-
-
Notifications
You must be signed in to change notification settings - Fork 150
WIP: Support for verifying custom domains #228
WIP: Support for verifying custom domains #228
Conversation
f2e9c1d
to
d8af0c5
Compare
Hi @squarebracket, my apologies for the late reply to this PR but since there is some interest in this functionality I would like to share my thoughts around it. I would indeed like to support verification, but what makes me think twice about it is the volatility of DNS propagation. We would be depending on a name server to resolve a domain correctly within a reasonable time frame so we can perform the actual verification. Using a Perhaps we could treat the output of the verification as the resource regardless of a successful verification. A custom domain verification response can have |
Thank you for the comment. I'm sure it's tough to find time as a humble single maintainer. I'm not very familiar with go or with coding for terraform, so I might need you to walk me through something here or there. I agree that the volatility of DNS creates issues, both with the resource creation and in ensuring a reliable test. My thinking here is: what does the user expect based on the declarative nature of terraform? I would personally expect that the successful creation of all my resources would mean that everything is in the state I expect -- i.e. that the custom domain is verified and working in auth0. In my opinion, that conflicts with having the This is also probably worth a mention:
So there are potentially 2 sources of "wait time" here -- waiting for the verify to complete, and waiting for the custom domain to start accepting requests. Perhaps we can take an approach similar to the Do you think adding a
I'm afraid I don't know what you mean, here. Could you elaborate? I thought |
This makes sense. However I would argue that many resources created by terraform are not immediately available. With The same I imagine applies to a
I probably should have explained myself better here. We wouldn't be doing anything async here. The If at the time of creation of this resource, its |
This is a good point. There is a difference between a resource's concrete existence and being able to query something on / do something with that resource. That boundary isn't always clear. If you approach things from an OOP perspective in terms of objects and properties, I'm not sure a custom domain verification's status and the status of an ssh server within an It's been a while since I've coded this, and some things are only just now coming back to me. If I remember correctly, calling To me, this means the custom domain will not eventually be verified, which jives with what I remember. This means it is fundamentally different than an SSH server or DNS record. If configured correctly, those will be "eventually correct." In the case of a custom domain verification, even if you configure everything correctly, there is no chance the domain will be verified if it fails during the
Thank you for the example. How would you envision using it? In this case, I think the only thing that would be helpful is to recreate the verification's resource if its custom domain's status is not If indeed it is all synchronous, though, I still think it's more useful to the user to simply fail the resource creation. It's clear, and the user can work around it with On that note, would failing the resource creation cause downstream failures? I assume that any auth0 resources/settings that require a custom domain can be configured with an unverified custom domain, but you'd be in a better position to know the actual answer. |
I wasn't implying that it is. I was merely pointing out that it will likely rely on a DNS record to propagate in order to succeed.
I disagree here. The As you pointed out, the docs say that a domain verification request will succeed whether the domain passed or failed verification.
Therefore we can run the verification multiple times until it is successful. To give an example on how to do this, I made a PoC using the trigger mechanism I described earlier. Have a look at this branch. |
I'm not trying to claim that it does. It may work, it may not; the onus is on the user. But at least if the resource creation fails, you at least can know from the exit code of terraform if your infrastructure is in its desired state. So if I understand your branch correctly, you would have to do the following to verify a domain:
Is that correct? I guess if you want to know if your domain is verified in an automated fashion, you would have to print the |
Yep, thats what I'm thinking. |
Personally, I think having to run Not saying that I necessarily have a better solution. |
@alexkappa / @squarebracket is this MR still alive? I'm running into a need for this as well. Happy to contribute if it helps revive this work. I would recommend looking at the AWS terraform provider for a similar situation. The |
@emilhdiaz are you familiar with the code of the provider and how it handles the use case? |
@alexkappa I took a look at how AWS provider's handles ACM certs and validations, as suggested by @emilhdiaz. It functions similarly, in that there is a resource which has validation attributes, which is then used to create a DNS record, and then some waiting must be done for the DNS change to propagate before verification can be attempted. Here is what the use case looks like, straight from the docs of the resource "aws_acm_certificate" "example" {
domain_name = "example.com"
validation_method = "DNS"
}
data "aws_route53_zone" "example" {
name = "example.com"
private_zone = false
}
resource "aws_route53_record" "example" {
for_each = {
for dvo in aws_acm_certificate.example.domain_validation_options : dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
}
}
allow_overwrite = true
name = each.value.name
records = [each.value.record]
ttl = 60
type = each.value.type
zone_id = data.aws_route53_zone.example.zone_id
}
resource "aws_acm_certificate_validation" "example" {
certificate_arn = aws_acm_certificate.example.arn
validation_record_fqdns = [for record in aws_route53_record.example : record.fqdn]
} Notice also the big warning message on the docs page stating that the validation resource is merely part of the validation workflow and "does not represent a real-world entity in AWS, therefore changing or deleting this resource on its own has no immediate effect." I decided to take a look at the source code of the provider. I am not very familiar at all with coding providers, but it seems that in the Using a similar strategy for the Auth0 use case, the relevant code could look like this: resource "auth0_custom_domain" "mydomain" {
domain = "login.example.com"
type = "auth0_managed_certs"
verification_method = "txt"
}
resource "digitalocean_record" "auth0_domain" {
domain = "example.com"
type = upper(auth0_custom_domain.mydomain.verification[0].methods[0].name)
name = "login"
value = "${auth0_custom_domain.mydomain.verification[0].methods[0].record}."
}
resource "auth0_custom_domain_verification" "mydomain" {
custom_domain_id = auth0_custom_domain.mydomain.id
# this is just for implicit resource ordering
dns_record = digitalocean_record.auth0_domain.value
} This seems very reasonable to me:
What do you think @alexkappa? |
@squarebracket this makes a lot of sense to me. For comparison, here's a work around we currently have in place using a terraform data external resource (note: we use Cloudflare for DNS management):
... and the custom bash script that handles the verification logic. Note the use of an SSM param here to preserve the
|
I have a similar issue with domain verification with SendGrid in the custom provider we wrote. How I handled it was to add a "valid" (or in this case "verified") optional calculated field that I would just hard code to This means you'd have to know to run an apply twice and the first apply would not actually perform the verification. But since DNS propagation can take a number of minutes, it was the only way to guarantee it always worked and had a happy workflow. Just my 2 cents. |
@squarebracket thank you for looking deeper into this. Your analysis makes sense and given the example comes from one of the most used providers out there there's a good chance people will be used to how it works. In this case having a separate resource for verification is more appropriate. Would you like to revise your PR? There is one thing we still need to figure out - how do we test this? |
I've been looking into this during the past couple of weeks, mainly trying to wrap my head around testing. The approach makes sense, I've tried it several times and the workflow seems pretty reasonable. On the testing front, we can use my DigitalOcean account to create DNS entries that can help us test the verification process. I've copied parts of the DO provider so we can create #410 relies on your contributions and adds tests to verify the feature works as expected. Thanks again for your effort! |
Closing this PR as support for verifying custom domains was introduced with #410 |
Community Note
Fixes #227, the lazy way.
Changes proposed in this pull request:
auth0_custom_domain_verification
resourceYour
CHANGELOG
looks auto-generated, I'm not sure if I should add an entry or not.Also, I don't think I can really add an acceptance test without being able to modify a DNS record...
Output from acceptance testing:
Not run.