
Resource: awsRoute53HostedZoneDnssec

Manages Route 53 Hosted Zone Domain Name System Security Extensions (DNSSEC). For more information about managing DNSSEC in Route 53, see the Route 53 Developer Guide.

WARNING: If you disable DNSSEC signing for your hosted zone before the DNS changes have propagated, your domain could become unavailable on the internet. When you remove the DS records, you must wait until the longest TTL for the DS records that you remove has expired before you complete the step to disable DNSSEC signing. Please refer to the Route 53 Developer Guide - Disable DNSSEC for a detailed breakdown of the steps required to disable DNSSEC safely for a hosted zone.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { App, Fn, TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";

class Route53DnssecStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    new aws.provider.AwsProvider(this, "aws", {
      region: "us-east-1",
    });
    const current = new aws.dataAwsCallerIdentity.DataAwsCallerIdentity(this, "current", {});
    /*Route 53 DNSSEC needs an asymmetric P-256 signing key whose key policy lets the
    dnssec-route53.amazonaws.com service describe it, read its public key, sign and verify.*/
    const awsKmsKeyExample = new aws.kmsKey.KmsKey(this, "example", {
      customerMasterKeySpec: "ECC_NIST_P256",
      deletionWindowInDays: 7,
      keyUsage: "SIGN_VERIFY",
      policy: Fn.jsonencode({
        Version: "2012-10-17",
        Statement: [
          {
            Sid: "Allow Route 53 DNSSEC Service",
            Effect: "Allow",
            Principal: { Service: "dnssec-route53.amazonaws.com" },
            Action: ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign", "kms:Verify"],
            Resource: "*",
          },
          {
            Sid: "Enable IAM User Permissions",
            Effect: "Allow",
            Principal: { AWS: `arn:aws:iam::${current.accountId}:root` },
            Action: "kms:*",
            Resource: "*",
          },
        ],
      }),
    });
    const awsRoute53ZoneExample = new aws.route53Zone.Route53Zone(this, "example_2", {
      name: "example.com",
    });
    /*overrideLogicalId makes the Terraform resource name match the original name
    (aws_route53_zone.example etc.). You can remove these calls if you don't need them to match.*/
    awsRoute53ZoneExample.overrideLogicalId("example");
    const awsRoute53KeySigningKeyExample = new aws.route53KeySigningKey.Route53KeySigningKey(
      this,
      "example_4",
      {
        hostedZoneId: awsRoute53ZoneExample.id,
        keyManagementServiceArn: awsKmsKeyExample.arn,
        name: "example",
      }
    );
    awsRoute53KeySigningKeyExample.overrideLogicalId("example");
    /*Signing can only be enabled once the key-signing key exists, hence the explicit dependency.*/
    const awsRoute53HostedZoneDnssecExample = new aws.route53HostedZoneDnssec.Route53HostedZoneDnssec(
      this,
      "example_5",
      {
        dependsOn: [awsRoute53KeySigningKeyExample],
        hostedZoneId: awsRoute53KeySigningKeyExample.hostedZoneId,
      }
    );
    awsRoute53HostedZoneDnssecExample.overrideLogicalId("example");
  }
}

const app = new App();
new Route53DnssecStack(app, "route53-dnssec");
app.synth();
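The KMS key in the example is the part that is easiest to get wrong: Route 53 can only use it as a key-signing key if it is an enabled ECC_NIST_P256 SIGN_VERIFY key whose policy grants dnssec-route53.amazonaws.com the four listed actions. The following pre-flight check is an added example, not code from the provider documentation; it assumes key metadata and policy JSON in the shape the AWS CLI's describe-key and get-key-policy calls return, and the sample policy embedded at the end is constructed with a placeholder account id.

```typescript
// Added pre-flight check (not from the provider docs): does a KMS key meet the Route 53
// DNSSEC requirements shown above? Shapes mirror `aws kms describe-key` / `get-key-policy`.
interface KeyMetadata { KeySpec: string; KeyUsage: string; KeyState: string }
interface Statement {
  Effect: string; Action: string | string[]; Resource?: string | string[];
  Principal?: { Service?: string | string[]; AWS?: string | string[] };
}

const DNSSEC_SERVICE = "dnssec-route53.amazonaws.com";
const REQUIRED_ACTIONS = ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign", "kms:Verify"];

// IAM policy fields may be a string or an array; normalise to an array.
function asList<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// IAM-style wildcard match: "kms:*" or "kms:Get*" covers the named action.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i").test(action);
}

// Returns the problems found; an empty list means the key is usable as a KSK.
// Explicit Deny statements and KMS grants are not evaluated here.
export function checkKskKey(meta: KeyMetadata, policyJson: string): string[] {
  const problems: string[] = [];
  if (meta.KeySpec !== "ECC_NIST_P256") problems.push(`KeySpec is ${meta.KeySpec}, need ECC_NIST_P256`);
  if (meta.KeyUsage !== "SIGN_VERIFY") problems.push(`KeyUsage is ${meta.KeyUsage}, need SIGN_VERIFY`);
  if (meta.KeyState !== "Enabled") problems.push(`KeyState is ${meta.KeyState}, need Enabled`);
  // Collect every action an Allow statement grants to the DNSSEC service on this key.
  const granted: string[] = [];
  for (const s of asList<Statement>(JSON.parse(policyJson).Statement)) {
    if (s.Effect !== "Allow" || asList(s.Principal?.Service).indexOf(DNSSEC_SERVICE) < 0) continue;
    if (s.Resource !== undefined && asList(s.Resource).indexOf("*") < 0) continue;
    granted.push(...asList(s.Action));
  }
  const missing = REQUIRED_ACTIONS.filter((a) => !granted.some((g) => actionMatches(g, a)));
  if (missing.length > 0) problems.push(`policy does not grant ${DNSSEC_SERVICE}: ${missing.join(", ")}`);
  return problems;
}

// Constructed sample: the key policy from the example above, with a placeholder account id.
export const SAMPLE_KEY_POLICY = JSON.stringify({ Version: "2012-10-17", Statement: [
  { Sid: "Allow Route 53 DNSSEC Service", Effect: "Allow", Principal: { Service: DNSSEC_SERVICE },
    Action: REQUIRED_ACTIONS, Resource: "*" },
  { Sid: "Enable IAM User Permissions", Effect: "Allow", Principal: { AWS: "arn:aws:iam::111111111111:root" },
    Action: "kms:*", Resource: "*" },
] });
```

Run it against the real key before `cdktf deploy`; a non-empty result explains why the key-signing key would be rejected.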

Argument Reference

The following arguments are required:

  • hostedZoneId - (Required) Identifier of the Route 53 Hosted Zone.

The following arguments are optional:

  • signingStatus - (Optional) Hosted Zone signing status. Valid values: SIGNING, NOT_SIGNING. Defaults to SIGNING.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - Route 53 Hosted Zone identifier.

Import

awsRoute53HostedZoneDnssec resources can be imported by using the Route 53 Hosted Zone identifier, e.g.,

$ terraform import aws_route53_hosted_zone_dnssec.example Z1D633PJN98FT9