Route 53 Hosted Zone & Records

aws-route53

Route 53 hosted zone (public by default) plus a clean, map-driven set of records. Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0. The fiddly bits are handled for you: record names are normalised to the zone (use a relative label, @ for the apex, or a full FQDN), and the alias-vs-rdata distinction is resolved so ttl/records are only sent for standard records and the alias block only for alias targets.

Secure / sensible defaults:

• Public zone by default; supply vpc_ids to make it a private zone resolvable only inside those VPCs (DNS is inherently public, so there is no "encryption" knob — the meaningful control is public vs. private).
• force_destroy = false by default so you never silently delete records that were created outside Terraform; the live-test fixture flips it to true for guaranteed teardown.
• Standalone aws_route53_record resources via for_each (stable addressing, no count churn when the record map changes).
• Inputs are validated: record type is checked against the allowed set, and each record must set exactly one of records (rdata) or alias.

Requirements

• Terraform or OpenTofu >= 1.6
• hashicorp/aws >= 6.0, < 7.0

Verification

Static-validated (fmt, validate, tflint, checkov). A live-test fixture is provided under tests/ (throwaway public zone + A/TXT records, applied and destroyed immediately — Route 53 hosted zones are billed ~$0.50/month prorated, so a same-session apply→destroy costs cents). See catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).