
A Terraform module that handles creation of multiple Route53 zones including attachment to new or existing delegation set

Primary LanguageHCLMIT LicenseMIT

Terraform module: AWS Route53 Zone

Usage | Tagging | Importing | Examples | Requirements | Providers | Inputs | Outputs | License

Build Status Tag Terraform License

This Terraform module is able to create an arbitrary number of delegation sets, public and private hosted zones for root and delegated domains.

Public hosted zones can be created with or without a delegation set. Private hosted zones will always have the default VPC from the current region attached, but can optionally also attach more VPCs from any region.

When adding delegated secondary zones, the NS records are added automatically to their corresponding root zone. The only thing you need to choose, is the TTL (in seconds), of those NS records, per item.


module "public_zone" {
  source = "github.com/cytopia/terraform-aws-route53-zone?ref=v1.0.0"

  # Create as many delegation sets by reference name as are required.
  delegation_sets = [

  # Specify your root zones.
  # Tld or subdomain of any level to make this your starting point on the current AWS account.
  # If delegation set is null, it will use AWS defaults. otherwise specify the delegation set
  # by reference name as defined in 'delegation_sets' above.
  public_root_zones = [
      name           = "example.com",
      delegation_set = "root-zone",
      name           = "example.org",
      delegation_set = null,

  # Specify your delegated secondary zones (must have their parents defined in 'public_zones')
  # If delegation set is null, it will use AWS defaults. otherwise specify the delegation set
  # by reference name as defined in 'delegation_sets' above.
  # Specify your own name servers or use an empty list to use AWS defaults.
  public_delegated_secondary_zones = [
      name           = "internal.example.org",
      parent         = "example.org",
      ns_ttl         = 30,
      ns_list        = [],
      delegation_set = null,
      name           = "private.example.org",
      parent         = "example.org",
      ns_ttl         = 30,
      ns_list        = ["", "", "", ""],
      delegation_set = "sub-zone",

  # Specify your private zones.
  # All private zones will be attached to the default VPC of the current region.
  # Optionally also attach more VPCs by id and region.
  private_root_zones = [
      name     = "private.loc",
      vpc_ids  = [],
      name     = "private.local",
      vpc_ids  = [{"id": "vpc-xxxxxxxxxx", "region": "eu-central-1"}],

  # A set of default tags to add to all managed resources.
  # The 'Name' tag will be added automatically with the value of the domain of each item.
  tags = {
    Environment    = "prod"
    Infrastructure = "core"
    Owner          = "terraform"
    Project        = "route53-zone"

  # The default comment to add to all managed resources.
  comment = "Managed by Terraform"

Resource tagging

This module will add certain tags to specific resources by default. The tags variable extends these and adds additional tags to the resources.

Tags Condition Description
Name Always on all zones Name of domain
Parent On public delegated zones Name of parent domain
DelegationSetId On public zones which are using a delegation set Name of delegation set
DelegationSetName On public zones which are using a delegation set ID of delegation set

Importing existing resources

In case you have existing resources and want to import them into this module, use the following commands:

Delegation sets

# List available delegation sets
aws route53 list-reusable-delegation-sets

# Define them in tfvars
delegation_sets = [
  "",  # <- If a delegation set is nameless, use an empty string

# Import them
terraform import 'aws_route53_delegation_set.delegation_sets[""]' <DELEG-ID>
terraform import 'aws_route53_delegation_set.delegation_sets["deleg1"]' <DELEG-ID>


# Public root zone
terraform import 'aws_route53_zone.public_root_zones["www.example.com"]' <ZONE-ID>

# Private root zone
terraform import 'aws_route53_zone.private_root_zones["private.example.com"]' <ZONE-ID>

Secondary zones

Secondary zones will create NS records in their parent zone. So in order to import them, you will first have to identify the currently existing NS record in the parent zone, import it and then import the secondary zone.

# List records in parent zone
aws route53 list-resource-record-sets --hosted-zone-id <PARENT-ZONE-ID>

# Import NS record (from parent zone)
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record#import
terraform import 'aws_route53_record.public_delegated_secondary_ns_records["sub.www.example.com"]' <PARENT-ZONE-ID>_sub.www.example.com_NS

# Import Sub zone
terraform import 'aws_route53_zone.public_delegated_secondary_zones["sub.www.example.com"]' <ZONE-ID>



No requirements.


Name Version
aws n/a


Name Description Type Default Required
comment Default comment to add to all resources. string "Managed by Terraform" no
delegation_sets A list of delegation sets to create. You only need to specify the alias names that can then be referenced by other variables in this module via this unique name. A delegation set is a set of four authoritative name servers that you can use with more than one hosted zone. By default, Route 53 assigns a random selection of name servers to each new hosted zone. To make it easier to migrate DNS service to Route 53 for a large number of domains, you can create a reusable delegation set and then associate the reusable delegation set with new hosted zones. list(string) [] no
private_root_zones Private Route53 root zone (also allows subdomain if this is your root starting point). Note, by default the default VPC will always be attached, even if vpc_ids or vpc_tags are empty.
name = string,
vpc_ids = list(object({
id = string,
region = string,
[] no
public_delegated_secondary_zones A list of public Route53 delegated secondary zones. Each item must specify its 'parent' by name, which must match the name defined in the 'public_root_zones' variables and must also be exactly one level deeper than the corresponding root zone item. By doing so, this module will automatically add nameservers into the root zone to create the delegation. You can also attach a delegation_set to this zone by its reference name (if it has been defined in the 'delegation_sets' list) or set it to 'null' to use no delegation set. Additionally you can also define your own name servers for this zone by specifying them in the ns_list list or just leave the list empty to use AWS default name server.
name = string,
parent = string,
ns_ttl = number,
ns_list = list(string),
delegation_set = string,
[] no
public_root_zones A list of public Route53 root zones. A 'root zone' can be anything from a tld to any level of subdomain, if and only if this is your root starting point for this (sub-)domain on the current AWS account. You can also attach a delegation_set to this root zone by its reference name (if it has been defined in the 'delegation_sets' list) or set it to 'null' to use no delegation set.
name = string,
delegation_set = string,
[] no
tags Default tags to additionally apply to all resources. map {} no


Name Description
delegation_sets Created delegation sets.
private_root_zones Created private root zones.
public_delegated_secondary_ns_records Created NS records in your root zone for delegated secondary zones.
public_delegated_secondary_zones Created public delegated secondary zones.
public_root_zones Created public root zones.

Example output

$ terraform output

delegation_sets = {
  "dg0" = {
    "name_servers" = [
    "reference_name" = "dg0"
  "dg1" = {
    "name_servers" = [
    "reference_name" = "dg1"
public_root_zones = {
  "example.org" = {
    "comment" = "Managed by Terraform"
    "delegation_set_id" = "N0XXXXXXXXXXXXXXXXXXX"
    "force_destroy" = false
    "name" = "example.org."
    "name_servers" = [
    "tags" = {
      "DelegationSetId" = "N0XXXXXXXXXXXXXXXXXXX"
      "DelegationSetName" = "dg0"
      "Name" = "example.org"
    "vpc" = []
    "zone_id" = "Z0YYYYYYYYYYYYYYYY"
public_delegated_secondary_ns_records = {
  "internal.example.org" = {
    "alias" = []
    "failover_routing_policy" = []
    "fqdn" = "internal.example.org"
    "geolocation_routing_policy" = []
    "id" = "Z1YYYYYYYYYYYYYYYY_internal.example.org_NS"
    "latency_routing_policy" = []
    "name" = "internal.example.org"
    "records" = [
    "ttl" = 30
    "type" = "NS"
    "weighted_routing_policy" = []
    "zone_id" = "Z1YYYYYYYYYYYYYYYY"
public_delegated_secondary_zones = {
  "internal.example.org" = {
    "comment" = "Managed by Terraform"
    "delegation_set_id" = "N1XXXXXXXXXXXXXXXXXXX"
    "force_destroy" = false
    "name" = "internal.example.org."
    "name_servers" = [
    "tags" = {
      "DelegationSetId" = "N1XXXXXXXXXXXXXXXXXXX"
      "DelegationSetName" = "dg1"
      "Name" = "internal.example.org"
      "Root" = "example.org"
    "vpc" = []
    "zone_id" = "Z1YYYYYYYYYYYYYYYY"


Module managed by cytopia.


MIT License

Copyright (c) 2018 cytopia