Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/nozaq/terraform-aws-parked-domain-baseline
A terraform module to set up DNS records to harden the parked(unused) domain using AWS Route53.
https://github.com/nozaq/terraform-aws-parked-domain-baseline
aws devops dns domain email-security hardening security security-hardening terraform terraform-module
Last synced: 12 days ago
JSON representation
A terraform module to set up DNS records to harden the parked(unused) domain using AWS Route53.
- Host: GitHub
- URL: https://github.com/nozaq/terraform-aws-parked-domain-baseline
- Owner: nozaq
- License: mit
- Created: 2022-11-19T11:39:42.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2023-01-14T06:47:17.000Z (almost 2 years ago)
- Last Synced: 2024-10-06T01:41:25.843Z (about 1 month ago)
- Topics: aws, devops, dns, domain, email-security, hardening, security, security-hardening, terraform, terraform-module
- Language: HCL
- Homepage:
- Size: 12.7 KB
- Stars: 3
- Watchers: 2
- Forks: 3
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
Awesome Lists containing this project
README
# terraform-aws-parked-domain-baseline
[](https://github.com/nozaq/terraform-aws-parked-domain-baseline/actions/workflows/main.yml)
[](https://github.com/nozaq/terraform-aws-parked-domain-baseline/releases/latest)
[Terraform Module Registry](https://registry.terraform.io/modules/nozaq/parked-domain-baseline/aws)
A terraform module to set up DNS records to harden the parked(unused) domain using AWS Route53.
Domains should be protected for email spoofing even if they are not intended to be actively used.
This module configures DNS records to protect such domain based on [M3AAWG Protecting Parked Domains Best Common Practices].
## Features
This module creates the following DNS records.
- Null MX record([RFC 7505]) to indicate the domain does not accept any email.
- SPF record to indicate no IP is authorized to send email on behalf of this domain.
- DMARC record to enforce receiving domains to reject any email forging this domain.
- Optionally adds `rua` tag in the DMARC record to receive aggregate feedback reports via email.
- Optionally creates Null MX and DMARC records for wildcard subdomains as well as the root domain(enabled by default).
## Usage
```hcl
provider "aws" {
}
data "aws_route53_zone" "this" {
name = "example.com"
}
module "parked_domain" {
source = "nozaq/parked-domain-baseline/aws"
zone_id = data.aws_route53_zone.this.zone_id
ttl = 86400 # One day
}
```
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3 |
| [aws](#requirement\_aws) | >= 4.40 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 4.40 |
## Inputs
| Name | Description | Type | Required |
|------|-------------|------|:--------:|
| [aggregate\_feedback\_email](#input\_aggregate\_feedback\_email) | The email address to which aggregate feedback is to be sent. | `string` | no |
| [include\_subdomains](#input\_include\_subdomains) | Configure all subdomains as well as the root domain. | `bool` | no |
| [ttl](#input\_ttl) | The TTL of the DNS records. | `number` | no |
| [zone\_id](#input\_zone\_id) | The DNS zone ID to add the records to. Either zone\_name or zone\_id need to be given. | `string` | no |
## Outputs
No outputs.
## Related modules
- [terraform-cloudflare-parked-domain-baseline](https://github.com/nozaq/terraform-cloudflare-parked-domain-baseline): The module to accomplish same outcome with Cloudflare DNS instead of AWS Route53.
- [terraform-google-parked-domain-baseline](https://github.com/nozaq/terraform-google-parked-domain-baseline): The module to accomplish same outcome with GCP Cloud DNS instead of AWS Route53.
[M3AAWG Protecting Parked Domains Best Common Practices]: https://www.m3aawg.org/sites/default/files/m3aawg_parked_domains_bcp-2022-06.pdf
[RFC 7505]: https://datatracker.ietf.org/doc/rfc7505/