How to configure DNS for public services
Introduction
In order for users to access public-facing services with a URL (Uniform Resource Locator), DNS (Domain Name System) records must be created and associated with a valid certificate.
This enables users to securely access services over HTTPS (Hypertext Transfer Protocol Secure).
There are two main ways to use certificates for DNS on the Modernisation Platform: ACM (Amazon Certificate Manager) public certificates, and Gandi.net certificates imported into ACM.
Unless there is a good reason, ACM public certificates should be used as they are automatically managed and renewed. Gandi.net certificates cost more and require manual renewal.
DNS with ACM certificate
Non production environments
Non production environments should use the Modernisation Platform domain naming standards.
The following resources need to be created in different AWS accounts (see diagram above); the table below details the resources and the AWS provider required for each.
Resource | Terraform Resource | Terraform Provider | Description |
---|---|---|---|
ACM Public Certificate | aws_acm_certificate | default | ACM Public certificate created in the application account. The domain name should equal the main modernisation-platform domain, “modernisation-platform.service.justice.gov.uk”, the SAN (subject alternative name) should equal the DNS record name entry, eg “my-application.hmpps-test.modernisation-platform.service.justice.gov.uk” |
Route53 DNS record for certificate validation | aws_route53_record | aws.core-network-services | Created in the modernisation-platform hosted zone, this record validates the public certificate. |
Route53 DNS record for directing traffic to the service | aws_route53_record | aws.core-vpc | Created in the hosted zone for the environment and business unit, eg “my-application.hmpps-test.modernisation-platform.service.justice.gov.uk”. |
Production environments
Production environments should use a service.justice.gov.uk domain as per MoJ naming domains guidance.
The Modernisation Platform will need to request the delegation of the application domain (eg my-application.service.justice.gov.uk) from the Operations Engineering team. This is done via an email to the domains mailbox with the details of the records to be added to the service.justice.gov.uk domain, and to discuss whether the subdomain name meets the MoJ naming domains standard. Please contact the Modernisation Platform team in the #ask-modernisation-platform Slack channel to do this.
The Modernisation Platform team will then create a hosted zone for your domain. Once this has been completed, the following resources need to be created in different AWS accounts (see diagram above); the table below details the resources and the AWS provider required for each.
Resource | Terraform Resource | Terraform Provider | Description |
---|---|---|---|
ACM Public Certificate | aws_acm_certificate | default | ACM Public certificate created in the application account. The domain name should equal the application domain, “my-application.service.justice.gov.uk” |
Route53 DNS record for certificate validation | aws_route53_record | aws.core-network-services | Created in the application hosted zone, this record validates the public certificate. |
Route53 DNS record for directing traffic to the service | aws_route53_record | aws.core-network-services | Created in the application hosted zone, eg “my-application.service.justice.gov.uk”. |
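The two tables above as working Terraform. This is an added example, not Modernisation Platform module code: it uses the non-production names, and assumes the caller has configured the provider aliases aws.core-network-services and aws.core-vpc, that var.mp_zone_id and var.env_zone_id hold the two hosted zone IDs, and that aws_lb.app is the load balancer terminating HTTPS. For the production table, use the application domain as domain_name with no SAN and create both Route53 records through aws.core-network-services in the application hosted zone.

```hcl
# Added example, not Modernisation Platform module code. Assumes the caller
# configures provider aliases aws.core-network-services and aws.core-vpc, that
# var.mp_zone_id / var.env_zone_id hold the two hosted zone IDs from the table,
# and that aws_lb.app is the load balancer terminating HTTPS.
locals {
  # Constructed sample names following the non-production naming standard
  mp_domain = "modernisation-platform.service.justice.gov.uk"
  app_fqdn  = "my-application.hmpps-test.modernisation-platform.service.justice.gov.uk"
}

# ACM public certificate, created in the application account (default provider)
resource "aws_acm_certificate" "app" {
  domain_name               = local.mp_domain
  subject_alternative_names = [local.app_fqdn]
  validation_method         = "DNS"
  lifecycle { create_before_destroy = true } # no gap when the cert is replaced
}

# Validation CNAMEs in the modernisation-platform zone (core-network-services),
# one per name on the certificate, keyed by that name
resource "aws_route53_record" "validation" {
  provider = aws.core-network-services
  for_each = { for dvo in aws_acm_certificate.app.domain_validation_options : dvo.domain_name => dvo }
  zone_id         = var.mp_zone_id
  name            = each.value.resource_record_name
  type            = each.value.resource_record_type
  records         = [each.value.resource_record_value]
  ttl             = 60
  allow_overwrite = true
}

# Holds dependents (e.g. the HTTPS listener) until ACM reports the cert ISSUED
resource "aws_acm_certificate_validation" "app" {
  certificate_arn         = aws_acm_certificate.app.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}

# Traffic record in the environment/business-unit zone (core-vpc), an alias
# to the load balancer so the name follows the ALB without a fixed IP
resource "aws_route53_record" "app" {
  provider = aws.core-vpc
  zone_id  = var.env_zone_id
  name     = local.app_fqdn
  type     = "A"
  alias {
    name                   = aws_lb.app.dns_name
    zone_id                = aws_lb.app.zone_id
    evaluate_target_health = true
  }
}
```

Reference aws_acm_certificate_validation.app.certificate_arn, not the raw certificate ARN, from the listener so that the listener is only created once validation has completed.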
DNS with Gandi.net certificate
Gandi.net certificates should only be used if it is not possible to use ACM, for example some applications require the certificate to be installed on the server if HTTPS terminates on the server rather than the load balancer.
Non production environments
Non production environments should use an ACM public certificate, as detailed above, unless a Gandi.net certificate is necessary.
Production environments
The Modernisation Platform will need to request the delegation of the application domain (eg my-application.service.justice.gov.uk) from the Operations Engineering team, along with a new Gandi.net certificate. This is done via an email to the domains mailbox with the details of the records to be added to the service.justice.gov.uk domain, and to discuss whether the subdomain name meets the MoJ naming domains standard. Please contact the Modernisation Platform team in the #ask-modernisation-platform Slack channel to do this.
The Modernisation Platform team will then create a hosted zone for your domain and a validation record for the Gandi.net certificate. Once this has been completed, the following resources need to be created in different AWS accounts (see diagram above); the table below details the resources and the AWS provider required for each.
Resource | Terraform Resource | Terraform Provider | Description |
---|---|---|---|
Gandi.net certificate in ACM | N/A | N/A | The new certificate should be imported into ACM in the application production account. |
Data look up for the certificate in ACM | aws_acm_certificate (data) | default | Data source to enable the imported certificate to be used by AWS services such as an elastic load balancer. |
Route53 DNS record for directing traffic to the service | aws_route53_record | aws.core-network-services | Created in the application hosted zone, eg “my-application.service.justice.gov.uk”. |
The certificate should also be installed in the application as needed.
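The data look up from the table above, attached to a load balancer listener. This is an added example, not Modernisation Platform module code: it assumes the Gandi.net certificate has already been imported into ACM in the production account, that aws_lb.app and aws_lb_target_group.app exist, and that the aws_acm_certificate data source exports not_after in the provider version in use. Because Gandi.net certificates need manual renewal, the precondition makes the plan fail 30 days before expiry instead of letting the certificate lapse silently.

```hcl
# Added example, not Modernisation Platform module code. Assumes the Gandi.net
# certificate has already been imported into ACM in the production account,
# that aws_lb.app / aws_lb_target_group.app exist, and that not_after is
# exported by the aws_acm_certificate data source in the provider version used.
data "aws_acm_certificate" "gandi" {
  domain      = "my-application.service.justice.gov.uk" # constructed sample name
  types       = ["IMPORTED"]   # ignore any ACM-issued cert for the same name
  statuses    = ["ISSUED"]
  most_recent = true           # after a manual re-import, pick the newest copy
}

# Bind the imported certificate to the HTTPS listener. Gandi.net certificates
# are renewed by hand, so fail the plan well before expiry rather than
# discovering the lapse from a browser warning.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.2+ only
  certificate_arn   = data.aws_acm_certificate.gandi.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }

  lifecycle {
    precondition {
      # not_after must be later than now + 30 days (720h)
      condition     = timecmp(data.aws_acm_certificate.gandi.not_after, timeadd(timestamp(), "720h")) > 0
      error_message = "Imported Gandi.net certificate expires within 30 days; renew and re-import it."
    }
  }
}
```

After re-importing a renewed certificate, a fresh plan picks up the new ARN through most_recent and updates the listener in place.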