As part of my migration to Bunny CDN for andreas-jaggi.ch, I also moved the DNS zone over.
There are not many records in the zone, but one which turned out to be a bit more tricky was the CAA one.
I wanted to use the following Terraform snippet to create it:
resource "bunnynet_dns_record" "andreas_jaggi_ch_CAA" {
  zone  = bunnynet_dns_zone.andreas_jaggi_ch.id
  name  = ""
  type  = "CAA"
  value = "0 issue \"letsencrypt.org;validationmethods=http-01\""
}
But this always failed with a cryptic error message during terraform apply:
│ Error: Unable to create DNS record
│
│ with bunnynet_dns_record.andreas_jaggi_ch_CAA,
│ on dns.tf line 22, in resource "bunnynet_dns_record" "andreas_jaggi_ch_CAA":
│ 22: resource "bunnynet_dns_record" "andreas_jaggi_ch_CAA" {
│
│ A tag can be a maximum of 50 ASCII characters.
After some head-scratching I figured out that the Terraform provider has dedicated fields for the flags and tag parts of the CAA DNS record, and it insists on them being used this way:
resource "bunnynet_dns_record" "andreas_jaggi_ch_CAA" {
  zone  = bunnynet_dns_zone.andreas_jaggi_ch.id
  name  = ""
  type  = "CAA"
  tag   = "issue"
  flags = 0
  value = "letsencrypt.org;validationmethods=http-01"
}
With this in place, it worked fine. It also prepared me for the MX record, where a similar approach is required.
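To make the split between the three fields concrete, here is an added example (not code from the post and not part of the bunnynet provider) that parses a CAA record written in the RFC 8659 presentation format, i.e. the single string the first Terraform attempt put into value, into the flags/tag/value triple the provider expects. It also evaluates a record set the way a CA has to under RFC 8659 section 4.2, including the validationmethods parameter from RFC 8657 that the record above uses, so you can see what the record actually restricts. The record set is assumed to be the one already found for the name; the tree walk from RFC 8659 section 3 is not implemented.

```python
import re
from dataclasses import dataclass

# Added example, not code from the post or from the bunnynet provider.
# <flags> <tag> "<value>"; the value may contain backslash-escaped quotes.
_CAA_RE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"((?:[^"\\]|\\.)*)"\s*$')
_KNOWN_TAGS = {"issue", "issuewild", "iodef"}
_CRITICAL = 0x80  # issuer-critical flag bit (RFC 8659 section 4.1)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(presentation: str) -> CAARecord:
    """Split '0 issue "letsencrypt.org;validationmethods=http-01"' into its fields."""
    m = _CAA_RE.match(presentation)
    if not m:
        raise ValueError(f"not a CAA record in presentation format: {presentation!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError("flags must fit in one octet")
    # Tags are compared case-insensitively, so normalise once here.
    return CAARecord(flags, m.group(2).lower(), m.group(3).replace('\\"', '"'))


def bunny_fields(record: CAARecord) -> dict:
    """The three separate attributes the bunnynet_dns_record resource wants."""
    return {"flags": record.flags, "tag": record.tag, "value": record.value}


def parse_issue_value(value: str):
    """'letsencrypt.org;validationmethods=http-01' -> ('letsencrypt.org', {...})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def issuance_allowed(records, ca_domain: str, method: str, wildcard: bool = False) -> bool:
    """Decide whether ca_domain may issue for the name these records belong to.

    `records` is assumed to be the relevant record set already found for the name
    (RFC 8659 section 3 walks up the tree to find it; that lookup is not done here).
    """
    # An issuer-critical record with a tag the CA does not understand forbids issuance.
    if any(r.flags & _CRITICAL and r.tag not in _KNOWN_TAGS for r in records):
        return False
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r.tag == tag]
    if wildcard and not relevant:            # no issuewild records: fall back to issue
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        return True                          # property absent: any CA may issue
    for r in relevant:
        domain, params = parse_issue_value(r.value)
        if not domain:                       # 'issue ";"' means no CA at all
            continue
        if domain != ca_domain.lower():
            continue
        methods = params.get("validationmethods")
        if methods and method not in [m.strip() for m in methods.split(",")]:
            continue                         # right CA, wrong validation method
        return True
    return False
```

Once the record is published you can confirm what resolvers see with `dig CAA andreas-jaggi.ch +short`, which prints the same presentation format that parse_caa consumes. Note that the validationmethods restriction only binds CAs that implement RFC 8657 (Let's Encrypt does); a CA that ignores the parameter still honours the issue domain.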
For andreas-jaggi.ch I wanted to try out Bunny CDN.
Everything went very smoothly, and I used Terraform to configure Edge Rules blocking all unwanted access.
As andreas-jaggi.ch does not have much content, this resulted in a list of allowed files similar to this:
resource "bunnynet_pullzone_edgerule" "andreas_jaggi_4" {
  pullzone    = bunnynet_pullzone.andreas_jaggi.id
  description = "block not(known good) http://www.andreas-jaggi.ch"
  enabled     = true
  match_type  = "MatchNone"
  actions     = [{ type = "BlockRequest", parameter1 = null, parameter2 = null, parameter3 = null }]
  triggers = [
    {
      match_type = "MatchAny",
      patterns = [
        "http://www.andreas-jaggi.ch/",
        "http://www.andreas-jaggi.ch/favicon.ico",
        "http://www.andreas-jaggi.ch/robots.txt",
        "http://www.andreas-jaggi.ch/security.txt",
      ],
      type = "Url", parameter1 = null, parameter2 = null
    },
  ]
}
After this I set up the www subdomain as a CNAME and added it as an additional hostname to the CDN Pull Zone.
But the process to get a Let's Encrypt certificate for the www subdomain always failed with an error.
This is where I messed up.
Turns out my Edge Rules blocking all unwanted access also blocked the Let's Encrypt validation requests. 🤦
Once I realized this (which took a shamefully long time), I added an entry to the Edge Rules for the .well-known/acme-challenge/ subpath:
resource "bunnynet_pullzone_edgerule" "andreas_jaggi_4" {
  pullzone    = bunnynet_pullzone.andreas_jaggi.id
  description = "block not(known good) https://www.andreas-jaggi.ch"
  enabled     = true
  match_type  = "MatchNone"
  actions     = [{ type = "BlockRequest", parameter1 = null, parameter2 = null, parameter3 = null }]
  triggers = [
    {
      match_type = "MatchAny",
      patterns = [
        "http://www.andreas-jaggi.ch/",
        "http://www.andreas-jaggi.ch/favicon.ico",
        "http://www.andreas-jaggi.ch/robots.txt",
        "http://www.andreas-jaggi.ch/security.txt",
        "http://www.andreas-jaggi.ch/.well-known/acme-challenge/*",
      ],
      type = "Url", parameter1 = null, parameter2 = null
    },
  ]
}
With this in place, the process worked immediately and the www subdomain now also serves encrypted traffic. 🔐
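The mistake is easy to repeat whenever an allow-list is tightened, so here is an added example (my own code, not the post's and not Bunny's rule engine) that models the allow-list semantics of the rule above, a "MatchNone" rule over a "Url" trigger with "MatchAny" patterns and a "BlockRequest" action, and checks the pattern list against the URL an ACME HTTP-01 validator will fetch before the rule is deployed. The matching semantics are assumptions: a pattern is compared against the full request URL, "*" matches any run of characters, everything else is literal. The challenge token is constructed, not a real one.

```python
import re

# Added example: a model of the edge rule, not Bunny's implementation.
HOST = "www.andreas-jaggi.ch"
KNOWN_GOOD = [
    f"http://{HOST}/",
    f"http://{HOST}/favicon.ico",
    f"http://{HOST}/robots.txt",
    f"http://{HOST}/security.txt",
]
ACME_PATTERN = f"http://{HOST}/.well-known/acme-challenge/*"


def make_block_rule(patterns):
    """Mirror of the Terraform resource: block everything the Url trigger does not match."""
    return {
        "match_type": "MatchNone",
        "actions": [{"type": "BlockRequest"}],
        "triggers": [{"type": "Url", "match_type": "MatchAny", "patterns": list(patterns)}],
    }


RULE_BEFORE = make_block_rule(KNOWN_GOOD)                  # the first version of the rule
RULE_AFTER = make_block_rule(KNOWN_GOOD + [ACME_PATTERN])  # the fixed version


def _glob(pattern: str):
    # Assumed semantics: only "*" is a wildcard, the rest of the pattern is literal.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def _combine(match_type: str, results) -> bool:
    results = list(results)
    if match_type == "MatchAny":
        return any(results)
    if match_type == "MatchAll":
        return all(results)
    if match_type == "MatchNone":
        return not any(results)
    raise ValueError(f"unknown match_type {match_type!r}")


def trigger_matches(trigger, url: str) -> bool:
    return _combine(trigger["match_type"],
                    (_glob(p).match(url) is not None for p in trigger["patterns"]))


def rule_blocks(rule, url: str) -> bool:
    """True if the rule fires for this URL and one of its actions is BlockRequest."""
    fires = _combine(rule["match_type"], (trigger_matches(t, url) for t in rule["triggers"]))
    return fires and any(a["type"] == "BlockRequest" for a in rule["actions"])


def acme_challenge_url(host: str, token: str) -> str:
    """The validator fetches the token over plain HTTP on port 80 (RFC 8555 section 8.3)."""
    return f"http://{host}/.well-known/acme-challenge/{token}"


# Constructed token for the check; real tokens are chosen by the ACME server.
SAMPLE_CHALLENGE = acme_challenge_url(HOST, "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA")
```

Running rule_blocks(RULE_BEFORE, SAMPLE_CHALLENGE) reproduces the failure (the challenge URL is blocked), while RULE_AFTER lets it through and still blocks anything else that is not on the list. Because HTTP-01 starts on plain HTTP (the validator then follows redirects), the http:// form of the pattern is the one that matters; whether Bunny also needs the https:// form for its own matching is not something this model can tell you, so verify against the real Pull Zone after applying.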