feat: add tls to faucet (#430)

dashpay · Feb 11, 2023 · c76572a · c76572a
1 parent 0ccb6f5
commit c76572a
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 7 deletions.
diff --git a/terraform/aws/main.tf b/terraform/aws/main.tf
@@ -121,12 +121,20 @@ resource "aws_elb" "web" {
  ]
 
  listener {
- instance_port = 80
+ instance_port = var.faucet_port
  instance_protocol = "http"
- lb_port = 80
+ lb_port = var.faucet_port
  lb_protocol = "http"
  }
 
+ listener {
+ instance_port = var.faucet_port
+ instance_protocol = "http"
+ lb_port = var.faucet_https_port
+ lb_protocol = "https"
+ ssl_certificate_id = aws_acm_certificate_validation.faucet.certificate_arn
+ }
+
  listener {
  instance_port = var.insight_port
  instance_protocol = "http"
@@ -156,6 +164,33 @@ resource "aws_elb" "web" {
  }
 }
 
+resource "aws_acm_certificate" "faucet" {
+ domain_name = "faucet.${var.public_network_name}.${var.main_domain}"
+ validation_method = "DNS"
+}
+
+resource "aws_route53_record" "faucet_validation" {
+ for_each = {
+ for dvo in aws_acm_certificate.faucet.domain_validation_options : dvo.domain_name => {
+ name = dvo.resource_record_name
+ record = dvo.resource_record_value
+ type = dvo.resource_record_type
+ }
+ }
+
+ zone_id = data.aws_route53_zone.main_domain[0].zone_id
+ allow_overwrite = true
+ name = each.value.name
+ records = [each.value.record]
+ ttl = 60
+ type = each.value.type
+}
+
+resource "aws_acm_certificate_validation" "faucet" {
+ certificate_arn = aws_acm_certificate.faucet.arn
+ validation_record_fqdns = [for record in aws_route53_record.faucet_validation : record.fqdn]
+}
+
 resource "aws_route53_record" "faucet" {
  zone_id = data.aws_route53_zone.main_domain[count.index].zone_id
  name = "faucet.${var.public_network_name}.${var.main_domain}"

diff --git a/terraform/aws/security_groups.tf b/terraform/aws/security_groups.tf
@@ -343,12 +343,24 @@ resource "aws_security_group" "elb" {
  name = "${terraform.workspace}-elb"
  vpc_id = aws_vpc.default.id
 
- # HTTP access from anywhere
+ # Faucet
  ingress {
- from_port = 80
- to_port = 80
+ from_port = var.faucet_port
+ to_port = var.faucet_port
+ protocol = "tcp"
+ description = "Faucet"
+
+ cidr_blocks = [
+ "0.0.0.0/0",
+ ]
+ }
+
+ # Faucet HTTPS
+ ingress {
+ from_port = var.faucet_https_port
+ to_port = var.faucet_https_port
  protocol = "tcp"
- description = "HTTP"
+ description = "Faucet HTTPS"
 
  cidr_blocks = [
  "0.0.0.0/0",
@@ -367,7 +379,7 @@ resource "aws_security_group" "elb" {
  ]
  }
 
- # Insight Explorer
+ # Insight Explorer HTTPS
  ingress {
  from_port = var.insight_https_port
  to_port = var.insight_https_port

diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
@@ -16,6 +16,16 @@ variable "dashd_zmq_port" {
  default = 29998
 }
 
+variable "faucet_port" {
+ description = "Faucet port"
+ default = 80
+}
+
+variable "faucet_https_port" {
+ description = "Faucet HTTPS port"
+ default = 443
+}
+
 variable "insight_port" {
  description = "Insight port"
  default = 3001