
terraform-aws-modules/terraform-aws-route53

AWS Route53 Terraform modules

Terraform modules which create Route53 resources.

Usage

Public Hosted Zone

module "zone" {
  source = "terraform-aws-modules/route53/aws"

  name    = "terraform-aws-modules-example.com"
  comment = "Public zone for terraform-aws-modules example"

  records = {
    s3 = {
      name = "s3-bucket-z1bkctxd74ezpe.terraform-aws-modules-example.com"
      type = "A"
      alias = {
        name    = "s3-website-eu-west-1.amazonaws.com"
        zone_id = "Z1BKCTXD74EZPE"
      }
    }
    mail = {
      full_name = "terraform-aws-modules-example.com"
      type = "MX"
      ttl  = 3600
      records = [
        "1 aspmx.l.google.com",
        "5 alt1.aspmx.l.google.com",
        "5 alt2.aspmx.l.google.com",
        "10 alt3.aspmx.l.google.com",
        "10 alt4.aspmx.l.google.com",
      ]
    }
    geo = {
      type           = "CNAME"
      ttl            = 5
      records        = ["europe.test.example.com."]
      set_identifier = "europe"
      geolocation_routing_policy = {
        continent = "EU"
      }
    }
    geoproximity-aws-region = {
      type           = "CNAME"
      ttl            = 5
      records        = ["us-east-1.test.example.com."]
      set_identifier = "us-east-1-region"
      geoproximity_routing_policy = {
        aws_region = "us-east-1"
        bias       = 0
      }
    }
    geoproximity-coordinates = {
      type           = "CNAME"
      ttl            = 5
      records        = ["nyc.test.example.com."]
      set_identifier = "nyc"
      geoproximity_routing_policy = {
        coordinates = [{
          latitude  = "40.71"
          longitude = "-74.01"
        }]
      }
    }
    cloudfront_ipv4 = {
      name = "cloudfront"
      type = "A"
      alias = {
        name    = "d3778kt32cqdww.cloudfront.net"
        zone_id = "EF3T6981F7M1"
      }
    }
    cloudfront_ipv6 = {
      name = "cloudfront"
      type = "AAAA"
      alias = {
        name    = "d3778kt32cqdww.cloudfront.net"
        zone_id = "EF3T6981F7M1"
      }
    }
    blue = {
      name           = "test"
      type           = "CNAME"
      ttl            = 5
      records        = ["test.example.com."]
      set_identifier = "test-primary"
      weighted_routing_policy = {
        weight = 90
      }
    }
    green = {
      name           = "test"
      type           = "CNAME"
      ttl            = 5
      records        = ["test2.example.com."]
      set_identifier = "test-secondary"
      weighted_routing_policy = {
        weight = 10
      }
    }
    failover-primary = {
      type            = "A"
      set_identifier  = "failover-primary"
      health_check_id = "d641c34c-a992-4edd-8a63-c540a4b18d0a"
      alias = {
        name    = "d3778kt32cqdww.cloudfront.net"
        zone_id = "EF3T6981F7M1"
      }
      failover_routing_policy = {
        type = "PRIMARY"
      }
    }
    failover-secondary = {
      type           = "A"
      set_identifier = "failover-secondary"
      alias = {
        name    = "s3-website-eu-west-1.amazonaws.com"
        zone_id = "Z1BKCTXD74EZPE"
      }
      failover_routing_policy = {
        type = "SECONDARY"
      }
    }
    latency-test = {
      type           = "A"
      set_identifier = "latency-test"
      alias = {
        name    = "d3778kt32cqdww.cloudfront.net"
        zone_id = "EF3T6981F7M1"
        evaluate_target_health = true
      }
      latency_routing_policy = {
        region = "eu-west-1"
      }
    }
  }

  tags = {
    Environment = "example"
    Project     = "terraform-aws-route53"
  }
}

Private Hosted Zone

module "zone" {
  source = "terraform-aws-modules/route53/aws"

  name    = "terraform-aws-modules-example.com"
  comment = "Private zone for terraform-aws-modules example"

  records = {
    "apigateway1" = {
      type    = "A"
      alias   = {
        name    = "d-10qxlbvagl.execute-api.eu-west-1.amazonaws.com"
        zone_id = "ZLY8HYME6SFAD"
      }
    }
    ip_alias = {
      name    = "terraform-aws-modules-example.com"
      type    = "A"
      ttl     = 3600
      records = [
        "10.10.10.10",
      ]
    }
  }

  vpc = {
    one = {
      vpc_id     = "vpc-1234556abcdef"
      vpc_region = "eu-west-1"
    }
  }

  tags = {
    Environment = "example"
    Project     = "terraform-aws-route53"
  }
}
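
Public zone with DNSSEC signing, as an added example that is not part of the module's own README: it uses only the inputs and outputs listed in the Inputs and Outputs tables on this page. The module label `zone_dnssec`, the alias, the description and the tag values are constructed placeholders.

```hcl
# Added example, not the project's own code. All literal values are placeholders.
module "zone_dnssec" {
  source = "terraform-aws-modules/route53/aws"

  name    = "terraform-aws-modules-example.com"
  comment = "Public zone with DNSSEC signing"

  # DNSSEC is off by default (enable_dnssec = false), so it must be set explicitly.
  enable_dnssec = true

  # Default behaviour: the module creates the KMS key used for signing.
  create_dnssec_kms_key      = true
  dnssec_kms_key_description = "Route53 DNSSEC key for terraform-aws-modules-example.com"

  # Must be static strings, not computed values (the module uses toset()).
  dnssec_kms_key_aliases = ["route53/dnssec-example"]

  dnssec_kms_key_tags = {
    Purpose = "route53-dnssec"
  }

  # Bring-your-own-key alternative: set create_dnssec_kms_key = false and pass
  # dnssec_kms_key_arn. Route 53 only accepts an asymmetric ECC_NIST_P256
  # sign/verify key located in us-east-1 for this purpose.

  tags = {
    Environment = "example"
    Project     = "terraform-aws-route53"
  }
}

# The DS record has to be published in the parent zone (registrar or parent
# hosted zone); until then validating resolvers cannot build a chain of trust.
output "ds_record" {
  value = module.zone_dnssec.dnssec_signing_key_ds_record
}

# Key tag (RFC 4034 Appendix B) to compare against what the parent publishes.
output "ksk_key_tag" {
  value = module.zone_dnssec.dnssec_signing_key_tag
}

# Region of the signing key, for confirming where it was created.
output "dnssec_kms_key_region" {
  value = module.zone_dnssec.dnssec_kms_key_region
}
```

When turning signing off again, remove the DS record from the parent zone and wait out its TTL before setting `enable_dnssec = false`, otherwise validating resolvers will treat the zone as bogus.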

Sub-Modules

The following independent sub-modules are available:

See the respective module directories for examples and documentation.

Examples

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.7 |
| aws | >= 6.3 |

Providers

| Name | Version |
|------|---------|
| aws | >= 6.3 |

Modules

| Name | Source | Version |
|------|--------|---------|
| route53_dnssec_kms | terraform-aws-modules/kms/aws | 4.0.0 |

Resources

| Name | Type |
|------|------|
| aws_route53_hosted_zone_dnssec.this | resource |
| aws_route53_key_signing_key.this | resource |
| aws_route53_record.this | resource |
| aws_route53_vpc_association_authorization.this | resource |
| aws_route53_zone.this | resource |
| aws_route53_zone.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| comment | A comment for the hosted zone. Defaults to Managed by Terraform | string | null | no |
| create | Whether to create Route53 zone | bool | true | no |
| create_dnssec_kms_key | Whether to create a KMS key for DNSSEC signing | bool | true | no |
| create_zone | Determines whether to create the Route53 zone or lookup an existing zone | bool | true | no |
| delegation_set_id | The ID of the reusable delegation set whose NS records you want to assign to the hosted zone. Conflicts with vpc as delegation sets can only be used for public zones | string | null | no |
| dnssec_kms_key_aliases | A list of aliases to create. Note - due to the use of toset(), values must be static strings and not computed values | list(string) | [] | no |
| dnssec_kms_key_arn | The ARN of the KMS key to use for DNSSEC signing. Required when create_dnssec_kms_key is false | string | null | no |
| dnssec_kms_key_description | The description of the key as viewed in AWS console | string | "Route53 DNSSEC KMS Key" | no |
| dnssec_kms_key_tags | Additional tags to apply to the KMS key created for DNSSEC signing | map(string) | {} | no |
| enable_dnssec | Whether to enable DNSSEC for the Route53 zone | bool | false | no |
| force_destroy | Whether to destroy all records (possibly managed outside of Terraform) in the zone when destroying the zone | bool | null | no |
| name | This is the name of the hosted zone | string | "" | no |
| private_zone | Whether the hosted zone is private. Only applicable when create_zone = false | bool | false | no |
| records | A map of Route53 records to create in the zone. The key can be used as the subdomain name, or name can be used to specify the full name | map(object({ alias = optional(object({ evaluate_target_health = optional(bool, false), name = string, zone_id = string })), allow_overwrite = optional(bool), cidr_routing_policy = optional(object({ collection_id = string, location_name = string })), failover_routing_policy = optional(object({ type = string })), geolocation_routing_policy = optional(object({ continent = optional(string), country = optional(string), subdivision = optional(string) })), geoproximity_routing_policy = optional(object({ aws_region = optional(string), bias = optional(number), coordinates = optional(list(object({ latitude = number, longitude = number }))), local_zone_group = optional(string) })), health_check_id = optional(string), latency_routing_policy = optional(object({ region = string })), multivalue_answer_routing_policy = optional(bool), name = optional(string), full_name = optional(string), records = optional(list(string)), set_identifier = optional(string), ttl = optional(number), type = string, weighted_routing_policy = optional(object({ weight = number })), timeouts = optional(object({ create = optional(string), update = optional(string), delete = optional(string) })) })) | {} | no |
| tags | Tags added to all zones. Will take precedence over tags from the 'zones' variable | map(string) | {} | no |
| timeouts | Timeouts for the Route53 zone operations | object({ create = optional(string), update = optional(string), delete = optional(string) }) | null | no |
| vpc | Configuration block(s) specifying VPC(s) to associate with a private hosted zone. Conflicts with the delegation_set_id argument in this resource and any aws_route53_zone_association resource specifying the same zone ID | map(object({ vpc_id = string, vpc_region = optional(string) })) | null | no |
| vpc_association_authorizations | A map of VPC association authorizations to create for the Route53 zone | map(object({ vpc_id = string, vpc_region = optional(string) })) | null | no |
| vpc_id | The ID of the VPC associated with the existing hosted zone. Only applicable when create_zone = false | string | null | no |

Outputs

| Name | Description |
|------|-------------|
| arn | Zone ARN of Route53 zone |
| dnssec_kms_key_arn | The Amazon Resource Name (ARN) of the key |
| dnssec_kms_key_id | The globally unique identifier for the key |
| dnssec_kms_key_policy | The IAM resource policy set on the key |
| dnssec_kms_key_region | The region for the key |
| dnssec_signing_key_digest_value | A cryptographic digest of a DNSKEY resource record (RR). DNSKEY records are used to publish the public key that resolvers can use to verify DNSSEC signatures that are used to secure certain kinds of information provided by the DNS system |
| dnssec_signing_key_dnskey_record | A string that represents a DNSKEY record |
| dnssec_signing_key_ds_record | A string that represents a delegation signer (DS) record |
| dnssec_signing_key_id | Route 53 Hosted Zone identifier and KMS Key identifier, separated by a comma (,) |
| dnssec_signing_key_public_key | The public key, represented as a Base64 encoding, as required by RFC-4034 Page 5 |
| dnssec_signing_key_tag | An integer used to identify the DNSSEC record for the domain name. The process used to calculate the value is described in RFC-4034 Appendix B |
| id | Zone ID of Route53 zone |
| name | Name of Route53 zone |
| name_servers | Name servers of Route53 zone |
| primary_name_server | The Route 53 name server that created the SOA record. |
| records | Records created in the Route53 zone |

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.

Additional information for users from Russia and Belarus