Domains

There are 2 domains that are currently managed by the Digital Marketplace team.

digitalmarketplace.service.gov.uk

Main production service domain.

marketplace.team

Used for preview and staging environments, test user emails and for internal tools that we host ourselves (like CI).

Environment subdomains for preview, staging and production are documented in Environments.

DNS

DNS records for all domains are hosted AWS Route 53.

marketplace.team

All marketplace.team records are managed with Digital Marketplace AWS Terraform modules.

Main AWS account manages the marketplace.team domain (which is registered through AWS on the same account). It delegates preview.marketplace.team and staging.marketplace.team subdomains to development and production AWS accounts. It also manages the records for ci.marketplace.team, which point to the Jenkins EC2 instance.

*.service.gov.uk

digitalmarketplace.service.gov.uk is delegated from the service.gov.uk DNS to Route 53 hosted zones on our production AWS account.

Most of these records (including MX, DMARC, DKIM, and other TXT records) used to be managed by CloudFormation stacks and haven’t been imported into our Terraform modules after the move to GOV.UK PaaS. These records can be edited manually in Route 53 or imported and updated with Terraform.

SSL/TLS cerfiticates

marketplace.team and *.service.gov.uk

SSL/TLS certificates for *.digitalmarketplace.service.gov.uk, *.preview.marketplace.team, and *.staging.marketplace.team are generated by our PaaS cdn-route service and issued by Let’s Encrypt. Current certificates are attached to Cloudfront using Terraform as outlined in the process of setting up the PaaS CDN service with a custom domain - https://docs.cloud.service.gov.uk/deploying_services/use_a_custom_domain/. There should be no manual renewal process needed by developers.

ci.marketplace.team

Our Jenkins server sits behind an Amazon Elastic Load Balancer (ELB). ELB’s get a free certificate. We have a wildcard certificate set up for *.marketplace.team which we use for Jenkins. This should allow us to spin up a new Jenkins server in parallel with the current server (on a different subdomain) but with the same certificate. This eases the process of transitioning the ci subdomain between servers.

The certificate is created and managed by our Terraform in the main accounts route53.tf file. See the Jenkins section of this manual for more information on our Jenkins setup.