Created
December 12, 2018 16:17
-
-
Save syntaqx/34b1c3b61ddf86f47278d99c546258d1 to your computer and use it in GitHub Desktop.
G Suite Terraform Definition
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| locals { | |
| gsuite_services = ["calendar", "drive", "groups", "mail", "sites"] | |
| } | |
| // host -a domain.io | |
| resource "google_dns_managed_zone" "domain_io" { | |
| name = "domain-io" | |
| dns_name = "domain.io." | |
| } | |
| resource "google_dns_record_set" "domain_io_apex" { | |
| name = "${google_dns_managed_zone.domain_io.dns_name}" | |
| managed_zone = "${google_dns_managed_zone.domain_io.name}" | |
| type = "A" | |
| ttl = 15 | |
| rrdatas = ["127.0.0.1"] | |
| } | |
| resource "google_dns_record_set" "domain_io_www" { | |
| name = "www.${google_dns_managed_zone.domain_io.dns_name}" | |
| managed_zone = "${google_dns_managed_zone.domain_io.name}" | |
| type = "CNAME" | |
| ttl = 15 | |
| rrdatas = ["${google_dns_managed_zone.domain_io.dns_name}"] | |
| } | |
| resource "google_dns_record_set" "domain_io_api" { | |
| name = "api.${google_dns_managed_zone.domain_io.dns_name}" | |
| managed_zone = "${google_dns_managed_zone.domain_io.name}" | |
| type = "A" | |
| ttl = 15 | |
| rrdatas = ["${google_compute_address.default.address}"] | |
| } | |
| resource "google_dns_record_set" "domain_io_caa" { | |
| name = "${google_dns_managed_zone.domain_io.dns_name}" | |
| managed_zone = "${google_dns_managed_zone.domain_io.name}" | |
| type = "CAA" | |
| ttl = 15 | |
| // https://support.cloudflare.com/hc/en-us/articles/115000310832-Certification-Authority-Authorization-CAA-FAQ | |
| rrdatas = [ | |
| "0 issue \"comodoca.com\"", | |
| "0 issuewild \"comodoca.com\"", | |
| "0 issue \"digicert.com\"", | |
| "0 issuewild \"digicert.com\"", | |
| "0 issue \"globalsign.com\"", | |
| "0 issuewild \"globalsign.com\"", | |
| "0 issue \"google.com\"", | |
| "0 issuewild \"google.com\"", | |
| "0 issue \"letsencrypt.org\"", | |
| "0 issuewild \"letsencrypt.org\"", | |
| "0 iodef \"mailto:security@domain.com\"", | |
| ] | |
| } | |
| # G Suite service URLs | |
| # https://support.google.com/a/answer/53340?hl=en | |
| resource "google_dns_record_set" "domain_io_gsuite" { | |
| count = "${length(local.gsuite_services)}" | |
| name = "${element(local.gsuite_services, count.index)}.${google_dns_managed_zone.domain_io.dns_name}" | |
| managed_zone = "${google_dns_managed_zone.domain_io.name}" | |
| type = "CNAME" | |
| ttl = 300 | |
| rrdatas = ["ghs.googlehosted.com."] | |
| } | |
| resource "google_dns_record_set" "domain_io_mx" { | |
| name = "${google_dns_managed_zone.domain_io.dns_name}" | |
| managed_zone = "${google_dns_managed_zone.domain_io.name}" | |
| type = "MX" | |
| ttl = 15 | |
| rrdatas = [ | |
| "1 aspmx.l.google.com.", | |
| "5 alt1.aspmx.l.google.com.", | |
| "5 alt2.aspmx.l.google.com.", | |
| "10 alt3.aspmx.l.google.com.", | |
| "10 alt4.aspmx.l.google.com.", | |
| ] | |
| } | |
| # Email Security | |
| # https://support.google.com/a/topic/7556597?hl=en&ref_topic=7556782 | |
| # SPF | |
| # https://support.google.com/a/answer/33786?hl=en | |
| resource "google_dns_record_set" "domain_io_spf" { | |
| name = "${google_dns_managed_zone.domain_io.dns_name}" | |
| managed_zone = "${google_dns_managed_zone.domain_io.name}" | |
| type = "TXT" | |
| ttl = 3600 | |
| rrdatas = ["\"v=spf1 include:_spf.google.com ~all\""] | |
| } | |
| # DKIM | |
| # @TODO: Generate the key & enable this (count: 0) | |
| # Gmail uses default DKIM when this isn't enabled | |
| # https://support.google.com/a/answer/174124?hl=en | |
| resource "google_dns_record_set" "domain_io_dkim" { | |
| count = 0 | |
| name = "google._domainkey.${google_dns_managed_zone.domain_io.dns_name}" | |
| managed_zone = "${google_dns_managed_zone.domain_io.name}" | |
| type = "TXT" | |
| ttl = 300 | |
| rrdatas = ["\"v=DKIM1; k=rsa; p=XXXXXXX\""] | |
| } | |
| # DMARC | |
| # https://support.google.com/a/answer/2466563 | |
| resource "google_dns_record_set" "domain_io_dmarc" { | |
| name = "_dmarc.${google_dns_managed_zone.domain_io.dns_name}" | |
| managed_zone = "${google_dns_managed_zone.domain_io.name}" | |
| type = "TXT" | |
| ttl = 300 | |
| rrdatas = ["\"v=DMARC1; p=none; rua=mailto:postmaster@domain.io\""] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This was unfortunately about as much as was needed for my usecase. If you end up finding a solution I'm happy to update the gist with any good additions though so that it can be helpful for others.