This repository contains a Terraform configuration that will provision the DNS zone `cyber.dhs.gov` within the COOL. It creates an IAM role that allows sufficient permissions to modify resource records in this zone. This role has a trust relationship with the users account.
- Run the command `terraform init`.
- Run the command `terraform apply`.
Name | Version |
---|---|
terraform | ~> 1.0 |
aws | ~> 3.38 |
Name | Version |
---|---|
aws | ~> 3.38 |
aws.acmresourcechange | ~> 3.38 |
aws.dnsprovisionaccount | ~> 3.38 |
aws.organizationsreadonly | ~> 3.38 |
aws.route53resourcechange | ~> 3.38 |
terraform | n/a |
Name | Source | Version |
---|---|---|
read_terraform_state | github.com/cisagov/terraform-state-read-role-tf-module | n/a |
Name | Description | Type | Default | Required |
---|---|---|---|---|
acmresourcechange_role_description | The description to associate with the IAM role (as well as the corresponding policy) that allows sufficient permissions to modify ACM (AWS Certificate Manager) resources in the DNS account. | string | "Allows sufficient permissions to modify ACM resources in the DNS account." | no |
acmresourcechange_role_name | The name to assign the IAM role (as well as the corresponding policy) that allows sufficient permissions to modify ACM (AWS Certificate Manager) resources in the DNS account. | string | "ACMResourceChange" | no |
additional_remote_state_account_ids | A list of account IDs corresponding to additional accounts that should have permission to assume the role to read this root module's remote state (e.g. ["123456789012"]). | list(string) | [] | no |
additional_ses_sendemail_account_ids | A list of account IDs corresponding to additional accounts that should have permission to assume the role to send email via AWS SES (e.g. ["123456789012"]). | list(string) | [] | no |
aws_region | The AWS region to communicate with. | string | "us-east-1" | no |
cloudfront_zone_id | The ID of the Cloudfront hosted zone. This is set by AWS and is a constant across all Cloudfront distributions. | string | "Z2FDTNDATAQYW2" | no |
cyhy_account_id | The ID of the CyHy account. | string | n/a | yes |
read_terraform_state_role_name | The name to assign the IAM role and policy that allows read-only access to the cool-dns-cyber.dhs.gov state in the S3 bucket where Terraform state is stored. | string | "ReadCyberDhsGovTerraformState" | no |
route53resourcechange_role_description | The description to associate with the IAM role (as well as the corresponding policy) that allows sufficient permissions to modify resource records in the DNS zone. | string | "Allows sufficient permissions to modify resource records in the DNS zone." | no |
route53resourcechange_role_name | The name to assign the IAM role (as well as the corresponding policy) that allows sufficient permissions to modify resource records in the DNS zone. | string | "Route53ResourceChange-cyber.dhs.gov" | no |
sesmanagesuppressionlist_role_description | The description to associate with the IAM role (as well as the corresponding policy) that allows sufficient permissions to manage the suppression list. | string | "Allows sufficient permissions to manage the suppression list." | no |
sesmanagesuppressionlist_role_name | The name to assign the IAM role (as well as the corresponding policy) that allows sufficient permissions to manage the suppression list. | string | "SesManageSuppressionList-cyber.dhs.gov" | no |
sessendemail_role_description | The description to associate with the IAM role (as well as the corresponding policy) that allows sufficient permissions to send email via AWS SES. | string | "Allows sufficient permissions to send email via AWS SES." | no |
sessendemail_role_name | The name to assign the IAM role (as well as the corresponding policy) that allows sufficient permissions to send email via AWS SES. | string | "SesSendEmail-cyber.dhs.gov" | no |
tags | Tags to apply to all AWS resources created. | map(string) | {} | no |
Name | Description |
---|---|
acmresourcechange_role | IAM role that allows sufficient permissions to modify ACM (AWS Certificate Manager) resources in the DNS account. |
cyber_dhs_gov_zone | The cyber.dhs.gov public hosted zone. |
route53resourcechange_role | IAM role that allows sufficient permissions to modify resource records in the cyber.dhs.gov zone. |
sesmanagesuppressionlist_role | IAM role that allows sufficient permissions to manage the AWS SES suppression list. |
sessendemail_role | IAM role that allows sufficient permissions to send email via AWS SES. |
Running `pre-commit` requires running `terraform init` in every directory that contains Terraform code. In this repository, this is just the main directory.
We welcome contributions! Please see CONTRIBUTING.md for details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.