cisagov / cool-dns-cyber.dhs.gov

Terraform configuration to create and populate the cyber.dhs.gov zone.
Creative Commons Zero v1.0 Universal

Update route53_crossfeed_app.tf TXT values #89

Closed cduhn17 closed 10 months ago

cduhn17 commented 10 months ago

Update route53_crossfeed_app.tf TXT values

🗣 Description

Let's Encrypt certbot SSL certs renewed; as part of the renewal process, the DNS TXT files are system updated.

💭 Motivation and context

The DNS TXT records must be updated for the renewal process to complete. This process determines ownership and control of the domains that the SSL certs are dependent on.

🧪 Testing

✅ Pre-approval checklist

dv4harr10 commented 10 months ago

Hi Team, one question: For route53_static.tf line 95: Are the Amazon Simple Queue Service (SQS) queues protecting the contents of their messages using Server-Side Encryption (SSE)? The SQS service uses an AWS KMS Customer Master Key (CMK) to generate data keys required for the encryption/decryption process of SQS messages. Apparently, there is no additional charge for using SQS Server-Side Encryption, but there is a charge for using AWS KMS.

dav3r commented 10 months ago

> Hi Team, one question: For route53_static.tf line 95: Are the Amazon Simple Queue Service (SQS) queues protecting the contents of their messages using Server-Side Encryption (SSE)? The SQS service uses an AWS KMS Customer Master Key (CMK) to generate data keys required for the encryption/decryption process of SQS messages. Apparently, there is no additional charge for using SQS Server-Side Encryption, but there is a charge for using AWS KMS.

Server-side encryption is currently disabled for that SQS queue. Since this issue is unrelated to this PR, please create a new issue for this. I'm not sure if there are any concerns with encrypting this queue, but if so, they can be discussed in the new issue you create. Thanks!

dv4harr10 commented 10 months ago

> > Hi Team, one question: For route53_static.tf line 95: Are the Amazon Simple Queue Service (SQS) queues protecting the contents of their messages using Server-Side Encryption (SSE)? The SQS service uses an AWS KMS Customer Master Key (CMK) to generate data keys required for the encryption/decryption process of SQS messages. Apparently, there is no additional charge for using SQS Server-Side Encryption, but there is a charge for using AWS KMS.
>
> Server-side encryption is currently disabled for that SQS queue. Since this issue is unrelated to this PR, please create a new issue for this. I'm not sure if there are any concerns with encrypting this queue, but if so, they can be discussed in the new issue you create. Thanks!

Hi Dave, the issue is mostly specific to the route53_static.tf code. Since SSE is disabled for the SQS queue, that's sufficient. Thanks

dav3r commented 10 months ago

@cduhn17 I went ahead and applied these TXT record changes, so you should now (or very soon) see them updated in DNS.