Guillaume Coré
2018-11-16 6708f66973ceedbb0ac265768679476f892503e4
Cloudformation common template: add delegation public subzone

Let the user control their subzone, for example:

guid.example.opentlc.com

The stack output now contains the IAM user to control the subzone.
2 files modified
83 ■■■■■ changed files
ansible/roles/infra-ec2-template-generate/defaults/main.yml 3 ●●●●● patch | view | raw | blame | history
ansible/roles/infra-ec2-template-generate/templates/cloud_template.j2 80 ●●●●● patch | view | raw | blame | history
ansible/roles/infra-ec2-template-generate/defaults/main.yml
@@ -71,6 +71,9 @@
aws_dns_zone_private: "{{ guid }}.internal."
aws_dns_zone_private_chomped: "{{ guid }}.internal"
# Public DNS Zone dedicated to the environment
aws_dns_zone_public: "{{ guid }}.{{ aws_dns_zone_root }}"
aws_dns_ttl_public: 900
aws_dns_ttl_private: 3600
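Review bot: The new `aws_dns_zone_public` is built from `aws_dns_zone_root` without stating whether the result carries a trailing dot, while the private zone just above is deliberately defined twice (`aws_dns_zone_private` with the dot, `aws_dns_zone_private_chomped` without) for consumers that need either form. If `aws_dns_zone_root` ends with a dot — which the template's `HostedZoneName: "{{ aws_dns_zone_root }}"` usage presumably requires for Route53 — a matching `aws_dns_zone_public_chomped: "{{ guid }}.{{ aws_dns_zone_root | regex_replace('\\.$', '') }}"` would keep the two zones symmetric and spare callers from stripping it themselves. At minimum the comment should say so, e.g. `# Public DNS Zone dedicated to the environment (FQDN form, trailing dot inherited from aws_dns_zone_root)`.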
ansible/roles/infra-ec2-template-generate/templates/cloud_template.j2
@@ -122,6 +122,27 @@
      HostedZoneConfig:
        Comment: "{{ aws_comment }}"
  DnsZonePublic:
    Type: "AWS::Route53::HostedZone"
    Properties:
      Name: "{{ aws_dns_zone_public }}"
      HostedZoneConfig:
        Comment: "{{ aws_comment }}"
  DnsPublicDelegation:
    Type: "AWS::Route53::RecordSetGroup"
    DependsOn:
      - DnsZonePublic
    Properties:
      HostedZoneName: "{{ aws_dns_zone_root }}"
      RecordSets:
        - Name: "{{ aws_dns_zone_public }}"
          Type: NS
          TTL: {{ aws_dns_ttl_public }}
          ResourceRecords:
            "Fn::GetAtt":
              - DnsZonePublic
              - NameServers
{% for instance in instances %}
{% if instance['dns_loadbalancer'] | d(false) | bool
@@ -136,9 +157,10 @@
      {% endif %}
    {% endfor %}
    Properties:
      HostedZoneName: {{ aws_dns_zone_root }}
      HostedZoneId:
        Ref: DnsZonePublic
      RecordSets:
      - Name: "{{instance['name']}}.{{ guid }}.{{ aws_dns_zone_root }}"
      - Name: "{{instance['name']}}.{{ aws_dns_zone_public }}"
        Type: A
        TTL: {{ aws_dns_ttl_public }}
        ResourceRecords:
@@ -249,7 +271,8 @@
    DependsOn:
      - {{instance['name']}}{{loop.index}}EIP
    Properties:
      HostedZoneName: "{{ aws_dns_zone_root }}"
      HostedZoneId:
        Ref: DnsZonePublic
      RecordSets:
      {% if instance['unique'] | d(false) | bool %}
        - Name: "{{instance['name']}}.{{subdomain_base}}."
@@ -266,8 +289,59 @@
{% endfor %}
{% endfor %}
  Route53User:
    Type: AWS::IAM::User
    Properties:
      Policies:
        - PolicyName: Route53Access
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action: route53:GetHostedZone
                Resource: arn:aws:route53:::change/*
              - Effect: Allow
                Action: route53:ListHostedZones
                Resource: "*"
              - Effect: Allow
                Action:
                  - route53:ChangeResourceRecordSets
                  - route53:ListResourceRecordSets
                  - route53:GetHostedZone
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:aws:route53:::hostedzone/"
                      - Ref: DnsZonePublic
              - Effect: Allow
                Action: route53:GetChange
                Resource: arn:aws:route53:::change/*
  Route53UserAccessKey:
      DependsOn: Route53User
      Type: AWS::IAM::AccessKey
      Properties:
        UserName:
          Ref: Route53User
Outputs:
  Route53internalzoneOutput:
    Description: The ID of the internal route 53 zone
    Value:
      Ref: DnsZonePrivate
  Route53User:
    Value:
      Ref: Route53User
    Description: IAM User for Route53 (Let's Encrypt)
  Route53UserAccessKey:
    Value:
      Ref: Route53UserAccessKey
    Description: IAM User for Route53 (Let's Encrypt)
  Route53UserSecretAccessKey:
    Value:
      Fn::GetAtt:
        - Route53UserAccessKey
        - SecretAccessKey
    Description: IAM User for Route53 (Let's Encrypt)
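Review bot: The `Route53UserSecretAccessKey` output at the end of the Outputs hunk exposes the IAM secret through `Fn::GetAtt: [Route53UserAccessKey, SecretAccessKey]`, and stack outputs have no NoEcho equivalent, so anyone allowed `cloudformation:DescribeStacks` on the stack (console, CLI, CI logs that print outputs) can read a long-lived credential that the IAM policy itself scopes tightly. Consider writing the key pair into an `AWS::SecretsManager::Secret` and outputting only that secret's ARN, or at minimum make the description state that the value is a credential so operators restrict who can describe the stack. In the Route53Access policy, the first statement grants `route53:GetHostedZone` on `arn:aws:route53:::change/*`, which is a change ARN rather than the hostedzone ARN that GetHostedZone requests are authorized against, so it appears to be a dead statement; the same action is already granted correctly on the delegated zone ARN in the third statement, so the first three lines of the `Statement:` list can be dropped. The `PolicyDocument` also has no `Version` key, so IAM evaluates it under the legacy 2008-10-17 default; add `Version: "2012-10-17"` directly above `Statement:`. Finally, the three new output descriptions all read `IAM User for Route53 (Let's Encrypt)` including the access key ID and secret ones, so each should describe its own value (e.g. `Description: Access key ID for the Route53 IAM user`), and the `Route53UserAccessKey` resource is indented two columns deeper than its siblings, which is valid YAML but inconsistent with the rest of the Resources mapping, whose opening lies outside this hunk.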