
Custom domain configuration? #3955

Closed
jonnyry opened this issue May 29, 2024 · 10 comments · Fixed by #4014
Labels
question Further information is requested storysize/S a few hours or half day

Comments

@jonnyry
Collaborator

jonnyry commented May 29, 2024

What configuration is required in order to apply a custom domain name to a TRE instance?

I'm assuming you will need to create a DNS record to your TRE instance along the lines of:

treinstance.mydomainname.co.uk CNAME treinstance.region.cloudapp.azure.com

What is then required in terms of Azure TRE configuration? Is this just setting the TRE_URL in config.yaml / env vars and redeploying? Will the letsencrypt make action still work for custom domains?

Thanks

@jonnyry jonnyry added the question Further information is requested label May 29, 2024
@BiologyGeek

BiologyGeek commented Jun 5, 2024

You can find some insights here: #3908 (comment)
If it works, it would be nice if you could share a more detailed instruction about the steps to set up a custom domain.

Relevant: #1540

@tim-p-allen
Collaborator

Hi @jonnyry
I've got this to add to the docs, but I'll add it here too

Using a custom DNS and custom cert

A certificate named 'letsencrypt' has been generated in the primary TRE KeyVault. This must be substituted with a certificate for your DNS name. Terraform has been configured to ignore modifications to this resource, eliminating the possibility of any overwrites or conflicts when rerunning the pipelines.
Additionally, a user with domain access will be required to redirect a custom domain name to the public IP of the App Gateway.
The TRE UX App Registration within the Authentication section will require an update to include the new custom DNS and its corresponding 'oauth2-redirect'.

@jonnyry
Collaborator Author

jonnyry commented Jun 11, 2024

Thanks @tim-allen-ck I've requested a new subdomain so I'll let you know how it goes.

@jonnyry
Collaborator Author

jonnyry commented Jun 18, 2024

Is it possible to add the custom domain as part of the TRE deployment build?...(rather than a manual fix up afterwards).

I noticed the following in config.yaml, though I'm not clear on what the comments mean:

  # If you want to use TRE_URL to point to your local TRE API instance or be configured to another cloud provider
  # uncomment and set this variable
  # tre_url: __CHANGE_ME__

@tim-p-allen
Collaborator

> Is it possible to add the custom domain as part of the TRE deployment build?...(rather than a manual fix up afterwards).
>
> I noticed the following in config.yaml, though I'm not clear on what the comments mean:
>
>   # If you want to use TRE_URL to point to your local TRE API instance or be configured to another cloud provider
>   # uncomment and set this variable
>   # tre_url: __CHANGE_ME__

Hey @jonnyry, I've not tried adding the custom domain to the TRE deployment build.
I was assuming that that was the config value to change to be able to use a custom domain, but that comment doesn't make sense. Maybe @marrobi can shed some light?

@jonnyry
Collaborator Author

jonnyry commented Jun 19, 2024

I'm also thinking that was the intention, though this line overwrites the value of TRE_URL with the native .cloudapp.azure.com domain:

TRE_URL=$(construct_tre_url "${TRE_ID}" "${LOCATION}" "${AZURE_ENVIRONMENT}")

So guessing tre_url in the config.yaml is now redundant.

@tim-p-allen
Collaborator

> I'm also thinking that was the intention, though this line overwrites the value of TRE_URL with the native .cloudapp.azure.com domain:
>
> TRE_URL=$(construct_tre_url "${TRE_ID}" "${LOCATION}" "${AZURE_ENVIRONMENT}")
>
> So guessing tre_url in the config.yaml is now redundant.

Yes, I saw this looking through the code to find where that tre_url went.
I think you're right, it must be redundant. There's another place where it constructs that URL too.

@marrobi
Member

marrobi commented Jun 19, 2024

I believe I've used tre_url to configure the end to end tests to point to my local running API. Maybe it should be under developer settings. Not sure it's related to custom domain configuration.

@jonnyry
Collaborator Author

jonnyry commented Jun 19, 2024

> Hi @jonnyry I've got this to add to the docs, but I'll add it here too
>
> Using a custom DNS and custom cert
>
> A certificate named 'letsencrypt' has been generated in the primary TRE KeyVault. This must be substituted with a certificate for your DNS name. Terraform has been configured to ignore modifications to this resource, eliminating the possibility of any overwrites or conflicts when rerunning the pipelines. Additionally, a user with domain access will be required to redirect a custom domain name to the public IP of the App Gateway. The TRE UX App Registration within the Authentication section will require an update to include the new custom DNS and its corresponding 'oauth2-redirect'.

Got it working with the instructions above thanks :-)

Managed to piggyback the existing letsencrypt.sh script to request & install the custom domain cert:

TRE_ID=mytre \
FQDN=mycustomdomain.org \
STORAGE_ACCOUNT=stweb$TRE_ID \
RESOURCE_GROUP_NAME=rg-$TRE_ID \
APPLICATION_GATEWAY=agw-$TRE_ID \
KEYVAULT=kv-$TRE_ID \
core/terraform/scripts/letsencrypt.sh

@jonnyry
Collaborator Author

jonnyry commented Jun 19, 2024

@tim-allen-ck @marrobi

In terms of supporting a custom domain within the codebase (and not requiring a post deployment manual fix up)... how about the following?

  1. Add a new parameter CUSTOM_DOMAIN in config.yaml (by default commented out).

  2. Feed the new parameter into the make auth target which adds SSO redirect URLs for the custom domain in addition to the default Azure one here:

# Create the UX App Registration
redirectUris="\"http://localhost:8000/api/docs/oauth2-redirect\", \"http://localhost:3000\""
if [[ -n ${treUrl} ]]; then
    echo "Adding reply/redirect URL \"${treUrl}\" to \"${appName}\""
    redirectUris="${redirectUris}, \"${treUrl}\", \"${treUrl}/api/docs/oauth2-redirect\""
fi

  3. Feed the new parameter into the make letsencrypt target which, when populated, generates and uploads a certificate for the custom domain instead of the cloudapp.azure.com domain. If not populated, it behaves as it does now, generating a certificate for the default Azure domain.

  4. Modify the Lets Encrypt GitHub Action to look for a CUSTOM_DOMAIN GH secret and pass it in to the make letsencrypt flow. Again, if CUSTOM_DOMAIN is present a cert is generated for it; if not, it reverts to generating a cert for the default domain.
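An added sketch of the four-step proposal above, written here as an example and not taken from the TRE project's own scripts: it resolves the FQDN that the letsencrypt step would use (custom domain if set, otherwise the default host) and extends the redirect URI list from the auth flow with the custom domain. The function names, the `<tre-id>.<region>.cloudapp.azure.com` default format and the hostname check are assumptions; the check matters because a value with a scheme, path or quote would break the quoted list or register a redirect URI the browser never sends.

```shell
#!/usr/bin/env sh
# Added example, not the TRE project's code. Function names and the
# default-host format are assumptions made for this illustration.

# Accept only a bare DNS name (labels of letters, digits and hyphens,
# at least one dot). Anything else is rejected before it reaches the
# redirect URI list or the certificate request.
validate_custom_domain() {
  printf '%s' "$1" | grep -Eq \
    '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Host to request the certificate for: CUSTOM_DOMAIN when set and valid,
# otherwise the assumed default <tre-id>.<region>.cloudapp.azure.com.
resolve_fqdn() {
  tre_id="$1"; location="$2"; custom="${3:-}"
  if [ -n "$custom" ]; then
    validate_custom_domain "$custom" || return 1
    printf '%s\n' "$custom"
  else
    printf '%s.%s.cloudapp.azure.com\n' "$tre_id" "$location"
  fi
}

# Same shape as the redirectUris string quoted in the thread: the two
# localhost entries, then the TRE URL pair, then (new) an https-only pair
# for the custom domain.
build_redirect_uris() {
  tre_url="$1"; custom="${2:-}"
  uris='"http://localhost:8000/api/docs/oauth2-redirect", "http://localhost:3000"'
  if [ -n "$tre_url" ]; then
    uris="${uris}, \"${tre_url}\", \"${tre_url}/api/docs/oauth2-redirect\""
  fi
  if [ -n "$custom" ]; then
    validate_custom_domain "$custom" || return 1
    uris="${uris}, \"https://${custom}\", \"https://${custom}/api/docs/oauth2-redirect\""
  fi
  printf '%s\n' "$uris"
}
```

Wiring this into the make targets would mean calling resolve_fqdn for the FQDN passed to letsencrypt.sh and build_redirect_uris where the UX App Registration is created, so the default deployment is unchanged when CUSTOM_DOMAIN is empty.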

@tim-p-allen tim-p-allen added storysize/L 1 week (2.5 days) storysize/S a few hours or half day and removed storysize/L 1 week (2.5 days) labels Aug 6, 2024