AWS Route 53 Key Signing Key

This page shows how to write Terraform and CloudFormation for Route 53 Key Signing Key and write them securely.

aws_route53_key_signing_key (Terraform)

The Key Signing Key in Route 53 can be configured in Terraform with the resource name aws_route53_key_signing_key. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

github-iconkwiniaskaridge/terraform-dns
resource "aws_route53_key_signing_key" "zone" {
  hosted_zone_id             = aws_route53_zone.zone.id
  key_management_service_arn = var.kms-key.arn
  name                       = var.name
}

github-iconManagedKube/kubernetes-ops
resource "aws_route53_key_signing_key" "this" {
  hosted_zone_id             = aws_route53_zone.this.id
  key_management_service_arn = aws_kms_key.this.arn
  name                       = "key"
}

github-iconUGNS/terraform-aws-route53-dnssec
resource "aws_route53_key_signing_key" "this" {
  for_each = toset(var.zone_ids)

  hosted_zone_id             = random_string.ksk[each.key].keepers.hosted_zone_id
  key_management_service_arn = aws_kms_key.this.arn
  name                       = random_string.ksk[each.key].id
github-iconaleksandarknezevic/terraform-aws-route53-dnssec
resource "aws_route53_key_signing_key" "zone_signing_key" {
  name                       = format("%s-ksk", replace(var.route53_zone_name, ".", "-"))
  hosted_zone_id             = data.aws_route53_zone.route53_zone.id
  key_management_service_arn = aws_kms_key.kms_key.arn
}

github-iconmethridge/me-aws-sandbox-dns
resource "aws_route53_key_signing_key" "sandbox_key" {
  hosted_zone_id             = aws_route53_zone.sandbox.id
  key_management_service_arn = aws_kms_key.dns_kms_key.arn
  name                       = "sandbox_key"
}

Parameters

Explanation in Terraform Registry

Manages a Route 53 Key Signing Key. To manage Domain Name System Security Extensions (DNSSEC) for a Hosted Zone, see the aws_route53_hosted_zone_dnssec resource. For more information about managing DNSSEC in Route 53, see the Route 53 Developer Guide.

AWS::Route53::KeySigningKey (CloudFormation)

The KeySigningKey in Route53 can be configured in CloudFormation with the resource name AWS::Route53::KeySigningKey. The following sections describe how to use the resource and its parameters.

Parameters

HostedZoneId The unique string (ID) that is used to identify a hosted zone. For example: Z00001111A1ABCaaABC11.
Required: Yes
Type: String
Update requires: Replacement

KeyManagementServiceArn The Amazon resource name (ARN) for a customer managed customer master key (CMK) in AWS Key Management Service (AWS KMS ). The KeyManagementServiceArn must be unique for each key-signing key (KSK) in a single hosted zone. For example: arn:aws:kms:us-east-1:111122223333:key/111a2222-a11b-1ab1-2ab2-1ab21a2b3a111.
Required: Yes
Type: String
Update requires: Replacement

Name A string used to identify a key-signing key (KSK). Name can include numbers, letters, and underscores (_). Name must be unique for each key-signing key in the same hosted zone.
Required: Yes
Type: String
Minimum: 3
Maximum: 128
Update requires: Replacement

Status A string that represents the current key-signing key (KSK) status.
Status can have one of the following values:
ACTIVE
The KSK is being used for signing.
INACTIVE
The KSK is not being used for signing.
DELETING
The KSK is in the process of being deleted.
ACTIONNEEDED
There is a problem with the KSK that requires you to take action to resolve. For example, the customer managed key might have been deleted, or the permissions for the customer managed key might have been changed.
INTERNAL_FAILURE
There was an error during a request. Before you can continue to work with DNSSEC signing, including actions that involve this KSK, you must correct the problem. For example, you may need to activate or deactivate the KSK. _Required
: Yes
Type: String
Minimum: 5
Maximum: 150
Update requires: No interruption

Explanation in CloudFormation Registry

The AWS::Route53::KeySigningKey resource creates a new key-signing key (KSK) in a hosted zone. The hosted zone ID is passed as a parameter in the KSK properties. You can specify the properties of this KSK using the Name, Status, and KeyManagementServiceArn properties of the resource.

Frequently asked questions

What is AWS Route 53 Key Signing Key?

AWS Route 53 Key Signing Key is a resource for Route 53 of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS Route 53 Key Signing Key?

For Terraform, the kwiniaskaridge/terraform-dns, ManagedKube/kubernetes-ops and UGNS/terraform-aws-route53-dnssec source code examples are useful. See the Terraform Example section for further details.