Starting on some DNS.

README.md

@@ -1,18 +1,27 @@
 # NHS Notify DNS
 
-[![CI/CD Pull Request](https://github.com/nhs-england-tools/repository-template/actions/workflows/cicd-1-pull-request.yaml/badge.svg)](https://github.com/nhs-england-tools/repository-template/actions/workflows/cicd-1-pull-request.yaml)
-[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=repository-template&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=repository-template)
+NHS Notify DNS Zones.
 
-Start with an overview or a brief description of what the project is about and what it does. For example -
+Variables:
+- parent domain eg nhsnotify.abc.com
+- EnvType
+- EnvName
+- Destinations:
+  - eg 192.168.1.1
 
-Welcome to our repository template designed to streamline your project setup! This robust template provides a reliable starting point for your new projects, covering an essential tech stack and encouraging best practices in documenting.
+EG when deployed:
+- parent domain nhsnotify.abc.co,m
+- envType: prod
+- envname: prod1
+- billingDnsZone: 192.168.1.1
 
-This repository template aims to foster a user-friendly development environment by ensuring that every included file is concise and adequately self-documented. By adhering to this standard, we can promote increased clarity and maintainability throughout your project's lifecycle. Bundled within this template are resources that pave the way for seamless repository creation. Currently supported technologies are:
+DNS record would be:
 
-- Terraform
-- Docker
+billing.prod1.prod.nhsnotify.abc.com => NS => 192.168.1.1
 
-Make use of this repository template to expedite your project setup and enhance your productivity right from the get-go. Enjoy the advantage of having a well-structured, self-documented project that reduces overhead and increases focus on what truly matters - coding!
+Format:
+
+[NotifyDomainBoundary].[EnvName].[EnvType].[ParentDomain]
 
 ## Table of Contents
 

scripts/terraform/dns/.gitignore

@@ -0,0 +1,41 @@
+# Ignore the lock file as this is just an example
+.terraform.lock.hcl
+# Ignore Terraform plan
+*tfplan*
+
+# SEE: https://github.com/github/gitignore/blob/main/Terraform.gitignore
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

scripts/terraform/dns/README.md

@@ -0,0 +1 @@
+# Notify DNS

scripts/terraform/dns/main.tf

@@ -0,0 +1,46 @@
+resource "aws_s3_bucket" "terraform_state_store" {
+  bucket = var.terraform_state_bucket_name
+  lifecycle {
+    prevent_destroy = false // FIXME: Normally, this should be 'true' - this is just an example
+  }
+}
+
+resource "aws_s3_bucket_versioning" "enabled" {
+  bucket = aws_s3_bucket.terraform_state_store.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
+  bucket = aws_s3_bucket.terraform_state_store.id
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "public_access" {
+  bucket                  = aws_s3_bucket.terraform_state_store.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_dynamodb_table" "dynamodb_terraform_state_lock" {
+  name         = var.terraform_state_table_name
+  billing_mode = "PAY_PER_REQUEST"
+  hash_key     = "LockID"
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+  server_side_encryption {
+    enabled = true
+  }
+  point_in_time_recovery {
+    enabled = true
+  }
+}

scripts/terraform/dns/provider.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = "eu-west-2"
+}

scripts/terraform/dns/variables.tf

@@ -0,0 +1,9 @@
+variable "terraform_state_bucket_name" {
+  description = "The S3 bucket name to store Terraform state"
+  default     = "repository-template-example-terraform-state-store"
+}
+
+variable "terraform_state_table_name" {
+  description = "The DynamoDB table name to acquire Terraform lock"
+  default     = "repository-template-example-terraform-state-lock"
+}

scripts/terraform/dns/versions.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_version = ">= 1.5.0"
+  required_providers {
+    aws = {
+      version = ">= 5.14.0"
+    }
+  }
+}