From e3b6838e39ea60808fa538f66a7a14e971ca2580 Mon Sep 17 00:00:00 2001 From: Brian Hannafious Date: Fri, 18 May 2018 14:41:55 -0700 Subject: [PATCH 1/2] Deploy/provision regional domain name with script Terraform does not support regional domain names. As a workaround, use a Terraform "null_resource" to call a custom provisioning script to set up a custom regional domain name and Route 53 record. --- environment | 2 ++ infra/Makefile | 2 +- infra/build_deploy_config.py | 3 ++ infra/domain/create_regional_domain_name.py | 40 +++++++++++++++++++++ infra/domain/domain.tf | 18 ++++++++++ 5 files changed, 64 insertions(+), 1 deletion(-) create mode 100755 infra/domain/create_regional_domain_name.py create mode 100644 infra/domain/domain.tf diff --git a/environment b/environment index 308b5a0bd6..f49c03845a 100644 --- a/environment +++ b/environment @@ -74,6 +74,8 @@ DSS_ES_DOMAIN="dss-index-$DSS_DEPLOYMENT_STAGE" DSS_ES_INSTANCE_TYPE="m4.large.elasticsearch" DSS_ES_VOLUME_SIZE="35" DSS_ES_INSTANCE_COUNT="1" +DSS_CERTIFICATE_DOMAIN="*.dev.data.humancellatlas.org" +DSS_ZONE_NAME="dev.data.humancellatlas.org." PYTHONWARNINGS=ignore:ResourceWarning,ignore::UserWarning:zipfile: DSS_SECRETS_STORE="dcp/dss" EVENT_RELAY_AWS_USERNAME="dss-event-relay-${DSS_DEPLOYMENT_STAGE}" diff --git a/infra/Makefile b/infra/Makefile index 64b34732c7..d2e7c94fa3 100644 --- a/infra/Makefile +++ b/infra/Makefile @@ -30,7 +30,7 @@ destroy: init cd $(COMPONENT); terraform destroy init: - rm -rf $(COMPONENT)/.terraform + rm -rf $(COMPONENT)/.terraform/*.tfstate ./build_deploy_config.py $(COMPONENT) cd $(COMPONENT); terraform init; diff --git a/infra/build_deploy_config.py b/infra/build_deploy_config.py index d5365f53f5..608f6920ba 100755 --- a/infra/build_deploy_config.py +++ b/infra/build_deploy_config.py 
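Review bot: The two values added to `environment` hard-code the `dev` stage (`*.dev.data.humancellatlas.org`, `dev.data.humancellatlas.org.`) while the neighbouring settings in the same hunk, `DSS_ES_DOMAIN="dss-index-$DSS_DEPLOYMENT_STAGE"` and `EVENT_RELAY_AWS_USERNAME="dss-event-relay-${DSS_DEPLOYMENT_STAGE}"`, derive from the stage, so a non-dev deployment sourcing this file would look up the dev certificate and zone and, if those lookups succeed, point the dev hostname at another stage's API. If the per-stage zones follow the same naming pattern, `DSS_CERTIFICATE_DOMAIN="*.${DSS_DEPLOYMENT_STAGE}.data.humancellatlas.org"` and `DSS_ZONE_NAME="${DSS_DEPLOYMENT_STAGE}.data.humancellatlas.org."` keep them in step; if they do not, a comment marking the pair as dev-only and to be overridden per stage would prevent the mistake. A one-line comment above the pair noting that the certificate must be issued in the same region as the API Gateway regional endpoint (the constraint the new script's docstring states) also belongs here, since this file is where the value is chosen.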
@@ -73,6 +73,9 @@ "DSS_SECRETS_STORE", "DSS_DEPLOYMENT_STAGE", "ES_ALLOWED_SOURCE_IP_SECRETS_NAME", + "API_DOMAIN_NAME", + "DSS_CERTIFICATE_DOMAIN", + "DSS_ZONE_NAME", ] terraform_variable_info = {'variable': dict()} diff --git a/infra/domain/create_regional_domain_name.py b/infra/domain/create_regional_domain_name.py new file mode 100755 index 0000000000..546cdb39a8 --- /dev/null +++ b/infra/domain/create_regional_domain_name.py @@ -0,0 +1,40 @@ +#!/usr/bin/env python + +""" +This script configures a regional domain name for AWS Apigateway, based on an existing +certificate, and Route 53 zone. The certificate must be in the same region as the regional +domain. +""" + +import os +import sys +import json +import boto3 +import argparse + +parser = argparse.ArgumentParser(description=__doc__) +parser.add_argument("--domain-name", required=True) +parser.add_argument("--certificate-arn", required=True) +parser.add_argument("--zone-id", required=True) +args = parser.parse_args() + +resp = boto3.client("apigateway").create_domain_name( + domainName=args.domain_name, + regionalCertificateArn=args.certificate_arn, + endpointConfiguration={'types': ["REGIONAL"]} +) + +boto3.client("route53").change_resource_record_sets( + HostedZoneId=args.zone_id, + ChangeBatch={ + 'Changes': [{ + 'Action': 'CREATE', + 'ResourceRecordSet': { + 'Name': f"{args.domain_name}.", + 'Type': 'CNAME', + 'ResourceRecords': [ {'Value': resp['regionalDomainName']} ], + 'TTL': 300, + } + }] + } +) diff --git a/infra/domain/domain.tf b/infra/domain/domain.tf new file mode 100644 index 0000000000..5233d6d0dd --- /dev/null +++ b/infra/domain/domain.tf 
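Review bot: `create_regional_domain_name.py` is not safely re-runnable: `create_domain_name` and the Route 53 change with `'Action': 'CREATE'` both fail when the domain name or record already exists, and nothing in the script or in the calling `null_resource` removes either on destroy, so a partial failure (domain created, DNS change rejected) or a later re-apply leaves a state the script cannot repair without manual cleanup. Changing the record change to `'Action': 'UPSERT'` makes the DNS step idempotent, and the API Gateway step should catch the provider's conflict error for an existing domain and fall back to reading its `regionalDomainName` (e.g. via `get_domain_name`) instead of aborting. The shebang `#!/usr/bin/env python` can resolve to Python 2 on an operator's machine, yet the body uses an f-string (`f"{args.domain_name}."`), so it should read `#!/usr/bin/env python3`. `os`, `sys` and `json` are imported but never used and can be dropped.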
@@ -0,0 +1,18 @@ +data aws_caller_identity current {} + +data aws_route53_zone dss_route53_zone { + name = "${var.DSS_ZONE_NAME}" +} + +data aws_acm_certificate dss_domain_cert { + domain = "${var.DSS_CERTIFICATE_DOMAIN}" +} + +# TODO: Configure regional domain name with Terraform +# Terraform does not currently support regional API Endpoints: +# https://github.com/terraform-providers/terraform-provider-aws/issues/2195 +resource null_resource dss_domain { + provisioner "local-exec" { + command = "./create_regional_domain_name.py --domain-name ${var.API_DOMAIN_NAME} --certificate-arn ${data.aws_acm_certificate.dss_domain_cert.arn} --zone-id ${data.aws_route53_zone.dss_route53_zone.zone_id}" + } +} From 3e06d7ef0faf37a238e878ed7657a306b1704e55 Mon Sep 17 00:00:00 2001 From: Brian Hannafious Date: Wed, 30 May 2018 10:25:25 -0700 Subject: [PATCH 2/2] Use "API Gateway" consistently --- infra/domain/create_regional_domain_name.py | 2 +- infra/domain/domain.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/infra/domain/create_regional_domain_name.py b/infra/domain/create_regional_domain_name.py index 546cdb39a8..c3e803374c 100755 --- a/infra/domain/create_regional_domain_name.py +++ b/infra/domain/create_regional_domain_name.py @@ -1,7 +1,7 @@ #!/usr/bin/env python """ -This script configures a regional domain name for AWS Apigateway, based on an existing +This script configures a regional domain name for API Gateway, based on an existing certificate, and Route 53 zone. The certificate must be in the same region as the regional domain. """ diff --git a/infra/domain/domain.tf b/infra/domain/domain.tf index 5233d6d0dd..5630d5365b 100644 --- a/infra/domain/domain.tf +++ b/infra/domain/domain.tf 
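Review bot: The `null_resource` in `domain.tf` has no `triggers`, so the `local-exec` runs once when the resource is first created and never again — changing `API_DOMAIN_NAME`, rotating the certificate or moving zones will not re-run the script, and `terraform destroy` removes only the null resource, leaving the API Gateway custom domain and the Route 53 CNAME behind (there is no destroy-time provisioner and the script has no delete path). The command also splices three interpolated values unquoted into a shell command line; the values are operator-controlled so this is not an untrusted-input boundary, but quoting them is cheap and avoids breakage on unusual values. The `aws_acm_certificate` lookup by `domain` alone will error or select an unexpected certificate if several match the wildcard (for instance an expired one alongside its renewal); `statuses = ["ISSUED"]` with `most_recent = true` pins the choice. `data aws_caller_identity current` is never referenced and can go. The rewrite below assumes the script tolerates an already-existing domain when it is re-run.
```hcl
data aws_acm_certificate dss_domain_cert {
  domain      = "${var.DSS_CERTIFICATE_DOMAIN}"
  statuses    = ["ISSUED"]
  most_recent = true
}

# … unchanged: TODO comment and provider issue link …
resource null_resource dss_domain {
  # Re-run the provisioning script whenever any of its inputs change;
  # without triggers the provisioner only fires on first creation.
  triggers = {
    domain_name     = "${var.API_DOMAIN_NAME}"
    certificate_arn = "${data.aws_acm_certificate.dss_domain_cert.arn}"
    zone_id         = "${data.aws_route53_zone.dss_route53_zone.zone_id}"
  }

  provisioner "local-exec" {
    command = "./create_regional_domain_name.py --domain-name '${var.API_DOMAIN_NAME}' --certificate-arn '${data.aws_acm_certificate.dss_domain_cert.arn}' --zone-id '${data.aws_route53_zone.dss_route53_zone.zone_id}'"
  }
}
```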
@@ -9,7 +9,7 @@ data aws_acm_certificate dss_domain_cert { } # TODO: Configure regional domain name with Terraform -# Terraform does not currently support regional API Endpoints: +# Terraform does not currently support regional API Gateway endpoints: # https://github.com/terraform-providers/terraform-provider-aws/issues/2195 resource null_resource dss_domain { provisioner "local-exec" {