Skip to main content
Sponsor @cloudposse

Module: route53-resolver-dns-firewall

Terraform module to provision Route 53 Resolver DNS Firewall, domain lists, firewall rules, rule groups, and logging configurations.

Usage

For a complete example, see examples/complete

For automated tests of the complete example using bats and Terratest (which tests and deploys the example on AWS), see test.

provider "aws" {
  region = var.region
}

module "vpc" {
  source  = "cloudposse/vpc/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"

  ipv4_primary_cidr_block                   = "172.19.0.0/16"
  dns_hostnames_enabled                     = true
  dns_support_enabled                       = true
  internet_gateway_enabled                  = false
  ipv6_egress_only_internet_gateway_enabled = false
  assign_generated_ipv6_cidr_block          = false

  context = module.this.context
}

module "s3_log_storage" {
  source  = "cloudposse/s3-log-storage/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"

  force_destroy = true
  attributes    = ["logs"]

  context = module.this.context
}

module "route53_resolver_firewall" {
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"

  vpc_id = module.vpc.vpc_id

  firewall_fail_open        = "ENABLED"
  query_log_enabled         = true
  query_log_destination_arn = module.s3_log_storage.bucket_arn

  domains_config = {
    "not-secure-domains" = {
      # The dot at the end of domain names is required by Route53 DNS Firewall
      # If not added, AWS adds it automatically and terraform shows permanent drift
      domains = [
        "not-secure-domain-1.com.",
        "not-secure-domain-2.com.",
        "not-secure-domain-3.com."
      ]
    },
    "alert-domains" = {
      domains = [
        "alert-domain-1.com.",
        "alert-domain-2.com.",
        "alert-domain-3.com."
      ]
    },
    "blacklisted-domains" = {
      # Concat the lists of domains passed in the `domains` field and loaded from the file `domains_file`
      domains = [
        "blacklisted-domain-1.com.",
        "blacklisted-domain-2.com.",
        "blacklisted-domain-3.com."
      ]
      domains_file = "config/blacklisted_domains.txt"
    }
  }

  rule_groups_config = {
    "not-secure-domains-rule-group" = {
      # 'priority' must be between 100 and 9900 exclusive
      priority = 101
      rules = {
        "block-not-secure-domains" = {
          # 'priority' must be between 100 and 9900 exclusive
          priority                  = 101
          firewall_domain_list_name = "not-secure-domains"
          action                    = "BLOCK"
          block_response            = "NXDOMAIN"
        }
      }
    },
    "alert-and-blacklisted-domains-rule-group" = {
      # 'priority' must be between 100 and 9900 exclusive
      priority = 200
      rules = {
        "alert-domains" = {
          # 'priority' must be between 100 and 9900 exclusive
          priority                  = 101
          firewall_domain_list_name = "alert-domains"
          action                    = "ALERT"
        },
        "block-and-override-blacklisted-domains" = {
          # 'priority' must be between 100 and 9900 exclusive
          priority                  = 200
          firewall_domain_list_name = "blacklisted-domains"
          action                    = "BLOCK"
          block_response            = "OVERRIDE"
          block_override_dns_type   = "CNAME"
          block_override_domain     = "go-here.com"
          block_override_ttl        = 1
        }
      }
    }
  }

  context = module.this.context
}