WIP use automatic DNS to provision initial certificate
chrnorm committed Feb 8, 2024
1 parent b372e66 commit 760e4f9
Showing 11 changed files with 106 additions and 32 deletions.
54 changes: 41 additions & 13 deletions main.tf
Expand Up @@ -5,6 +5,13 @@ provider "aws" {
data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}

locals {
deployment_id = "xfa3r1" # would be fetched from the factory API
deployment_domain = "${local.deployment_id}.deploy.devcommonfate.com"
app_domain = "console.${local.deployment_id}.deploy.devcommonfate.com"
app_url = coalesce(var.app_url, "https://${local.app_domain}")
}


module "vpc" {
source = "./modules/vpc"
Expand All @@ -13,13 +20,35 @@ module "vpc" {
aws_region = var.aws_region
}


resource "aws_route53_zone" "primary" {
name = local.deployment_domain
comment = "Common Fate deployment DNS zone"
}

module "default_app_certificate" {
source = "./modules/acm-validated-certificate"
zone_id = aws_route53_zone.primary.id
domain = local.app_domain
}

resource "aws_route53_record" "www-dev" {
zone_id = aws_route53_zone.primary.zone_id
name = "console"
type = "CNAME"
ttl = 60
allow_overwrite = true

records = [module.alb.domain]
}

module "alb" {
source = "./modules/alb"
namespace = var.namespace
stage = var.stage
certificate_arns = [
var.app_certificate_arn
]
source = "./modules/alb"
namespace = var.namespace
stage = var.stage
certificate_arn = module.default_app_certificate.arn
additional_certificate_arns = var.app_certificate_arn != null ? [var.app_certificate_arn] : []

public_subnet_ids = module.vpc.public_subnet_ids
vpc_id = module.vpc.vpc_id
}
Expand Down Expand Up @@ -62,7 +91,7 @@ module "cognito" {
namespace = var.namespace
stage = var.stage
aws_region = var.aws_region
app_url = var.app_url
app_url = local.app_url
auth_url = var.auth_url
auth_certificate_arn = var.auth_certificate_arn
saml_metadata_is_file = var.saml_metadata_is_file
Expand All @@ -84,7 +113,7 @@ module "control_plane" {
database_security_group_id = module.control_plane_db.security_group_id
eventbus_arn = module.events.event_bus_arn
sqs_queue_arn = module.events.sqs_queue_arn
app_url = var.app_url
app_url = local.app_url
pager_duty_client_id = var.pager_duty_client_id
pager_duty_client_secret_ps_arn = var.pager_duty_client_secret_ps_arn
release_tag = var.release_tag
Expand Down Expand Up @@ -125,13 +154,13 @@ module "web" {
vpc_id = module.vpc.vpc_id
auth_authority_url = module.cognito.auth_authority_url
auth_cli_client_id = module.cognito.cli_client_id
auth_url = var.auth_url
auth_url = module.cognito.auth_url
auth_web_client_id = module.cognito.web_client_id
logo_url = var.logo_url
team_name = var.team_name
ecs_cluster_id = module.ecs.cluster_id
alb_listener_arn = module.alb.listener_arn
app_url = var.app_url
app_url = local.app_url
auth_issuer = module.cognito.auth_issuer
alb_security_group_id = module.alb.alb_security_group_id

Expand All @@ -151,7 +180,7 @@ module "access_handler" {
alb_listener_arn = module.alb.listener_arn
auth_issuer = module.cognito.auth_issuer
log_level = var.access_handler_log_level
app_url = var.app_url
app_url = local.app_url
oidc_access_handler_service_client_id = module.cognito.access_handler_service_client_id
oidc_access_handler_service_client_secret = module.cognito.access_handler_service_client_secret
oidc_access_handler_service_issuer = module.cognito.auth_issuer
Expand All @@ -175,7 +204,7 @@ module "authz" {
dynamodb_table_name = module.authz_db.dynamodb_table_name
log_level = var.authz_log_level
dynamodb_table_arn = module.authz_db.dynamodb_table_arn
app_url = var.app_url
app_url = local.app_url
oidc_trusted_issuer = module.cognito.auth_issuer
oidc_terraform_client_id = module.cognito.terraform_client_id
oidc_access_handler_service_client_id = module.cognito.access_handler_service_client_id
Expand All @@ -184,4 +213,3 @@ module "authz" {
alb_security_group_id = module.alb.alb_security_group_id
additional_cors_allowed_origins = var.additional_cors_allowed_origins
}
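Review bot: The DNS validation run by module.default_app_certificate can only complete once the new hosted zone is reachable from the public DNS tree, and nothing in this hunk publishes the NS records of `aws_route53_zone.primary` into the parent `deploy.devcommonfate.com` zone, so the module's `aws_acm_certificate_validation` will presumably block until that delegation is created out of band. Suggest documenting that above the zone resource: `# NOTE: the parent zone must delegate local.deployment_domain to aws_route53_zone.primary.name_servers before the ACM validation in module.default_app_certificate can complete`. Separately, `allow_overwrite = true` on `aws_route53_record.www-dev` makes Terraform silently replace any existing `console` record in the zone; since the zone is created by this same configuration, the flag looks unnecessary and dropping it would surface an unexpected conflicting record instead of hiding it.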

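--- /dev/null
+++ b/modules/acm-validated-certificate/main.tf
@@ -0,0 +1,27 @@
+
+resource "aws_acm_certificate" "this" {
+domain_name = var.domain
+validation_method = "DNS"
+}
+
+resource "aws_route53_record" "this" {
+for_each = {
+for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
+name = dvo.resource_record_name
+record = dvo.resource_record_value
+type = dvo.resource_record_type
+}
+}
+
+allow_overwrite = true
+name = each.value.name
+records = [each.value.record]
+ttl = 60
+type = each.value.type
+zone_id = var.zone_id
+}
+
+resource "aws_acm_certificate_validation" "this" {
+certificate_arn = aws_acm_certificate.this.arn
+validation_record_fqdns = [for record in aws_route53_record.this : record.fqdn]
+}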
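Review bot: `aws_acm_certificate.this` has no `lifecycle { create_before_destroy = true }`, so any change that forces replacement (for example a different `var.domain`) will destroy the certificate while it is still attached to the ALB HTTPS listener, and the apply fails or leaves the listener without a usable certificate; the AWS provider documentation recommends that lifecycle block for DNS-validated certificates consumed by listeners. Suggested addition inside the certificate resource: `lifecycle {` / `create_before_destroy = true` / `}`. Note also that `aws_acm_certificate_validation.this` is not referenced by anything that leaves this module, so nothing downstream waits for validation to finish unless the output is wired through it.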
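--- /dev/null
+++ b/modules/acm-validated-certificate/outputs.tf
@@ -0,0 +1,3 @@
+output "arn" {
+value = aws_acm_certificate.this.arn
+}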
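Review bot: `arn` returns `aws_acm_certificate.this.arn` directly, so a consumer such as the ALB HTTPS listener in main.tf can be created before DNS validation has completed, and as far as I know ELB rejects a listener certificate that is still pending validation. Returning `value = aws_acm_certificate_validation.this.certificate_arn` yields the same ARN but makes the output depend on the validation resource, so callers implicitly wait for the certificate to be issued. A one-line description on the output, e.g. `description = "ARN of the validated certificate"`, would also help module users.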
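--- /dev/null
+++ b/modules/acm-validated-certificate/variables.tf
@@ -0,0 +1,9 @@
+variable "domain" {
+type = string
+description = "The domain to provision the certificate for"
+}
+
+variable "zone_id" {
+type = string
+description = "The Route53 hosted zone ID"
+}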
7 changes: 2 additions & 5 deletions modules/alb/main.tf
Expand Up @@ -40,9 +40,6 @@ resource "aws_lb" "main_alb" {

}

locals {
distinct_certificates = distinct(var.certificate_arns)
}
// The listener is configured to use SNI for multiple certificates if provided
// else it will just use a single cert if all provided arns are the same
resource "aws_lb_listener" "https_listener" {
Expand All @@ -51,7 +48,7 @@ resource "aws_lb_listener" "https_listener" {
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"

certificate_arn = element(local.distinct_certificates, 0)
certificate_arn = var.certificate_arn

default_action {
type = "fixed-response"
Expand Down Expand Up @@ -83,7 +80,7 @@ resource "aws_lb_listener" "http" {

// if there are any other distict certificates, add them to the listener
resource "aws_lb_listener_certificate" "additional_certs" {
for_each = { for idx, cert_arn in local.distinct_certificates : idx => cert_arn if idx > 0 }
for_each = toset(var.additional_certificate_arns)
listener_arn = aws_lb_listener.https_listener.arn
certificate_arn = each.value
}
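Review bot: The comments above `aws_lb_listener.https_listener` and `aws_lb_listener_certificate.additional_certs` still describe the removed `distinct_certificates` local ("if all provided arns are the same", "any other distict certificates"), which no longer matches the new inputs. Suggest `// The listener's default certificate is var.certificate_arn; any ARNs in var.additional_certificate_arns are attached as extra SNI certificates` for the first and `// attach each additional certificate to the listener for SNI` for the second. The de-duplication that `distinct()` provided was also dropped, so an ARN passed both as `certificate_arn` and inside `additional_certificate_arns` would now be attached a second time; `for_each = setsubtract(toset(var.additional_certificate_arns), [var.certificate_arn])` keeps the previous behaviour. Both resources' bodies continue outside the hunk.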
14 changes: 8 additions & 6 deletions modules/alb/variables.tf
Expand Up @@ -16,14 +16,16 @@ variable "vpc_id" {
}


variable "certificate_arns" {

variable "certificate_arn" {
description = "The Amazon Certificate Manager (ACM) certificate ARN for the domains served by this load balancer"
type = list(string)
type = string
}


validation {
condition = length(var.certificate_arns) > 0
error_message = "The certificate_arns list must contain at least one certificate ARN."
}
variable "additional_certificate_arns" {
description = "Additional certificate ARNs to add to the load balancer"
type = list(string)
}


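Review bot: `additional_certificate_arns` has no `default`, so every caller of the alb module must pass it even when there are no extra certificates; `default = []` makes the common case explicit and keeps the module usable on its own. The description could also state the relationship to `certificate_arn`, e.g. `description = "Additional certificate ARNs attached to the HTTPS listener via SNI, in addition to certificate_arn"`.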
2 changes: 1 addition & 1 deletion modules/cognito/main.tf
Expand Up @@ -169,7 +169,7 @@ locals {
}
// Optionally configure a custom domain if the auth_url and auth_certificate_arn are provided
resource "aws_cognito_user_pool_domain" "custom_domain" {
domain = local.has_custom_domain ? replace(var.auth_url, "https://", "") : random_id.auth_domain_prefix.id
domain = local.has_custom_domain ? replace(var.auth_url, "https://", "") : random_pet.auth_domain_prefix.id
user_pool_id = aws_cognito_user_pool.cognito_user_pool.id
certificate_arn = local.has_custom_domain ? var.auth_certificate_arn : null
}
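Review bot: `random_pet.auth_domain_prefix` is not defined in this hunk, so I assume the resource is added elsewhere in the module; if it replaces the former `random_id` resource on an existing deployment, the Cognito domain prefix changes on the next apply, which forces replacement of `aws_cognito_user_pool_domain.custom_domain` and changes every generated auth URL that clients and IdP configurations reference. Worth a comment on the resource, e.g. `// NOTE: swapping the prefix resource replaces the hosted-UI domain; existing redirect URIs must be updated`, or a mention in the commit description.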
2 changes: 1 addition & 1 deletion modules/cognito/outputs.tf
Expand Up @@ -14,7 +14,7 @@ output "saml_acs_url" {

output "auth_url" {
description = "The Cognito Auth URL will be either the custom domain if configured or a generated cognito domain."
value = aws_cognito_user_pool_domain.custom_domain.domain
value = "https://${aws_cognito_user_pool_domain.custom_domain.domain}"
}


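Review bot: Prefixing `https://` is only correct in the custom-domain case; when `local.has_custom_domain` is false, `aws_cognito_user_pool_domain.custom_domain.domain` is just the Cognito prefix, so the output becomes `https://<prefix>`, which is not the hosted-UI URL, and main.tf now feeds this value to the web module as `auth_url`. The generated hosted-UI domain is `<prefix>.auth.<region>.amazoncognito.com`, and the module already receives `aws_region`, so `value = local.has_custom_domain ? "https://${aws_cognito_user_pool_domain.custom_domain.domain}" : "https://${aws_cognito_user_pool_domain.custom_domain.domain}.auth.${var.aws_region}.amazoncognito.com"` covers both branches. The description already promises a URL, so the comment does not need changing.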
9 changes: 4 additions & 5 deletions modules/controlplane/main.tf
Expand Up @@ -406,18 +406,17 @@ resource "aws_ecs_task_definition" "control_plane_task" {
name = "CF_SCIM_TOKEN",
valueFrom = var.scim_token_ps_arn
}] : [],
var.licence_key_ps_arn != null && var.licence_key_ps_arn != "" ? [{
name = "CF_LICENCE_KEY",
valueFrom = var.licence_key_ps_arn
}] : [],

[
{
name = "CF_PG_PASSWORD",
// the password key is extracted from the json that is stored in secrets manager so that we don't need to decode it in the go server
valueFrom = "${var.database_secret_sm_arn}:password::"
},
{
name = "CF_LICENCE_KEY",
valueFrom = var.licence_key_ps_arn
},

]
)

2 changes: 2 additions & 0 deletions modules/controlplane/variables.tf
Expand Up @@ -148,6 +148,8 @@ variable "alb_listener_arn" {
variable "licence_key_ps_arn" {
description = "The AWS Parameter Store ARN for the license key."
type = string
nullable = true
default = null
}
variable "log_retention_in_days" {
description = "Specifies the cloudwatch log retention period."
9 changes: 8 additions & 1 deletion variables.tf
Expand Up @@ -18,11 +18,14 @@ variable "aws_region" {
variable "release_tag" {
description = "Specifies the tag for frontend and backend images, typically the git commit hash."
type = string
default = "v1.2.0"
}

variable "app_certificate_arn" {
description = "The Amazon Certificate Manager (ACM) certificate ARN for the application."
type = string
nullable = true
default = null
}

variable "auth_certificate_arn" {
Expand Down Expand Up @@ -72,9 +75,11 @@ variable "auth_url" {
variable "app_url" {
description = "The app url (e.g., 'https://common-fate.mydomain.com')."
type = string
nullable = true
default = null

validation {
condition = can(regex("^https://", var.app_url))
condition = (var.app_url == null || can(regex("^https://", var.app_url)))
error_message = "The app_url must start with 'https://'."
}
}
Expand Down Expand Up @@ -128,6 +133,8 @@ variable "scim_token_ps_arn" {
variable "licence_key_ps_arn" {
description = "The AWS Parameter Store ARN for the license key."
type = string
nullable = true
default = null
}


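Review bot: `app_certificate_arn` and `app_url` are now optional, but their descriptions still read as if they were required and do not say what happens when they are omitted, which is the behaviour a deployer most needs to know. Suggest `description = "Optional ACM certificate ARN for a custom application domain; when null, a certificate is provisioned automatically for the deployment domain and this one is attached to the load balancer in addition to it."` and `description = "Optional app url (e.g., 'https://common-fate.mydomain.com'); defaults to the automatically provisioned console domain when null."`. The new `default = "v1.2.0"` on `release_tag` also deserves a comment explaining why a fixed tag is the default, since the description says the value is typically a commit hash.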
