From e9868e47504c48c7696df4936240d53836b1559d Mon Sep 17 00:00:00 2001 From: Sven Kirschbaum Date: Sat, 16 Mar 2024 18:32:32 +0100 Subject: [PATCH] chore: Refactor DNS Stack --- bin/dns.ts | 15 - lib/constructs/CommonRecords.ts | 109 ++++--- lib/constructs/constants.ts | 101 ++++++ lib/dns-stack.ts | 540 ++++++++------------------------ 4 files changed, 293 insertions(+), 472 deletions(-) create mode 100644 lib/constructs/constants.ts diff --git a/bin/dns.ts b/bin/dns.ts index b705af0..9e5e882 100644 --- a/bin/dns.ts +++ b/bin/dns.ts @@ -5,20 +5,5 @@ import {dnsAccountEnv} from "./constants"; const app = new cdk.App(); new DNSStack(app, 'DNSStack', { - // WARNING: The Zones have been manually created with a reusable delegation set. - // Further zones should follow the same procedure, to use the same white-label nameservers. - // The create-hosted-zone script can be used to create a new zone, and the update-default-records - // script can be used to update the SOA and NS records. - domains: [ - 'elite12.de', - 'kirschbaum.me', - 'kirschbaum.cloud', - 'bund-von-theramore.de', - 'theramo.re', - 'markus-dope.de', - 'grillteller42.de', - 'trigardon-rg.de', - 'westerwald-esport.de', - ], env: dnsAccountEnv }) \ No newline at end of file diff --git a/lib/constructs/CommonRecords.ts b/lib/constructs/CommonRecords.ts index 14d22e5..e177081 100644 --- a/lib/constructs/CommonRecords.ts +++ b/lib/constructs/CommonRecords.ts 
@@ -9,86 +9,58 @@ import { RecordTarget, TxtRecord } from "aws-cdk-lib/aws-route53"; +import { + DEFAULT_TTL, HOSTS, LONG_TTL, +} from "./constants"; import {Duration} from "aws-cdk-lib"; -export const DEFAULT_TTL = Duration.hours(1); - -/** - * @Deprecated - */ -export const E12_OLD_SERVER_IPV4 = "89.58.11.239"; -/** - * @Deprecated - */ -export const E12_OLD_SERVER_IPV6 = "2a03:4000:5f:ba0::1"; - -export const MAIN_01_NUE_NC_IPV4 = "89.58.34.152"; - -export const MAIN_01_NUE_NC_IPV6 = "2a03:4000:64:95::1"; -export const E12_MONITORING_IPV4 = "152.53.19.135"; -export const E12_MONITORING_IPV6 = "2a0a:4cc0:1:11b6::1"; - export interface CommonRecordProps { zone: IHostedZone, + ttl?: Duration } export interface NameableCommonRecordProps extends CommonRecordProps { name?: string } -export class E12MainRecord extends Construct { - constructor(scope: Construct, id: string, props: NameableCommonRecordProps) { - super(scope, id); - - new ARecord(this, 'ARecord', { - zone: props.zone, - ttl: DEFAULT_TTL, - recordName: props.name, - target: RecordTarget.fromIpAddresses(MAIN_01_NUE_NC_IPV4), - }); - new AaaaRecord(this, 'AAAARecord', { - zone: props.zone, - ttl: DEFAULT_TTL, - recordName: props.name, - target: RecordTarget.fromIpAddresses(MAIN_01_NUE_NC_IPV6), - }); - } +export interface HostRecordProps extends NameableCommonRecordProps { + host: string } -export class E12MonitoringRecord extends Construct { +export class HostRecord extends Construct { - constructor(scope: Construct, id: string, props: NameableCommonRecordProps) { + constructor(scope: Construct, id: string, props: HostRecordProps) { super(scope, id); new ARecord(this, 'ARecord', { zone: props.zone, - ttl: DEFAULT_TTL, + ttl: props.ttl ?? DEFAULT_TTL, recordName: props.name, - target: RecordTarget.fromIpAddresses(E12_MONITORING_IPV4), + target: RecordTarget.fromIpAddresses(HOSTS[props.host].V4), }); new AaaaRecord(this, 'AAAARecord', { zone: props.zone, - ttl: DEFAULT_TTL, + ttl: props.ttl ?? 
DEFAULT_TTL, recordName: props.name, - target: RecordTarget.fromIpAddresses(E12_MONITORING_IPV6), + target: RecordTarget.fromIpAddresses(HOSTS[props.host].V6), }); } } -export class LetsencryptCAARecord extends Construct { +export class DefaultCAARecord extends Construct { constructor(scope: Construct, id: string, props: NameableCommonRecordProps) { super(scope, id); new CaaRecord(this, 'CAA', { zone: props.zone, - ttl: DEFAULT_TTL, + ttl: props.ttl ?? LONG_TTL, recordName: props.name, values: [ { tag: CaaTag.IODEF, flag: 0, - value: 'mailto:caa@kirschbaum.me' + value: 'mailto:caa@elite12.de' }, { tag: CaaTag.ISSUE, @@ -99,6 +71,16 @@ export class LetsencryptCAARecord extends Construct { tag: CaaTag.ISSUEWILD, flag: 0, value: 'letsencrypt.org' + }, + { + tag: CaaTag.ISSUE, + flag: 0, + value: 'amazonaws.com' + }, + { + tag: CaaTag.ISSUEWILD, + flag: 0, + value: 'amazonaws.com' } ] }); @@ -115,7 +97,7 @@ export class GoogleMailRecords extends Construct { new MxRecord(this, 'MXRecord', { zone: props.zone, - ttl: DEFAULT_TTL, + ttl: props.ttl ?? DEFAULT_TTL, values: [ { priority: 1, @@ -144,7 +126,7 @@ export class GoogleMailRecords extends Construct { for (let domainKeyName in props.domainKeys) { new TxtRecord(this, `DomainKey-${domainKeyName}`, { zone: props.zone, - ttl: DEFAULT_TTL, + ttl: props.ttl ?? DEFAULT_TTL, recordName: `${domainKeyName}._domainkey`, values: [ props.domainKeys[domainKeyName] @@ -155,7 +137,7 @@ export class GoogleMailRecords extends Construct { new TxtRecord(this, `SPFRecord`, { zone: props.zone, - ttl: DEFAULT_TTL, + ttl: props.ttl ?? DEFAULT_TTL, values: [ `v=spf1 include:_spf.google.com ~all` ] @@ -163,7 +145,7 @@ export class GoogleMailRecords extends Construct { new TxtRecord(this, `DMARCRecord`, { zone: props.zone, - ttl: DEFAULT_TTL, + ttl: props.ttl ?? DEFAULT_TTL, recordName: '_dmarc', values: [ 'v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:mailauth-reports-rua@elite12.de' 
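Review bot: `HOSTS[props.host].V4` in the new HostRecord constructor is indexed with a plain `host: string`, and HOSTS is declared in this patch with a string index signature, so a mistyped host name is not a compile error; the lookup yields undefined and the constructor throws a TypeError on `.V4` during synth. Typing the prop as `host: keyof typeof HOSTS` in HostRecordProps turns that into a compile-time check, which works once HOSTS is declared without the index signature (see the constants.ts hunk). The same applies to the `.V6` lookup a few lines further down.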
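Review bot: The added `amazonaws.com` ISSUE and ISSUEWILD entries (together with the IODEF change to `mailto:caa@elite12.de` in the previous hunk) widen the CAA policy of every zone that uses DefaultCAARecord, which after this patch is every domain with `defaultRecords: true`; before this change only westerwald-esport.de authorised amazonaws.com and the other zones were limited to letsencrypt.org. That is an effective policy change hidden in a commit titled "chore", so it should at least be stated in the commit message. If some zones are not meant to use ACM, an optional `issuers?: string[]` prop on DefaultCAARecord defaulting to the current list would keep the narrower set available. DefaultCAARecord's constructor begins in the previous hunk.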
@@ -171,3 +153,36 @@ export class GoogleMailRecords extends Construct { }); } } + +interface DefaultDomainRecordsProps extends CommonRecordProps, GoogleMailRecordProps { + +} + +export class DefaultDomainRecords extends Construct { + + constructor(scope: Construct, id: string, props: DefaultDomainRecordsProps) { + super(scope, id); + + new HostRecord(this, 'Root', { + zone: props.zone, + host: 'main-01-nue-nc' + }); + + new HostRecord(this, 'Wildcard', { + zone: props.zone, + host: 'main-01-nue-nc', + name: '*' + }); + + new DefaultCAARecord(this, 'CAA', { + zone: props.zone + }); + + if(props.domainKeys) { + new GoogleMailRecords(this, 'Mail', { + zone: props.zone, + domainKeys: props.domainKeys + }); + } + } +} \ No newline at end of file diff --git a/lib/constructs/constants.ts b/lib/constructs/constants.ts new file mode 100644 index 0000000..51443be --- /dev/null +++ b/lib/constructs/constants.ts 
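Review bot: DefaultDomainRecords inherits `ttl?` from CommonRecordProps but never forwards it: the two HostRecord instances, the DefaultCAARecord and the GoogleMailRecords are all constructed without `ttl`, so a caller-supplied value is silently ignored. Add `ttl: props.ttl,` to each of the four inner constructs (the `??` defaults inside them already handle undefined). The host literal `'main-01-nue-nc'` is repeated twice; a local `const host = 'main-01-nue-nc';` would keep the root and wildcard records from drifting apart.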
@@ -0,0 +1,101 @@ +import {Duration} from "aws-cdk-lib"; + +export const DEFAULT_TTL = Duration.hours(1); +export const LONG_TTL = Duration.days(2); + +interface HostProperties { + V4: string; + V6: string; +} + +export const HOSTS: {[key: string]: HostProperties} = { + 'main-01-nue-nc': { + V4: "89.58.34.152", + V6: "2a03:4000:64:95::1" + }, + 'obs-01-vie-nc': { + V4: "152.53.19.135", + V6: "2a0a:4cc0:1:11b6::1" + }, + 'gw-01-nue-nc': { + V4: "188.68.49.21", + V6: "2a03:4000:6:d0e1::1" + }, + // These are technically not Hostnames, but it is convenient to have them here + 'ns1': { + V4: "205.251.197.240", + V6: "2600:9000:5305:f000::1", + }, + 'ns2': { + V4: "205.251.193.155", + V6: "2600:9000:5301:9b00::1", + }, + 'ns3': { + V4: "205.251.194.127", + V6: "2600:9000:5302:7f00::1", + }, + 'ns4': { + V4: "205.251.199.225", + V6: "2600:9000:5307:e100::1", + }, +} + +interface DomainProperties { + defaultRecords: boolean; + domainKeys?: {[key: string]: string} +} + +// WARNING: The Zones have been manually created with a reusable delegation set before being imported into CDK management. +// Further zones should follow the same procedure, to use the same white-label nameservers. +// The create-hosted-zone script can be used to create a new zone, and the update-default-records +// script can be used to update the SOA and NS records. 
+export const DOMAINS: {[key: string]: DomainProperties} = { + 'elite12.de': { + defaultRecords: true, + domainKeys: { + 'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgA2tuBVL5JhYkCqF0Qh4Z97GyDnvt5uQefZx6hXycGMCXfZaCI5XpFo0ey0+H/Uqc19woo53PWxrTxsXAK6N0mK2vRHMI9eHsAS3ZK6KSy/PzK2QDObZl2E+lrYtwSss6IZBMOhgRHglw0ZOtmzfabBV2KJGepIDUvBAtFqC3lPBAuNXC5kxUj6IArMp6T8OWoirJ3gpE1DRi8YcyNnHx8ZpbcQ9hQRq1h3njcZsBwKRUprSYobkiX/LMaxHHpI4YrLyhT59vy8R/THNSU7Me61UB1prcjMb+ohfAyHpyJuSX3RX/T0AvZQV2XCUSpQPfk1h4mMGHCtw6FzC63hYZwIDAQAB' + } + }, + 'kirschbaum.me': { + defaultRecords: true, + domainKeys: { + 'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvXDuLMb7IB4eLodktPplslADR7WfUSt1Q/aLAATiAqdsT9rcVOIFkdTYNq6pUS0gnGvUrgzKxiN44ggqn7J5k0WcX6sCOeHkPhv2T9BXJOYeA0wv14XKaePCGopmLCbVh/18aZah065xFhF9Ohp1KCzVM211ZNtpCcgDqXaQadsfCbSXKBM7dcplYnp9HR1xm0Y8H5vv3hXdwLTFMmIeJXPHs3LD+3opY836HprDcR9fEA5TT20832J227cYD6ZzQCmO3YSgHpxZ9VVX+xU8LtkUjvfr+6xzvx148h6zKwRCZOvvicOdOqpNy+X7XJVzGLMJVUmY55U57Q8W7WWRawIDAQAB' + } + }, + 'kirschbaum.cloud': { + defaultRecords: false, + }, + 'bund-von-theramore.de': { + defaultRecords: true, + domainKeys: { + 'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjS+3U6bERFAUDhJ+yfafjwEELCERab3MLCVF8+FCz46qBkUsoQlim68MSL37ShUT34FsYSMAsTdRKJVCtdbk79Za2yuzh/0uZ3jsC/+QCpC06VAZKdWzZB4Myept0fPUjmseCjZfSVOvPN0fNrngxUmXxKNHuqSLA9UQS5ex8MB4UJl7m7/ixUsvjHQdJdi2usO6TdGnadKlS+2gYl+VYrzf+R/z9eEy8edhp+BkBlSlGVmzCSPYAV5Ykp9iC7fJz7p2w9etYytTG8U7Jh4jh75KzSojGgWz6miU9DXdroczEdsYATJyTE5O981er89Tzm0mFdbTuKPbSHMFZXncmQIDAQAB' + } + }, + 'theramo.re': { + defaultRecords: true, + domainKeys: { + 'g18102016': 'v=DKIM1; k=rsa; 
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsCxnyi5zDkB3iDdXvh2hl5Facm4bokGQvILLpmKxHq7ti3YWJHJUfyQ02tQVvfjMKEP7DK7UOAmN9bexUJsq9GBAHP10fx66D2FHjuu5vfwm3xp65vN27t5iM8HEfqKX7dTG+oRKM1eO0fGKhliwyJlHQti9trFnzUKlkxU+7N1m/B/5EGu53fxpGQu1UQY2Jas/UOEU+YLVoogSyZTM8htB5efUF8d0f6Ggbpb4CJN6ZPIcUg5Qr+K/sipJsiUyk4Xdoi3I/FZhNptK/dDglpB8UCUTtIfyH0ms4qXRKjQvnqbj9m+H2XKkC65LcIiT7OxKNyEqejnvs2fSLaViFwIDAQAB' + } + }, + 'markus-dope.de': { + defaultRecords: true, + domainKeys: { + 'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqgcZiSEkHo/0X/CziEz8eEklImh1mN5x7PXrNTGiahujwWzTiBLfpDjgacvsHIMpXUShi3Tl+e7X52m0DsBSK6DMkgzIFnQvJ2PbJ8giCh5k3iTaxGd6WuqcCQHg5ARrqmvgZyQegLWxLMXfgQi3SaVTsez+0OGhYDsdcdHEMpI9fud3XRN8QvNumlPz3SuNJ0VvDvFCY9GglQhi5z8K1MT6DBJQgK05BHCeXc9ltoBD4/GzXR+/zZ5v1jBmMONvoYbQgrt1jZ84WCucR54YmdpGlgMXFCqfaW72ZFKtpaJbeseR3ycVv0iKU5+BbXYlVMjeGKXcJewWmLH2gl2lhQIDAQAB' + } + }, + 'grillteller42.de': { + defaultRecords: true, + }, + 'trigardon-rg.de': { + defaultRecords: true, + domainKeys: { + 'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw8ldG7q9BR5mgn1IevBpxKT7OBWBd6T209+C7SXXHIJH4lUqSyRnLxq4MHFKUARxABZUV3K8sZ3GQvJI1/HLD9LEGXpCxVvdUJMv//TuKdzRug+awIW4t9fl1yovoC4w1zQN0pIGvwafrhtniZYAJrvOZVhF5ngTDUvqjo8ue4dAvRyfD6cxWZb70t4m4gOD3pnAsM4OuONOy06joCuNQosV4XQ/aR0iCXlli8LcaZSwihY6tx8eZkqprjgKmx1/pPcdePzmx9NOOi9iAGiGfC6qesFUBq8eMy3Qk5oyGijxh75S2MRkmRwEVZy/aXwnUI0OLRoWyZgMd4z6w5uVdQIDAQAB' + } + }, + 'westerwald-esport.de': { + defaultRecords: true, + domainKeys: { + 'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApsvZT6MOvasdtSnTz38y1Zwxcaq/FYV5zP789JyoUHuLktY9lRgYGIXeJrxaSjo+RlCrqN3g4cfHX/MGkwxwpp3Qal7zDvRBERWyyj169s8N8UWi8AIsMzFqAymJPkCDU3nW99WXafJrFZvmX1lVpY1cctA/G4pjx1RCT7Ixcv72hWR8lRgUWlc2lEIykZQ9s4tUd3+NbsreUnxgkvN4PD0M7w9ORU7b7iIAR2N5DAwgD5FiTQ84JiqZILzQ69y6CS/FCdlLSxPcq7yYO+OsQ8zj/RAAvfG4CrRykxMHAi3GTo8RHWyxgt8MHmZpcgtJQU0Vz+MZiaM0Dx6KdWRpmwIDAQAB' + } + }, +}; \ No newline at end of file 
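Review bot: The `{[key: string]: HostProperties}` and `{[key: string]: DomainProperties}` annotations on HOSTS and DOMAINS discard the literal keys, so `HOSTS['typo']` type-checks as HostProperties and a wrong host or domain name is only detected when synth throws on the undefined lookup (under `noUncheckedIndexedAccess` it would instead fail to compile at every use). Declaring them as `export const HOSTS = { ... } satisfies Record<string, HostProperties>;` (TypeScript 4.9 or newer; otherwise `as const`) keeps the key union available so callers can use `keyof typeof HOSTS` / `keyof typeof DOMAINS`. The WARNING comment above DOMAINS still documents the manual delegation-set procedure correctly after the move from bin/dns.ts.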
diff --git a/lib/dns-stack.ts b/lib/dns-stack.ts index b619d1e..486226a 100644 --- a/lib/dns-stack.ts +++ b/lib/dns-stack.ts @@ -1,36 +1,25 @@ -import {CfnResource, Duration, RemovalPolicy, Stack, StackProps} from "aws-cdk-lib"; +import {CfnResource, RemovalPolicy, Stack, StackProps} from "aws-cdk-lib"; import {Construct} from "constructs"; import { - AaaaRecord, - ARecord, CaaAmazonRecord, - CaaRecord, - CaaTag, CfnDNSSEC, CfnKeySigningKey, IPublicHostedZone, PublicHostedZone, - RecordTarget, RecordType, SrvRecord, TxtRecord, } from "aws-cdk-lib/aws-route53"; import {AccountPrincipal, Effect, PolicyStatement, ServicePrincipal} from "aws-cdk-lib/aws-iam"; import { - DEFAULT_TTL, - E12_OLD_SERVER_IPV4, - E12_OLD_SERVER_IPV6, - E12MonitoringRecord, - E12MainRecord, - GoogleMailRecords, - LetsencryptCAARecord, MAIN_01_NUE_NC_IPV4, MAIN_01_NUE_NC_IPV6 + DefaultDomainRecords, + HostRecord, } from "./constructs/CommonRecords"; import {CrossAccountRoute53Role, Route53User} from "@fallobst22/cdk-cross-account-route53"; import {Key, KeySpec, KeyUsage} from "aws-cdk-lib/aws-kms"; - -export interface RootDnsProps extends StackProps { - domains: string[] -} +import { + DEFAULT_TTL, DOMAINS, HOSTS, LONG_TTL, +} from "./constructs/constants"; class DnsStackUSEast1ResourcesStack extends Stack { public cmk: Key; @@ -77,7 +66,7 @@ class DnsStackUSEast1ResourcesStack extends Stack { export class DNSStack extends Stack { - constructor(scope: Construct, id: string, props: RootDnsProps) { + constructor(scope: Construct, id: string, props: StackProps) { super(scope, id, { ...props, crossRegionReferences: true 
@@ -93,117 +82,30 @@ export class DNSStack extends Stack { }); const hostedZones = Object.fromEntries( - props.domains.map((domain) => [ + Object.keys(DOMAINS).map((domain) => [ domain, this.createHostedZone(domain, usEast1Resources.cmk) ]) ); - this.createNameserverRecords(hostedZones['elite12.de']); + Object.entries(hostedZones) + .filter(([domain, _]) => DOMAINS[domain].defaultRecords) + .forEach(([_, zone]) => { + new DefaultDomainRecords(zone, 'DefaultRecords', { + zone + }); + }); + this.createHostnameRecords(hostedZones['elite12.de']); + this.createElite12Records(hostedZones['elite12.de']); this.createKirschbaumMeRecords(hostedZones['kirschbaum.me']); this.createKirschbaumCloudRecords(hostedZones['kirschbaum.cloud']); this.createBundvonTeramoreDeRecords(hostedZones['bund-von-theramore.de']); this.createTheramoReRecords(hostedZones['theramo.re']); - this.createMarkusDopeRecords(hostedZones['markus-dope.de']); - this.createGrillteller42DeRecords(hostedZones['grillteller42.de']); this.createTrigardonRgDeRecords(hostedZones['trigardon-rg.de']); - this.createWesterwaldEsportDeRecords(hostedZones['westerwald-esport.de']); - new CrossAccountRoute53Role(this, 'DomainPlaceholderDnsDelegation', { - zone: hostedZones['kirschbaum.cloud'], - assumedBy: new AccountPrincipal('362408963076'), - roleName: 'DomainPlaceholderDnsDelegationRole', - records: [ - { - types: [RecordType.A, RecordType.AAAA], - domains: ['kirschbaum.cloud'] - }, - { - types: [RecordType.CNAME], - domains: ['_*.kirschbaum.cloud'] - } - ] - }); - - new CrossAccountRoute53Role(this, 'LogsDnsDelegation', { - zone: hostedZones['theramo.re'], - assumedBy: new AccountPrincipal('362408963076'), - roleName: 'LogsDnsDelegationRole', - records: [ - { - types: [RecordType.A, RecordType.AAAA], - domains: ['logs.theramo.re'] - }, - { - types: [RecordType.CNAME], - domains: ['_*.logs.theramo.re'] - } - ] - }); - - new CrossAccountRoute53Role(this, 'PrimeScoutDnsDelegation', { - zone: 
hostedZones['westerwald-esport.de'], - assumedBy: new AccountPrincipal('362408963076'), - roleName: 'PrimeScoutDnsDelegationRole', - records: [ - { - types: [RecordType.A, RecordType.AAAA], - domains: ['scout.westerwald-esport.de', '*.scout.westerwald-esport.de'] - }, - { - types: [RecordType.CNAME], - domains: ['*.scout.westerwald-esport.de'] - } - ] - }); - - new CrossAccountRoute53Role(this, 'CloudshareStagingDNSDelegation', { - zone: hostedZones['kirschbaum.cloud'], - assumedBy: new AccountPrincipal('276098254089'), - roleName: 'CloudshareStagingDnsDelegationRole', - records: [ - { - types: [RecordType.A, RecordType.AAAA, RecordType.NS, RecordType.CNAME, RecordType.TXT], - domains: ['share-staging.kirschbaum.cloud', '*.share-staging.kirschbaum.cloud'] - } - ] - }); - - new CrossAccountRoute53Role(this, 'CloudshareProdDNSDelegation', { - zone: hostedZones['kirschbaum.cloud'], - assumedBy: new AccountPrincipal('743848950232'), - roleName: 'CloudshareProdDnsDelegationRole', - records: [ - { - types: [RecordType.A, RecordType.AAAA, RecordType.NS, RecordType.CNAME, RecordType.TXT], - domains: ['share.kirschbaum.cloud', '*.share.kirschbaum.cloud'] - } - ] - }); - - new Route53User(this, 'extGWDelegation', { - zone: hostedZones['kirschbaum.me'], - secretName: 'extGw-Accesskey', - records: [ - { - types: [RecordType.TXT], - domains: ['_acme-challenge.ext-gw.home.kirschbaum.me','_acme-challenge.ext-gw.kirschbaum.me'] - } - ] - }); - - new Route53User(this, 'homeDelegation', { - zone: hostedZones['kirschbaum.me'], - secretName: 'home-Accesskey', - records: [ - { - types: [RecordType.TXT], - domains: ['_acme-challenge.home.kirschbaum.me','_acme-challenge.*.home.kirschbaum.me'] - } - ] - }); + this.createDelegations(hostedZones); } private createHostedZone(domain: string, cmk: Key) { 
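Review bot: `new DefaultDomainRecords(zone, 'DefaultRecords', { zone })` gives the root, wildcard, CAA and mail records a new construct path (`DefaultRecords/Root/ARecord` instead of `E12Root/ARecord`, and so on), so CloudFormation will treat the existing AWS::Route53::RecordSet resources as deleted and the new ones as created; because new resources are created before the old ones are cleaned up, creating a record set with a name and type that already exists typically fails the stack update. Before deploying, check `cdk diff` for replaced RecordSet resources and either keep the previous construct ids (`E12Root`, `E12Wild`, `CAA`, `MailRecords`) or pin the logical ids with `overrideLogicalId` on the underlying CfnResource. The same concern applies to `createHostnameRecords` in the next hunk, where `Main01NueNcARecord` and `Ns1ARecord` become `main-01-nue-ncHostnameRecord/ARecord` and `ns1HostnameRecord/ARecord`.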
@@ -228,205 +130,56 @@ export class DNSStack extends Stack { return hostedZone; } - private createNameserverRecords(zone: PublicHostedZone) { - new ARecord(zone, 'Ns1ARecord', { - zone, - ttl: Duration.days(2), - recordName: 'ns1', - target: RecordTarget.fromIpAddresses('205.251.197.240') - }); - new AaaaRecord(zone, 'Ns1AAAARecord', { - zone, - ttl: Duration.days(2), - recordName: 'ns1', - target: RecordTarget.fromIpAddresses('2600:9000:5305:f000::1') - }); - - new ARecord(zone, 'Ns2ARecord', { - zone, - ttl: Duration.days(2), - recordName: 'ns2', - target: RecordTarget.fromIpAddresses('205.251.193.155') - }); - new AaaaRecord(zone, 'Ns2AAAARecord', { - zone, - ttl: Duration.days(2), - recordName: 'ns2', - target: RecordTarget.fromIpAddresses('2600:9000:5301:9b00::1') - }); - - new ARecord(zone, 'Ns3ARecord', { - zone, - ttl: Duration.days(2), - recordName: 'ns3', - target: RecordTarget.fromIpAddresses('205.251.194.127') - }); - new AaaaRecord(zone, 'Ns3AAAARecord', { - zone, - ttl: Duration.days(2), - recordName: 'ns3', - target: RecordTarget.fromIpAddresses('2600:9000:5302:7f00::1') - }); - - new ARecord(zone, 'Ns4ARecord', { - zone, - ttl: Duration.days(2), - recordName: 'ns4', - target: RecordTarget.fromIpAddresses('205.251.199.225') - }); - new AaaaRecord(zone, 'Ns4AAAARecord', { - zone, - ttl: Duration.days(2), - recordName: 'ns4', - target: RecordTarget.fromIpAddresses('2600:9000:5307:e100::1') - }); - } - private createHostnameRecords(zone: IPublicHostedZone) { - new ARecord(zone, 'ServerHostnameARecord', { - zone, - ttl: Duration.days(2), - recordName: 'server', - target: RecordTarget.fromIpAddresses(E12_OLD_SERVER_IPV4) - }); - new AaaaRecord(zone, 'ServerHostnameAAAARecord', { - zone, - ttl: Duration.days(2), - recordName: 'server', - target: RecordTarget.fromIpAddresses(E12_OLD_SERVER_IPV6) - }); - new ARecord(zone, 'Main01NueNcARecord', { - zone, - ttl: Duration.days(2), - recordName: 'main-01-nue-nc', - target: 
RecordTarget.fromIpAddresses(MAIN_01_NUE_NC_IPV4) - }); - new AaaaRecord(zone, 'Main01NueNcAAAARecord', { - zone, - ttl: Duration.days(2), - recordName: 'main-01-nue-nc', - target: RecordTarget.fromIpAddresses(MAIN_01_NUE_NC_IPV6) - }); + for (let hostname in HOSTS) { + new HostRecord(zone, hostname+"HostnameRecord", { + zone, + ttl: LONG_TTL, + name: hostname, + host: hostname + }); + } } private createElite12Records(zone: IPublicHostedZone) { - new E12MainRecord(zone, 'E12Root', { - zone - }); - new E12MainRecord(zone, 'E12Wild', { - zone, - name: '*' - }); - new E12MonitoringRecord(zone, 'E12MonitoringRoot', { + new HostRecord(zone, 'MonitoringRoot', { zone, + host: 'obs-01-vie-nc', name: 'monitoring' }); - new E12MonitoringRecord(zone, 'E12MonitoringWild', { + + new HostRecord(zone, 'MonitoringWildcard', { zone, + host: 'obs-01-vie-nc', name: '*.monitoring' }); - new ARecord(zone, 'Ipv4Record', { - zone, - ttl: DEFAULT_TTL, - recordName: 'ipv4', - target: RecordTarget.fromIpAddresses(MAIN_01_NUE_NC_IPV4), - }); - new AaaaRecord(zone, 'Ipv6Record', { - zone, - ttl: DEFAULT_TTL, - recordName: 'ipv6', - target: RecordTarget.fromIpAddresses(MAIN_01_NUE_NC_IPV6), - }); - new LetsencryptCAARecord(zone, 'CAA', { - zone - }); - new GoogleMailRecords(zone, 'MailRecords', { - zone, - domainKeys: { - '18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxFZEoeJve+IS0GMc0p2G n2rf3HAi9TayBciz04Xx2j/anys/HxCHiw48Sz36BkQqxE83dh5OR7PGLhwHjY5T HlxtOdY3bIdsO2exKyHz38A/Eu2xHDKqCo3fGdAa+3FHoiMeigbZ/9++gBZmXiFs 9h0b7T/qzP4W3jKdlGbZ2zk8kuu8sZQjcwSSPlpnyHckV0XDzl6RzOlilXsIZtoH bxa6Nwj+ool5ygFwpTdMLnpuxvYV23PiJUos4LKN7O50iiScTGlb8MiF6EIeXi58 ZAsq4Bhu0Zf69tn2vsEaEr8GuG1twSRcB7h3Kqy1ZRprNStIUYCpbY7IHOkHozMK zQIDAQAB', - 'g18102016': 'v=DKIM1; k=rsa; 
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgA2tuBVL5JhYkCqF0Qh4Z97GyDnvt5uQefZx6hXycGMCXfZaCI5XpFo0ey0+H/Uqc19woo53PWxrTxsXAK6N0mK2vRHMI9eHsAS3ZK6KSy/PzK2QDObZl2E+lrYtwSss6IZBMOhgRHglw0ZOtmzfabBV2KJGepIDUvBAtFqC3lPBAuNXC5kxUj6IArMp6T8OWoirJ3gpE1DRi8YcyNnHx8ZpbcQ9hQRq1h3njcZsBwKRUprSYobkiX/LMaxHHpI4YrLyhT59vy8R/THNSU7Me61UB1prcjMb+ohfAyHpyJuSX3RX/T0AvZQV2XCUSpQPfk1h4mMGHCtw6FzC63hYZwIDAQAB' - } - }); - new TxtRecord(this, `DmarcAllowMailBundRecord`, { - zone, - ttl: DEFAULT_TTL, - recordName: 'bund-von-theramore.de._report._dmarc', - values: [ - 'v=DMARC1' - ] - }); - new TxtRecord(this, `DmarcAllowMailKirschbaumRecord`, { - zone, - ttl: DEFAULT_TTL, - recordName: 'kirschbaum.me._report._dmarc', - values: [ - 'v=DMARC1' - ] + Object.keys(DOMAINS).filter((domain) => domain !== 'elite12.de').forEach((domain) => { + new TxtRecord(zone, `${domain}DmarcAllowReports`, { + zone, + ttl: LONG_TTL, + recordName: `${domain}._report._dmarc`, + values: [ + 'v=DMARC1' + ] + }); }); - new TxtRecord(this, `DmarcAllowMailTrigardonRecord`, { + } + private createKirschbaumMeRecords(zone: IPublicHostedZone) { + new HostRecord(zone, 'ExtGW', { zone, - ttl: DEFAULT_TTL, - recordName: 'trigardon-rg.de._report._dmarc', - values: [ - 'v=DMARC1' - ] + host: 'gw-01-nue-nc', + name: 'ext-gw' }); + } + private createKirschbaumCloudRecords(zone: IPublicHostedZone) { new CaaAmazonRecord(zone, 'CaaAmazon', { zone }); } - private createKirschbaumMeRecords(zone: IPublicHostedZone) { - new E12MainRecord(zone, 'E12Root', { - zone - }); - new E12MainRecord(zone, 'E12Wild', { - zone, - name: '*' - }); - new LetsencryptCAARecord(zone, 'CAA', { - zone - }); - new GoogleMailRecords(zone, 'MailRecords', { - zone, - domainKeys: { - '18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwepCfXq8h3A9BALXUmj0 7xUvr7jsSDkAxuX8y30jJ9NzzcQkuAHVlg6OJ8VCFIcWXsWTfPbp79msag8TndRT jaCH4+nFpUoRBtrHhDmQ1CCTaXDB97tvNshk63x+5qnn9X221OTgg3TA0PL6lJjK 
7Nyyra72emnC1NGNA15Jbh9WBHU+ZFWJL6mgS2aCQISabfR4YZE9wCI73e4D9BCu NnANjmJbQcY37BgR+FWyjNIXUT6lDAebJeLqffbU9cYmjtuCTWZMs/2lTxDcmHAt /Gcwg3NWw9IaKVSCyAlPn03keuGNN18NUSyeXm8MbSISoRbf7hrU1qvQJh8E0TgB RwIDAQAB', - 'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvXDuLMb7IB4eLodktPplslADR7WfUSt1Q/aLAATiAqdsT9rcVOIFkdTYNq6pUS0gnGvUrgzKxiN44ggqn7J5k0WcX6sCOeHkPhv2T9BXJOYeA0wv14XKaePCGopmLCbVh/18aZah065xFhF9Ohp1KCzVM211ZNtpCcgDqXaQadsfCbSXKBM7dcplYnp9HR1xm0Y8H5vv3hXdwLTFMmIeJXPHs3LD+3opY836HprDcR9fEA5TT20832J227cYD6ZzQCmO3YSgHpxZ9VVX+xU8LtkUjvfr+6xzvx148h6zKwRCZOvvicOdOqpNy+X7XJVzGLMJVUmY55U57Q8W7WWRawIDAQAB' - } - }); - new ARecord(zone, 'ExtGWARecord', { - zone, - ttl: DEFAULT_TTL, - recordName: 'ext-gw', - target: RecordTarget.fromIpAddresses('188.68.49.21'), - }); - new AaaaRecord(zone, 'ExtGWAAAARecord', { - zone, - ttl: DEFAULT_TTL, - recordName: 'ext-gw', - target: RecordTarget.fromIpAddresses('2a03:4000:6:d0e1::1'), - }); - } private createBundvonTeramoreDeRecords(zone: IPublicHostedZone) { - new E12MainRecord(zone, 'E12Root', { - zone - }); - new E12MainRecord(zone, 'E12Wild', { - zone, - name: '*' - }); - new LetsencryptCAARecord(zone, 'CAA', { - zone - }); - new GoogleMailRecords(zone, 'MailRecords', { - zone, - domainKeys: { - '18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx/ngPRGO8bFfZt7UlOOiw40M2PCOLg1zadL+oYrzSh7WO9an8jRf2FOdp1hWC+/n7Gd2vvHRfzvuBA/XublIWafo1j2v/7GkfmIDwiYiXPKYMziI0ddrNib7AKOOEOmBCFUP+UsI4Z1iuL60F/k4UI/+W6VpfFkZKKQNezBS7Qcdv5ejum5eSafqEHyUhVjODdc/darzxgNKu3Q22dcxqu1q2N96n1sL6sdlzDxXd6kO4cEBdLkTWujOK7A7SeUulpXYHBkVFnexRSQmu9DHpz/qrRwcrJFVepzIIr5DpIOGYw5/ChLnsiI7lVaAr29wdrr5v0Yz+99FzdHHSziE9wIDAQAB', - 'g18102016': 'v=DKIM1; k=rsa; 
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjS+3U6bERFAUDhJ+yfafjwEELCERab3MLCVF8+FCz46qBkUsoQlim68MSL37ShUT34FsYSMAsTdRKJVCtdbk79Za2yuzh/0uZ3jsC/+QCpC06VAZKdWzZB4Myept0fPUjmseCjZfSVOvPN0fNrngxUmXxKNHuqSLA9UQS5ex8MB4UJl7m7/ixUsvjHQdJdi2usO6TdGnadKlS+2gYl+VYrzf+R/z9eEy8edhp+BkBlSlGVmzCSPYAV5Ykp9iC7fJz7p2w9etYytTG8U7Jh4jh75KzSojGgWz6miU9DXdroczEdsYATJyTE5O981er89Tzm0mFdbTuKPbSHMFZXncmQIDAQAB' - } - }); new SrvRecord(zone, 'TS3SRV', { zone, ttl: DEFAULT_TTL, 
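Review bot: The `18102016` DKIM selector TXT records are removed for every domain (elite12.de, kirschbaum.me and bund-von-theramore.de in this hunk, theramo.re, markus-dope.de and trigardon-rg.de in the following ones) because DOMAINS only carries `g18102016`; if any sender still signs with the old selector, its mail fails DKIM and, with the `p=reject` DMARC policy published by GoogleMailRecords, is rejected. A refactor commit should not drop a live selector silently, so either keep it in DOMAINS or state in the commit message that it has been retired. The new `_report._dmarc` loop also authorises report delivery for every entry in DOMAINS rather than the three previously listed, which is harmless but worth noting. Minor: `for (let hostname in HOSTS)` in createHostnameRecords is better written as `for (const hostname of Object.keys(HOSTS))`.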
@@ -442,46 +195,6 @@ export class DNSStack extends Stack { }); } private createTheramoReRecords(zone: IPublicHostedZone) { - new E12MainRecord(zone, 'E12Root', { - zone - }); - new E12MainRecord(zone, 'E12Wild', { - zone, - name: '*' - }); - new CaaRecord(this, 'CAA', { - zone, - ttl: DEFAULT_TTL, - values: [ - { - tag: CaaTag.IODEF, - flag: 0, - value: 'mailto:caa@kirschbaum.me' - }, - { - tag: CaaTag.ISSUE, - flag: 0, - value: 'amazon.com' - }, - { - tag: CaaTag.ISSUE, - flag: 0, - value: 'letsencrypt.org' - }, - { - tag: CaaTag.ISSUEWILD, - flag: 0, - value: 'letsencrypt.org' - } - ] - }); - new GoogleMailRecords(zone, 'MailRecords', { - zone, - domainKeys: { - '18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzvYhbJ58gS+fxyUgcIOr 0sUvJfw4e38ly7CQ1AzJ2mZqYzU2x6DmzgHfN3rhr3ReUqiF+n5v8x2VEE5N0M3H KRMwHdUG2rOMG8w6+uSBnzeyT21Wu6/Qivc+0N9SV2SmY1jRuvqsQ9i06MQ1Qo60 k9vn6BL1TXZREpcEbIzABb/88G0zj7yWhBYAYgmZmZAnKT8EoDkH8MFTdeI0RCi/ VjfL+QvW0tC1YNlLN5s2xthINpbozUzKo2CZ9GxnXh5cxiLLxwuGTTV4g90rZGEA C4L+vh2hME0BmICjTLPOJb0yvviYhsUcMVO6OTK7xn41TjG3riumCGV6J002Drja uwIDAQAB', - 'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsCxnyi5zDkB3iDdXvh2hl5Facm4bokGQvILLpmKxHq7ti3YWJHJUfyQ02tQVvfjMKEP7DK7UOAmN9bexUJsq9GBAHP10fx66D2FHjuu5vfwm3xp65vN27t5iM8HEfqKX7dTG+oRKM1eO0fGKhliwyJlHQti9trFnzUKlkxU+7N1m/B/5EGu53fxpGQu1UQY2Jas/UOEU+YLVoogSyZTM8htB5efUF8d0f6Ggbpb4CJN6ZPIcUg5Qr+K/sipJsiUyk4Xdoi3I/FZhNptK/dDglpB8UCUTtIfyH0ms4qXRKjQvnqbj9m+H2XKkC65LcIiT7OxKNyEqejnvs2fSLaViFwIDAQAB' - } - }); new SrvRecord(zone, 'TS3SRV', { zone, ttl: DEFAULT_TTL, 
@@ -496,55 +209,7 @@ export class DNSStack extends Stack { ] }); } - private createMarkusDopeRecords(zone: IPublicHostedZone) { - new E12MainRecord(zone, 'E12Root', { - zone - }); - new E12MainRecord(zone, 'E12Wild', { - zone, - name: '*' - }); - new LetsencryptCAARecord(zone, 'CAA', { - zone - }); - new GoogleMailRecords(zone, 'MailRecords', { - zone, - domainKeys: { - '18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3Xc8E00/FDJ6l1u1TeoGXGD8+aibm8SGKSuoNEYiLE0pfpUokWwzQEIFoR9NHvAqaJgjVYpJJ7azecXOqfNzYMEe5RiEsZ7vFRinozaIpliGCkDtYL3lTYsMuLcF45fW9Vdxuxk59JVSy4gvavgiqtdhSwCfg/Fut6mhwlXXcVJ5opB0vCk62lt5NwyVLA/TyIvA7hPffjgx1mw6798JlLHVoJcq7LEDfgguHmsEgTmxSGteU/U/+so6OJtIfIaNsxvy9hEcoiAWL00JAER7WKNN0jaTF8CgtpS5QDdewQ78XLouanyUp3okaK5ojHpBX6VFq6UOWbXdYoH1kgZGhQIDAQAB', - 'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqgcZiSEkHo/0X/CziEz8eEklImh1mN5x7PXrNTGiahujwWzTiBLfpDjgacvsHIMpXUShi3Tl+e7X52m0DsBSK6DMkgzIFnQvJ2PbJ8giCh5k3iTaxGd6WuqcCQHg5ARrqmvgZyQegLWxLMXfgQi3SaVTsez+0OGhYDsdcdHEMpI9fud3XRN8QvNumlPz3SuNJ0VvDvFCY9GglQhi5z8K1MT6DBJQgK05BHCeXc9ltoBD4/GzXR+/zZ5v1jBmMONvoYbQgrt1jZ84WCucR54YmdpGlgMXFCqfaW72ZFKtpaJbeseR3ycVv0iKU5+BbXYlVMjeGKXcJewWmLH2gl2lhQIDAQAB' - } - }); - } - private createGrillteller42DeRecords(zone: IPublicHostedZone) { - new E12MainRecord(zone, 'E12Root', { - zone - }); - new E12MainRecord(zone, 'E12Wild', { - zone, - name: '*' - }); - new LetsencryptCAARecord(zone, 'CAA', { - zone - }); - } private createTrigardonRgDeRecords(zone: IPublicHostedZone) { - new E12MainRecord(zone, 'E12Root', { - zone - }); - new E12MainRecord(zone, 'E12Wild', { - zone, - name: '*' - }); - new LetsencryptCAARecord(zone, 'CAA', { - zone - }); - new GoogleMailRecords(zone, 'MailRecords', { - zone, - domainKeys: { - '18102016': 'v=DKIM1; k=rsa; 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWnLdm+Hsg2DoceRpEKHV9zvAQEMwORGaOEc3BoNUaItQ/lg07AjWlaH+afEaf1G9QTVxodWBVwx2euV+yxuVdqmU43cPty3YzdHQv/GBLXafrAY4TqGWo8qCKpPazvmxv1R5hIYnXKa+jKNxqcEDzDOtZzT4jMFmh4CoGnpUQ3QIDAQAB', - 'g18102016': 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw8ldG7q9BR5mgn1IevBpxKT7OBWBd6T209+C7SXXHIJH4lUqSyRnLxq4MHFKUARxABZUV3K8sZ3GQvJI1/HLD9LEGXpCxVvdUJMv//TuKdzRug+awIW4t9fl1yovoC4w1zQN0pIGvwafrhtniZYAJrvOZVhF5ngTDUvqjo8ue4dAvRyfD6cxWZb70t4m4gOD3pnAsM4OuONOy06joCuNQosV4XQ/aR0iCXlli8LcaZSwihY6tx8eZkqprjgKmx1/pPcdePzmx9NOOi9iAGiGfC6qesFUBq8eMy3Qk5oyGijxh75S2MRkmRwEVZy/aXwnUI0OLRoWyZgMd4z6w5uVdQIDAQAB' - } - }); new SrvRecord(zone, 'TS3SRV', { zone, ttl: DEFAULT_TTL, 
@@ -560,42 +225,97 @@ export class DNSStack extends Stack { }); } - private createWesterwaldEsportDeRecords(zone: PublicHostedZone) { - new E12MainRecord(zone, 'E12Root', { - zone - }); - new E12MainRecord(zone, 'E12Wild', { - zone, - name: '*' - }); - new CaaRecord(this, 'CAA-Custom', { - zone: zone, - ttl: DEFAULT_TTL, - values: [ + private createDelegations(hostedZones: { [key: string]: IPublicHostedZone }) { + new CrossAccountRoute53Role(this, 'DomainPlaceholderDnsDelegation', { + zone: hostedZones['kirschbaum.cloud'], + assumedBy: new AccountPrincipal('362408963076'), + roleName: 'DomainPlaceholderDnsDelegationRole', + records: [ { - tag: CaaTag.IODEF, - flag: 0, - value: 'mailto:caa@kirschbaum.me' + types: [RecordType.A, RecordType.AAAA], + domains: ['kirschbaum.cloud'] }, { - tag: CaaTag.ISSUE, - flag: 0, - value: 'letsencrypt.org' - }, + types: [RecordType.CNAME], + domains: ['_*.kirschbaum.cloud'] + } + ] + }); + + new CrossAccountRoute53Role(this, 'LogsDnsDelegation', { + zone: hostedZones['theramo.re'], + assumedBy: new AccountPrincipal('362408963076'), + roleName: 'LogsDnsDelegationRole', + records: [ { - tag: CaaTag.ISSUEWILD, - flag: 0, - value: 'letsencrypt.org' + types: [RecordType.A, RecordType.AAAA], + domains: ['logs.theramo.re'] }, { - tag: CaaTag.ISSUE, - flag: 0, - value: 'amazonaws.com' + types: [RecordType.CNAME], + domains: ['_*.logs.theramo.re'] + } + ] + }); + + new CrossAccountRoute53Role(this, 'PrimeScoutDnsDelegation', { + zone: hostedZones['westerwald-esport.de'], + assumedBy: new AccountPrincipal('362408963076'), + roleName: 'PrimeScoutDnsDelegationRole', + records: [ + { + types: [RecordType.A, RecordType.AAAA], + domains: ['scout.westerwald-esport.de', '*.scout.westerwald-esport.de'] }, { - tag: CaaTag.ISSUEWILD, - flag: 0, - value: 'amazonaws.com' + types: [RecordType.CNAME], + domains: ['*.scout.westerwald-esport.de'] + } + ] + }); + + new CrossAccountRoute53Role(this, 'CloudshareStagingDNSDelegation', { + zone: 
hostedZones['kirschbaum.cloud'], + assumedBy: new AccountPrincipal('276098254089'), + roleName: 'CloudshareStagingDnsDelegationRole', + records: [ + { + types: [RecordType.A, RecordType.AAAA, RecordType.NS, RecordType.CNAME, RecordType.TXT], + domains: ['share-staging.kirschbaum.cloud', '*.share-staging.kirschbaum.cloud'] + } + ] + }); + + new CrossAccountRoute53Role(this, 'CloudshareProdDNSDelegation', { + zone: hostedZones['kirschbaum.cloud'], + assumedBy: new AccountPrincipal('743848950232'), + roleName: 'CloudshareProdDnsDelegationRole', + records: [ + { + types: [RecordType.A, RecordType.AAAA, RecordType.NS, RecordType.CNAME, RecordType.TXT], + domains: ['share.kirschbaum.cloud', '*.share.kirschbaum.cloud'] + } + ] + }); + + new Route53User(this, 'extGWDelegation', { + zone: hostedZones['kirschbaum.me'], + secretName: 'extGw-Accesskey', + records: [ + { + types: [RecordType.TXT], + domains: ['_acme-challenge.ext-gw.home.kirschbaum.me','_acme-challenge.ext-gw.kirschbaum.me'] + } + ] + }); + + new Route53User(this, 'homeDelegation', { + zone: hostedZones['kirschbaum.me'], + secretName: 'home-Accesskey', + records: [ + { + types: [RecordType.TXT], + domains: ['_acme-challenge.home.kirschbaum.me','_acme-challenge.*.home.kirschbaum.me'] } ] });