From 461d1a1bb53d968d19852fce5137a82d96676be7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 1 Oct 2024 16:18:54 +0200 Subject: [PATCH] Fix configuring certs directly via terraform --- tf/environments/dev/main.tf | 9 ++--- tf/environments/prod/main.tf | 72 ++++++++++++++++++------------------ 2 files changed, 40 insertions(+), 41 deletions(-) diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index 2d210985..b00f8cb7 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -584,6 +584,9 @@ module "ooniapi_frontend" { locals { ooniapi_frontend_alternative_domains = { + "ooniauth.${local.environment}.ooni.io" : local.dns_zone_ooni_io, + "ooniprobe.${local.environment}.ooni.io" : local.dns_zone_ooni_io, + "oonirun.${local.environment}.ooni.io" : local.dns_zone_ooni_io, "8.th.dev.ooni.io" : local.dns_zone_ooni_io, } ooniapi_frontend_main_domain_name = "api.${local.environment}.ooni.io" @@ -625,10 +628,6 @@ resource "aws_acm_certificate" "ooniapi_frontend" { tags = local.tags subject_alternative_names = keys(local.ooniapi_frontend_alternative_domains) - - lifecycle { - create_before_destroy = true - } } resource "aws_route53_record" "ooniapi_frontend_cert_validation" { @@ -646,7 +645,7 @@ resource "aws_route53_record" "ooniapi_frontend_cert_validation" { records = [each.value.record] ttl = 60 type = each.value.type - zone_id = lookup(local.ooniapi_frontend_alternative_domains, each.value.domain_name, module.ooniapi_frontend.ooniapi_dns_zone_id) + zone_id = lookup(local.ooniapi_frontend_alternative_domains, each.value.domain_name, local.dns_zone_ooni_io) } resource "aws_acm_certificate_validation" "ooniapi_frontend" { diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf index dda651a5..f9f049ce 100644 --- a/tf/environments/prod/main.tf +++ b/tf/environments/prod/main.tf @@ -567,7 +567,7 @@ module "ooniapi_frontend" { module.ooniapi_cluster.web_security_group_id ] - ooniapi_acm_certificate_arn = "arn:aws:acm:eu-central-1:471112720364:certificate/d0a13d97-677e-4713-84fa-b7f3f992af87" + ooniapi_acm_certificate_arn = aws_acm_certificate.ooniapi_frontend.arn oonith_domains = [ "*.th.ooni.org", @@ -595,6 +595,10 @@ locals { "4.th.ooni.org" : local.dns_root_zone_ooni_org, "5.th.ooni.org" : local.dns_root_zone_ooni_org, "6.th.ooni.org" : local.dns_root_zone_ooni_org, + # TODO: add these once we unlock the quota for maximum certificates + #"ooniauth.${local.environment}.ooni.io" : local.dns_zone_ooni_io, + #"ooniprobe.${local.environment}.ooni.io" : local.dns_zone_ooni_io, + #"oonirun.${local.environment}.ooni.io" : local.dns_zone_ooni_io, } ooniapi_frontend_main_domain_name = "api.${local.environment}.ooni.io" ooniapi_frontend_main_domain_name_zone_id = local.dns_zone_ooni_io @@ -629,41 +633,37 @@ resource "aws_route53_record" "ooniapi_frontend_alt" { } # TODO: currently the certificate is hardcoded -#resource "aws_acm_certificate" "ooniapi_frontend" { -# domain_name = local.ooniapi_frontend_main_domain_name -# validation_method = "DNS" -# -# tags = local.tags -# -# subject_alternative_names = keys(local.ooniapi_frontend_alternative_domains) -# -# lifecycle { -# create_before_destroy = true -# } -#} -# -#resource "aws_route53_record" "ooniapi_frontend_cert_validation" { -# for_each = { -# for dvo in aws_acm_certificate.ooniapi_frontend.domain_validation_options : dvo.domain_name => { -# name = dvo.resource_record_name -# record = dvo.resource_record_value -# type = dvo.resource_record_type -# domain_name = dvo.domain_name -# } -# } -# -# allow_overwrite = true -# name = each.value.name -# records = [each.value.record] -# ttl = 60 -# type = each.value.type -# zone_id = lookup(local.ooniapi_frontend_alternative_domains, each.value.domain_name, module.ooniapi_frontend.ooniapi_dns_zone_id) -#} -# -#resource "aws_acm_certificate_validation" "ooniapi_frontend" { -# certificate_arn = aws_acm_certificate.ooniapi_frontend.arn -# validation_record_fqdns = [for record in aws_route53_record.ooniapi_frontend_cert_validation : record.fqdn] -#} +resource "aws_acm_certificate" "ooniapi_frontend" { + domain_name = local.ooniapi_frontend_main_domain_name + validation_method = "DNS" + + tags = local.tags + + subject_alternative_names = keys(local.ooniapi_frontend_alternative_domains) +} + +resource "aws_route53_record" "ooniapi_frontend_cert_validation" { + for_each = { + for dvo in aws_acm_certificate.ooniapi_frontend.domain_validation_options : dvo.domain_name => { + name = dvo.resource_record_name + record = dvo.resource_record_value + type = dvo.resource_record_type + domain_name = dvo.domain_name + } + } + + allow_overwrite = true + name = each.value.name + records = [each.value.record] + ttl = 60 + type = each.value.type + zone_id = lookup(local.ooniapi_frontend_alternative_domains, each.value.domain_name, local.dns_zone_ooni_io) +} + +resource "aws_acm_certificate_validation" "ooniapi_frontend" { + certificate_arn = aws_acm_certificate.ooniapi_frontend.arn + validation_record_fqdns = [for record in aws_route53_record.ooniapi_frontend_cert_validation : record.fqdn] +} ## Code signing setup