This Terraform module manages a Route53 zone, optionally including the query log configuration, and the name server delegation record if it is a "subzone".

In order to support cross-account delegations, this module requires two `aws` providers. The default `aws` provider will manage the Route53 zone, and the aliased `aws.ns` provider, configured with credentials that can write to `ns_zone_id`, will manage the delegation records. You must pass both the `aws` and `aws.ns` providers even if you are not using the subzone delegation option, in which case you can simply pass the same provider to both `aws` and `aws.ns`.
In order to support cross-account private zone association, you need to call the submodule directly with `terraform apply -target module.vpc_association` and specify your provider configuration.
Manual testing:

```bash
# Replace "xxx" with an actual AWS profile, then execute the integration tests.
export AWS_PROFILE=xxx
make terraform/pytest PYTEST_ARGS="-v --nomock"
```

For automated testing, `PYTEST_ARGS` is optional and no profile is needed:

```bash
make mockstack/up
make terraform/pytest PYTEST_ARGS="-v"
make mockstack/clean
```
Name | Version |
---|---|
terraform | >= 0.15 |
aws | >= 3.0 |
No providers.
No resources.
Name | Description | Type | Default | Required |
---|---|---|---|---|
name | Name of the zone | string | n/a | yes |
create_route53_delegation | Controls whether to create Route53 delegation records in `ns_zone_id`. Provider `aws.ns` is used to create the records | bool | false | no |
create_route53_query_log | Controls whether to create a Route53 query log configuration | bool | false | no |
iam_role_arn_cloudwatch | IAM Role ARN for CloudWatch service permissions | string | null | no |
iam_role_arn_firehose | IAM Role ARN for Firehose service permissions | string | null | no |
ns_zone_id | Zone ID of the name server zone. Delegation records for the sub-zone will be created here. Provider `aws.ns` is used to create the records | string | null | no |
query_log_bucket | Sets the destination bucket for Route53 Query Logs delivered by Kinesis Firehose | string | null | no |
query_log_bucket_kms_key | ARN of the KMS Key ID or Alias associated with bucket encryption of `route53_query_log_bucket`. Required if the bucket is encrypted and `iam_role_arn_firehose` is null | string | null | no |
query_log_retention | Specifies the number of days you want to retain log events in the CloudWatch log group | number | 7 | no |
tags | A map of tags to add to the Route53 zone and other resources | map(string) | {} | no |
vpcs | List of VPC objects to associate with the Private Hosted Zone. NOTE: At least one VPC object is required to create a Private Hosted Zone | list(object({ | [] | no |
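The following is an added usage example, not code shipped with this module, showing how the two-provider requirement described at the top of this README and the inputs listed above fit together for a cross-account subzone with query logging enabled. The provider profile names, the module `source`, the zone ID, the bucket name and the KMS alias ARN are all placeholders to be replaced with your own values; whether `query_log_bucket` expects a bucket name or an ARN is not stated in the table above, so a name is assumed here.

```hcl
terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.0"
    }
  }
}

# Account that will own the new sub-zone (profile name is a placeholder).
provider "aws" {
  region  = "us-east-1"
  profile = "workload-account"
}

# Account that owns the parent zone where the NS delegation record is written.
# These credentials only need permission to change records in ns_zone_id.
provider "aws" {
  alias   = "ns"
  region  = "us-east-1"
  profile = "dns-account"
}

module "app_zone" {
  source = "path/to/this/module" # placeholder: replace with the module's real source

  # Both providers must always be passed; without delegation you would pass
  # `aws.ns = aws` instead.
  providers = {
    aws    = aws
    aws.ns = aws.ns
  }

  name = "app.example.com"

  # Create the NS delegation record in the parent zone (zone ID is a placeholder).
  create_route53_delegation = true
  ns_zone_id                = "Z0000000000000000000"

  # Deliver query logs via Kinesis Firehose to an existing, KMS-encrypted bucket
  # (bucket name and key alias ARN are placeholders). Because iam_role_arn_firehose
  # is left null, the KMS key must be given so the module-managed role can encrypt.
  create_route53_query_log = true
  query_log_bucket         = "my-route53-query-logs"
  query_log_bucket_kms_key = "arn:aws:kms:us-east-1:111111111111:alias/route53-logs"
  query_log_retention      = 30

  tags = {
    Environment = "prod"
    ManagedBy   = "terraform"
  }
}

# Expose the delegated zone's name servers for verification after apply.
output "app_zone_name_servers" {
  value = module.app_zone.name_servers
}
```

Keeping the `aws.ns` credentials scoped to record changes in the parent zone limits what a compromise of the workload account's pipeline can do to the rest of the DNS namespace, and enabling query logging gives the security team a record of lookups against the zone for detection and incident review.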
Name | Description |
---|---|
id | ID of the Route53 zone |
name | Name of the Route53 zone |
name_servers | List of name servers for the zone |