G Suite Terraform Definition
locals {
  # Host labels that G Suite serves from ghs.googlehosted.com; domain_io_gsuite
  # creates one CNAME per entry, so adding a label here adds a record.
  gsuite_services = [
    "calendar",
    "drive",
    "groups",
    "mail",
    "sites",
  ]
}
// host -a domain.io
// Managed zone for domain.io. Every record set in this file hangs off it via
// managed_zone, and the record names are built by prefixing labels onto
// dns_name, so the trailing dot here is what keeps those names fully qualified.
resource "google_dns_managed_zone" "domain_io" {
  dns_name = "domain.io."
  name     = "domain-io"
}
// Apex A record for domain.io.
// NOTE(review): 127.0.0.1 is a loopback placeholder, so the apex resolves to
// nothing reachable until a real address is substituted (domain_io_api already
// takes its address from google_compute_address.default). A 15 s TTL makes
// resolvers re-query almost continuously; reasonable while the value is in
// flux, wasteful once it settles.
resource "google_dns_record_set" "domain_io_apex" {
  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "${google_dns_managed_zone.domain_io.dns_name}"
  type         = "A"
  rrdatas      = ["127.0.0.1"]
  ttl          = 15
}
// www.domain.io is an alias of the apex, so it follows whatever the apex A
// record resolves to (currently the placeholder in domain_io_apex).
resource "google_dns_record_set" "domain_io_www" {
  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "www.${google_dns_managed_zone.domain_io.dns_name}"
  type         = "CNAME"
  rrdatas      = ["${google_dns_managed_zone.domain_io.dns_name}"]
  ttl          = 15
}
// api.domain.io points at a static external IP. google_compute_address.default
// is declared elsewhere, not in this file, so this record cannot be planned
// on its own.
resource "google_dns_record_set" "domain_io_api" {
  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "api.${google_dns_managed_zone.domain_io.dns_name}"
  type         = "A"
  rrdatas      = ["${google_compute_address.default.address}"]
  ttl          = 15
}
// CAA policy at the apex: which certificate authorities may issue for
// domain.io. With no more specific CAA set below the apex, this list also
// governs every subdomain. Each "issue" line permits ordinary certificates and
// each "issuewild" line permits wildcards; the leading 0 is the non-critical
// flag. Five CAs plus wildcard grants for all of them is a broad allow-list —
// trimming it to the CAs actually in use is what makes CAA worth publishing.
// NOTE(review): the iodef report address is on domain.com while the zone is
// domain.io — confirm that mailbox is intended and monitored.
// https://support.cloudflare.com/hc/en-us/articles/115000310832-Certification-Authority-Authorization-CAA-FAQ
resource "google_dns_record_set" "domain_io_caa" {
  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "${google_dns_managed_zone.domain_io.dns_name}"
  type         = "CAA"
  ttl          = 15

  rrdatas = [
    "0 issue \"comodoca.com\"",
    "0 issuewild \"comodoca.com\"",
    "0 issue \"digicert.com\"",
    "0 issuewild \"digicert.com\"",
    "0 issue \"globalsign.com\"",
    "0 issuewild \"globalsign.com\"",
    "0 issue \"google.com\"",
    "0 issuewild \"google.com\"",
    "0 issue \"letsencrypt.org\"",
    "0 issuewild \"letsencrypt.org\"",
    "0 iodef \"mailto:security@domain.com\"",
  ]
}
# G Suite service URLs (calendar.domain.io, mail.domain.io, ...)
# https://support.google.com/a/answer/53340?hl=en
// One CNAME per entry in local.gsuite_services, all pointing at Google's
// shared host. count equals the list length, so count.index is always a valid
// position in the list.
resource "google_dns_record_set" "domain_io_gsuite" {
  count = "${length(local.gsuite_services)}"

  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "${local.gsuite_services[count.index]}.${google_dns_managed_zone.domain_io.dns_name}"
  type         = "CNAME"
  rrdatas      = ["ghs.googlehosted.com."]
  ttl          = 300
}
// Inbound mail for domain.io goes to Google's MX hosts. The leading number is
// the preference: aspmx.l.google.com is tried first, the alt1/alt2 pair next,
// alt3/alt4 last. Any host not in this list that claims to receive mail for
// the domain is not authorised by DNS.
resource "google_dns_record_set" "domain_io_mx" {
  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "${google_dns_managed_zone.domain_io.dns_name}"
  type         = "MX"
  ttl          = 15

  rrdatas = [
    "1 aspmx.l.google.com.",
    "5 alt1.aspmx.l.google.com.",
    "5 alt2.aspmx.l.google.com.",
    "10 alt3.aspmx.l.google.com.",
    "10 alt4.aspmx.l.google.com.",
  ]
}
# Email security (SPF, DKIM, DMARC)
# https://support.google.com/a/topic/7556597?hl=en&ref_topic=7556782
# SPF
# https://support.google.com/a/answer/33786?hl=en
// SPF at the apex: only Google's outbound hosts (_spf.google.com) are
// authorised senders. "~all" is a softfail — receivers mark other sources as
// suspect but usually still deliver; "-all" would ask them to reject outright
// once every legitimate sender is covered. The escaped quotes make the value a
// single quoted string in the TXT rdata.
// NOTE(review): a second google_dns_record_set with the same name and type
// (e.g. a verification TXT at the apex) would presumably collide with this one;
// extra apex TXT values belong in this rrdatas list.
resource "google_dns_record_set" "domain_io_spf" {
  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "${google_dns_managed_zone.domain_io.dns_name}"
  type         = "TXT"
  rrdatas      = ["\"v=spf1 include:_spf.google.com ~all\""]
  ttl          = 3600
}
# DKIM
# @TODO: generate the key and enable this record (count is 0 until then)
# Gmail signs with its default DKIM key until a domain key is enabled
# https://support.google.com/a/answer/174124?hl=en
// DKIM public key under the "google" selector. count = 0 means Terraform
// creates nothing; the p= value is a placeholder, not a key. When the real key
// is pasted in, set count to 1. A key longer than 255 characters has to be
// split into several adjacent quoted strings inside the one rrdata entry.
resource "google_dns_record_set" "domain_io_dkim" {
  count = 0

  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "google._domainkey.${google_dns_managed_zone.domain_io.dns_name}"
  type         = "TXT"
  rrdatas      = ["\"v=DKIM1; k=rsa; p=XXXXXXX\""]
  ttl          = 300
}
# DMARC
# https://support.google.com/a/answer/2466563
// DMARC policy for domain.io. p=none is monitor-only: receivers report
// SPF/DKIM alignment failures to the rua mailbox but take no action on the
// mail itself. The usual path is to read those aggregate reports, then move to
// p=quarantine and p=reject once legitimate mail is known to pass. The report
// address is on the same domain, so no external-destination authorisation
// record is needed.
resource "google_dns_record_set" "domain_io_dmarc" {
  managed_zone = "${google_dns_managed_zone.domain_io.name}"
  name         = "_dmarc.${google_dns_managed_zone.domain_io.dns_name}"
  type         = "TXT"
  rrdatas      = ["\"v=DMARC1; p=none; rua=mailto:postmaster@domain.io\""]
  ttl          = 300
}
I know this is a very old gist but did you manage to get anywhere with the DKIM record. I'm trying to see if there is a nice way to pull the generated records from google workspace
This was unfortunately about as much as was needed for my usecase. If you end up finding a solution I'm happy to update the gist with any good additions though so that it can be helpful for others.