AWS Route 53 Key Signing Key

This page shows how to write Terraform and CloudFormation for Route 53 Key Signing Key and how to write them securely.

aws_route53_key_signing_key (Terraform)

The Key Signing Key in Route 53 can be configured in Terraform with the resource name aws_route53_key_signing_key. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

route53.tf#L8
resource "aws_route53_key_signing_key" "zone" {
  hosted_zone_id             = aws_route53_zone.zone.id
  key_management_service_arn = var.kms-key.arn
  name                       = var.name
}

main.tf#L60
resource "aws_route53_key_signing_key" "this" {
  hosted_zone_id             = aws_route53_zone.this.id
  key_management_service_arn = aws_kms_key.this.arn
  name                       = "key"
}

main.tf#L35
resource "aws_route53_key_signing_key" "this" {
  for_each = toset(var.zone_ids)

  hosted_zone_id             = random_string.ksk[each.key].keepers.hosted_zone_id
  key_management_service_arn = aws_kms_key.this.arn
  name                       = random_string.ksk[each.key].id
}

main.tf#L41
resource "aws_route53_key_signing_key" "zone_signing_key" {
  name                       = format("%s-ksk", replace(var.route53_zone_name, ".", "-"))
  hosted_zone_id             = data.aws_route53_zone.route53_zone.id
  key_management_service_arn = aws_kms_key.kms_key.arn
}

main.tf#L58
resource "aws_route53_key_signing_key" "sandbox_key" {
  hosted_zone_id             = aws_route53_zone.sandbox.id
  key_management_service_arn = aws_kms_key.dns_kms_key.arn
  name                       = "sandbox_key"
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Manages a Route 53 Key Signing Key. To manage Domain Name System Security Extensions (DNSSEC) for a Hosted Zone, see the aws_route53_hosted_zone_dnssec resource. For more information about managing DNSSEC in Route 53, see the Route 53 Developer Guide.
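A complete signing setup for one zone, tying the KSK to a KMS key whose policy is scoped to the Route 53 DNSSEC service and to aws_route53_hosted_zone_dnssec, as an added example that is not the page's own code or any linked repository's: the zone name example.com, the resource labels, the KSK name and a provider configured for us-east-1 (the region Route 53 requires the signing key to live in) are assumptions.

```hcl
# Added example; zone name, labels and KSK name are assumed. Provider region must be us-east-1.
data "aws_caller_identity" "current" {}

resource "aws_route53_zone" "zone" {
  name = "example.com"
}

# Route 53 needs an asymmetric ECC_NIST_P256 SIGN_VERIFY key. The policy grants the DNSSEC
# service principal only what signing needs, scoped to this account's hosted zones; if these
# statements are removed later the KSK drops into ACTIONNEEDED.
resource "aws_kms_key" "dnssec" {
  customer_master_key_spec = "ECC_NIST_P256"
  key_usage                = "SIGN_VERIFY"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid = "AllowKeyAdministration", Effect = "Allow", Action = "kms:*", Resource = "*"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
      },
      {
        Sid = "AllowRoute53DnssecSigning", Effect = "Allow", Resource = "*"
        Principal = { Service = "dnssec-route53.amazonaws.com" }
        Action    = ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"]
        Condition = {
          StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id }
          ArnLike      = { "aws:SourceArn" = "arn:aws:route53:::hostedzone/*" }
        }
      },
      {
        Sid = "AllowRoute53DnssecGrants", Effect = "Allow", Resource = "*"
        Principal = { Service = "dnssec-route53.amazonaws.com" }
        Action    = "kms:CreateGrant"
        Condition = { Bool = { "kms:GrantIsForAWSResource" = "true" } }
      }
    ]
  })
}

resource "aws_route53_key_signing_key" "zone" {
  hosted_zone_id             = aws_route53_zone.zone.id
  key_management_service_arn = aws_kms_key.dnssec.arn
  name                       = "example_com_ksk" # letters, digits and underscores only
  status                     = "ACTIVE"
}
# Signing is enabled only after the KSK exists; the reference orders the two resources.
resource "aws_route53_hosted_zone_dnssec" "zone" {
  hosted_zone_id = aws_route53_key_signing_key.zone.hosted_zone_id
  signing_status = "SIGNING"
}
```

After apply, the DS record from the KSK still has to be published in the parent zone, which this configuration does not do.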

AWS::Route53::KeySigningKey (CloudFormation)

The KeySigningKey in Route53 can be configured in CloudFormation with the resource name AWS::Route53::KeySigningKey. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

website-redirect.yaml#L98
    Type: AWS::Route53::KeySigningKey
    Properties:
      HostedZoneId: !Ref HostedZoneId
      KeyManagementServiceArn: !GetAtt KskMasterKey.Arn
      Name: key_signing_key   # Cannot include hyphens. See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53-keysigningkey.html#cfn-route53-keysigningkey-name
      Status: ACTIVE

zone-dnssec.yaml#L41
    Type: 'AWS::Route53::KeySigningKey'
    Properties:
      HostedZoneId: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneId'}
      KeyManagementServiceArn: {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyArn'}
      Name: 'ksk_01'
      Status: 'ACTIVE'

dnssec.yaml#L28
      Type: AWS::Route53::KeySigningKey
      Properties:
         HostedZoneId:
            Ref: HostedZoneId
         KeyManagementServiceArn:
            Fn::GetAtt:

dnssec.json#L76
            "Type": "AWS::Route53::KeySigningKey",
            "Properties": {
                "HostedZoneId": {
                    "Ref": "HostedZoneId"
                },
                "KeyManagementServiceArn": {

template.json#L1551
    "AWS::Route53::KeySigningKey": {
      "Type": "AWS::Route53::KeySigningKey",
      "Properties": {}
    },
    "AWS::IoTCoreDeviceAdvisor::SuiteDefinition": {
      "Type": "AWS::IoTCoreDeviceAdvisor::SuiteDefinition",

Parameters

HostedZoneId The unique string (ID) that is used to identify a hosted zone. For example: Z00001111A1ABCaaABC11.
Required: Yes
Type: String
Update requires: Replacement

KeyManagementServiceArn The Amazon resource name (ARN) for a customer managed customer master key (CMK) in AWS Key Management Service (AWS KMS). The KeyManagementServiceArn must be unique for each key-signing key (KSK) in a single hosted zone. For example: arn:aws:kms:us-east-1:111122223333:key/111a2222-a11b-1ab1-2ab2-1ab21a2b3a111.
Required: Yes
Type: String
Update requires: Replacement

Name A string used to identify a key-signing key (KSK). Name can include numbers, letters, and underscores (_). Name must be unique for each key-signing key in the same hosted zone.
Required: Yes
Type: String
Minimum: 3
Maximum: 128
Update requires: Replacement

Status A string that represents the current key-signing key (KSK) status.
Status can have one of the following values:
ACTIVE: The KSK is being used for signing.
INACTIVE: The KSK is not being used for signing.
DELETING: The KSK is in the process of being deleted.
ACTIONNEEDED: There is a problem with the KSK that requires you to take action to resolve. For example, the customer managed key might have been deleted, or the permissions for the customer managed key might have been changed.
INTERNAL_FAILURE: There was an error during a request. Before you can continue to work with DNSSEC signing, including actions that involve this KSK, you must correct the problem. For example, you may need to activate or deactivate the KSK.
Required: Yes
Type: String
Minimum: 5
Maximum: 150
Update requires: No interruption

Explanation in CloudFormation Registry

The AWS::Route53::KeySigningKey resource creates a new key-signing key (KSK) in a hosted zone. The hosted zone ID is passed as a parameter in the KSK properties. You can specify the properties of this KSK using the Name, Status, and KeyManagementServiceArn properties of the resource.

Frequently asked questions

What is AWS Route 53 Key Signing Key?

AWS Route 53 Key Signing Key is a resource for Route 53 of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Route 53 Key Signing Key?

For Terraform, the kwiniaskaridge/terraform-dns, ManagedKube/kubernetes-ops and UGNS/terraform-aws-route53-dnssec source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the DerploidEntertainment/Website, widdix/aws-cf-templates and kalrish/area51 source code examples are useful. See the CloudFormation Example section for further details.