Route53 "DS" ResourceRecordSet Type

[swies0wl]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.14.4
AWS Provider v3.23.0
aws-cli: 2.1.17

Description

With the announcement of DNSSEC and to support, #16836,
Requesting feature for "DS" record creation.

DS record creation is supported through AWS CLI and JSON with the following:

AWS CLI:

aws route53 change-resource-record-sets --hosted-zone-id <parent-zone-id> --change-batch file://new_record.json

new_record.json:

  {
    "Comment": "string",
    "Changes": [
      {
        "Action": "CREATE"|"DELETE"|"UPSERT",
        "ResourceRecordSet": {
          "Name": "<dns-subzone>",
          "Type": "DS",
          "TTL": 300,
          "ResourceRecords": [
            {
              "Value": "<ds-record>"
            }
          ]
          }
        }
      ]
  }

New or Affected Resource(s)

• aws_route53_record

Potential Terraform Configuration

resource "aws_route53_record" "myzone" {
  zone_id = var.zone_id
  name    = var.zone_name
  type    = "DS"
  ttl     = 300
  records = var.dsrecord
}

Current output during creation attempt with type="DS":

error when attempting:
Error: expected type to be one of [SOA A TXT NS CNAME MX NAPTR PTR SRV SPF AAAA CAA], got DS
  on ds_record/main.tf line 8, in resource "aws_route53_record" "myzone":
   8:   type     = "DS"

References

• https://aws.amazon.com/about-aws/whats-new/2020/12/announcing-amazon-route-53-support-dnssec/

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record

• https://docs.aws.amazon.com/Route53/latest/APIReference/API_ResourceRecordSet.html

• #0000

[anGie44]

Thanks for raising this issue @swies0wl. Noting here we can catch this new type ("DS") by updating the ValidateFunc associated w/the type argument in the resource schema e.g.

ValidateFunc: validation.StringInSlice([]string{route53.RRType_Values()...

as currently we list out the possible values.

[bflad]

For anyone working on this implementation, I believe to test the new DS value requires enabling DNSSEC on the Route 53 Hosted Zone before the API will accept this record type, which is the second part of #16836. We can however accept the above mentioned change as long as it passes the existing regression testing, which there's no reason it shouldn't.

[swies0wl]

Hi All. Just checking in. Looks like there's a pull request. Will this be reviewed and merged?

[bflad]

Support for this functionality has been merged and will release with version 3.31.0 of the Terraform AWS Provider, later this week. Thank you to @khanhhongpham for the implementation. 👍