Domain and certs handling (#52)

* Initial commit
* Removing 00_acm_create from deploy
* Adding missing files
* Fixing variables
* Small fixes from old code
* Changing lb_url for vm_url
* Moved env_out file
* We don't need app_port being passed
* Chaging elb protocol level
* Removing blank variable
* Chaging cert_available lb check
* Adding variables passthrough
* Adding readme definitions for domains and certs
* Resolving comments
* Fixes

Author: LeoDiazL

README.md

@@ -77,6 +77,14 @@ The following inputs can be used as `steps.with` keys:
 | `aws_create_vpc` | bool | `false` | Whether an AWS VPC should be created in the action. Otherwise, the existing default VPC will be used. |
 | `aws_extra_tags` | json | | A list of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`. |
 | `infrastructure_only` | bool | `false` | Set to true to provision infrastructure (with Terraform) but skip the app deployment (with ansible) |
+| **Domain and certificates configuration** |
+| `aws_domain_name` | string | | Define the root domain name for the application. e.g. bitovi.com'. If empty, ELB URL will be provided. |
+| `aws_sub_domain` | string | `${org}-${repo}-${branch}` | Define the sub-domain part of the URL. |
+| `aws_root_domain` | bool | `false` | Deploy application to root domain. Will create root and www DNS records. Domain must exist in Route53. |
+| `aws_cert_arn` | string | | Existing certificate ARN to be used in the ELB. Use if you manage a certificate outside of this action. See [this](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-list.html) for how to find the certificate ARN. **See note**. |
+| `aws_create_root_cert` | bool | `false`| Generates and manage the root certificate for the application to be used in the ELB. **See note**.|
+| `aws_create_sub_cert` | bool | `false` | Generates and manage the sub-domain certificate for the application to be used in the ELB. **See note**.|
+| `aws_no_cert` | bool | `false` | Set this to true if you want not to use a certificate in the ELB. **See note**. |
 | **Teraform configuration** |
 | `tf_state_bucket` | string | `${org}-${repo}-${branch}-tf-state` | AWS S3 bucket to use for Terraform state. By default, a new deployment will be created for each unique branch. Hardcode if you want to keep a shared resource state between the several branches. |
 | **StackStorm configuration** |
@@ -98,6 +106,27 @@ For some specific resources, we have a `32` characters limit. If the identifier
 ### S3 buckets naming
 Bucket names can be made of up to 63 characters. If the length allows us to add `-tf-state`, we will do so. If not, a simple `-tf` will be added.
 
+## Domain and Certificates - Only for AWS Managed domains with Route53
+
+As a default, the application will be deployed and the ELB public URL will be displayed.
+
+If `aws_domain_name` is defined, we will look up for a certificate with the name of that domain (eg. `example.com`). We expect that certificate to contain both `example.com` and `*.example.com`. Resulting URL will be `aws_sub_domain.aws_domain_name`
+
+If no certificate is available for `aws_domain_name`, then set up `no_cert` to true. 
+
+If you want to use an already created certificate, or prefer to manage it manually, you can set up `aws_cert_arn`. 
+Check the [AWS notes](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-list.html) for how to find the certificate ARN in AWS.
+
+Setting `aws_create_root_cert` to `true` will create this certificate with both `example.com` and `*.example.com` for you, and validate them. (DNS validation).
+
+Setting `aws_create_sub_cert` to `true` will create a certificate **just for the subdomain**, and validate it.
+
+> :warning: Be very careful here! **Created certificates are fully managed by Terraform**. Therefore **they will be destroyed upon stack destruction**.
+
+To change a certificate (root_cert, sub_cert, ARN or pre-existing root cert), you must first set the `no_cert` flag to true, run the action, then set the `no_cert` flag to false, add the desired settings and excecute the action again. (**This will destroy the first certificate.**)
+
+This is necessary due to a limitation that prevents certificates from being changed while in use by certain resources.
+
 ### Advanced StackStorm configuration with Ansible vars
 This action runs [`ansible-st2`](https://github.com/stackStorm/ansible-st2) roles under the hood. You can customize the Ansible configuration by creating a yaml file in your repo. This file will be passed to the Ansible playbook as extra vars. See the [Ansible-st2](https://github.com/stackStorm/ansible-st2#variables) documentation for a full list of available options.
 

action.yaml

@@ -68,10 +68,32 @@ inputs:
     description: 'Force purge and deletion of tf_state_bucket defined. Any file contained there will be destroyed. tf_stack_destroy must also be true.'
     default: "false"
 
+  # Domains
+  aws_domain_name:
+    description: 'Define the root domain name for the application. e.g. bitovi.com'. If empty, ELB URL will be provided.'
+    required: false
+  aws_sub_domain:
+    description: 'Define the sub-domain part of the URL. Defaults to `${org}-${repo}-{branch}`'
+  aws_root_domain:
+    description: 'Deploy application to root domain. Will create root and www DNS records. Domain must exist in Route53.'
+    required: false
+  aws_cert_arn:
+    description: 'Existing certificate ARN to be used in the ELB. Use if you manage a certificate outside of this action. See https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-list.html for how to find the certificate ARN.'
+    required: false
+  aws_create_root_cert:
+    description: 'Generates and manage the root certificate for the application to be used in the ELB.'
+    required: false
+  aws_create_sub_cert: 
+    description: 'Generates and manage the sub-domain certificate for the application to be used in the ELB.'
+    required: false
+  aws_no_cert:
+    description: 'Set this to true if you want not to use a certificate in the ELB.'
+    required: false
+
 outputs:
-  lb_url:
+  vm_url:
     description: 'The URL of the generated app'
-    value: ${{ steps.deploy.outputs.lb_url }}
+    value: ${{ steps.deploy.outputs.vm_url }}
 
 runs:
   using: 'composite'
@@ -93,14 +115,21 @@ runs:
         TF_STATE_BUCKET: ${{ inputs.tf_state_bucket }}
         TF_STATE_BUCKET_DESTROY: ${{ inputs.tf_state_bucket_destroy }}
 
-        APP_PORT: ${{ inputs.app_port }}
         EC2_INSTANCE_PROFILE: ${{ inputs.aws_ec2_instance_profile }}
         EC2_INSTANCE_TYPE: ${{ inputs.aws_ec2_instance_type }}
         STACK_DESTROY: ${{ inputs.tf_stack_destroy }}
         AWS_RESOURCE_IDENTIFIER: ${{ inputs.aws_resource_identifier }}
         CREATE_VPC: ${{ inputs.aws_create_vpc }}
         AWS_EXTRA_TAGS: ${{ inputs.aws_extra_tags }}
 
+        # Domain / cert management
+        DOMAIN_NAME: ${{ inputs.aws_domain_name }}
+        SUB_DOMAIN: ${{ inputs.aws_sub_domain }}
+        ROOT_DOMAIN: ${{ inputs.aws_root_domain }}
+        CERT_ARN: ${{ inputs.aws_cert_arn }}
+        CREATE_ROOT_CERT: ${{ inputs.aws_create_root_cert }}
+        CREATE_SUB_CERT: ${{ inputs.aws_create_sub_cert }}
+        NO_CERT: ${{ inputs.aws_no_cert }}
 
         # Skip ansible deployment if deploying only infrastructure
         ANSIBLE_SKIP_DEPLOY: ${{ inputs.infrastructure_only }}
@@ -118,13 +147,13 @@ runs:
         $GITHUB_ACTION_PATH/operations/_scripts/deploy/export_vars.sh
 
     # output results to GitHub
-    - if: ${{ steps.deploy.outputs.lb_url != '' }}
+    - if: ${{ steps.deploy.outputs.vm_url != '' }}
       name: Print result created
       shell: bash
       run: |
         echo "## VM Created! :rocket:" >> $GITHUB_STEP_SUMMARY
-        echo " ${{ steps.deploy.outputs.lb_url }}" >> $GITHUB_STEP_SUMMARY
-    - if: ${{ steps.deploy.outputs.lb_url == '' }}
+        echo " ${{ steps.deploy.outputs.vm_url }}" >> $GITHUB_STEP_SUMMARY
+    - if: ${{ steps.deploy.outputs.vm_url == '' }}
       name: Print result destroyed
       shell: bash
       run: |

operations/_scripts/deploy/deploy.sh

@@ -25,11 +25,6 @@ export LB_LOGS_BUCKET="$(/bin/bash $GITHUB_ACTION_PATH/operations/_scripts/gener
 # Generate app repo
 /bin/bash $GITHUB_ACTION_PATH/operations/_scripts/generate/generate_app_repo.sh
 
-# Generate `00_acm_create`
-if [[ "$CREATE_DOMAIN" == "true" ]]; then
-  /bin/bash $GITHUB_ACTION_PATH/operations/_scripts/generate/generate_acm_tf.sh
-fi
-
 if [ "$STACK_DESTROY" == "true" ]; then
   export BITOPS_TERRAFORM_STACK_ACTION="destroy"
   export BITOPS_ANSIBLE_SKIP_DEPLOY="true"

operations/_scripts/generate/generate_acm_tf.sh

@@ -36,12 +36,8 @@ if [ -z "${EC2_INSTANCE_PROFILE}" ]; then
 fi
 
 echo "
-app_port = \"$APP_PORT\"
-
 lb_port = \"$LB_PORT\"
 
-lb_healthcheck = \"$LB_HEALTHCHECK\"
-
 # the name of the operations repo environment directory
 ops_repo_environment = \"deployment\"
 
@@ -75,6 +71,13 @@ aws_resource_identifier_supershort = \"${GITHUB_IDENTIFIER_SS}\"
 sub_domain_name = \"${SUB_DOMAIN}\"
 domain_name = \"${DOMAIN_NAME}\"
 
+# Cert stuff
+root_domain = \"${ROOT_DOMAIN}\"
+cert_arn = \"${CERT_ARN}\"
+create_root_cert = \"${CREATE_ROOT_CERT}\"
+create_sub_cert = \"${CREATE_SUB_CERT}\"
+no_cert = \"${NO_CERT}\"
+
 # VPC
 create_vpc = \"${CREATE_VPC}\"
 

operations/_scripts/generate/generate_tf_vars.sh

@@ -16,17 +16,22 @@ module "Stackstorm-Single-VM" {
   lb_access_bucket_name=var.lb_access_bucket_name
   aws_resource_identifier=var.aws_resource_identifier
   aws_resource_identifier_supershort=var.aws_resource_identifier_supershort
-  sub_domain_name=var.sub_domain_name
-  domain_name=var.domain_name
   create_vpc=var.create_vpc
   #create_domain=var.create_domain
   availability_zones=local.availability_zones
-  route53_zone_id=var.route53_zone_id
+  #route53_zone_id=var.route53_zone_id
+  sub_domain_name=var.sub_domain_name
+  domain_name=var.domain_name
+  root_domain=var.root_domain
+  cert_arn=var.cert_arn
+  create_root_cert=var.create_root_cert
+  create_sub_cert=var.create_sub_cert
+  no_cert=var.no_cert
 }
 
 locals {
   availability_zones = "${formatlist("${var.region}%s", var.availability_zones)}"
-  url = "${module.Stackstorm-Single-VM.loadbalancer_protocol}${module.Stackstorm-Single-VM.loadbalancer_public_dns}"
+  #url = "${module.Stackstorm-Single-VM.loadbalancer_protocol}${module.Stackstorm-Single-VM.loadbalancer_public_dns}"
 }
 
 output "availability_zone" {

operations/deployment/terraform/main.tf

@@ -0,0 +1,83 @@
+# Lookup for main domain.
+
+data "aws_acm_certificate" "issued" {
+  count  = var.no_cert == "true" ? 0 : (var.create_root_cert != "true" ? (var.create_sub_cert != "true" ? (local.fqdn_provided ? 1 : 0) : 0) : 0)
+  domain = var.domain_name
+}
+
+# This block will create and validate the root domain and www cert
+resource "aws_acm_certificate" "root_domain" {
+  count                     = var.create_root_cert == "true" ? (var.domain_name != "" ? 1 : 0) : 0
+  domain_name               = var.domain_name
+  subject_alternative_names = ["*.${var.domain_name}", "${var.domain_name}"]
+  validation_method         = "DNS"
+}
+
+resource "aws_route53_record" "root_domain" {
+  count           = var.create_root_cert == "true" ? (var.domain_name != "" ? 1 : 0) : 0
+  allow_overwrite = true
+  name            = tolist(aws_acm_certificate.root_domain[0].domain_validation_options)[0].resource_record_name
+  records         = [tolist(aws_acm_certificate.root_domain[0].domain_validation_options)[0].resource_record_value]
+  type            = tolist(aws_acm_certificate.root_domain[0].domain_validation_options)[0].resource_record_type
+  zone_id         = data.aws_route53_zone.selected[0].zone_id
+  ttl             = 60
+}
+
+resource "aws_acm_certificate_validation" "root_domain" {
+  count                   = var.create_root_cert == "true" ? (var.domain_name != "" ? 1 : 0) : 0
+  certificate_arn         = aws_acm_certificate.root_domain[0].arn
+  validation_record_fqdns = [for record in aws_route53_record.root_domain : record.fqdn]
+}
+
+
+# This block will create and validate the sub domain cert ONLY
+resource "aws_acm_certificate" "sub_domain" {
+  count             = var.create_sub_cert == "true" ? (var.domain_name != "" ? (var.sub_domain_name != "" ? 1 : 0) : 0) : 0
+  domain_name       = "${var.sub_domain_name}.${var.domain_name}"
+  validation_method = "DNS"
+}
+
+resource "aws_route53_record" "sub_domain" {
+  count           = var.create_sub_cert == "true" ? (var.domain_name != "" ? (var.sub_domain_name != "" ? 1 : 0) : 0) : 0
+  allow_overwrite = true
+  name            = tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_name
+  records         = [tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_value]
+  type            = tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_type
+  zone_id         = data.aws_route53_zone.selected[0].zone_id
+  ttl             = 60
+}
+
+resource "aws_acm_certificate_validation" "sub_domain" {
+  count                   = var.create_sub_cert == "true" ? (var.domain_name != "" ? 1 : 0) : 0
+  certificate_arn         = aws_acm_certificate.sub_domain[0].arn
+  validation_record_fqdns = [for record in aws_route53_record.sub_domain : record.fqdn]
+}
+
+locals {
+  selected_arn = (
+    var.no_cert == "true" ? "" :
+    (var.cert_arn != "" ? var.cert_arn :
+      (var.create_root_cert != "true" ?
+        (var.create_sub_cert != "true" ?
+          (local.fqdn_provided ? data.aws_acm_certificate.issued[0].arn : "")
+          : aws_acm_certificate.sub_domain[0].arn
+        ) : aws_acm_certificate.root_domain[0].arn
+      )
+    )
+  )
+  cert_available = (
+    var.no_cert == "true" ? false :
+    (var.cert_arn != "" ? true :
+      (var.create_root_cert != "true" ?
+        (var.create_sub_cert != "true" ?
+          (local.fqdn_provided ? true : false)
+          : true
+        ) : true
+      )
+    )
+  )
+}
+
+output "selected_arn" {
+  value = local.selected_arn
+}