Implement and test DNS Migration Procedure for GitLab Dedicated Tenants
All phases of the DNS Migration Plan have been defined in the Cloudflare WAF Blueprint document. However, we need to do the actual implementation by updating the Terraform modules in AMP and Instrumentor, and test the procedures for each phase on a sandbox environment as well as on the test and preprod environments.
Tenant DNS Migration Plan
DNS migration will be executed in multiple phases to reduce risk:
Phase 1: Use Route53 DNS - Non Referenced Duplicate Zone and Records in Cloudflare
- Use Route53 as DNS provider. (Current state. Referenced at Registrar)
- Maintain records in the Route53 monolith zone file (root domain).
- Create Root Domain Zone in Cloudflare. (Non Referenced by Registrar)
- Create Cloudflare subdomain zones for each tenant, and populate corresponding DNS records. (Non Referenced)
- Add NS records for each subdomain zone to the Cloudflare Root Domain Zone. (Non Referenced)
- Verify tenant subdomain zone records in Cloudflare match records in Route53.
Phase 2: Root Domain on Route 53 - Delegate tenant subdomain zones to Cloudflare
- Verify tenant subdomain zone records in Cloudflare match records in Route53.
- Delegate tenant subdomain zone by adding their Cloudflare Nameservers as NS Records to the monolith zone in Route53.
- We'll probably need to delete the customer apex records from Route53. (Need to test this).
- Verify DNS resolution is working as expected.
- Test multiple tenant instances.
- Repeat this phase for each customer/tenant, starting with the lower environments and then move on to production.
Phase 3: Cutover all DNS Management to Cloudflare
- Once all customer subdomain zones have been moved to Cloudflare, update the Root Domain's Registrar Name Servers to point to the Cloudflare Root Domain Zone NS.
- At this point all DNS is now managed by Cloudflare, and zone delegation happens from the Root Domain Zone to each individual subdomain zone.
- Verify DNS resolution is working as expected.
- Test multiple tenant instances.
Phase 4: Cleanup Route53
- Remove Terraform resources referencing the monolith zone and Route53, and perform a cleanup.
Acceptance Criteria:
- Phase 1 Implementation is complete.
- Phase 1 is fully tested on Sandbox Environment
- Phase 1 is fully tested on Non-Prod Environments
- Phase 2 Implementation is complete.
- Phase 2 is fully tested on Sandbox Environment
- Phase 2 is fully tested on Non-Prod Environments
- Phase 3 Implementation is complete.
- Phase 3 is fully tested on Sandbox Environment.
- Phase 3 is fully tested on Non-Prod Environments
- Phase 4 Implementation is complete.
- Phase 4 is fully tested on Sandbox Environment.
- Phase 4 is fully tested on Non-Prod Environments
Edited by Marcel Chacon
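The step "Verify tenant subdomain zone records in Cloudflare match records in Route53" in Phases 1 and 2 can be automated by diffing normalized record sets before any NS delegation is added. The Python below is an added example, not part of the original issue or of the AMP/Instrumentor code; the `(name, type, values)` input tuples, the zone name and every record are constructed assumptions, and apex NS/SOA are skipped because each provider assigns its own.

```python
HOST_TYPES = {"CNAME", "NS", "MX", "SRV"}  # record types whose values are hostnames

def canon_value(rtype, value):
    value = value.strip()
    if rtype == "TXT":
        return value.strip('"')            # providers differ on TXT quoting
    if rtype in HOST_TYPES:
        return value.rstrip(".").lower()   # trailing dot and case are not significant
    return value

def normalize(records, zone):
    """Map (name, type) -> frozenset(values), skipping provider-owned apex NS/SOA."""
    zone = zone.rstrip(".").lower()
    out = {}
    for name, rtype, values in records:
        name, rtype = name.rstrip(".").lower(), rtype.upper()
        if name == zone and rtype in {"NS", "SOA"}:
            continue                       # each provider assigns its own
        out[(name, rtype)] = frozenset(canon_value(rtype, v) for v in values)
    return out

def diff_zones(route53, cloudflare, zone):
    """Return the record sets that would answer differently after delegation."""
    src, dst = normalize(route53, zone), normalize(cloudflare, zone)
    return {
        "missing_in_cloudflare": sorted(src.keys() - dst.keys()),
        "extra_in_cloudflare": sorted(dst.keys() - src.keys()),
        "value_mismatch": sorted(k for k in src.keys() & dst.keys() if src[k] != dst[k]),
    }

# Constructed sample data for a hypothetical tenant zone (not from the issue).
ZONE = "tenant1.example.com"
ROUTE53 = [
    ("tenant1.example.com.", "NS", ["ns-1.awsdns.example."]),
    ("tenant1.example.com.", "A", ["192.0.2.10"]),
    ("registry.tenant1.example.com.", "CNAME", ["LB.Example.NET."]),
    ("tenant1.example.com.", "TXT", ['"v=spf1 -all"']),
    ("kas.tenant1.example.com.", "A", ["192.0.2.11"]),
    ("mail.tenant1.example.com.", "MX", ["10 mx.example.net."]),
]
CLOUDFLARE = [
    ("tenant1.example.com", "NS", ["ns1.cloudflare.example"]),
    ("tenant1.example.com", "A", ["192.0.2.10"]),
    ("registry.tenant1.example.com", "CNAME", ["lb.example.net"]),
    ("tenant1.example.com", "TXT", ["v=spf1 -all"]),
    ("kas.tenant1.example.com", "A", ["192.0.2.99"]),
    ("old.tenant1.example.com", "CNAME", ["gone.example.net"]),
]
print(diff_zones(ROUTE53, CLOUDFLARE, ZONE))
```

Any non-empty list means the tenant would resolve differently once its subdomain is delegated, so the Phase 2 NS change should wait until the diff is empty. TTLs are not compared here.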