diff --git a/dns.tf b/dns.tf
index b4db1da..5a0ce71 100644
--- a/dns.tf
+++ b/dns.tf
@@ -1,27 +1,5 @@
-# TODO create NS and SOA records
-
-resource "aws_route53_zone" "apex" {
- name = "seagl.org"
-}
-
-resource "aws_ses_domain_identity" "seagl" {
- domain = "seagl.org"
-}
-
-# SPF
-resource "aws_route53_record" "route_53_root_txt" {
- zone_id = aws_route53_zone.apex.id
- name = ""
- type = "TXT"
- ttl = "300"
- records = [
- "v=spf1 include:_spf.google.com include:amazonses.com include:40081384.spf02.hubspotemail.net include:_spf.osuosl.org ~all",
- "google-site-verification=9Hrl69xXhSeoBOVlnmpOYOSS6fYeiuGehZjHlyPZx3g"
- ]
-}
-
 resource "aws_route53_record" "route_53_cloud_txt" {
- zone_id = aws_route53_zone.apex.id
+ zone_id = module.production_env.zone_id
 name = "cloud.seagl.org"
 type = "TXT"
 ttl = "300"
@@ -30,32 +8,12 @@ resource "aws_route53_record" "route_53_cloud_txt" {
 ]
 }
-# DKIM
-resource "aws_ses_domain_identity" "email_domain_identity" {
- domain = var.email_domain_name
-}
-
-resource "aws_ses_domain_dkim" "email_dkim" {
- domain = aws_ses_domain_identity.email_domain_identity.domain
-}
-
-resource "aws_route53_record" "email_dkim_records" {
- count = 3
- zone_id = aws_route53_zone.apex.id
- name = "${element(aws_ses_domain_dkim.email_dkim.dkim_tokens, count.index)}._domainkey.${var.email_domain_name}"
- type = "CNAME"
- ttl = "300"
- records = [
- "${element(aws_ses_domain_dkim.email_dkim.dkim_tokens, count.index)}.dkim.amazonses.com",
- ]
-}
-
 resource "aws_route53_record" "email_dkim_hubspot_records" {
 for_each = {
 "hs1-40081384" : "seagl-org.hs12a.dkim.hubspotemail.net",
 "hs2-40081384" : "seagl-org.hs12b.dkim.hubspotemail.net"
 }
- zone_id = aws_route53_zone.apex.id
+ zone_id = module.production_env.zone_id
 name = "${each.key}._domainkey.${var.email_domain_name}"
 type = "CNAME"
 ttl = "300"
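Review bot: `email_dkim_hubspot_records` now writes into `module.production_env.zone_id` but still derives its record name from `var.email_domain_name`, while the zone's name is the literal `seagl.org` that main.tf passes as `zone_name`; the two values can drift, and a name outside the zone only fails at apply time in Route 53 rather than in review. Since the module already exports `zone_id`, exporting the zone name beside it and writing `name = "${each.key}._domainkey.${module.production_env.zone_name}"` would leave a single source of truth for the domain. The resource's `records` block continues outside the hunk.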
@@ -64,32 +22,19 @@ resource "aws_route53_record" "email_dkim_hubspot_records" {
 ]
 }
-resource "aws_route53_record" "route_53_dmarc_txt" {
- zone_id = aws_route53_zone.apex.id
- name = "_dmarc.${var.email_domain_name}"
- type = "TXT"
- ttl = "300"
- records = [
- "v=DMARC1;p=quarantine;rua=mailto:dmarc-rpt@seagl.org"
- ]
+# TODO remove this; we do DKIM-based verification instead.
+resource "aws_ses_domain_identity" "email_domain_identity" {
+ domain = var.email_domain_name
 }
+# TODO remove this. It's unnecessary because the domain is verified.
+# It's still here only to make a refactoring `plan` clean.
 resource "aws_ses_email_identity" "email" {
 email = "sre@seagl.org"
 }
-resource "aws_route53_record" "dokku_wildcard" {
- zone_id = aws_route53_zone.apex.id
- name = "*.seagl.org"
- type = "CNAME"
- ttl = "300"
- records = [
- "dokku.seagl.org"
- ]
-}
-
 resource "aws_route53_record" "cloud-a" {
- zone_id = aws_route53_zone.apex.id
+ zone_id = module.production_env.zone_id
 name = "cloud.seagl.org"
 type = "A"
 ttl = "300"
@@ -99,7 +44,7 @@ resource "aws_route53_record" "cloud-a" {
 }
 resource "aws_route53_record" "cloud-aaaa" {
- zone_id = aws_route53_zone.apex.id
+ zone_id = module.production_env.zone_id
 name = "cloud.seagl.org"
 type = "AAAA"
 ttl = "300"
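Review bot: The retained `aws_ses_domain_identity.email_domain_identity` and the module's new `aws_ses_domain_identity.main` refer to the same SES identity whenever `var.email_domain_name` is `seagl.org` (inferred from main.tf passing that value as `zone_name`); SES keeps one identity per domain, so removing this resource the way the new TODO suggests would presumably issue a delete for the domain and take the module's identity, its DKIM tokens and SES sending down until the next apply recreates them. When the TODO is acted on, the resource should leave state without being destroyed, via `terraform state rm aws_ses_domain_identity.email_domain_identity` or, on Terraform 1.7+, a `removed` block with `lifecycle { destroy = false }`. The comment could say so now: `# TODO remove from state only (state rm / removed block, destroy = false); destroying it would delete the SES identity the env module also manages.`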
@@ -107,86 +52,3 @@ resource "aws_route53_record" "cloud-aaaa" {
 "2605:bc80:3010:104::8cd3:935"
 ]
 }
-
-resource "aws_route53_record" "mailu-test-a" {
- zone_id = aws_route53_zone.apex.id
- name = "mail.mail-test.seagl.org"
- type = "A"
- # TODO increase all these Mailu TTLs
- ttl = "300"
- records = [
- "140.211.167.146"
- ]
-}
-
-resource "aws_route53_record" "mailu-test-mx" {
- zone_id = aws_route53_zone.apex.id
- name = "mail-test.seagl.org"
- type = "MX"
- ttl = "300"
- records = [
- "10 mail.mail-test.seagl.org."
- ]
-}
-
-resource "aws_route53_record" "mailu-test-spf" {
- zone_id = aws_route53_zone.apex.id
- name = "mail-test.seagl.org"
- type = "TXT"
- ttl = "300"
- records = [
- # This diverges from Mailu's rec: they wanted to include a:mail.mail-test.seagl.org too
- "v=spf1 mx ~all"
- ]
-}
-
-resource "aws_route53_record" "mailu-test-autoconfig-srv" {
- # grep SRV | sed -e 's/ 600 IN SRV /": "/' -e 's/^/"/' -e 's/$/",/' -e 's/ mail.mail-test.seagl.org.//' -e 's/.mail-test.seagl.org.//'
- for_each = {
- "_imap._tcp" : "20 1 143",
- "_pop3._tcp" : "20 1 110",
- "_submission._tcp" : "20 1 587",
- "_autodiscover._tcp" : "10 1 443",
- "_submissions._tcp" : "10 1 465",
- "_imaps._tcp" : "10 1 993",
- "_pop3s._tcp" : "10 1 995"
- }
- zone_id = aws_route53_zone.apex.id
- name = "${each.key}.mail-test.seagl.org"
- type = "SRV"
- ttl = "300"
- records = [
- "${each.value} mail.mail-test.seagl.org."
- ]
-}
-
-resource "aws_route53_record" "mailu-test-autoconfig-cname" {
- zone_id = aws_route53_zone.apex.id
- name = "autoconfig.mail-test.seagl.org"
- type = "CNAME"
- ttl = "300"
- records = [
- "mail.mail-test.seagl.org."
- ]
-}
-
-resource "aws_route53_record" "mailu-test-dkim" {
- zone_id = aws_route53_zone.apex.id
- name = "dkim._domainkey.mail-test.seagl.org"
- type = "TXT"
- ttl = "300"
- records = [
- "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Jw/diiAFRmarcHsr/KkGvfr22CVA5xTJTWRInvKi2My7PbWjhLSGNx7XcJw1DCcfOGb1cdArjNmYDmmG6VRRTQjCr2RWBSihIRLodnc+KPeS2Xnipi0JdNg7CTCNVQfA+znlKoWqalTT0nKrlDf87vhLmltU4wOYnrmvtZvtHkdwd9GA7hxMdHu4LnW\"\"X2VK0itMcPCBqIUvyOSIHJ8c7i8VPmcV+G6VDquepNsmFN0zcvNXAosqaWOHCnzCGzvQiwm6Lbq4vMxUsU6BLUv1JiPq3zXtqQ4tp6VynpLIy5VaF4XI5fyibsKTPuzI0d58tuiCrgCCMy5T9BmkCnQAzQIDAQAB"
- ]
-}
-
-resource "aws_route53_record" "mailu-test-dmarc" {
- zone_id = aws_route53_zone.apex.id
- name = "_dmarc.mail-test.seagl.org"
- type = "TXT"
- ttl = "300"
- records = [
- # TODO this email doesn't seem to be created automatically
- "v=DMARC1; p=reject; rua=mailto:dmarc@mail-test.seagl.org; ruf=mailto:dmarc@mail-test.seagl.org; adkim=s; aspf=s"
- ]
-}
diff --git a/env/dns.tf b/env/dns.tf
new file mode 100644
index 0000000..2095062
--- /dev/null
+++ b/env/dns.tf
@@ -0,0 +1,149 @@
+# TODO create NS and SOA records
+
+resource "aws_route53_zone" "apex" {
+ name = var.zone_name
+}
+
+resource "aws_route53_record" "delegation-ns" {
+ count = var.attach_to_zone != null ? 1 : 0
+ zone_id = var.attach_to_zone.zone_id
+ name = aws_route53_zone.apex.name
+ type = "NS"
+ ttl = "300"
+ records = aws_route53_zone.apex.name_servers
+}
+
+resource "aws_ses_domain_identity" "main" {
+ domain = var.zone_name
+}
+
+# SPF
+resource "aws_route53_record" "route_53_root_txt" {
+ zone_id = aws_route53_zone.apex.id
+ name = ""
+ type = "TXT"
+ ttl = "300"
+ records = concat([
+ "v=spf1 include:_spf.google.com include:amazonses.com include:40081384.spf02.hubspotemail.net include:_spf.osuosl.org ~all",
+ ], var.additional_root_txts)
+}
+
+# DKIM
+resource "aws_ses_domain_dkim" "email_dkim" {
+ domain = aws_ses_domain_identity.main.domain
+}
+
+resource "aws_route53_record" "email_dkim_records" {
+ count = 3
+ zone_id = aws_route53_zone.apex.id
+ name = "${element(aws_ses_domain_dkim.email_dkim.dkim_tokens, count.index)}._domainkey.${var.zone_name}"
+ type = "CNAME"
+ ttl = "300"
+ records = [
+ "${element(aws_ses_domain_dkim.email_dkim.dkim_tokens, count.index)}.dkim.amazonses.com",
+ ]
+}
+
+resource "aws_route53_record" "route_53_dmarc_txt" {
+ zone_id = aws_route53_zone.apex.id
+ name = "_dmarc.${var.zone_name}"
+ type = "TXT"
+ ttl = "300"
+ records = [
+ "v=DMARC1;p=quarantine;rua=mailto:dmarc-rpt@${var.zone_name}"
+ ]
+}
+
+resource "aws_route53_record" "dokku_wildcard" {
+ zone_id = aws_route53_zone.apex.id
+ name = "*.${var.zone_name}"
+ type = "CNAME"
+ ttl = "300"
+ records = [
+ "dokku.${var.zone_name}"
+ ]
+}
+
+resource "aws_route53_record" "mailu-test-a" {
+ zone_id = aws_route53_zone.apex.id
+ name = "mail.mail-test.${var.zone_name}"
+ type = "A"
+ # TODO increase all these Mailu TTLs
+ ttl = "300"
+ records = [
+ "140.211.167.146"
+ ]
+}
+
+resource "aws_route53_record" "mailu-test-mx" {
+ zone_id = aws_route53_zone.apex.id
+ name = "mail-test.${var.zone_name}"
+ type = "MX"
+ ttl = "300"
+ records = [
+ "10 mail.mail-test.${var.zone_name}."
+ ]
+}
+
+resource "aws_route53_record" "mailu-test-spf" {
+ zone_id = aws_route53_zone.apex.id
+ name = "mail-test.${var.zone_name}"
+ type = "TXT"
+ ttl = "300"
+ records = [
+ # This diverges from Mailu's rec: they wanted to include a:mail.mail-test.seagl.org too
+ "v=spf1 mx ~all"
+ ]
+}
+
+resource "aws_route53_record" "mailu-test-autoconfig-srv" {
+ # grep SRV | sed -e 's/ 600 IN SRV /": "/' -e 's/^/"/' -e 's/$/",/' -e 's/ mail.mail-test.seagl.org.//' -e 's/.mail-test.seagl.org.//'
+ for_each = {
+ "_imap._tcp" : "20 1 143",
+ "_pop3._tcp" : "20 1 110",
+ "_submission._tcp" : "20 1 587",
+ "_autodiscover._tcp" : "10 1 443",
+ "_submissions._tcp" : "10 1 465",
+ "_imaps._tcp" : "10 1 993",
+ "_pop3s._tcp" : "10 1 995"
+ }
+ zone_id = aws_route53_zone.apex.id
+ name = "${each.key}.mail-test.${var.zone_name}"
+ type = "SRV"
+ ttl = "300"
+ records = [
+ "${each.value} mail.mail-test.${var.zone_name}."
+ ]
+}
+
+resource "aws_route53_record" "mailu-test-autoconfig-cname" {
+ zone_id = aws_route53_zone.apex.id
+ name = "autoconfig.mail-test.${var.zone_name}"
+ type = "CNAME"
+ ttl = "300"
+ records = [
+ "mail.mail-test.${var.zone_name}."
+ ]
+}
+
+resource "aws_route53_record" "mailu-test-dkim" {
+ zone_id = aws_route53_zone.apex.id
+ name = "dkim._domainkey.mail-test.${var.zone_name}"
+ type = "TXT"
+ ttl = "300"
+ records = [
+ # TODO parameterize this
+ "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Jw/diiAFRmarcHsr/KkGvfr22CVA5xTJTWRInvKi2My7PbWjhLSGNx7XcJw1DCcfOGb1cdArjNmYDmmG6VRRTQjCr2RWBSihIRLodnc+KPeS2Xnipi0JdNg7CTCNVQfA+znlKoWqalTT0nKrlDf87vhLmltU4wOYnrmvtZvtHkdwd9GA7hxMdHu4LnW\"\"X2VK0itMcPCBqIUvyOSIHJ8c7i8VPmcV+G6VDquepNsmFN0zcvNXAosqaWOHCnzCGzvQiwm6Lbq4vMxUsU6BLUv1JiPq3zXtqQ4tp6VynpLIy5VaF4XI5fyibsKTPuzI0d58tuiCrgCCMy5T9BmkCnQAzQIDAQAB"
+ ]
+}
+
+resource "aws_route53_record" "mailu-test-dmarc" {
+ zone_id = aws_route53_zone.apex.id
+ name = "_dmarc.mail-test.${var.zone_name}"
+ type = "TXT"
+ ttl = "300"
+ records = [
+ # TODO this email doesn't seem to be created automatically
+ "v=DMARC1; p=reject; rua=mailto:dmarc@mail-test.${var.zone_name}; ruf=mailto:dmarc@mail-test.${var.zone_name}; adkim=s; aspf=s"
+ ]
+}
diff --git a/mailu.tf b/env/mailu.tf
similarity index 73%
rename from mailu.tf
rename to env/mailu.tf
index a60394e..dde00be 100644
--- a/mailu.tf
+++ b/env/mailu.tf
@@ -1,9 +1,9 @@
 module "mailu-vm" {
- source = "./simple_vm"
+ source = "../simple_vm"
 name = "mailu"
 ports = [22, 25, 80, 110, 143, 443, 465, 587, 993, 995]
 instance_type = "m1.medium"
 network = "general_servers2"
 disk_size = 30
- dns_zone = aws_route53_zone.apex
+ dns_zone = aws_route53_zone.apex
 }
diff --git a/nextcloud-office.tf b/env/nextcloud-office.tf
similarity index 90%
rename from nextcloud-office.tf
rename to env/nextcloud-office.tf
index d29d63e..fded963 100644
--- a/nextcloud-office.tf
+++ b/env/nextcloud-office.tf
@@ -1,5 +1,5 @@
 module "nc-office-vm" {
- source = "./simple_vm"
+ source = "../simple_vm"
 name = "nc-office"
 ports = [22, 80, 443]
 instance_type = "m1.small"
diff --git a/env/outputs.tf b/env/outputs.tf
new file mode 100644
index 0000000..74fc9ad
--- /dev/null
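Review bot: `route_53_root_txt` publishes, for whatever `var.zone_name` the module is instantiated with, an SPF record that authorizes Google, SES, HubSpot and OSUOSL to send mail as that zone, and only the extra TXT strings are parameterized; `mailu-test-a` likewise pins `140.211.167.146` and `mailu-test-dkim` a fixed public key, so a second environment built from this module would advertise third-party senders and a signing key it does not control. Taking the `include:` mechanisms from a list variable that defaults to the current four keeps the production string byte-identical while letting other zones publish a narrower policy, e.g. `records = concat(["v=spf1 ${join(" ", var.spf_includes)} ~all"], var.additional_root_txts)`; the Mailu address and DKIM key deserve the treatment the `# TODO parameterize this` comment already asks for. The `# TODO create NS and SOA records` at the top also reads as stale now that `delegation-ns` creates the NS delegation whenever `attach_to_zone` is set.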
+++ b/env/outputs.tf
@@ -0,0 +1,3 @@
+output "zone_id" {
+ value = aws_route53_zone.apex.id
+}
diff --git a/env/variables.tf b/env/variables.tf
new file mode 100644
index 0000000..8bf5fcb
--- /dev/null
+++ b/env/variables.tf
@@ -0,0 +1,17 @@
+variable "zone_name" {
+ description = "FQDN that will be suffixed to all hosts in the environment"
+ type = string
+}
+
+variable "attach_to_zone" {
+ description = "Route 53 zone object to attach (via NS record) the environment's zone to"
+ default = null
+ type = object({
+ zone_id = string
+ })
+}
+
+variable "additional_root_txts" {
+ description = "Additional TXT records to publish at the root of the zone"
+ type = list(string)
+}
diff --git a/imports.tf b/imports.tf
deleted file mode 100644
index 2403315..0000000
--- a/imports.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-import {
- to = aws_route53_zone.apex
- id = "Z0173878287JIU5M4KB8R"
-}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..42c87fc
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,7 @@
+module "production_env" {
+ source = "./env"
+ zone_name = "seagl.org"
+ additional_root_txts = [
+ "google-site-verification=9Hrl69xXhSeoBOVlnmpOYOSS6fYeiuGehZjHlyPZx3g"
+ ]
+}
diff --git a/moved.tf b/moved.tf
index 74a76de..9c06091 100644
--- a/moved.tf
+++ b/moved.tf
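Review bot: `additional_root_txts` has no `default`, so every instantiation of `env` must pass it even when the zone needs no extra TXT strings, unlike `attach_to_zone` which defaults to `null`; adding `default = []` keeps the `concat` in env/dns.tf valid for such environments and leaves main.tf's explicit list unchanged. The description should also say that the values become additional strings of the apex TXT record next to the SPF string, because a caller that passes its own `v=spf1` string would silently produce two SPF records, which receivers treat as a permanent SPF error for the whole zone.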
@@ -97,3 +97,82 @@ moved {
 to = module.nc-office-vm.openstack_compute_instance_v2.instance
 }
+moved {
+ from = aws_route53_zone.apex
+ to = module.production_env.aws_route53_zone.apex
+}
+
+moved {
+ from = aws_ses_domain_identity.seagl
+ to = module.production_env.aws_ses_domain_identity.main
+}
+
+moved {
+ from = aws_route53_record.route_53_root_txt
+ to = module.production_env.aws_route53_record.route_53_root_txt
+}
+
+moved {
+ from = aws_ses_domain_dkim.email_dkim
+ to = module.production_env.aws_ses_domain_dkim.email_dkim
+}
+
+moved {
+ from = aws_route53_record.email_dkim_records
+ to = module.production_env.aws_route53_record.email_dkim_records
+}
+
+moved {
+ from = aws_route53_record.route_53_dmarc_txt
+ to = module.production_env.aws_route53_record.route_53_dmarc_txt
+}
+
+moved {
+ from = aws_route53_record.dokku_wildcard
+ to = module.production_env.aws_route53_record.dokku_wildcard
+}
+
+moved {
+ from = aws_route53_record.mailu-test-a
+ to = module.production_env.aws_route53_record.mailu-test-a
+}
+
+moved {
+ from = aws_route53_record.mailu-test-mx
+ to = module.production_env.aws_route53_record.mailu-test-mx
+}
+
+moved {
+ from = aws_route53_record.mailu-test-spf
+ to = module.production_env.aws_route53_record.mailu-test-spf
+}
+
+moved {
+ from = aws_route53_record.mailu-test-autoconfig-srv
+ to = module.production_env.aws_route53_record.mailu-test-autoconfig-srv
+}
+
+moved {
+ from = aws_route53_record.mailu-test-autoconfig-cname
+ to = module.production_env.aws_route53_record.mailu-test-autoconfig-cname
+}
+
+moved {
+ from = aws_route53_record.mailu-test-dkim
+ to = module.production_env.aws_route53_record.mailu-test-dkim
+}
+
+moved {
+ from = aws_route53_record.mailu-test-dmarc
+ to = module.production_env.aws_route53_record.mailu-test-dmarc
+}
+
+moved {
+ from = module.mailu-vm
+ to = module.production_env.module.mailu-vm
+}
+
+moved {
+ from = module.nc-office-vm
+ to = module.production_env.module.nc-office-vm
+}
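Review bot: The `moved` block for `aws_ses_domain_dkim.email_dkim` only preserves the existing DKIM tokens if `var.email_domain_name`, which fed the old `domain` through `email_domain_identity`, equals the `seagl.org` the module receives as `zone_name`; otherwise the new `domain = aws_ses_domain_identity.main.domain` would presumably force a replacement that rotates the three `_domainkey` CNAMEs in `email_dkim_records` and breaks SES signing until resolvers see the new records. Worth confirming the plan shows no replacement for those two resources before applying, and recording the assumption on the block: `# no-op only while email_domain_name == zone_name; a domain change here rotates the DKIM tokens`. The mapping otherwise covers every resource the module now declares except the new `delegation-ns`, which has no prior state to move.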