PARENT: Backup of MoJ DNS estate

[AntonyBishop]

User Need

As a Operations Engineering Team
I want a way to-back-up our DNS estate
so that in the event of loss or a failure we are able to recover DNS records in part or as a whole.

Value

AWS Route53 is highly available but doesn't offer a back-up. All DNS processes in MoJ are manual and therefore back-up is a manual process. Without a backup we are reliant on the manual process of recovery via audit logs.

We know we have others user in this account who could make changes. We are guarding against the risk of DNS being changes by someone that could could have a negative impact on services. Having a backup could allows us to revert changes/restore on a known configuration.

Without a backup of records there is a risk that reverting changes could take longer, or worse, case we have no previous configuration to revert back to.

Having a regular, automated process for back-up would de-risk change, or loss of one or more entire Hostedzones

Functional Requirements:

1. We can back-up all our hostedzones and associated DNS records from the MoJDSD account.
2. We are able to use back-up to revert changes.
3. We should be able to restore whole zones or individual records.
4. We should back-up at least once a week.
5. Easy to read format e.g. JSON, YAML.
6. Any repos should be classified as "Internal".

Non-Functional Requirements:

1. Process should be secure
2. Process should be documented

Acceptance Criteria:

1. We should check with Security how securely we should store this information.
2. We identify a process to back-up.
3. We have a working process to bac-up.
   Notes:

[levgorbunov1]

Terraform/AWS Lambda - https://github.com/bridgecrewio/terraform-aws-route53-backup-restore

[levgorbunov1]

Python - https://github.com/cosmin/route53-transfer

[levgorbunov1]

AWS CLI - https://medium.com/@sharma.naman/how-to-take-aws-route53-backup-2bc3a0343b4

[levgorbunov1]

Security's response:
Yes that should be good, as long as the bucket access is restricted to a specific S3 Access IAM role such that only authorised internal users can access this data, and block public access to the S3 bucket.
Once it's done please let us know.

[levgorbunov1]

SUBTASKS:

• SUBTASK: R53 backup system demo and documentation #4198
• SUBTASK: Create unit tests for Route 53 backup #4214
• SUBTASK: Script to Restore R53 records from backup #4197
• SUBTASK: Terraform R53 DSD backup IAM role #4215
• SUBTASK: Create state infrastructure for R53 backup #4193
• SUBTASK: Discuss architecture of R53 backup system #4203
• SUBTASK: set up S3 infrastructure to store R53 backup data #4192
• SUBTASK: Script to backup R53 data to S3 #4195