G Suite Terraform Definition
locals {
  // G Suite service hostnames that are CNAMEd to ghs.googlehosted.com
  // by google_dns_record_set.domain_io_gsuite (one record per entry).
  // NOTE(review): the list order is load-bearing — each entry becomes a
  // count-indexed resource, so reordering or inserting in the middle
  // re-creates the records that follow it. Append only.
  gsuite_services = ["calendar", "drive", "groups", "mail", "sites"]
}
// Authoritative Cloud DNS zone for domain.io (inspect with: host -a domain.io).
// Every record set below attaches to this zone via its name/dns_name.
// NOTE(review): the zone is not DNSSEC-signed here; the provider exposes a
// dnssec_config block if signing is wanted, but that also requires a DS record
// at the registrar, so it is left as a deliberate follow-up rather than enabled.
resource "google_dns_managed_zone" "domain_io" {
  dns_name = "domain.io."  // trailing dot: fully-qualified zone apex
  name     = "domain-io"   // Cloud DNS resource name, referenced by managed_zone below
}
// Apex (bare domain) A record.
// NOTE(review): 127.0.0.1 is a placeholder — resolving the apex to loopback
// means any client hitting domain.io talks to itself. Replace with the real
// front-end address (e.g. the same google_compute_address used for api.) before
// this is applied to a production zone. The 15 s TTL looks like a
// "while we are still moving things" value; raise it once the target is stable.
resource "google_dns_record_set" "domain_io_apex" {
  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "${google_dns_managed_zone.domain_io.dns_name}"
  ttl          = 15
  type         = "A"

  rrdatas = ["127.0.0.1"]
}
// www.domain.io -> CNAME to the apex, so it follows whatever the apex A record
// points at (currently the placeholder in domain_io_apex).
resource "google_dns_record_set" "domain_io_www" {
  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "www.${google_dns_managed_zone.domain_io.dns_name}"
  ttl          = 15
  type         = "CNAME"

  rrdatas = ["${google_dns_managed_zone.domain_io.dns_name}"]
}
// api.domain.io -> A record for the reserved external address
// google_compute_address.default, which is declared elsewhere (not in this file).
// NOTE(review): if that address is ever released while this record remains,
// the name becomes a dangling pointer into Google's IP pool — keep the two
// resources in the same lifecycle.
resource "google_dns_record_set" "domain_io_api" {
  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "api.${google_dns_managed_zone.domain_io.dns_name}"
  ttl          = 15
  type         = "A"

  rrdatas = ["${google_compute_address.default.address}"]
}
// CAA: restricts which CAs may issue certificates for domain.io and its subdomains.
// https://support.cloudflare.com/hc/en-us/articles/115000310832-Certification-Authority-Authorization-CAA-FAQ
//
// NOTE(review):
//  * The iodef contact is security@domain.com while this zone is domain.io —
//    looks like a copy/paste slip; confirm the intended mailbox, otherwise CA
//    violation reports go to a mailbox on a different domain.
//  * Each issue entry is mirrored by an identical issuewild entry. That is
//    harmless but redundant — a CAA set with no issuewild property already
//    applies its issue list to wildcard requests; the issuewild lines only
//    matter if wildcard issuance should be narrower than the issue list.
//  * Five CAs are authorised. If only one or two are actually used, trimming
//    the list shrinks the set of CAs an attacker can target for mis-issuance.
//  * CA identifier strings are whatever each CA publishes in its CP/CPS;
//    they change (e.g. vendor renames), so re-check them periodically.
resource "google_dns_record_set" "domain_io_caa" {
  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "${google_dns_managed_zone.domain_io.dns_name}"
  ttl          = 15
  type         = "CAA"

  // flags 0 = non-critical; tag issue/issuewild/iodef; value = CA id or report URI
  rrdatas = [
    "0 issue \"comodoca.com\"",
    "0 issuewild \"comodoca.com\"",
    "0 issue \"digicert.com\"",
    "0 issuewild \"digicert.com\"",
    "0 issue \"globalsign.com\"",
    "0 issuewild \"globalsign.com\"",
    "0 issue \"google.com\"",
    "0 issuewild \"google.com\"",
    "0 issue \"letsencrypt.org\"",
    "0 issuewild \"letsencrypt.org\"",
    "0 iodef \"mailto:security@domain.com\"",
  ]
}
# G Suite service URLs (calendar., drive., groups., mail., sites.)
# https://support.google.com/a/answer/53340?hl=en
#
# One CNAME per entry of local.gsuite_services, all pointing at Google's
# shared front end. Index-based count: the resource address is tied to the
# list position, so keep the list append-only.
resource "google_dns_record_set" "domain_io_gsuite" {
  count = "${length(local.gsuite_services)}"

  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "${local.gsuite_services[count.index]}.${google_dns_managed_zone.domain_io.dns_name}"
  ttl          = 300
  type         = "CNAME"

  rrdatas = ["ghs.googlehosted.com."]
}
// Inbound mail for domain.io -> Google's MX hosts (priority, host).
// NOTE(review): a 15 s TTL on MX means every sending MTA re-resolves almost
// every delivery; MX targets rarely change, so a TTL in the hours range is
// the usual choice and reduces dependence on the resolver being reachable.
resource "google_dns_record_set" "domain_io_mx" {
  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "${google_dns_managed_zone.domain_io.dns_name}"
  ttl          = 15
  type         = "MX"

  rrdatas = [
    "1 aspmx.l.google.com.",
    "5 alt1.aspmx.l.google.com.",
    "5 alt2.aspmx.l.google.com.",
    "10 alt3.aspmx.l.google.com.",
    "10 alt4.aspmx.l.google.com.",
  ]
}
# Email Security
# https://support.google.com/a/topic/7556597?hl=en&ref_topic=7556782
#
# SPF — declares Google's outbound hosts as the only authorised senders.
# https://support.google.com/a/answer/33786?hl=en
#
# NOTE(review):
#  * "~all" is SOFTFAIL: receivers are asked to accept-but-mark mail from
#    other sources, so on its own this does not stop spoofing. Moving to
#    "-all" (hard fail) once no legitimate third-party sender is missing is
#    the usual hardening step; DMARC (below) is what turns the verdict into
#    a reject/quarantine action either way.
#  * A domain must have exactly one SPF TXT record; any other TXT on the apex
#    (e.g. site-verification tokens) must be a separate string in this same
#    record set, because Cloud DNS keys record sets by (name, type).
resource "google_dns_record_set" "domain_io_spf" {
  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "${google_dns_managed_zone.domain_io.dns_name}"
  ttl          = 3600
  type         = "TXT"

  // inner quotes are escaped because Cloud DNS expects the TXT string quoted
  rrdatas = ["\"v=spf1 include:_spf.google.com ~all\""]
}
# DKIM — currently DISABLED (count = 0) and the public key is a placeholder.
# @TODO: generate the key in the Admin console, paste the "p=" value, set count = 1.
# https://support.google.com/a/answer/174124?hl=en
#
# NOTE(review):
#  * "Gmail uses default DKIM when this isn't enabled": presumably that default
#    signature is made under a Google-owned signing domain, not domain.io, so
#    it would not be DMARC-aligned — DMARC for this domain then passes on SPF
#    alone. Confirm against Google's docs before relying on it; enabling this
#    record is the fix.
#  * Prefer a 2048-bit key. A 2048-bit "p=" exceeds 255 characters, so the TXT
#    value may need to be split into multiple quoted strings in rrdatas
#    (verify how the provider handles long TXT data at apply time).
#  * "XXXXXXX" is obviously a placeholder, but with count = 0 nothing is
#    published, so this cannot accidentally advertise a bogus key.
resource "google_dns_record_set" "domain_io_dkim" {
  count = 0

  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "google._domainkey.${google_dns_managed_zone.domain_io.dns_name}"
  ttl          = 300
  type         = "TXT"

  rrdatas = ["\"v=DKIM1; k=rsa; p=XXXXXXX\""]
}
# DMARC — policy for mail that fails SPF/DKIM alignment, plus aggregate reporting.
# https://support.google.com/a/answer/2466563
#
# NOTE(review):
#  * "p=none" is MONITOR ONLY: receivers report but take no action, so spoofed
#    mail from domain.io is still delivered. Treat this as the first stage of a
#    rollout — review the rua reports, then move to "p=quarantine" and finally
#    "p=reject" (optionally staged with "pct=").
#  * rua points at postmaster@domain.io, the same organisational domain, so
#    no external-destination authorisation record is needed; that changes if
#    reports are ever routed to a third-party DMARC service.
#  * No "ruf=" (forensic reports) is set; many receivers do not send them
#    anyway, and they can contain message content, so omitting it is reasonable.
resource "google_dns_record_set" "domain_io_dmarc" {
  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "_dmarc.${google_dns_managed_zone.domain_io.dns_name}"
  ttl          = 300
  type         = "TXT"

  rrdatas = ["\"v=DMARC1; p=none; rua=mailto:postmaster@domain.io\""]
}