From ab2fee67cb9f377adf8be8a2bd61d94d88c050af Mon Sep 17 00:00:00 2001 From: Bryan Robitaille Date: Tue, 24 Oct 2023 11:35:57 -0400 Subject: [PATCH 01/10] Use new variable for multiple domains --- .github/workflows/terragrunt-apply-staging.yml | 4 ++-- .github/workflows/terragrunt-plan-all-staging.yml | 2 +- .github/workflows/terragrunt-plan-staging.yml | 2 +- env/cloud/alarms/terragrunt.hcl | 2 +- env/cloud/load_balancer/terragrunt.hcl | 2 +- env/terragrunt.hcl | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/terragrunt-apply-staging.yml b/.github/workflows/terragrunt-apply-staging.yml index 0bfca9e43..ff2a3ef42 100644 --- a/.github/workflows/terragrunt-apply-staging.yml +++ b/.github/workflows/terragrunt-apply-staging.yml @@ -12,7 +12,7 @@ on: env: APP_ENV: "staging" - APP_DOMAIN: ${{ vars.STAGING_APP_DOMAIN }} + APP_DOMAINS: ${{ vars.STAGING_APP_DOMAINS }} AWS_ACCOUNT_ID: ${{ vars.STAGING_AWS_ACCOUNT_ID }} AWS_REGION: ca-central-1 AWS_ACCESS_KEY_ID: ${{ secrets.STAGING_AWS_ACCESS_KEY_ID }} @@ -250,4 +250,4 @@ jobs: WORKFLOW_NAME: "${{ github.workflow }}" run: | json='{"channel":"#forms-staging-events", "blocks":[{"type":"section","text":{"type":"mrkdwn","text":":red: GitHub workflow failed: <${{ env.WORKFLOW_URL }}|${{ env.WORKFLOW_NAME }}>"}}]}' - curl -X POST -H 'Content-type: application/json' --data "$json" "https://hooks.slack.com${{ secrets.STAGING_SLACK_WEBHOOK }}" \ No newline at end of file + curl -X POST -H 'Content-type: application/json' --data "$json" "https://hooks.slack.com${{ secrets.STAGING_SLACK_WEBHOOK }}" diff --git a/.github/workflows/terragrunt-plan-all-staging.yml b/.github/workflows/terragrunt-plan-all-staging.yml index fc68f1765..e620b9ca0 100644 --- a/.github/workflows/terragrunt-plan-all-staging.yml +++ b/.github/workflows/terragrunt-plan-all-staging.yml @@ -5,7 +5,7 @@ on: env: APP_ENV: staging - APP_DOMAIN: ${{ vars.STAGING_APP_DOMAIN_ARRAY }} + APP_DOMAINS: ${{ vars.STAGING_APP_DOMAINS }} AWS_ACCOUNT_ID: ${{ vars.STAGING_AWS_ACCOUNT_ID }} AWS_REGION: ca-central-1 AWS_ACCESS_KEY_ID: ${{ secrets.STAGING_AWS_ACCESS_KEY_ID }} diff --git a/.github/workflows/terragrunt-plan-staging.yml b/.github/workflows/terragrunt-plan-staging.yml index 8234210e8..ac0402114 100644 --- a/.github/workflows/terragrunt-plan-staging.yml +++ b/.github/workflows/terragrunt-plan-staging.yml @@ -12,7 +12,7 @@ on: env: APP_ENV: staging - APP_DOMAIN: ${{ vars.STAGING_APP_DOMAIN_ARRAY }} + APP_DOMAINS: ${{ vars.STAGING_APP_DOMAINS }} AWS_ACCOUNT_ID: ${{ vars.STAGING_AWS_ACCOUNT_ID }} AWS_REGION: ca-central-1 AWS_ACCESS_KEY_ID: ${{ secrets.STAGING_AWS_ACCESS_KEY_ID }} diff --git a/env/cloud/alarms/terragrunt.hcl b/env/cloud/alarms/terragrunt.hcl index 790f1bc04..0a3a5406d 100644 --- a/env/cloud/alarms/terragrunt.hcl +++ b/env/cloud/alarms/terragrunt.hcl @@ -7,7 +7,7 @@ dependencies { } locals { - domain = jsondecode(get_env("APP_DOMAIN", "['localhost:3000']")) + domain = jsondecode(get_env("APP_DOMAINS", "['localhost:3000']")) } dependency "hosted_zone" { diff --git a/env/cloud/load_balancer/terragrunt.hcl b/env/cloud/load_balancer/terragrunt.hcl index 34f8075c2..4bde23a69 100644 --- a/env/cloud/load_balancer/terragrunt.hcl +++ b/env/cloud/load_balancer/terragrunt.hcl @@ -7,7 +7,7 @@ dependencies { } locals { - domain = jsondecode(get_env("APP_DOMAIN", "['localhost:3000']")) + domain = jsondecode(get_env("APP_DOMAINS", "['localhost:3000']")) } diff --git a/env/terragrunt.hcl b/env/terragrunt.hcl index d91025b30..4bafa1ef0 100644 --- a/env/terragrunt.hcl +++ b/env/terragrunt.hcl @@ -1,7 +1,7 @@ locals { account_id = get_env("AWS_ACCOUNT_ID", "") env = get_env("APP_ENV", "local") - domain = get_env("APP_DOMAIN", "['localhost:3000']") + domain = get_env("APP_DOMAINS", "['localhost:3000']") } inputs = { From 91a0181d13f97af78c432248fae22b5eb0d29682 Mon Sep 17 00:00:00 2001 From: Bryan Robitaille Date: Tue, 24 Oct 2023 12:03:51 -0400 Subject: [PATCH 02/10] test --- aws/load_balancer/certificates.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/load_balancer/certificates.tf b/aws/load_balancer/certificates.tf index fa6fc93b0..b5e9c91af 100644 --- a/aws/load_balancer/certificates.tf +++ b/aws/load_balancer/certificates.tf @@ -5,7 +5,7 @@ resource "aws_acm_certificate" "form_viewer" { # First entry in domain list is the primary domain domain_name = var.domain[0] validation_method = "DNS" - subject_alternative_names = length(var.domain) > 1 ? slice(var.domain, 1, length(var.domain) - 1) : [] + subject_alternative_names = var.domain[1] # length(var.domain) > 1 ? slice(var.domain, 1, length(var.domain) - 1) : [] lifecycle { create_before_destroy = true From 3eabd2c7b84250d02b9df1c5c029f369ee60a773 Mon Sep 17 00:00:00 2001 From: Bryan Robitaille Date: Tue, 24 Oct 2023 12:09:44 -0400 Subject: [PATCH 03/10] test --- aws/load_balancer/certificates.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/load_balancer/certificates.tf b/aws/load_balancer/certificates.tf index b5e9c91af..4b677bc62 100644 --- a/aws/load_balancer/certificates.tf +++ b/aws/load_balancer/certificates.tf @@ -5,7 +5,7 @@ resource "aws_acm_certificate" "form_viewer" { # First entry in domain list is the primary domain domain_name = var.domain[0] validation_method = "DNS" - subject_alternative_names = var.domain[1] # length(var.domain) > 1 ? slice(var.domain, 1, length(var.domain) - 1) : [] + subject_alternative_names = [var.domain[1]] # length(var.domain) > 1 ? slice(var.domain, 1, length(var.domain) - 1) : [] lifecycle { create_before_destroy = true From 40f6da06b191ac18e41b3786e2616f96b80acb04 Mon Sep 17 00:00:00 2001 From: Bryan Robitaille Date: Tue, 24 Oct 2023 12:24:27 -0400 Subject: [PATCH 04/10] test --- aws/load_balancer/certificates.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/load_balancer/certificates.tf b/aws/load_balancer/certificates.tf index 4b677bc62..da0b70ee3 100644 --- a/aws/load_balancer/certificates.tf +++ b/aws/load_balancer/certificates.tf @@ -5,7 +5,7 @@ resource "aws_acm_certificate" "form_viewer" { # First entry in domain list is the primary domain domain_name = var.domain[0] validation_method = "DNS" - subject_alternative_names = [var.domain[1]] # length(var.domain) > 1 ? slice(var.domain, 1, length(var.domain) - 1) : [] + subject_alternative_names = length(var.domain) > 1 ? setsubtract(var.domain, [var.domain[0]]) : [] lifecycle { create_before_destroy = true From ce0dd4868995517d1a1c4b714d8943ed6de7bee6 Mon Sep 17 00:00:00 2001 From: Bryan Robitaille Date: Tue, 24 Oct 2023 13:11:34 -0400 Subject: [PATCH 05/10] different approach --- aws/app/ecs.tf | 2 +- aws/app/lambda.tf | 2 +- aws/cognito/user_pool.tf | 2 +- aws/hosted_zone/hosted_zone.tf | 4 ++-- aws/load_balancer/certificates.tf | 4 ++-- aws/load_balancer/route53.tf | 34 +++++++++++++++++-------------- aws/load_balancer/waf.tf | 2 +- aws/load_testing/lambda.tf | 2 +- env/common/common_variables.tf | 4 ++-- 9 files changed, 30 insertions(+), 26 deletions(-) diff --git a/aws/app/ecs.tf b/aws/app/ecs.tf index f52e4a93c..59a2e4738 100644 --- a/aws/app/ecs.tf +++ b/aws/app/ecs.tf @@ -37,7 +37,7 @@ data "template_file" "form_viewer_task" { token_secret = aws_secretsmanager_secret_version.token_secret.arn database_url = var.database_url_secret_arn redis_url = var.redis_url - nextauth_url = "https://${var.domain[0]}" + nextauth_url = "https://${var.domains[0]}" submission_api = aws_lambda_function.submission.arn reliability_file_storage = aws_s3_bucket.reliability_file_storage.id vault_file_storage = aws_s3_bucket.vault_file_storage.id diff --git a/aws/app/lambda.tf b/aws/app/lambda.tf index 8cc018890..f3b934133 100644 --- a/aws/app/lambda.tf +++ b/aws/app/lambda.tf @@ -565,7 +565,7 @@ resource "aws_lambda_function" "nagware" { variables = { ENVIRONMENT = var.env REGION = var.region - DOMAIN = var.domain[0] + DOMAIN = var.domains[0] DYNAMODB_VAULT_TABLE_NAME = var.dynamodb_vault_table_name DB_ARN = var.rds_cluster_arn DB_SECRET = var.database_secret_arn diff --git a/aws/cognito/user_pool.tf b/aws/cognito/user_pool.tf index 844d1f78d..71396dd44 100644 --- a/aws/cognito/user_pool.tf +++ b/aws/cognito/user_pool.tf @@ -32,7 +32,7 @@ resource "aws_cognito_user_pool_client" "forms" { name = "forms_client" user_pool_id = aws_cognito_user_pool.forms.id - callback_urls = concat(formatlist("https://%s/api/auth/callback/cognito", var.domain), ["https://localhost:3000/api/auth/callback/cognito"]) + callback_urls = concat(formatlist("https://%s/api/auth/callback/cognito", var.domains), ["https://localhost:3000/api/auth/callback/cognito"]) allowed_oauth_flows_user_pool_client = true allowed_oauth_flows = ["code"] allowed_oauth_scopes = ["email", "openid", "profile"] diff --git a/aws/hosted_zone/hosted_zone.tf b/aws/hosted_zone/hosted_zone.tf index 541cc584e..012c4b1c5 100644 --- a/aws/hosted_zone/hosted_zone.tf +++ b/aws/hosted_zone/hosted_zone.tf @@ -3,8 +3,8 @@ # Holds the DNS records for the service # resource "aws_route53_zone" "form_viewer" { - count = length(var.domain) - name = var.domain[count.index] + count = length(var.domains) + name = var.domains[count.index] tags = { (var.billing_tag_key) = var.billing_tag_value diff --git a/aws/load_balancer/certificates.tf b/aws/load_balancer/certificates.tf index da0b70ee3..6e4e0a437 100644 --- a/aws/load_balancer/certificates.tf +++ b/aws/load_balancer/certificates.tf @@ -3,9 +3,9 @@ # resource "aws_acm_certificate" "form_viewer" { # First entry in domain list is the primary domain - domain_name = var.domain[0] + domain_name = var.domains[0] validation_method = "DNS" - subject_alternative_names = length(var.domain) > 1 ? setsubtract(var.domain, [var.domain[0]]) : [] + subject_alternative_names = length(var.domains) > 1 ? setsubtract(var.domains, [var.domains[0]]) : [] lifecycle { create_before_destroy = true diff --git a/aws/load_balancer/route53.tf b/aws/load_balancer/route53.tf index b82cb1895..297948d6a 100644 --- a/aws/load_balancer/route53.tf +++ b/aws/load_balancer/route53.tf @@ -2,9 +2,9 @@ # Route53 records # resource "aws_route53_record" "form_viewer" { - count = length(var.domain) + count = length(var.domains) zone_id = var.hosted_zone_ids[count.index] - name = var.domain[count.index] + name = var.domains[count.index] type = "A" alias { @@ -17,30 +17,34 @@ resource "aws_route53_record" "form_viewer" { # # Certificate validation # +# locals { +# cert_validation_by_zone_id = setproduct(var.hosted_zone_ids, [for dvo in aws_acm_certificate.form_viewer.domain_validation_options : { +# name = dvo.resource_record_name +# type = dvo.resource_record_type +# record = dvo.resource_record_value +# }]) +# } + locals { - cert_validation_by_zone_id = setproduct(var.hosted_zone_ids, [for dvo in aws_acm_certificate.form_viewer.domain_validation_options : { - name = dvo.resource_record_name - type = dvo.resource_record_type - record = dvo.resource_record_value - }]) + domain_name_to_zone_id = zipmap(var.domains, var.hosted_zone_ids) } resource "aws_route53_record" "form_viewer_certificate_validation" { - for_each = { - for idx, entry in local.cert_validation_by_zone_id : idx => { - zone_id = entry[0] - name = entry[1].name - type = entry[1].type - record = entry[1].record + for dvo in aws_acm_certificate.form_viewer.domain_validation_options : dvo.domain_name => { + domain = dvo.domain_name + name = dvo.resource_record_name + record = dvo.resource_record_value + type = dvo.resource_record_type } } + allow_overwrite = true - zone_id = each.value.zone_id name = each.value.name records = [each.value.record] + ttl = 60 type = each.value.type + zone_id = domain_name_to_zone_id[each.value.domain] - ttl = 60 } diff --git a/aws/load_balancer/waf.tf b/aws/load_balancer/waf.tf index f64d0126b..ec6c3a974 100644 --- a/aws/load_balancer/waf.tf +++ b/aws/load_balancer/waf.tf @@ -294,7 +294,7 @@ resource "aws_wafv2_regex_pattern_set" "forms_base_url" { description = "Regex matching the root domain of GCForms" scope = "REGIONAL" dynamic "regular_expression" { - for_each = var.domain + for_each = var.domains content { regex_string = "^${regular_expression.value}$" } diff --git a/aws/load_testing/lambda.tf b/aws/load_testing/lambda.tf index d761a3e89..70d3be51d 100644 --- a/aws/load_testing/lambda.tf +++ b/aws/load_testing/lambda.tf @@ -17,7 +17,7 @@ resource "aws_lambda_function" "load_testing" { variables = { LOCUST_RUN_TIME = "3m" LOCUST_LOCUSTFILE = "locust_test_file.py" - LOCUST_HOST = "https://${var.domain[0]}" + LOCUST_HOST = "https://${var.domains[0]}" LOCUST_HATCH_RATE = "1" LOCUST_NUM_CLIENTS = "1" } diff --git a/env/common/common_variables.tf b/env/common/common_variables.tf index dbce16825..9081328e8 100644 --- a/env/common/common_variables.tf +++ b/env/common/common_variables.tf @@ -18,8 +18,8 @@ variable "billing_tag_value" { type = string } -variable "domain" { - description = "The server domain" +variable "domains" { + description = "The server domains" type = list(string) } From 56653f198dc424cd71221292f51f05de097a310c Mon Sep 17 00:00:00 2001 From: Bryan Robitaille Date: Tue, 24 Oct 2023 13:13:26 -0400 Subject: [PATCH 06/10] fix typo in var --- env/terragrunt.hcl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/env/terragrunt.hcl b/env/terragrunt.hcl index 4bafa1ef0..f71ab1de2 100644 --- a/env/terragrunt.hcl +++ b/env/terragrunt.hcl @@ -1,14 +1,14 @@ locals { account_id = get_env("AWS_ACCOUNT_ID", "") env = get_env("APP_ENV", "local") - domain = get_env("APP_DOMAINS", "['localhost:3000']") + domains = get_env("APP_DOMAINS", "['localhost:3000']") } inputs = { account_id = "${local.account_id}" billing_tag_key = "CostCentre" billing_tag_value = "forms-platform-${local.env}" - domain = local.domain + domains = local.domains env = "${local.env}" region = "ca-central-1" cbs_satellite_bucket_name = "cbs-satellite-${local.account_id}" From 982040fececcb4b25da1bc7925dad56ee5995d51 Mon Sep 17 00:00:00 2001 From: Bryan Robitaille Date: Tue, 24 Oct 2023 13:24:39 -0400 Subject: [PATCH 07/10] silly mistake, forgot to append local --- aws/load_balancer/route53.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/load_balancer/route53.tf b/aws/load_balancer/route53.tf index 297948d6a..d7d6e4587 100644 --- a/aws/load_balancer/route53.tf +++ b/aws/load_balancer/route53.tf @@ -45,6 +45,6 @@ resource "aws_route53_record" "form_viewer_certificate_validation" { records = [each.value.record] ttl = 60 type = each.value.type - zone_id = domain_name_to_zone_id[each.value.domain] + zone_id = local.domain_name_to_zone_id[each.value.domain] } From 8e41e8f7350ea7d671d2a7d9cf3b92caf4ca39fb Mon Sep 17 00:00:00 2001 From: Bryan Robitaille Date: Tue, 24 Oct 2023 13:38:16 -0400 Subject: [PATCH 08/10] update workflows --- .github/workflows/terragrunt-apply-production.yml | 2 +- .github/workflows/terragrunt-plan-production.yml | 2 +- aws/load_balancer/route53.tf | 8 -------- 3 files changed, 2 insertions(+), 10 deletions(-) diff --git a/.github/workflows/terragrunt-apply-production.yml b/.github/workflows/terragrunt-apply-production.yml index ce86bcb28..5221d23df 100644 --- a/.github/workflows/terragrunt-apply-production.yml +++ b/.github/workflows/terragrunt-apply-production.yml @@ -6,7 +6,7 @@ on: env: APP_ENV: production - APP_DOMAIN: ${{ vars.PRODUCTION_APP_DOMAIN}} + APP_DOMAINS: ${{ vars.PRODUCTION_APP_DOMAINS}} AWS_ACCOUNT_ID: ${{ vars.PRODUCTION_AWS_ACCOUNT_ID }} AWS_REGION: ca-central-1 AWS_ACCESS_KEY_ID: ${{ secrets.PRODUCTION_AWS_ACCESS_KEY_ID }} diff --git a/.github/workflows/terragrunt-plan-production.yml b/.github/workflows/terragrunt-plan-production.yml index 6040195e8..0c3fded1e 100644 --- a/.github/workflows/terragrunt-plan-production.yml +++ b/.github/workflows/terragrunt-plan-production.yml @@ -7,7 +7,7 @@ on: env: APP_ENV: production - APP_DOMAIN: ${{ vars.PRODUCTION_APP_DOMAIN}} + APP_DOMAINS: ${{ vars.PRODUCTION_APP_DOMAINS}} AWS_ACCOUNT_ID: ${{ vars.PRODUCTION_AWS_ACCOUNT_ID }} AWS_REGION: ca-central-1 AWS_ACCESS_KEY_ID: ${{ secrets.PRODUCTION_AWS_ACCESS_KEY_ID }} diff --git a/aws/load_balancer/route53.tf b/aws/load_balancer/route53.tf index d7d6e4587..581d144f6 100644 --- a/aws/load_balancer/route53.tf +++ b/aws/load_balancer/route53.tf @@ -17,14 +17,6 @@ resource "aws_route53_record" "form_viewer" { # # Certificate validation # -# locals { -# cert_validation_by_zone_id = setproduct(var.hosted_zone_ids, [for dvo in aws_acm_certificate.form_viewer.domain_validation_options : { -# name = dvo.resource_record_name -# type = dvo.resource_record_type -# record = dvo.resource_record_value -# }]) -# } - locals { domain_name_to_zone_id = zipmap(var.domains, var.hosted_zone_ids) } From 3452596cecc3afe6cada206c6a184c3f76128ee0 Mon Sep 17 00:00:00 2001 From: Bryan Robitaille Date: Wed, 25 Oct 2023 08:28:08 -0400 Subject: [PATCH 09/10] remove additional domain names from cert --- aws/load_balancer/certificates.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/load_balancer/certificates.tf b/aws/load_balancer/certificates.tf index 6e4e0a437..e0df4411d 100644 --- a/aws/load_balancer/certificates.tf +++ b/aws/load_balancer/certificates.tf @@ -5,7 +5,7 @@ resource "aws_acm_certificate" "form_viewer" { # First entry in domain list is the primary domain domain_name = var.domains[0] validation_method = "DNS" - subject_alternative_names = length(var.domains) > 1 ? setsubtract(var.domains, [var.domains[0]]) : [] + # subject_alternative_names = length(var.domains) > 1 ? setsubtract(var.domains, [var.domains[0]]) : [] lifecycle { create_before_destroy = true From c666fba0384c2ef505da4d9b64a8b272b5473d5d Mon Sep 17 00:00:00 2001 From: Bryan Robitaille Date: Wed, 25 Oct 2023 08:34:15 -0400 Subject: [PATCH 10/10] formatting --- aws/load_balancer/certificates.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aws/load_balancer/certificates.tf b/aws/load_balancer/certificates.tf index e0df4411d..94f770cba 100644 --- a/aws/load_balancer/certificates.tf +++ b/aws/load_balancer/certificates.tf @@ -3,8 +3,8 @@ # resource "aws_acm_certificate" "form_viewer" { # First entry in domain list is the primary domain - domain_name = var.domains[0] - validation_method = "DNS" + domain_name = var.domains[0] + validation_method = "DNS" # subject_alternative_names = length(var.domains) > 1 ? setsubtract(var.domains, [var.domains[0]]) : [] lifecycle {