Add TLS termination and Route53 DNS (#330)

* Add TLS termination and Route53 DNS * move global into environments * restructure environments out of AWS directory
pubpub · May 6, 2024 · e915d30 · e915d30
1 parent 849ca9f
commit e915d30
Show file tree

Hide file tree

Showing 35 changed files with 283 additions and 92 deletions.
diff --git a/infrastructure/maskfile.md b/infrastructure/maskfile.md
@@ -28,7 +28,16 @@ Both `act` commands (for container version updates) and `terraform` commands
 Usually this means setting a file at `~/.aws/credentials` and `~/.aws/config`:
 see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
 
-## aws:tf:plan
+`terraform` commands for the `global` workspace require write-access API token
+to Cloudflare. Since this is one of the highest-security-profile accounts, it
+is not assumed all developers have access to this. To run these commands, set
+`CLOUDFLARE_API_TOKEN` environment variable.
+
+## tf
+
+> Terraform-related commands to run in one workspace or another
+
+### tf plan
 
 > Runs the plan (diff showing) command interactively using the environment specified.
 
@@ -44,7 +53,7 @@ see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
 
 ```bash
 (
-    cd terraform/aws/environments/${proper_name}
+    cd terraform/environments/${proper_name}
 
     export AWS_PAGER=""
     if aws sts get-caller-identity; then
@@ -61,7 +70,7 @@ see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
 )
 ```
 
-## aws:tf:apply
+### tf apply
 
 > Runs the apply command interactively, still asking for confirmation, using the environment specified.
 
@@ -77,7 +86,7 @@ see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
 
 ```bash
 (
-    cd terraform/aws/environments/${proper_name}
+    cd terraform/environments/${proper_name}
 
     export AWS_PAGER=""
     if aws sts get-caller-identity; then
@@ -94,7 +103,7 @@ see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
 )
 ```
 
-## aws:tf:init
+### tf init
 
 > Runs the initialization for the environment
 
@@ -109,13 +118,17 @@ see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
 ```bash
 
 (
-    cd terraform/aws/environments/${proper_name}
+    cd terraform/environments/${proper_name}
 
     terraform init
 )
 ```
 
-## aws:ecs:deploy:all
+## ecs
+
+> commands that manage AWS containers
+
+### ecs deploy:all
 
 > Use `act` CLI to deploy all containers to a given SHA (or HEAD).
 
@@ -160,7 +173,7 @@ see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
 )
 ```
 
-## aws:ecs:deploy:one
+### ecs deploy:one
 
 > Use `act` CLI to deploy ONE container/service to a given SHA (or HEAD).
 
@@ -211,7 +224,7 @@ see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
 )
 ```
 
-## aws:ecr:build:all
+### ecs build:all
 
 > Use `act` CLI to build and push all containers with local code, tagged with the HEAD (or HEAD-dirty) SHA
 
@@ -235,7 +248,7 @@ No options are required -- the workflow infers them all.
 )
 ```
 
-## aws:bastion
+### ecs bastion
 
 > Opens an interactive shell on the bastion container in AWS
 
@@ -286,7 +299,7 @@ aws ecs \
 
 <!-- build nginx container -->
 
-## nginx:build
+### ecs nginx:build
 
 > Builds the nginx container used in AWS ECS for inbound traffic
 
@@ -298,7 +311,7 @@ docker build \
   ./nginx
 ```
 
-## nginx:push
+### ecs nginx:push
 
 > Pushes the locally built latest nginx container
 

diff --git a/infrastructure/terraform/aws/README.md → infrastructure/terraform/README.md b/infrastructure/terraform/aws/README.md → infrastructure/terraform/README.md
diff --git a/infrastructure/terraform/aws/.terraform.lock.hcl b/infrastructure/terraform/aws/.terraform.lock.hcl
diff --git a/...ws/environments/blake/.terraform.lock.hcl → ...rm/environments/blake/.terraform.lock.hcl b/...ws/environments/blake/.terraform.lock.hcl → ...rm/environments/blake/.terraform.lock.hcl
diff --git a/.../terraform/aws/environments/blake/main.tf → ...ture/terraform/environments/blake/main.tf b/.../terraform/aws/environments/blake/main.tf → ...ture/terraform/environments/blake/main.tf
@@ -39,15 +39,16 @@ locals {
   environment = "staging"
   region = "us-east-1"
 
-  # TODO: Resume using this once we also Terraform the Route53
-  # pubpub_url = "https://v7.pubpub.org"
+  pubpub_hostname = "blake.duqduq.org"
+  route53_zone_id = "Z059164612717GL8VGM95"
 
   MAILGUN_SMTP_USERNAME = "[email protected]"
   NEXT_PUBLIC_SUPABASE_URL = "https://dsleqjuvzuoycpeotdws.supabase.co"
   NEXT_PUBLIC_SUPABASE_PUBLIC_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImRzbGVxanV2enVveWNwZW90ZHdzIiwicm9sZSI6ImFub24iLCJpYXQiOjE2ODIzNTE0MjEsImV4cCI6MTk5NzkyNzQyMX0.3HHC0f7zlFXP77N0U8cS3blr7n6hhjqdYI6_ciQJams"
   ASSETS_BUCKET_NAME = "assets.blake.pubpub.org"
 }
 
+
 ######
 ##
 ##  Complete generic environment
@@ -61,6 +62,9 @@ module "deployment" {
   environment = local.environment
   region = local.region
 
+  pubpub_hostname = local.pubpub_hostname
+  route53_zone_id = local.route53_zone_id
+
   MAILGUN_SMTP_USERNAME = local.MAILGUN_SMTP_USERNAME
   NEXT_PUBLIC_SUPABASE_URL = local.NEXT_PUBLIC_SUPABASE_URL
   NEXT_PUBLIC_SUPABASE_PUBLIC_KEY = local.NEXT_PUBLIC_SUPABASE_PUBLIC_KEY

diff --git a/...ure/terraform/globals/.terraform.lock.hcl → ...vironments/cloudflare/.terraform.lock.hcl b/...ure/terraform/globals/.terraform.lock.hcl → ...vironments/cloudflare/.terraform.lock.hcl
diff --git a/infrastructure/terraform/environments/cloudflare/README.md b/infrastructure/terraform/environments/cloudflare/README.md
@@ -0,0 +1,21 @@
+# Global Cloudflare configuration
+
+This module should generally be created by an admin,
+and assumees the following permissions which are sensitive:
+
+**Cloudflare read-write token** set at `CLOUDFLARE_API_TOKEN`. In general, this
+secret can be used  for very nefarious things and should be extra sensitively protected.
+
+**AWS read-write permissions**: in `~/.aws/credentials`. see `../maskfile.md` for more info.
+
+##  Relationship to AWS environments
+
+AWS environments assume existence of the Route53 zone and DNS NS records that refer authority
+to that zone. If you are not using Cloudflare this module is not needed for those environments,
+but in general to create a new env it is expected to augment this module with NS  records referring
+to this route53 configuration for domains subordinate to that new AWS env.
+
+Therefore updates to this module, which should happen very infrequently, should be applied before
+you attempt to create the new AWS-ECS environment, otherwise that will fail due to the AWS Certificate
+Manager being unsuccessful in validating your ownership of the DNS.
+
diff --git a/infrastructure/terraform/environments/cloudflare/main.tf b/infrastructure/terraform/environments/cloudflare/main.tf
@@ -0,0 +1,56 @@
+# aws terraform provider config
+
+terraform {
+  required_version = ">= 1.5.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 2.0"
+    }
+
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4.0"
+    }
+  }
+  backend "s3" {
+    bucket = "pubpub-tfstates"
+    key    = "cloudflare.tfstate"
+    region = "us-east-1"
+  }
+}
+
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+######
+#
+## Configuration of routing from Cloudflare to Route53.
+#
+######
+
+locals {
+  duqduq_domain = "duqduq.org"
+}
+
+data "cloudflare_zone" "duqduq" {
+  name = local.duqduq_domain
+}
+
+resource "aws_route53_zone" "duqduq" {
+  name = local.duqduq_domain
+}
+
+# do this for all subdomains of duqduq that need to be NS'd to v7
+resource "cloudflare_record" "ns" {
+  for_each = toset(["0", "1", "2", "3"])
+  type    = "NS"
+
+  zone_id = data.cloudflare_zone.duqduq.id
+
+  name    = "blake.${local.duqduq_domain}"
+
+  value   = aws_route53_zone.duqduq.name_servers[tonumber(each.key)]
+}
diff --git a/.../aws/modules/container-generic/outputs.tf → ...raform/environments/cloudflare/outputs.tf b/.../aws/modules/container-generic/outputs.tf → ...raform/environments/cloudflare/outputs.tf