From 6a27418af5432719070764f6153cca3495e3692d Mon Sep 17 00:00:00 2001
From: John Ake
Date: Mon, 18 Dec 2023 11:43:41 +0000
Subject: [PATCH] Update default CAA records to globalsign and digicert
Refactor the dns module to handle multiple CAA records
---
dns/Readme.md | 4 ++--
dns/zones/resources.tf | 33 ++++++++++++++++++++++++++++-
dns/zones/tfdocs.md | 1 +
domains/infrastructure/variables.tf | 8 +------
4 files changed, 36 insertions(+), 10 deletions(-)
diff --git a/dns/Readme.md b/dns/Readme.md
index 60e8436..6eab579 100644
--- a/dns/Readme.md
+++ b/dns/Readme.md
@@ -61,7 +61,7 @@ So we add the following 3 records to indicate we don't send mail from these doma
 - CAA record
 ```
-0 issue "amazon.com"
+0 issue "globalsign.com"
 ```
 # Records
@@ -82,7 +82,7 @@ To create (or update) records to an existing zone
 - Run the make command with DNS_ENV set to the environment you are adding records too
 - make ${zone} dnsrecord-plan DNS_ENV=${env}
- - make ${zone} dnsrecord-apply DNS_ENV=$env}
+ - make ${zone} dnsrecord-apply DNS_ENV=${env}
 - e.g. make register dnsrecord-plan DNS_ENV=qa
 Note;
diff --git a/dns/zones/resources.tf b/dns/zones/resources.tf
index 5c9f14c..79e5196 100644
--- a/dns/zones/resources.tf
+++ b/dns/zones/resources.tf
@@ -14,9 +14,10 @@ resource "azurerm_dns_zone" "dns_zone" {
 # CAA record
 locals {
+ # caa_records is deprecated. Use caa_record_list instead
 caa_records = flatten([
 for zone_name, zone_cfg in var.hosted_zone : [
- for record_name, record_cfg in zone_cfg["caa_records"] : {
+ for record_name, record_cfg in try(zone_cfg["caa_records"], {}) : {
 record_name = record_name
 zone_name = zone_name
 resource_group_name = zone_cfg["resource_group_name"]
@@ -26,8 +27,15 @@ locals {
 }
 ]
 ])
+
+ hosted_zone_with_caa_record_list = {
+ for zone_name, zone_cfg in var.hosted_zone :
+ zone_name => zone_cfg
+ if length(try(zone_cfg.caa_record_list, [])) > 0
+ }
 }
+# caa_records is deprecated. Use caa_record_list instead
 resource "azurerm_dns_caa_record" "caa_records" {
 for_each = {
 for zone in local.caa_records : "${zone.zone_name}.${zone.record_name}" => zone
@@ -50,6 +58,29 @@ resource "azurerm_dns_caa_record" "caa_records" {
 }
+resource "azurerm_dns_caa_record" "caa_record_list" {
+ for_each = local.hosted_zone_with_caa_record_list
+
+ name = "@"
+ zone_name = each.key
+ resource_group_name = each.value.resource_group_name
+ ttl = 300
+
+ dynamic "record" {
+ for_each = toset(each.value.caa_record_list)
+ content {
+ flags = 0
+ tag = "issue"
+ value = record.value
+ }
+ }
+
+ depends_on = [
+ azurerm_dns_zone.dns_zone
+ ]
+
+}
+
 # TXT record
 locals {
diff --git a/dns/zones/tfdocs.md b/dns/zones/tfdocs.md
index bf03685..1f6f8ef 100644
--- a/dns/zones/tfdocs.md
+++ b/dns/zones/tfdocs.md
@@ -16,6 +16,7 @@ No modules.
 | Name | Type |
 |------|------|
+| [azurerm_dns_caa_record.caa_record_list](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_caa_record) | resource |
 | [azurerm_dns_caa_record.caa_records](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_caa_record) | resource |
 | [azurerm_dns_txt_record.txt_records](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_txt_record) | resource |
 | [azurerm_dns_zone.dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone) | resource |
diff --git a/domains/infrastructure/variables.tf b/domains/infrastructure/variables.tf
index 46c4542..52c654d 100644
--- a/domains/infrastructure/variables.tf
+++ b/domains/infrastructure/variables.tf
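Review bot: `length(try(zone_cfg.caa_record_list, []))` in the new `hosted_zone_with_caa_record_list` filter only falls back when the attribute lookup itself errors; if `var.hosted_zone` types the field as an optional object attribute (its declaration is not in this patch), a zone that omits it yields `null`, and `length(null)` then fails the plan for every caller instead of skipping that zone. Moving the `length` call inside the `try` covers both cases: `if try(length(zone_cfg.caa_record_list), 0) > 0`. A one-line comment on the local is also warranted, e.g. `# Zones with an empty or absent caa_record_list get no apex CAA record from this path (any CA may then issue) — they are expected to use the deprecated caa_records map or accept that`, since an empty list silently removes the issuance restriction rather than erroring.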
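Review bot: The new `caa_record_list` resource hard-codes `name = "@"`, so a zone that still has an `@` entry in the deprecated `caa_records` map and also sets `caa_record_list` produces two `azurerm_dns_caa_record` resources for the same apex record set; the provider will refuse the second as already existing (or the two will overwrite each other on each apply) rather than merge them, and nothing in this hunk guards against it. A `lifecycle` precondition on the new resource makes that misconfiguration fail at plan time; it needs Terraform 1.2 or later, which I cannot confirm from the patch. The new shape is also narrower than the map it replaces — every entry becomes `flags = 0` / `tag = "issue"` and `ttl = 300` is fixed — so `issuewild` and `iodef` records cannot be expressed through `caa_record_list`; a header comment on the resource saying so would stop the next maintainer from migrating such entries and silently losing them.
```hcl
resource "azurerm_dns_caa_record" "caa_record_list" {
  for_each = local.hosted_zone_with_caa_record_list

  # … unchanged: name, zone_name, resource_group_name, ttl, dynamic "record", depends_on …

  lifecycle {
    precondition {
      condition     = !contains(keys(try(each.value.caa_records, {})), "@")
      error_message = "A zone must not set both an '@' caa_records entry and caa_record_list; both would manage the same apex CAA record set."
    }
  }
}
```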
@@ -22,13 +22,7 @@ variable "azure_enable_monitoring" {
 locals {
 default_records = {
- "caa_records" = {
- "@" = {
- "flags" = 0,
- "tag" = "issue",
- "value" = "digicert.com"
- }
- }
+ "caa_record_list" = ["globalsign.com", "digicert.com"],
 "txt_records" = {
 "@" = {
 "value" = "v=spf1 -all"
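Review bot: The new default `"caa_record_list" = ["globalsign.com", "digicert.com"]` widens the set of CAs authorised to issue for every zone that inherits `default_records` from one CA to two, and nothing records why both are needed; a comment such as `# Both CAs are authorised during the GlobalSign migration; remove digicert.com once no certificate from it remains in use` keeps the allow-list from growing by habit. The README hunk in this same patch shows only `0 issue "globalsign.com"`, so the documentation and the default currently disagree on whether digicert.com is authorised. CAA is checked at issuance and renewal, so before this reaches production it is worth confirming that no live certificate on these zones comes from a CA outside the list (the README previously named amazon.com), otherwise that certificate's next renewal will be refused. The list also carries only `issue` entries; without an `iodef` record, CAs have nowhere to report rejected issuance attempts.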