From b73772a074750812585d11634758351aad66d329 Mon Sep 17 00:00:00 2001 From: Jesse Lee Date: Tue, 9 May 2023 20:53:16 -0400 Subject: [PATCH] add certificate setup for https (#13) * add certificate setup for https * feat: get https to work with certificate * add example env file --- example.env | 1 - main.tf | 4 ++++ modules/dns/main.tf | 39 +++++++++++++++++++++++++++++++++++++++ modules/dns/outputs.tf | 3 +++ modules/dns/variables.tf | 11 +++++++++++ modules/elb/main.tf | 12 ++++++++++++ modules/elb/variables.tf | 9 +++++++++ variables.tf | 6 ++++++ 8 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 modules/dns/outputs.tf diff --git a/example.env b/example.env index e502f97..77a839c 100644 --- a/example.env +++ b/example.env @@ -2,4 +2,3 @@ TF_VAR_deployment_name="devnet13" TF_VAR_company_name="company" TF_VAR_owner="user@polygon.technology" TF_VAR_fullnode_count=0 - diff --git a/main.tf b/main.tf index 1cc0d9b..039a575 100644 --- a/main.tf +++ b/main.tf @@ -23,6 +23,8 @@ module "dns" { fullnode_count = var.fullnode_count validator_count = var.validator_count geth_count = var.geth_count + route53_zone_id = var.route53_zone_id + deployment_name = var.deployment_name devnet_id = module.networking.devnet_id aws_lb_int_rpc_domain = module.elb.aws_lb_int_rpc_domain @@ -70,6 +72,7 @@ module "elb" { fullnode_count = var.fullnode_count validator_count = var.validator_count geth_count = var.geth_count + route53_zone_id = var.route53_zone_id base_id = local.base_id devnet_private_subnet_ids = module.networking.devnet_private_subnet_ids @@ -80,6 +83,7 @@ module "elb" { devnet_id = module.networking.devnet_id security_group_open_http_id = module.securitygroups.security_group_open_http_id security_group_default_id = module.securitygroups.security_group_default_id + certificate_arn = module.dns.certificate_arn } module "networking" { diff --git a/modules/dns/main.tf b/modules/dns/main.tf index 665136a..eac8ebd 100644 --- a/modules/dns/main.tf 
+++ b/modules/dns/main.tf @@ -85,3 +85,42 @@ resource "aws_route53_record" "geth_rpc" { records = [var.aws_lb_ext_rpc_geth_domain] } +data "aws_route53_zone" "ext_rpc" { + count = var.route53_zone_id == "" ? 0 : 1 + zone_id = var.route53_zone_id +} + +resource "aws_acm_certificate" "ext_rpc" { + count = var.route53_zone_id == "" ? 0 : 1 + domain_name = "${var.deployment_name}.${data.aws_route53_zone.ext_rpc[0].name}" + validation_method = "DNS" + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_route53_record" "validation" { + for_each = { + for dvo in (var.route53_zone_id == "" ? [] : aws_acm_certificate.ext_rpc[0].domain_validation_options) : dvo.domain_name => { + name = dvo.resource_record_name + record = dvo.resource_record_value + type = dvo.resource_record_type + } + } + + allow_overwrite = true + name = each.value.name + records = [each.value.record] + ttl = 60 + type = each.value.type + zone_id = var.route53_zone_id +} + +resource "aws_acm_certificate_validation" "edge" { + count = var.route53_zone_id == "" ? 0 : 1 + certificate_arn = aws_acm_certificate.ext_rpc[0].arn + validation_record_fqdns = [for record in aws_route53_record.validation : record.fqdn] +} + + diff --git a/modules/dns/outputs.tf b/modules/dns/outputs.tf new file mode 100644 index 0000000..cc787c9 --- /dev/null +++ b/modules/dns/outputs.tf @@ -0,0 +1,3 @@ +output "certificate_arn" { + value = var.route53_zone_id == "" ? "" : aws_acm_certificate.ext_rpc[0].arn +} \ No newline at end of file diff --git a/modules/dns/variables.tf b/modules/dns/variables.tf index 5772847..c8aa554 100644 --- a/modules/dns/variables.tf +++ b/modules/dns/variables.tf @@ -8,6 +8,12 @@ variable "region" { type = string default = "us-west-2" } + +variable "deployment_name" { + description = "The unique name for this particular deployment" + type = string +} + variable "fullnode_count" { description = "The number of full nodes that we're going to deploy" type = number 
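Review bot: The validation resource is named `aws_acm_certificate_validation.edge` while the data source, the certificate and the validation records in the same hunk are all named `ext_rpc`, and since consumers should be reading this resource's `certificate_arn` attribute rather than the raw certificate's `arn`, the odd name makes that reference easy to miss; renaming it to `aws_acm_certificate_validation.ext_rpc` keeps the chain readable. `allow_overwrite = true` on the validation records is unexplained; a short comment such as `# allow_overwrite: lets a re-issued certificate replace a validation CNAME that already exists in the zone` would record the intent (I assume that is why it was added). The two blank `+` lines at the end of the hunk add only trailing whitespace and can be dropped.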
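Review bot: The `certificate_arn` output exports `aws_acm_certificate.ext_rpc[0].arn` directly, so the ELB module can try to attach the certificate before ACM has finished DNS validation; the "issued" dependency lives in `aws_acm_certificate_validation`, and a listener apply against a still-pending certificate can fail or race. Exporting the validation resource's attribute instead, `value = var.route53_zone_id == "" ? "" : aws_acm_certificate_validation.edge[0].certificate_arn`, makes Terraform wait until the certificate is actually issued. A `description` on the output stating that an empty string means HTTPS is disabled would also help callers, and the file is missing its final newline.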
@@ -39,4 +45,9 @@ variable "aws_lb_int_rpc_domain" { } variable "aws_lb_ext_rpc_geth_domain" { type = string +} + +variable "route53_zone_id" { + description = "The ID for external DNS" + type = string } \ No newline at end of file diff --git a/modules/elb/main.tf b/modules/elb/main.tf index a80ab85..aa3afea 100644 --- a/modules/elb/main.tf +++ b/modules/elb/main.tf @@ -61,6 +61,18 @@ resource "aws_lb_listener" "ext_rpc" { } } +resource "aws_lb_listener" "ext_rpc_secure" { + count = var.route53_zone_id == "" ? 0 : 1 + load_balancer_arn = aws_lb.ext_rpc.arn + port = 443 + protocol = "HTTPS" + certificate_arn = var.certificate_arn + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.ext_rpc.arn + } +} + resource "aws_lb" "ext_rpc_geth" { name = "ext-rpc-rootchain-${var.base_id}" load_balancer_type = "application" diff --git a/modules/elb/variables.tf b/modules/elb/variables.tf index 0c79f65..6f2f80c 100644 --- a/modules/elb/variables.tf +++ b/modules/elb/variables.tf @@ -47,4 +47,13 @@ variable "security_group_open_http_id" { } variable "security_group_default_id" { type = string +} + +variable "certificate_arn" { + type = string +} + +variable "route53_zone_id" { + description = "The ID for external DNS" + type = string } \ No newline at end of file diff --git a/variables.tf b/variables.tf index 5e91372..dc03322 100644 --- a/variables.tf +++ b/variables.tf @@ -100,6 +100,12 @@ variable "rootchain_rpc_port" { default = 8545 } +variable "route53_zone_id" { + description = "The ID of the hosted zone to contain the CNAME record to our LB" + type = string + default = "" +} + variable "owner" { description = "The main point of contact for this particular deployment" type = string
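Review bot: The new `route53_zone_id` variable is described only as "The ID for external DNS", which does not tell a caller that an empty string is the switch that disables certificate issuance and the HTTPS listener (the `count` expressions elsewhere in this patch key off `== ""`); the same vague description is repeated in modules/elb/variables.tf, and `certificate_arn` there has no description at all. Suggest `description = "Route53 hosted zone ID used to issue and DNS-validate the ACM certificate; empty string disables HTTPS"` here and in the elb module, and `description = "ARN of the validated ACM certificate for the HTTPS listener; empty string when HTTPS is disabled"` for `certificate_arn`. The module variables carry no `default`, which is fine because the root `variables.tf` hunk defaults `route53_zone_id` to `""`, but a `validation` block that rejects values which are neither empty nor a plausible zone ID would surface typos before ACM does.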
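Review bot: `aws_lb_listener.ext_rpc_secure` sets no `ssl_policy`, so the listener falls back to the AWS default security policy, which (unless the provider pins a newer one) still negotiates TLS 1.0 and 1.1; add `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"` (or whatever policy the project standardises on) next to `protocol = "HTTPS"`. The existing plain-HTTP listener `aws_lb_listener.ext_rpc`, whose closing lines are the context above the new block, keeps forwarding to the same target group, so RPC traffic still flows in cleartext even once the certificate exists; when `route53_zone_id` is set its default action could become a `redirect` to port 443 with `status_code = "HTTP_301"`, which is a larger change than this hunk and worth a follow-up. The load balancer's security group is assigned outside this hunk — presumably `security_group_open_http_id` — and must also permit inbound 443 for the new listener to be reachable; I cannot confirm from the diff that it does.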