Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow Route53 DNSSEC Signing #1976

Open
1 task done
rvgate opened this issue Feb 14, 2024 · 4 comments · May be fixed by #2412 or #2421
Open
1 task done

Allow Route53 DNSSEC Signing #1976

rvgate opened this issue Feb 14, 2024 · 4 comments · May be fixed by #2412 or #2421
Labels
feature This issue/PR relates to a feature request jira

Comments

@rvgate
Copy link

rvgate commented Feb 14, 2024

Summary

Route53 allows enabling DNSSEC keys on registered domain, and also enable DNSSEC signing per hosted zone. It would be amazing if this was configurable through Ansible as well.

It would probably be a combination of using kms module to create the key and then applying it to the zone.

kms_key: seems to be missing the action GetPublicKey to configure this correctly
route53_zone: allow DNSSEC to be enabled, referring to a key

the final step would be to enable the trust chain somehow, which is configured at the "Registered domains" section within AWS. I dont think there is currently an Ansible module for that.

Issue Type

Feature Idea

Component Name

route53_zone, route53, kms_key

Additional Information

The feature would combine multiple modules to fully enable DNSSEC signing for a domain.

Step 1)
Configure an KMS key using the kms_key module, ending up with the required policy (principal/serviceaccount masked):

{
    "Version": "2012-10-17",
    "Id": "dnssec-policy",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXX:YYY"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow Route 53 DNSSEC Service",
            "Effect": "Allow",
            "Principal": {
                "Service": "dnssec-route53.amazonaws.com"
            },
            "Action": [
                "kms:DescribeKey",
                "kms:GetPublicKey",
                "kms:Sign"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "XXX"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:route53:::hostedzone/*"
                }
            }
        },
        {
            "Sid": "Allow Route 53 DNSSEC to CreateGrant",
            "Effect": "Allow",
            "Principal": {
                "Service": "dnssec-route53.amazonaws.com"
            },
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

Step 2)
Configure the hosted zone, enabling DNSSEC signing:

- name: create hosted zone
  amazon.aws.route53_zone:
    access_key: "{{ aws.access_key_id }}"
    aws_secret_access_key: "{{ aws.secret_access_key }}"
    zone: mydomain.com
    dnssec:
      enabled: yes
      ksk_name: "{{ ksk.name }}"
      signing_key: "{{ kms.arn }}"

Step 3)
Establish a chain of trust for the domain (i dont think there is a module currently available that does anything related to TLD requests)

- name: update chain
  amazon.aws.??????:
    access_key: "{{ aws.access_key_id }}"
    aws_secret_access_key: "{{ aws.secret_access_key }}"
    domain: mydomain.com
    dnssec_keys:
        - tag: 12345
          key_type:  "{{ kms.type }}"
          algorithm: "{{ kms.algorithm }}"
          public_key: "{{ kms.public_key }}"

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@hakbailey
Copy link
Contributor

@rvgate Thanks for the feature idea! Is this something you'd be willing to open a pull request for?

@hakbailey hakbailey added the waiting_on_contributor Needs help. Feel free to engage to get things unblocked label Feb 20, 2024
@rvgate
Copy link
Author

rvgate commented Feb 25, 2024

@hakbailey Personally I never touched these modules so would have no idea what the best way is to implement these features. Not sure if I'm the right person to make a PR on this request.

@hakbailey
Copy link
Contributor

@rvgate No problem, thanks for letting us know. We can add this to our backlog.

@hakbailey hakbailey added jira feature This issue/PR relates to a feature request and removed needs_triage labels Feb 27, 2024
@GomathiselviS GomathiselviS removed the waiting_on_contributor Needs help. Feel free to engage to get things unblocked label May 20, 2024
@alinabuzachis alinabuzachis linked a pull request Dec 4, 2024 that will close this issue
@alinabuzachis
Copy link
Collaborator

@rvgate Hi, I created this PR #2412 for the scenario you've mentions. Can you please give it a try and let me know?

Enabling DNSSEC for a route53 hosted zone will look like:

   - name: Create a KMS key
      amazon.aws.kms_key:
        alias: "{{ resource_prefix }}-kms-route53"
        policy: "{{ lookup('template', 'kms_policy.j2') }}"
        state: present
        enabled: true
        customer_master_key_spec: "ECC_NIST_P256"
        key_usage: "SIGN_VERIFY"
      register: kms_key

    - name: Create a Route53 public zone
      amazon.aws.route53_zone:
        zone: "{{ resource_prefix }}.public"
        comment: "Route53 Zone for KSK Testing"
        state: present
      register: _hosted_zone

    - name: Create a Key Signing Key request
      amazon.aws.route53_ksk:
        name: "{{ resource_prefix }}-ksk"
        hosted_zone_id: "{{ _hosted_zone.zone_id }}"
        key_management_service_arn: "{{ kms_key.key_arn }}"
        caller_reference: "{{ aws_caller_info.arn }}"
        status: "ACTIVE"
        state: present
      register: _ksk_request

    - name: Enable DNSSEC for Route53 public zone
      amazon.aws.route53_zone:
        zone: "{{ resource_prefix }}.public"
        state: present
        dnssec: true
      register: _hosted_zone_dnssec

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature This issue/PR relates to a feature request jira
Projects
None yet
4 participants