From 319a185af288b120f6aeecd898f50ea2b021a669 Mon Sep 17 00:00:00 2001
From: Brian Manifold
Date: Wed, 11 Sep 2024 12:02:21 -0400
Subject: [PATCH] chore(infra): Add CAA record for trust.firezone.dev (#6668)
Why:
* `trust.firezone.dev` is actually being hosted by `trust.oneleet.com` which means Oneleet needs to issue the cert for `trust.firezone.dev` and can't use the Google CA used for the rest of `firezone.dev`.
Closes #6661
---
 terraform/environments/production/dns.tf | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/terraform/environments/production/dns.tf b/terraform/environments/production/dns.tf
index b1496a49d..05deeebb3 100644
--- a/terraform/environments/production/dns.tf
+++ b/terraform/environments/production/dns.tf
@@ -155,6 +155,19 @@ resource "google_dns_record_set" "google-dkim" {
 # Oneleet Trust page
+resource "google_dns_record_set" "trust-dns-caa" {
+ project = module.google-cloud-project.project.project_id
+ managed_zone = module.google-cloud-dns.zone_name
+
+ type = "CAA"
+ name = "trust.${module.google-cloud-dns.dns_name}"
+ rrdatas = [
+ "0 issue \"letsencrypt.org\"",
+ "0 iodef \"mailto:security@firezone.dev\""
+ ]
+ ttl = 3600
+}
+
 resource "google_dns_record_set" "oneleet-trust" {
 project = module.google-cloud-project.project.project_id
 managed_zone = module.google-cloud-dns.zone_name
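Review bot: The new `trust-dns-caa` record is placed at the same owner name as the existing `oneleet-trust` record below it, whose `type` and `rrdatas` lie outside the hunk; the description says the page is hosted by `trust.oneleet.com`, so if that record is a CNAME this CAA cannot coexist with it (a CNAME owner may carry no other data, and Cloud DNS should reject the change set), and even where it could, a CA following RFC 8659 resolves the alias and reads CAA at `trust.oneleet.com` first, then climbs to the `firezone.dev` parent that the description says permits only the Google CA, never consulting this record. In that case the record that actually unblocks Oneleet has to be published on the `trust.oneleet.com` side, or `trust.firezone.dev` has to become an A/AAAA record so a CAA at this name is the one a CA honours; please confirm which applies before merging. Either way the intent deserves a comment above the resource, e.g. `# Oneleet obtains this name's cert from Let's Encrypt; the zone-level CAA allows only Google CA, so override it here`. One more line noting that no `issuewild` tag is set, so the `issue` entry also governs wildcard issuance for this name, would make the policy explicit. The `oneleet-trust` resource continues past the end of the hunk.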