com and eks.prod.example.com. Those certificates are correctly validated by DNS.
In the dev account, I have created 2 public Hosted Zones: dev.example.com and example.com. I issued 2 ACM certificates for internal.dev.example.com and eks.dev.example.com which, as far as I understand need to be validated with the DNS in the prod account.
These certificated are in pending state.
How can I validate them?
What I did so far:
I added a NS record called dev.example.com in the prod account for the example.com Hosted Zone. The value of the NS record are the ones of the dev.example.com Hosted Zone created in the dev account. This is to delegate the ownership of the R53 Hosted Zone in prod. See here.
In the dev account, the CNAME of the requested domain from ACM have been added in the dev.example.com Hosted Zone for validation.
The following code is how it's been done (and working) on the prod account.
Note - this is a code that I took over, so I'm not aware if any manual steps have been taken.
data "aws_route53_zone" "dns-zone" {
name = "${var.environment}.${var.zone_name}"
}
resource "aws_acm_certificate" "cert" {
domain_name = "*.${var.environment}.${var.zone_name}"
validation_method = "DNS"
subject_alternative_names = list("*.internal.${var.environment}.${var.zone_name}", "*.eks.${var.environment}.${var.zone_name}")
lifecycle {
create_before_destroy = true
prevent_destroy = true
}
}
resource "aws_route53_record" "cert_validation" {
for_each = {
for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
zone_id = data.aws_route53_zone.dns-zone.zone_id
}
}
allow_overwrite = true
name = each.value.name
records = [each.value.record]
ttl = 60
type = each.value.type
zone_id = each.value.zone_id
}
resource "aws_acm_certificate_validation" "cert" {
certificate_arn = aws_acm_certificate.cert.arn
validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
}
Ps - Should you need more clarification, please let me know.
dev & prod account you have example.com? Only 1 can be used properly. Wherever the registrar is for example.com ... that registrar can only use the name servers from 1 of those hosted zones.
You mentioned you have 2 ACM certs for internal.dev.example.com & eks.dev.example.com ... those should be validated in the DEV Account if that's where their domains are created.
Also I recommend you just create 1 wild card cert in ACM for *.dev.example.com & validate that 1 in the DEV account. Any subdomains such as eks.dev.example.com will be able to use it.
I got a microservice in an ECS instance in AWS behind a WAF, I want to create these rules:
Allow specific IPs (done)
Allow all connections from inside the VPN (done)
Deny all the other requests.
The first two IP set are created, but I can't make the last one to work. I tried creating the IP set with 0.0.0.0/0 and another combinations without success.
This is my code, I removed ipset 1 and 2 (that are working), this is the ipset 3:
resource "aws_wafv2_ip_set" "ipset" {
name = "${var.app_name}-${var.environment_name}-whitelist-ips"
scope = "REGIONAL"
ip_address_version = "IPV4"
addresses = ["0.0.0.0/0"]
}
module "alb_wafv2" {
source = "trussworks/wafv2/aws"
version = "~> 2.0"
name = "${var.app_name}-${var.environment_name}"
scope = "REGIONAL"
alb_arn = aws_lb.app_lb.arn
associate_alb = true
ip_sets_rule = [
{
name = "${var.app_name}-${var.environment_name}-ip-blacklist"
action = "deny"
priority = 1
ip_set_arn = aws_wafv2_ip_set.ipset.arn
}
]
}
{
RespMetadata: {
StatusCode: 400,
RequestID: "c98b2d3a-ebd0-44e0-a80a-702bc698598b"
},
Field: "IP_ADDRESS",
Message_: "Error reason: The parameter contains formatting that is not valid., field: IP_ADDRESS, parameter: 0.0.0.0/0",
Parameter: "0.0.0.0/0",
Reason: "The parameter contains formatting that is not valid."
}
Tried to create an IP Set from the AWS Console with the same error:
So I got two questions, first, how can I do this? And the second one, is this the best approach?
Thanks in advance
You don't need to block 0.0.0.0/0. After you created two IP rules, look "Default web ACL action for requests that don't match any rules" on WAF console and set Action to Block.
Consider using this trick to bypass the 0.0.0.0/0 limitation:
Divide the IPv4 address space into two chunks: 0.0.0.0/1 and 128.0.0.0/1
The following terraform snippet was accepted and the ip set was created by TF (Terraform 0.15.4 and aws provider version 3.42.0):
resource "aws_wafv2_ip_set" "ipset" {
name = "all_internet_kludge"
scope = "REGIONAL"
ip_address_version = "IPV4"
addresses = ["0.0.0.0/1", "128.0.0.0/1"]
}
You can't block all addresses (CIDR /0). It is not supported. From docs:
AWS WAF supports all IPv4 and IPv6 CIDR ranges except for /0.
Instead, you can use network ACL to deny all traffic, or security groups.
resource "aws_acm_certificate" "cert" {
domain_name = "atlantis.mydomain"
validation_method = "DNS"
}
data "cloudflare_zones" "this" {
filter {
name = "myzone.com"
status = "active"
paused = false
}
}
resource "cloudflare_record" "cert_validation" {
zone_id = data.cloudflare_zones.this.zones[0].id
name = aws_acm_certificate.cert.domain_validation_options.0.resource_record_name
type = aws_acm_certificate.cert.domain_validation_options.0.resource_record_type
value = aws_acm_certificate.cert.domain_validation_options.0.resource_record_value
ttl = 3600
proxied = false
}
resource "aws_acm_certificate_validation" "cert" {
certificate_arn = aws_acm_certificate.cert.arn
validation_record_fqdns = [cloudflare_record.cert_validation.hostname]
}
1 error occurred:
* missing atlantis.mydomain DNS validation record: _1002e16ebd84cda6c12a865cf899175a.atlantis.mydomain
i don't know how to resolve this error
i have a problem when i want create a certificat ACM and validate with cloudflare in aws and with terraform.
i have an error during the deployment about dns vérification
the record and the certificate have been created , but not validate
my cloudflare module is working well and for months
You need to use the values from the Terraform aws_acm_certificate resource's domain_validation_options values to create validation DNS records in CloudFlare. These will be entirely separate from the DNS record you are creating to point to your load balancer.
I currently have 2 workspaces within Terraform, one for Prod and one for Dev.
In prod my Terraform code creates a Route53 entry and then add's a cert as a CNAME to the Route53 hosted zone and then attaches the cert to my load balancer.
resource "aws_acm_certificate" "default" {
domain_name = "www.test.uk"
validation_method = "DNS"
}
resource "aws_route53_record" "validation" {
name = aws_acm_certificate.default.domain_validation_options[0].resource_record_name
type = aws_acm_certificate.default.domain_validation_options[0].resource_record_type
zone_id = "Z0725470IF9R8J77LPTU"
records = [
aws_acm_certificate.default.domain_validation_options[0].resource_record_value]
ttl = "60"
}
resource "aws_acm_certificate_validation" "default" {
certificate_arn = aws_acm_certificate.default.arn
validation_record_fqdns = [
aws_route53_record.validation.fqdn,
]
}
When I switch my workspace to dev and run terraform apply it tries to creates this Route53 entry again and errors. Is there a way to tell Terraform to ignore this?
I tried adding a count of 0 but it gave me this error
Error: Missing resource instance key
on alb.tf line 12, in resource "aws_route53_record" "validation":
12: type =
aws_acm_certificate.default.domain_validation_options[0].resource_record_type
Because aws_acm_certificate.default has "count" set, its attributes
must be accessed on specific instances.
For example, to correlate with indices of a referring resource, use:
aws_acm_certificate.default[count.index]
Error: Missing resource instance key
on alb.tf line 15, in resource "aws_route53_record" "validation":
15:
aws_acm_certificate.default.domain_validation_options[0].resource_record_value]
Because aws_acm_certificate.default has "count" set, its attributes
must be accessed on specific instances.
For example, to correlate with indices of a referring resource, use:
aws_acm_certificate.default[count.index]
The best solution I've come up with is to comment out the Route53 stuff when I run terraform apply in the staging workspace, this obviously isn't an ideal solution.
Untested below but I think you can use a conditional (based on your workspace name) and use count to create (or not create) the resources.
locals {
create_me = terraform.workspace == "dev" ? 0 : 1
}
resource "aws_acm_certificate" "default" {
count = local.create_me
domain_name = "www.test.uk"
validation_method = "DNS"
}
resource "aws_route53_record" "validation" {
count = local.create_me
name = aws_acm_certificate.default.domain_validation_options[count.index].resource_record_name
type = aws_acm_certificate.default.domain_validation_options[count.index].resource_record_type
zone_id = "Z0725470IF9R8J77LPTU"
records = [
aws_acm_certificate.default.domain_validation_options[count.index].resource_record_value]
ttl = "60"
}
resource "aws_acm_certificate_validation" "default" {
count = local.create_me
certificate_arn = aws_acm_certificate.default[count.index].arn
validation_record_fqdns = [
aws_route53_record.validation[count.index].fqdn,
]
}
I want to create a new alb and a route53 record that points to it.
I see I have the DNS name: ${aws_lb.MYALB.dns_name}
Is it possible to create a cname to the public DNS name with aws_route53_record resource?
See the Terraform Route53 Record docs
You can add a basic CNAME entry with the following:
resource "aws_route53_record" "cname_route53_record" {
zone_id = aws_route53_zone.primary.zone_id # Replace with your zone ID
name = "www.example.com" # Replace with your subdomain, Note: not valid with "apex" domains, e.g. example.com
type = "CNAME"
ttl = "60"
records = [aws_lb.MYALB.dns_name]
}
Or if you're are using an "apex" domain (e.g. example.com) consider using an Alias (AWS Alias Docs):
resource "aws_route53_record" "alias_route53_record" {
zone_id = aws_route53_zone.primary.zone_id # Replace with your zone ID
name = "example.com" # Replace with your name/domain/subdomain
type = "A"
alias {
name = aws_lb.MYALB.dns_name
zone_id = aws_lb.MYALB.zone_id
evaluate_target_health = true
}
}
Yes, it is possible to create CNAME to the public DNS name ${aws_lb.MYALB.dns_name} or aws_lb.MYALB.dns_name with aws_route53_record resource if you use the domain with a subdomain but not apex domain(naked domain, root domain).
So the code below in Terraform(v0.15.0) works properly for CNAME with the domain which has a subdomain. *CNAME with apex domain(naked domain, root domain) causes error.
resource "aws_route53_zone" "myZone" {
name = "example.com"
}
resource "aws_route53_record" "myRecord" {
zone_id = aws_route53_zone.myZone.zone_id
name = "www.example.com"
type = "CNAME"
ttl = 60
records = [aws_lb.MYALB.dns_name]
}
In addition, the code below in Terraform(v0.15.0) works properly for A or AAAA with apex domain(naked domain, root domain) even for the domain with a subdomain.
resource "aws_route53_zone" "myZone" {
name = "example.com"
}
resource "aws_route53_record" "myRecord" {
zone_id = aws_route53_zone.myZone.zone_id
name = "example.com" # OR "www.example.com"
type = "A" # OR "AAAA"
alias {
name = aws_lb.MYALB.dns_name
zone_id = aws_lb.MYALB.zone_id
evaluate_target_health = true
}
}