Challenge:
You need to change a lot of DNS records inside an AWS Route53 hosted zone. In prod...
Let's skip the obvious question of why these DNS records are not managed as Infrastructure-as-Code.
Either way, you need to back up all these records prior to the change, for rollback purposes.
Solution:
1. Create a list of the DNS names to change:
cat multisitest.it-security.ca.list
test1.it-security.ca.
test2.it-security.ca.
test3.it-security.ca.
2. Get the hosted zone ID from the AWS CLI:
aws route53 list-hosted-zones
3. Normally, aws route53 list-resource-record-sets --hosted-zone-id Z1YS
will give you JSON, but unfortunately it is not directly usable for a quick restore: its format differs from the change-batch JSON file that change-resource-record-sets expects when you change or restore records.
4. With a quick and quite dirty bash loop we can get better formatted JSON:
while read site; do
  # open one change entry; UPSERT creates or overwrites the record set on restore
  echo '{ "Action": "UPSERT", "ResourceRecordSet":'
  # fetch only the record set(s) for this name and strip the surrounding JSON array
  aws route53 list-resource-record-sets --hosted-zone-id Z1YS \
    --query "ResourceRecordSets[?Name == '$site']" --profile it-sec | jq '.[]'
  # close the entry; the trailing comma is fixed up by hand in the next step
  echo "},"
done < multisitest.it-security.ca.list > multisitest.it-security.ca.back.json
This file has almost everything needed to build a change-batch file for the AWS CLI: https://docs.aws.amazon.com/cli/latest/reference/route53/change-resource-record-sets.html
Almost. We need to add
{
"Comment": "Point some Test TLS1.2 environments to the Incapsula",
"Changes": [
at the beginning of the change set, then remove the trailing "," after the last entry and add
]
}
at the end.
5. Now you have the Route53 DNS records backed up and ready to restore.
The next step is to create a copy of your backup file and modify it to reflect the changes you need to make.
6. Final step: apply your changes:
aws route53 change-resource-record-sets --hosted-zone-id Z1YS --change-batch file://multisitest.it-security.ca.json --profile it-sec
7. And, in case of disaster, use the same command to roll back quickly, specifying the backup file:
aws route53 change-resource-record-sets --hosted-zone-id Z1YS --change-batch file://multisitest.it-security.ca.back.json --profile it-sec
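As an added example (not the author's script and not code from the post), here is a Python version of the backup side of steps 4 to 7 that assembles the change batch with the json module instead of echoing braces around jq output, so the result is always valid JSON and needs no hand editing of commas and brackets. It makes one list-resource-record-sets call for the whole zone, filters by the names in the list file, reports names that do not exist in the zone (an UPSERT-based backup cannot roll those back; a true rollback would have to DELETE them), and structurally validates a batch before it is handed to change-resource-record-sets. The SAMPLE_DUMP records, the script name in the usage comment and the "backup before change" comment string are constructed for the example; the aws invocation uses only the flags shown on the page plus --output json.

```python
import json
import subprocess
import sys

# Constructed sample in the shape of `aws route53 list-resource-record-sets`
# output (record names and addresses are made up for the example).
SAMPLE_DUMP = {
    "ResourceRecordSets": [
        {"Name": "test1.it-security.ca.", "Type": "A", "TTL": 300,
         "ResourceRecords": [{"Value": "192.0.2.10"}]},
        {"Name": "test2.it-security.ca.", "Type": "CNAME", "TTL": 300,
         "ResourceRecords": [{"Value": "origin.example.net."}]},
        {"Name": "other.it-security.ca.", "Type": "A", "TTL": 300,
         "ResourceRecords": [{"Value": "192.0.2.20"}]},
    ]
}


def fqdn(name):
    """Route53 returns names with a trailing dot; accept list entries without one."""
    name = name.strip()
    return name if name.endswith(".") else name + "."


def build_change_batch(dump, names, comment, action="UPSERT"):
    """Turn a list-resource-record-sets dump into a change batch for the given
    names.  Returns (batch, missing): `missing` lists names that do not exist in
    the zone, which an UPSERT backup cannot restore, so the caller sees them
    before relying on the backup file."""
    wanted = {fqdn(n) for n in names if n.strip()}
    changes = [
        {"Action": action, "ResourceRecordSet": rrs}
        for rrs in dump["ResourceRecordSets"]
        if rrs["Name"] in wanted            # keeps every type (A, AAAA, ...) for the name
    ]
    found = {c["ResourceRecordSet"]["Name"] for c in changes}
    return {"Comment": comment, "Changes": changes}, sorted(wanted - found)


def validate_change_batch(batch):
    """Cheap structural check before feeding a (possibly hand-edited) file to the CLI."""
    if not isinstance(batch.get("Changes"), list) or not batch["Changes"]:
        return False                        # Route53 rejects an empty change list
    for change in batch["Changes"]:
        if change.get("Action") not in ("CREATE", "UPSERT", "DELETE"):
            return False
        rrs = change.get("ResourceRecordSet", {})
        if "Name" not in rrs or "Type" not in rrs:
            return False
        if "AliasTarget" not in rrs and "ResourceRecords" not in rrs:
            return False
    return True


def fetch_dump(zone_id, profile):
    """One CLI call for the whole zone instead of one call per name."""
    out = subprocess.run(
        ["aws", "route53", "list-resource-record-sets",
         "--hosted-zone-id", zone_id, "--profile", profile, "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # usage (hypothetical script name):
    #   python route53_backup.py Z1YS it-sec multisitest.it-security.ca.list > backup.json
    zone_id, profile, list_file = sys.argv[1:4]
    with open(list_file) as fh:
        names = fh.read().splitlines()
    batch, missing = build_change_batch(fetch_dump(zone_id, profile), names,
                                        "backup before change")
    for name in missing:
        print(f"warning: {name} not found in zone; an UPSERT backup cannot restore it",
              file=sys.stderr)
    if not validate_change_batch(batch):
        sys.exit("no matching record sets found; nothing to back up")
    print(json.dumps(batch, indent=2))
```

The generated file is used exactly like the post's back.json: copy it, edit the copy for the intended change, and apply either file with aws route53 change-resource-record-sets --change-batch file://... . Run validate_change_batch over the edited copy too, since a typo in a hand-edited batch is otherwise only caught when the API rejects the whole request.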