
Why you should manage your DNS through IaC.

Recently, I have been working for a customer that has lots of different domains/DNS zones. A few of them are managed through code with Terraform, though most of them are managed manually across different DNS management portals.

The question arose whether it would be worthwhile to manage all of them through code (Infrastructure as Code, IaC) and take the time to migrate to one centralized DNS management provider. My answer? Yes!

Then, why?
Managing your DNS zone through code, in combination with Git, has several advantages:

  • Version control: you can track DNS record changes over time, and in case of issues or errors you can easily roll back to a known-good state.
  • Fewer human errors: with a Git branching strategy, every change needs to be reviewed and validated before it is pushed to production.
  • Auditability: every change/commit is linked to a specific account, so you can always verify who made a certain change and when.
  • Disaster recovery: if a DNS record or, worse, your complete DNS zone is removed, you can easily recover it from your IaC code.
  • Last but not least, granular access control: with certain tools like Bitbucket, you can grant access to only certain files. By doing so, you can easily delegate the management of individual DNS zones.

Well, how do I get started?
First of all, you should choose the language you will use to manage your DNS zone and/or infrastructure. There are platform-specific options such as Bicep for Azure, or you can choose a more general one like Terraform. For this example, I will use Terraform. Next, make sure your infrastructure and/or DNS provider supports Terraform. There are plenty of providers available; you can find the complete list on the Terraform website. Frequently used providers are cloud providers like Azure and Google Cloud Platform (GCP), but did you know you can even manage Cloudflare through Terraform?

In this example I will use Azure. First of all, you need to declare which provider you use. The exact syntax is different for each provider: choose your provider on the Terraform website and then click the ‘Documentation’ button in the top right corner.

For example, for Azure you use:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0"
    }
  }
}

provider "azurerm" {
  features {}
}

Then you create a DNS zone. As usual in Azure, every resource lives in a resource group, so we create a resource group too:

resource "azurerm_resource_group" "dns-rg" {
  name     = "prd-weu-dnsmanagement"
  location = "West Europe"
}

resource "azurerm_dns_zone" "maartendemoor-be-dns-zone" {
  name                = "maartendemoor.be"
  resource_group_name = azurerm_resource_group.dns-rg.name
}

Now you can add the necessary DNS records, such as A records and CNAME records:

resource "azurerm_dns_a_record" "maartendemoor-be-a" {
  name                = "@"
  zone_name           = azurerm_dns_zone.maartendemoor-be-dns-zone.name
  resource_group_name = azurerm_resource_group.dns-rg.name
  ttl                 = 300
  records             = ["1.2.3.4"]
}

resource "azurerm_dns_cname_record" "www-maartendemoor-be-cname" {
  name                = "www"   # the record label, i.e. www.maartendemoor.be
  zone_name           = azurerm_dns_zone.maartendemoor-be-dns-zone.name
  resource_group_name = azurerm_resource_group.dns-rg.name
  ttl                 = 300
  record              = "maartendemoor.be"   # the canonical name this alias points to
}

Since the syntax is specific to each provider, keep a close eye on the Terraform documentation for the provider you use.
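The snippets above show the mechanics; the following is an added example (not code from this post) of the same Azure setup written so that the advantages listed earlier are enforced by Terraform itself rather than left to discipline. The zone name, resource names and IP addresses are placeholders I chose for illustration: records are declared as data in variables (so a pull request diff shows exactly which name or value changed), `validation` blocks reject typical human errors such as a malformed IPv4 address or a CNAME at the zone apex before anyone reviews a plan, `prevent_destroy` turns an accidental zone deletion into a failed plan, and SPF/DMARC TXT records sit under the same review gate as everything else.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Records are data, not hand-edited portal entries: a pull request diff shows
# exactly which name or value changed, and validation catches typos early.
variable "a_records" {
  type = map(list(string))
  default = {
    "@"    = ["192.0.2.10"] # example addresses from the RFC 5737 documentation range
    "mail" = ["192.0.2.25"]
  }
  validation {
    condition = alltrue(flatten([
      for name, ips in var.a_records : [for ip in ips : can(cidrnetmask("${ip}/32"))]
    ]))
    error_message = "Every A record value must be a valid IPv4 address."
  }
}

variable "cname_records" {
  type    = map(string)
  default = { "www" = "example.com" }
  validation {
    # A CNAME at the zone apex is invalid DNS; Azure would only reject it at
    # apply time, so fail early with a message the reviewer understands.
    condition     = !contains(keys(var.cname_records), "@")
    error_message = "CNAME records cannot be created at the zone apex (@)."
  }
}

variable "txt_records" {
  type = map(list(string))
  default = {
    "@"      = ["v=spf1 -all"] # SPF: no host may send mail as this domain (placeholder policy)
    "_dmarc" = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]
  }
}

resource "azurerm_resource_group" "dns" {
  name     = "prd-weu-dnsmanagement"
  location = "West Europe"
}

resource "azurerm_dns_zone" "zone" {
  name                = "example.com" # placeholder zone
  resource_group_name = azurerm_resource_group.dns.name

  # Disaster-recovery guard: a plan that would delete the zone fails instead
  # of being applied; removing this line is itself a reviewable commit.
  lifecycle {
    prevent_destroy = true
  }
}

resource "azurerm_dns_a_record" "a" {
  for_each            = var.a_records
  name                = each.key
  zone_name           = azurerm_dns_zone.zone.name
  resource_group_name = azurerm_resource_group.dns.name
  ttl                 = 300
  records             = each.value
}

resource "azurerm_dns_cname_record" "cname" {
  for_each            = var.cname_records
  name                = each.key
  zone_name           = azurerm_dns_zone.zone.name
  resource_group_name = azurerm_resource_group.dns.name
  ttl                 = 300
  record              = each.value
}

resource "azurerm_dns_txt_record" "txt" {
  for_each            = var.txt_records
  name                = each.key
  zone_name           = azurerm_dns_zone.zone.name
  resource_group_name = azurerm_resource_group.dns.name
  ttl                 = 300

  # One record block per TXT string in the list
  dynamic "record" {
    for_each = each.value
    content {
      value = record.value
    }
  }
}
```

For zones that already exist in a portal, migrate rather than recreate: bring the zone under Terraform with `terraform import azurerm_dns_zone.zone /subscriptions/<subscription-id>/resourceGroups/prd-weu-dnsmanagement/providers/Microsoft.Network/dnsZones/example.com` (the resource ID format is documented by the azurerm provider), then run `terraform plan` and only merge once it reports no changes, so the code is proven to match production before anyone relies on it for recovery. In the Git workflow, have the pipeline post the `terraform plan` output on the pull request for reviewers, and run `terraform apply` only from the protected main branch.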

Thank you for reading my very first blog post. I hope you were able to get started with it! If you have any questions or feedback, do not hesitate to leave a comment or reach out to me via LinkedIn.
