Hosted
Manages Route 53 Hosted Zone Domain Name System Security Extensions (DNSSEC). For more information about managing DNSSEC in Route 53, see the Route 53 Developer Guide. !>WARNING: If you disable DNSSEC signing for your hosted zone before the DNS changes have propagated, your domain could become unavailable on the internet. When you remove the DS records, you must wait until the longest TTL for the DS records that you remove has expired before you complete the step to disable DNSSEC signing. Please refer to the Route 53 Developer Guide - Disable DNSSEC for a detailed breakdown on the steps required to disable DNSSEC safely for a hosted zone.
Note: Route53 hosted zones are global resources, and as such any
aws.kms.Keythat you use as part of a signing key needs to be located in theus-east-1region. In the example below, the main AWS provider declaration is forus-east-1, however if you are provisioning your AWS resources in a different region, you will need to specify a provider alias and use that attached to theaws.kms.Keyresource as described in the provider alias documentation.
Example Usage
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.route53.Zone;
import com.pulumi.aws.route53.KeySigningKey;
import com.pulumi.aws.route53.KeySigningKeyArgs;
import com.pulumi.aws.route53.HostedZoneDnsSec;
import com.pulumi.aws.route53.HostedZoneDnsSecArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AwsFunctions.getCallerIdentity();
var exampleKey = new Key("exampleKey", KeyArgs.builder()
.customerMasterKeySpec("ECC_NIST_P256")
.deletionWindowInDays(7)
.keyUsage("SIGN_VERIFY")
.policy(serializeJson(
jsonObject(
jsonProperty("Statement", jsonArray(
jsonObject(
jsonProperty("Action", jsonArray(
"kms:DescribeKey",
"kms:GetPublicKey",
"kms:Sign",
"kms:Verify"
)),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("Service", "dnssec-route53.amazonaws.com")
)),
jsonProperty("Resource", "*"),
jsonProperty("Sid", "Allow Route 53 DNSSEC Service")
),
jsonObject(
jsonProperty("Action", "kms:*"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:aws:iam::%s:root", current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.accountId())))
)),
jsonProperty("Resource", "*"),
jsonProperty("Sid", "Enable IAM User Permissions")
)
)),
jsonProperty("Version", "2012-10-17")
)))
.build());
var exampleZone = new Zone("exampleZone");
var exampleKeySigningKey = new KeySigningKey("exampleKeySigningKey", KeySigningKeyArgs.builder()
.hostedZoneId(exampleZone.id())
.keyManagementServiceArn(exampleKey.arn())
.build());
var exampleHostedZoneDnsSec = new HostedZoneDnsSec("exampleHostedZoneDnsSec", HostedZoneDnsSecArgs.builder()
.hostedZoneId(exampleKeySigningKey.hostedZoneId())
.build(), CustomResourceOptions.builder()
.dependsOn(exampleKeySigningKey)
.build());
}
}Import
Using pulumi import, import aws_route53_hosted_zone_dnssec resources using the Route 53 Hosted Zone identifier. For example:
$ pulumi import aws:route53/hostedZoneDnsSec:HostedZoneDnsSec example Z1D633PJN98FT9