diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index c0f896a7..4594c1bb 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -253,16 +253,16 @@ module "ooni_backendproxy" {
 stage = local.environment
- vpc_id = module.network.vpc_id
- subnet_id = module.network.vpc_subnet_public[0].id
- private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block
- dns_zone_ooni_io = local.dns_zone_ooni_io
+ vpc_id = module.network.vpc_id
+ subnet_id = module.network.vpc_subnet_public[0].id
+ private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block
+ dns_zone_ooni_io = local.dns_zone_ooni_io
 key_name = module.adm_iam_roles.oonidevops_key_name
 instance_type = "t2.micro"
- backend_url = "https://backend-hel.ooni.org/"
- clickhouse_url = "backend-fsn.ooni.org"
+ backend_url = "https://backend-hel.ooni.org/"
+ clickhouse_url = "backend-fsn.ooni.org"
 clickhouse_port = "9000"
 tags = merge(
@@ -536,16 +536,20 @@ module "ooniapi_frontend" {
 vpc_id = module.network.vpc_id
 subnet_ids = module.network.vpc_subnet_public[*].id
- oonibackend_proxy_target_group_arn = module.ooni_backendproxy.alb_target_group_id
- ooniapi_oonirun_target_group_arn = module.ooniapi_oonirun.alb_target_group_id
- ooniapi_ooniauth_target_group_arn = module.ooniapi_ooniauth.alb_target_group_id
- ooniapi_ooniprobe_target_group_arn = module.ooniapi_ooniprobe.alb_target_group_id
+ oonibackend_proxy_target_group_arn = module.ooni_backendproxy.alb_target_group_id
+ ooniapi_oonirun_target_group_arn = module.ooniapi_oonirun.alb_target_group_id
+ ooniapi_ooniauth_target_group_arn = module.ooniapi_ooniauth.alb_target_group_id
+ ooniapi_ooniprobe_target_group_arn = module.ooniapi_ooniprobe.alb_target_group_id
 ooniapi_oonifindings_target_group_arn = module.ooniapi_oonifindings.alb_target_group_id
 ooniapi_service_security_groups = [
 module.ooniapi_cluster.web_security_group_id
 ]
+ alternative_domains = {
+ # "api-test-alt.dev.ooni.io" : local.dns_zone_ooni_io
+ }
+
 stage = local.environment
 dns_zone_ooni_io = local.dns_zone_ooni_io
diff --git a/tf/environments/prod/dns_records.tf b/tf/environments/prod/dns_records.tf
index 2129b5c3..06f68e81 100644
--- a/tf/environments/prod/dns_records.tf
+++ b/tf/environments/prod/dns_records.tf
@@ -30,14 +30,6 @@ resource "aws_route53_record" "ams-slack-1-ooni-org-_A_" {
 zone_id = local.dns_root_zone_ooni_org
 }
-resource "aws_route53_record" "api-ooni-org-_A_" {
- name = "api.ooni.org"
- records = ["142.93.237.101"]
- ttl = "1799"
- type = "A"
- zone_id = local.dns_root_zone_ooni_org
-}
-
 resource "aws_route53_record" "backend-fsn-ooni-org-_A_" {
 name = "backend-fsn.ooni.org"
 records = ["162.55.247.208"]
diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
index 19a09a72..3d973202 100644
--- a/tf/environments/prod/main.tf
+++ b/tf/environments/prod/main.tf
@@ -257,12 +257,21 @@ moved {
 module "ooni_backendproxy" {
 source = "../../modules/ooni_backendproxy"
- vpc_id = module.network.vpc_id
- subnet_ids = module.network.vpc_subnet_public[*].id
+ stage = local.environment
+
+ vpc_id = module.network.vpc_id
+ subnet_id = module.network.vpc_subnet_public[0].id
+
+ private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block
+ dns_zone_ooni_io = local.dns_zone_ooni_io
 key_name = module.adm_iam_roles.oonidevops_key_name
 instance_type = "t2.micro"
+ backend_url = "https://backend-fsn.ooni.org/"
+ clickhouse_url = "backend-fsn.ooni.org"
+ clickhouse_port = "9000"
+
 tags = merge(
 local.tags,
 { Name = "ooni-tier0-backendproxy" }
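Review bot: The prod proxy is now placed on a public subnet (`subnet_id = module.network.vpc_subnet_public[0].id`, and the module's launch template sets `associate_public_ip_address = true`) while relaying to `clickhouse_url = "backend-fsn.ooni.org"` on `clickhouse_port = "9000"`, the ClickHouse native-protocol port. The module's security group has one ingress open to `0.0.0.0/0` and a separate ingress on 9000 whose `cidr_blocks` are outside the visible hunk; if `private_subnet_cidr` is not what gates that 9000 rule, the instance is an unauthenticated internet-facing relay into the production ClickHouse, so a comment stating the intent would help here: `# private_subnet_cidr is the only source the proxy may accept on 9000; the rule in the module must not widen it`. The upstream hop to backend-fsn:9000 crosses the public internet and the native port is plaintext unless that server enforces TLS on it (9440 is the conventional secure port) — worth confirming or documenting next to `clickhouse_port`. The module block continues past the end of this hunk.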
@@ -417,6 +426,55 @@ module "ooniapi_oonirun" {
 )
 }
+#### OONI Findings service
+
+module "ooniapi_oonifindings_deployer" {
+ source = "../../modules/ooniapi_service_deployer"
+
+ service_name = "oonifindings"
+ repo = "ooni/backend"
+ branch_name = "master"
+ buildspec_path = "ooniapi/services/oonifindings/buildspec.yml"
+ codestar_connection_arn = aws_codestarconnections_connection.oonidevops.arn
+
+ codepipeline_bucket = aws_s3_bucket.ooniapi_codepipeline_bucket.bucket
+
+ ecs_service_name = module.ooniapi_oonifindings.ecs_service_name
+ ecs_cluster_name = module.ooniapi_cluster.cluster_name
+}
+
+module "ooniapi_oonifindings" {
+ source = "../../modules/ooniapi_service"
+
+ first_run = true
+ vpc_id = module.network.vpc_id
+ public_subnet_ids = module.network.vpc_subnet_public[*].id
+ private_subnet_ids = module.network.vpc_subnet_private[*].id
+
+ service_name = "oonifindings"
+ default_docker_image_url = "ooni/api-oonifindings:latest"
+ stage = local.environment
+ dns_zone_ooni_io = local.dns_zone_ooni_io
+ key_name = module.adm_iam_roles.oonidevops_key_name
+ ecs_cluster_id = module.ooniapi_cluster.cluster_id
+
+ task_secrets = {
+ POSTGRESQL_URL = aws_secretsmanager_secret_version.oonipg_url.arn
+ JWT_ENCRYPTION_KEY = aws_secretsmanager_secret_version.jwt_secret.arn
+ PROMETHEUS_METRICS_PASSWORD = aws_secretsmanager_secret_version.prometheus_metrics_password.arn
+ }
+
+ ooniapi_service_security_groups = [
+ module.ooniapi_cluster.web_security_group_id
+ ]
+
+ tags = merge(
+ local.tags,
+ { Name = "ooni-tier0-oonifindings" }
+ )
+}
+
+
 #### OONI Auth service
 module "ooniapi_ooniauth_deployer" {
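Review bot: `default_docker_image_url = "ooni/api-oonifindings:latest"` pins the production task to a mutable Docker Hub tag, so whatever is pushed to `latest` becomes the running prod service on the next task launch, outside the CodePipeline path set up in `ooniapi_oonifindings_deployer`. Pin an immutable tag or, better, a digest — `default_docker_image_url = "ooni/api-oonifindings@sha256:<digest>"` — and let the deployer roll new revisions from there. The same `jwt_secret` version ARN is wired in as `JWT_ENCRYPTION_KEY`; if oonifindings only verifies tokens rather than issuing them, sharing the signing secret grants it more than it needs (presumably ooniauth is the issuer — confirm). `first_run = true` reads like a bootstrap switch; a comment saying when it should be flipped back would save the next person an unexpected plan diff.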
@@ -494,15 +552,20 @@ module "ooniapi_frontend" {
 vpc_id = module.network.vpc_id
 subnet_ids = module.network.vpc_subnet_public[*].id
- oonibackend_proxy_target_group_arn = module.ooni_backendproxy.alb_target_group_id
- ooniapi_oonirun_target_group_arn = module.ooniapi_oonirun.alb_target_group_id
- ooniapi_ooniauth_target_group_arn = module.ooniapi_ooniauth.alb_target_group_id
- ooniapi_ooniprobe_target_group_arn = module.ooniapi_ooniprobe.alb_target_group_id
+ oonibackend_proxy_target_group_arn = module.ooni_backendproxy.alb_target_group_id
+ ooniapi_oonirun_target_group_arn = module.ooniapi_oonirun.alb_target_group_id
+ ooniapi_ooniauth_target_group_arn = module.ooniapi_ooniauth.alb_target_group_id
+ ooniapi_ooniprobe_target_group_arn = module.ooniapi_ooniprobe.alb_target_group_id
+ ooniapi_oonifindings_target_group_arn = module.ooniapi_oonifindings.alb_target_group_id
 ooniapi_service_security_groups = [
 module.ooniapi_cluster.web_security_group_id
 ]
+ alternative_domains = {
+ "api.ooni.org" : local.dns_root_zone_ooni_org
+ }
+
 stage = local.environment
 dns_zone_ooni_io = local.dns_zone_ooni_io
@@ -584,9 +647,9 @@ module "codesigning" {
 module "ansible_controller" {
 source = "../../modules/ansible_controller"
- vpc_id = module.network.vpc_id
+ vpc_id = module.network.vpc_id
 subnet_id = module.network.vpc_subnet_public[0].id
- key_name = module.adm_iam_roles.oonidevops_key_name
+ key_name = module.adm_iam_roles.oonidevops_key_name
 dns_zone_ooni_io = local.dns_zone_ooni_io
 }
diff --git a/tf/modules/ooni_backendproxy/main.tf b/tf/modules/ooni_backendproxy/main.tf
index 4689efc0..e6b39e34 100644
--- a/tf/modules/ooni_backendproxy/main.tf
+++ b/tf/modules/ooni_backendproxy/main.tf
@@ -17,7 +17,7 @@ resource "aws_security_group" "nginx_sg" {
 cidr_blocks = ["0.0.0.0/0"]
 }
- ingress {
+ ingress {
 protocol = "tcp"
 from_port = 9000
 to_port = 9000
@@ -40,7 +40,7 @@ resource "aws_security_group" "nginx_sg" {
 "0.0.0.0/0",
 ]
 }
-
+
 egress {
 from_port = 0
 to_port = 0
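Review bot: `alternative_domains = { "api.ooni.org" : local.dns_root_zone_ooni_org }` makes this ALB the new target of the production API hostname, and the same commit deletes the static `api.ooni.org` A record (142.93.237.101) in dns_records.tf, but nothing orders the two: the module's `aws_route53_record.alt` is created without `allow_overwrite`, so if it is created before the old record is destroyed the apply fails on an existing-record conflict, and if it runs afterwards there is a window with no answer for api.ooni.org. A safer cutover is two applies — first issue the SAN certificate and create the alias while the legacy record still answers, then remove the legacy record — or set `allow_overwrite = true` on the `alt` record and accept that the alias takes over in place. The deleted record had `ttl = "1799"`, so resolvers will keep sending clients to 142.93.237.101 for up to 30 minutes; that host must keep serving api.ooni.org with a valid certificate through that window. The ooniapi_frontend module block continues outside this hunk.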
@@ -62,8 +62,8 @@ resource "aws_launch_template" "ooni_backendproxy" {
 key_name = var.key_name
 user_data = base64encode(templatefile("${path.module}/templates/setup-backend-proxy.sh", {
- backend_url = var.backend_url,
- clickhouse_url = var.clickhouse_url,
+ backend_url = var.backend_url,
+ clickhouse_url = var.clickhouse_url,
 clickhouse_port = var.clickhouse_port
 }))
@@ -74,7 +74,7 @@ resource "aws_launch_template" "ooni_backendproxy" {
 network_interfaces {
 delete_on_termination = true
 associate_public_ip_address = true
- subnet_id = var.subnet_id
+ subnet_id = var.subnet_id
 security_groups = [
 aws_security_group.nginx_sg.id,
 ]
@@ -113,8 +113,8 @@ resource "aws_alb_target_group" "oonibackend_proxy" {
 }
 resource "aws_lb_target_group_attachment" "oonibackend_proxy" {
- target_id = aws_instance.oonibackend_proxy.id
- target_group_arn = aws_alb_target_group.oonibackend_proxy.arn
+ target_id = aws_instance.oonibackend_proxy.id
+ target_group_arn = aws_alb_target_group.oonibackend_proxy.arn
 }
 resource "aws_route53_record" "clickhouse_proxy_alias" {
diff --git a/tf/modules/ooniapi_acm_certificate/main.tf b/tf/modules/ooniapi_acm_certificate/main.tf
new file mode 100644
index 00000000..486de69c
--- /dev/null
+++ b/tf/modules/ooniapi_acm_certificate/main.tf
@@ -0,0 +1,60 @@
+resource "aws_route53_record" "main" {
+ name = var.main_domain_name
+ zone_id = var.main_domain_name_zone_id
+ type = "A"
+
+ alias {
+ name = var.alias_record_domain_name
+ zone_id = var.alias_record_zone_id
+ evaluate_target_health = true
+ }
+}
+
+resource "aws_route53_record" "alt" {
+ for_each = var.alternative_domains
+
+ name = each.key
+ zone_id = each.value
+ type = "A"
+
+ alias {
+ name = var.alias_record_domain_name
+ zone_id = var.alias_record_zone_id
+ evaluate_target_health = true
+ }
+}
+
+resource "aws_acm_certificate" "this" {
+ domain_name = var.main_domain_name
+ validation_method = "DNS"
+
+ tags = var.tags
+
+ subject_alternative_names = [for domain_name, zone_id in var.alternative_domains : domain_name]
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_route53_record" "cert_validation" {
+ for_each = {
+ for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
+ name = dvo.resource_record_name
+ record = dvo.resource_record_value
+ type = dvo.resource_record_type
+ }
+ }
+
+ allow_overwrite = true
+ name = each.value.name
+ records = [each.value.record]
+ ttl = 60
+ type = each.value.type
+ zone_id = var.main_domain_name_zone_id
+}
+
+resource "aws_acm_certificate_validation" "this" {
+ certificate_arn = aws_acm_certificate.this.arn
+ validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
+}
diff --git a/tf/modules/ooniapi_acm_certificate/outputs.tf b/tf/modules/ooniapi_acm_certificate/outputs.tf
new file mode 100644
index 00000000..20cd899c
--- /dev/null
+++ b/tf/modules/ooniapi_acm_certificate/outputs.tf
@@ -0,0 +1,3 @@
+output "certificate_arn" {
+ value = aws_acm_certificate_validation.this.certificate_arn
+}
diff --git a/tf/modules/ooniapi_acm_certificate/variables.tf b/tf/modules/ooniapi_acm_certificate/variables.tf
new file mode 100644
index 00000000..b4a4b0e7
--- /dev/null
+++ b/tf/modules/ooniapi_acm_certificate/variables.tf
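Review bot: `aws_route53_record.cert_validation` writes every validation CNAME into `var.main_domain_name_zone_id`, but the SANs come from `var.alternative_domains`, whose values are their own zone IDs; a SAN hosted in another zone (prod passes `api.ooni.org` in the ooni.org root zone while the main name lives in the ooni.io zone) gets its validation CNAME created in the wrong zone, ACM never sees it, and `aws_acm_certificate_validation.this` blocks until it times out, leaving the HTTPS listener without a usable certificate. Carry the zone through the for_each map so each validation record lands in the zone of the name it validates, as below. Separately, the `alt` records omit `allow_overwrite`, so a pre-existing record for one of the alternative names (again the prod case) makes the create fail rather than take over — decide explicitly whether overwrite is wanted and say so in a comment on the resource.
```hcl
locals {
  # zone for every name on the certificate: the main name plus each SAN
  domain_zone_ids = merge(
    { (var.main_domain_name) = var.main_domain_name_zone_id },
    var.alternative_domains,
  )
}

resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
      name    = dvo.resource_record_name
      record  = dvo.resource_record_value
      type    = dvo.resource_record_type
      # validation CNAME must live in the zone that serves dvo.domain_name
      zone_id = local.domain_zone_ids[dvo.domain_name]
    }
  }

  # … unchanged: allow_overwrite, name, records, ttl, type …
  zone_id = each.value.zone_id
}
```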
@@ -0,0 +1,31 @@
+variable "main_domain_name" {
+ type = string
+ description = "main domain_name"
+}
+
+variable "main_domain_name_zone_id" {
+ type = string
+ description = "main domain_name zone_id"
+}
+
+variable "alternative_domains" {
+ type = map(string)
+ description = "domain_name to zone_id map"
+ default = {}
+}
+
+variable "alias_record_domain_name" {
+ type = string
+ description = "domain name the record alias points to"
+}
+
+variable "alias_record_zone_id" {
+ type = string
+ description = "zone_id for the alias record"
+}
+
+variable "tags" {
+ description = "tags to apply to the resources"
+ default = {}
+ type = map(string)
+}
diff --git a/tf/modules/ooniapi_frontend/main.tf b/tf/modules/ooniapi_frontend/main.tf
index 465e3ca7..128801ac 100644
--- a/tf/modules/ooniapi_frontend/main.tf
+++ b/tf/modules/ooniapi_frontend/main.tf
@@ -33,7 +33,7 @@ resource "aws_alb_listener" "ooniapi_listener_https" {
 port = "443"
 protocol = "HTTPS"
 ssl_policy = "ELBSecurityPolicy-2016-08"
- certificate_arn = aws_acm_certificate_validation.ooniapi.certificate_arn
+ certificate_arn = module.ooniapi_acm_certificate.certificate_arn
 default_action {
 target_group_arn = var.oonibackend_proxy_target_group_arn
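Review bot: The listener keeps `ssl_policy = "ELBSecurityPolicy-2016-08"` while switching `certificate_arn` to the module output; that policy still negotiates TLS 1.0 and 1.1 and CBC suites, and since the production `api.ooni.org` name now terminates on this listener it is worth moving to a current policy in the same change: `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"`. If older probes in the field genuinely need TLS 1.0/1.1, that constraint should be written as a comment next to the policy rather than left implicit. The `aws_alb_listener` resource starts before this hunk.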
@@ -117,47 +117,16 @@ resource "aws_lb_listener_rule" "ooniapi_oonifindings_rule" {
 ## DNS
-resource "aws_route53_record" "ooniapi" {
- zone_id = var.dns_zone_ooni_io
- name = "api.${var.stage}.ooni.io"
- type = "A"
+module "ooniapi_acm_certificate" {
+ source = "../ooniapi_acm_certificate"
- alias {
- name = aws_alb.ooniapi.dns_name
- zone_id = aws_alb.ooniapi.zone_id
- evaluate_target_health = true
- }
-}
-
-resource "aws_acm_certificate" "ooniapi" {
- domain_name = "api.${var.stage}.ooni.io"
- validation_method = "DNS"
-
- tags = var.tags
-
- lifecycle {
- create_before_destroy = true
- }
-}
+ main_domain_name = "api.${var.stage}.ooni.io"
+ main_domain_name_zone_id = var.dns_zone_ooni_io
-resource "aws_route53_record" "ooniapi_cert_validation" {
- for_each = {
- for dvo in aws_acm_certificate.ooniapi.domain_validation_options : dvo.domain_name => {
- name = dvo.resource_record_name
- record = dvo.resource_record_value
- type = dvo.resource_record_type
- }
- }
+ alias_record_domain_name = aws_alb.ooniapi.dns_name
+ alias_record_zone_id = aws_alb.ooniapi.zone_id
- allow_overwrite = true
- name = each.value.name
- records = [each.value.record]
- ttl = 60
- type = each.value.type
- zone_id = var.dns_zone_ooni_io
-}
+ alternative_domains = var.alternative_domains
-resource "aws_acm_certificate_validation" "ooniapi" {
- certificate_arn = aws_acm_certificate.ooniapi.arn
- validation_record_fqdns = [for record in aws_route53_record.ooniapi_cert_validation : record.fqdn]
+ tags = var.tags
 }
diff --git a/tf/modules/ooniapi_frontend/outputs.tf b/tf/modules/ooniapi_frontend/outputs.tf
index 732c7ad5..73459b1b 100644
--- a/tf/modules/ooniapi_frontend/outputs.tf
+++ b/tf/modules/ooniapi_frontend/outputs.tf
@@ -1,7 +1,3 @@
-output "ooniapi_ooni_io_fqdn" {
- value = aws_route53_record.ooniapi.name
-}
-
 output "ooniapi_dns_name" {
 value = aws_alb.ooniapi.dns_name
 }
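Review bot: Moving the A record, certificate and validation into `module.ooniapi_acm_certificate` changes their resource addresses, and this hunk adds no `moved` blocks, so the next apply destroys `aws_route53_record.ooniapi` and `aws_acm_certificate.ooniapi` and creates the module's `main` and `this` as new objects. The new A record has the same name and type in the same zone and is created without `allow_overwrite`, so its create can collide with the not-yet-destroyed old record, and the 443 listener swaps certificates in the same apply; the prod environment already uses `moved {` blocks (visible as hunk context in prod/main.tf), so the same pattern fits here, as below. The for_each keys of the validation records are unchanged (the domain name), so that resource can be moved as a whole as well. The outputs hunk drops `ooniapi_ooni_io_fqdn`; any root module reading it breaks, though no reader is visible in this diff.
```hcl
## DNS

# Keep state continuity for the objects that moved into the child module,
# so the apply adopts them in place instead of destroy/create.
moved {
  from = aws_route53_record.ooniapi
  to   = module.ooniapi_acm_certificate.aws_route53_record.main
}

moved {
  from = aws_acm_certificate.ooniapi
  to   = module.ooniapi_acm_certificate.aws_acm_certificate.this
}

moved {
  from = aws_route53_record.ooniapi_cert_validation
  to   = module.ooniapi_acm_certificate.aws_route53_record.cert_validation
}

moved {
  from = aws_acm_certificate_validation.ooniapi
  to   = module.ooniapi_acm_certificate.aws_acm_certificate_validation.this
}

# … unchanged: module "ooniapi_acm_certificate" call …
```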
diff --git a/tf/modules/ooniapi_frontend/variables.tf b/tf/modules/ooniapi_frontend/variables.tf
index e29568e2..a7ec8493 100644
--- a/tf/modules/ooniapi_frontend/variables.tf
+++ b/tf/modules/ooniapi_frontend/variables.tf
@@ -19,12 +19,15 @@ variable "oonibackend_proxy_target_group_arn" {
 variable "ooniapi_oonirun_target_group_arn" {
 description = "arn for the target group of the oonirun service"
 }
+
 variable "ooniapi_ooniauth_target_group_arn" {
 description = "arn for the target group of the ooniauth service"
 }
+
 variable "ooniapi_ooniprobe_target_group_arn" {
 description = "arn for the target group of the ooniprobe service"
 }
+
 variable "ooniapi_oonifindings_target_group_arn" {
 description = "arn for the target group of the oonifindings service"
 }
@@ -41,3 +44,9 @@ variable "ooniapi_service_security_groups" {
 description = "the shared web security group from the ecs cluster"
 type = list(string)
 }
+
+variable "alternative_domains" {
+ type = map(string)
+ description = "map of alternate names for the frontend as a map from domain to zone id"
+ default = {}
+}
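Review bot: The description of `alternative_domains` says what the map is but not what it does, and the effect is security-relevant: every key becomes a subject alternative name on the ALB's public certificate and gets an A alias record in the zone given as value, so adding an entry moves that hostname's traffic onto this frontend. Suggest `description = "extra hostnames served by this frontend: each key is added as a SAN to the ALB certificate and gets an A alias record in the Route53 zone given as value (the zone must be managed from this account)"`. That sentence is what a reviewer of the prod root module needs in order to see that an entry here is a production cutover, not just a vanity name.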