
Setting up DNS

Requirements

Before deploying DNS, first purchase your chosen vanity and service domains in the core-dns account or in your chosen registrar. Refer back to the Decide on Vanity (Branded) Domain and Decide on Service Discovery Domain design decisions for more information.

When registering a new domain, we have the option of using Route53’s built-in registrar or using an existing registrar. Many enterprise-scale organizations use MarkMonitor to manage their domain portfolio. Our convention is to use the core-dns account as the registrar. This allows us to use AWS IAM roles and policies to manage access to the registered domains and to centralized DNS management.

NOTE:
Domain registration through Route 53 Domains cannot be automated with Terraform (the provider can manage settings of a domain that is already registered, but it cannot register one), so ClickOps is still required for the registration step itself.

Registering domain names using Amazon Route 53 - Amazon Route 53

We recommend checking with your legal department on where they want to consolidate domain ownership. It has larger ramifications as to IP/trademark defense.

Deploy DNS Components

The DNS stacks are broken up into primary and delegated deployments. A primary DNS zone is created with only the default NS and SOA records, and it expects the owner of the associated domain to enter those NS records as the domain's name servers in whatever console manages the domain (the registrar). Consult the dns-primary component documentation for more information.

The delegated DNS zones insert their NS records into the primary DNS zone; thus they are mostly automated. Consult the dns-delegated component documentation for more information.

To start the DNS setup, run atmos workflow deploy/dns -f network. The workflow first creates the primary zones, then establishes the delegated zones, whose NS records are written into the primaries.

Configure Registrar NS Records for Domain (Click Ops)

In order to connect each newly provisioned Hosted Zone to its purchased domain, add the zone's NS records at the chosen Domain Registrar. Retrieve the name servers from the dns-primary output of each stack listed below; they must be entered manually on the registered domain, and until they are, the hosted zone is not reachable from the public DNS tree.

  • Delegate Shared Service Domain, acme-svc.com

    atmos terraform output dns-primary -s core-gbl-dns
  • Delegate Platform Sandbox Vanity Domain, acme-sandbox.com

    atmos terraform output dns-primary -s plat-gbl-sandbox
  • Delegate Platform Dev Vanity Domain, acme-dev.com

    atmos terraform output dns-primary -s plat-gbl-dev
  • Delegate Platform Staging Vanity Domain, acme-stage.com

    atmos terraform output dns-primary -s plat-gbl-staging
  • Delegate Platform Prod Vanity Domain, acme-prod.com

    atmos terraform output dns-primary -s plat-gbl-prod

For more on NS records
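Because the registrar update is manual, it is worth confirming that what the public DNS tree now advertises for each domain matches exactly the name servers Route 53 assigned to the hosted zone: a missing server gives a partially lame delegation, and an extra server that AWS did not assign to this zone is the classic precondition for a zone takeover. The following check is an added example, not part of the reference architecture or of the dns-primary component. It assumes two inputs: the hosted zone's name servers as they would appear in terraform output -json (the zones -> domain -> name_servers nesting is an assumed shape for the example, not the component's documented output), and the NS RRset currently published for the domain, as dig +short NS acme-svc.com prints it. Both samples below are constructed.

```python
"""Check that a registrar's delegation matches a Route 53 hosted zone's NS set.

Added example, not part of the reference architecture or the dns-primary
component. Input shapes and all sample data are constructed/assumed.
"""
import json

# Constructed sample of what `terraform output -json` might return for the
# dns-primary component. The nesting (zones -> <domain> -> name_servers) is an
# assumption for this example, not the component's documented output.
SAMPLE_TERRAFORM_OUTPUT_JSON = """
{
  "zones": {
    "sensitive": false,
    "type": ["object", {}],
    "value": {
      "acme-svc.com": {
        "zone_id": "Z0123456789EXAMPLE",
        "name_servers": [
          "ns-1234.awsdns-12.org.",
          "ns-567.awsdns-34.net",
          "NS-890.awsdns-56.com.",
          "ns-12.awsdns-78.co.uk."
        ]
      }
    }
  }
}
"""

# Constructed sample of `dig +short NS acme-svc.com` taken before the registrar
# update fully propagated: one server is still the old (foreign) one.
SAMPLE_DIG_OUTPUT_STALE = """\
ns-1234.awsdns-12.org.
ns-567.awsdns-34.net.
ns-890.awsdns-56.com.
ns-999.awsdns-99.co.uk.
"""

# Constructed sample of the same query once the delegation is correct.
SAMPLE_DIG_OUTPUT_OK = """\
ns-1234.awsdns-12.org.
ns-567.awsdns-34.net.
ns-890.awsdns-56.com.
ns-12.awsdns-78.co.uk.
"""


def normalize(names):
    """Lowercase, strip the trailing dot and blank lines: DNS names are case
    insensitive, and dig and terraform differ on the trailing dot."""
    return frozenset(n.strip().lower().rstrip(".") for n in names if n.strip())


def zone_name_servers(terraform_output_json, domain):
    """Name servers Route 53 assigned to the hosted zone for `domain`."""
    data = json.loads(terraform_output_json)
    return normalize(data["zones"]["value"][domain]["name_servers"])


def published_name_servers(dig_output):
    """Name servers the public DNS tree currently advertises (dig +short NS)."""
    return normalize(dig_output.splitlines())


def check_delegation(zone_ns, published_ns):
    """Return (ok, missing, unexpected).

    missing:    hosted-zone servers the registrar does not advertise (lame delegation)
    unexpected: advertised servers Route 53 did not assign to this zone; traffic
                for the domain is answered by something you do not control.
    """
    missing = zone_ns - published_ns
    unexpected = published_ns - zone_ns
    return (not missing and not unexpected, missing, unexpected)


if __name__ == "__main__":
    zone = zone_name_servers(SAMPLE_TERRAFORM_OUTPUT_JSON, "acme-svc.com")
    for label, dig in (("stale", SAMPLE_DIG_OUTPUT_STALE), ("ok", SAMPLE_DIG_OUTPUT_OK)):
        ok, missing, unexpected = check_delegation(zone, published_name_servers(dig))
        print(f"{label}: ok={ok} missing={sorted(missing)} unexpected={sorted(unexpected)}")
```

On a real cutover, feed the check with the actual dns-primary output for each stack and a live query; querying the parent zone's servers directly (dig @<parent-ns> NS acme-svc.com) shows what the registrar has published without waiting for resolver caches to expire. Repeat the check for every vanity domain, not only the service domain.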

ACM

Each domain managed by the dns-primary component creates its own ACM certificate. However, the delegated domains need additional ACM certificates that cover their own names, so we use a separate instance of the acm component to provision each service domain certificate.

We can deploy all required ACM certificates with the following command:

atmos workflow deploy/acm -f network