got ssl working

beam-cloud · Jan 21, 2024 · 49fe55a · 49fe55a
1 parent ea6090a
commit 49fe55a
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 11 deletions.
diff --git a/deploy/aws/modules/cluster/main.tf b/deploy/aws/modules/cluster/main.tf
@@ -704,4 +704,5 @@ resource "aws_db_instance" "postgres_db" {
   skip_final_snapshot  = true
 
   depends_on = [aws_db_subnet_group.default]
-}
+}
+
diff --git a/deploy/aws/modules/cluster/variables.tf b/deploy/aws/modules/cluster/variables.tf
@@ -3,13 +3,6 @@ variable "prefix" {
   type        = string
 }
 
-variable "domain" {
-  default = "eng-stage.slai.io"
-}
-
-variable "domain_hosted_zone_id" {
-  default = "Z07081541B2HAA9KWC78W"
-}
 
 variable "k3s_cluster_ami" {
   default = "ami-027a754129abb5386" # ubuntu 20.04

diff --git a/deploy/aws/modules/k8s-resources/main.tf b/deploy/aws/modules/k8s-resources/main.tf
@@ -8,6 +8,39 @@ provider "helm" {
 }
 
 
+# SSL Certificate for the service exposed
+resource "aws_acm_certificate" "ssl_cert" {
+  domain_name       = var.domain
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# Certificate validation
+resource "aws_acm_certificate_validation" "ssl_cert" {
+  certificate_arn         = aws_acm_certificate.ssl_cert.arn
+  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
+}
+
+# DNS records for certificate validation
+resource "aws_route53_record" "cert_validation" {
+  for_each = {
+    for dvo in aws_acm_certificate.ssl_cert.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  zone_id = var.domain_hosted_zone_id
+  name    = each.value.name
+  type    = each.value.type
+  ttl     = 60
+  records = [each.value.record]
+}
+
 resource "helm_release" "aws_lb_controller" {
   name       = "aws-load-balancer-controller"
   repository = "https://aws.github.io/eks-charts"
@@ -50,11 +83,14 @@ resource "helm_release" "nginx_ingress" {
           service.beta.kubernetes.io/aws-load-balancer-type: external
           service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
           service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
-          service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+          service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
           service.beta.kubernetes.io/aws-load-balancer-subnets: ${var.public_subnets}
+          service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "${aws_acm_certificate.ssl_cert.arn}"
+          service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
+          service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS13-1-2-2021-06"
         targetPorts:
           http: http
-          https: https
+          https: http
       ingressClass: nginx-public
       ingressClassResource:
         name: nginx-public

diff --git a/deploy/aws/modules/k8s-resources/variables.tf b/deploy/aws/modules/k8s-resources/variables.tf
@@ -28,4 +28,12 @@ variable "vpc_id" {
 
 variable "public_subnets" {
   type = string
-}
+}
+
+variable "domain" {
+  default = "eng-stage.slai.io"
+}
+
+variable "domain_hosted_zone_id" {
+  default = "Z07081541B2HAA9KWC78W"
+}