Setup per-domain based routing for targets

ooni · Sep 17, 2024 · b82221b · b82221b
1 parent 7b7f336
commit b82221b
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 31 deletions.
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
@@ -562,8 +562,7 @@ module "ooniapi_frontend" {
  "8.th.dev.ooni.io" : local.dns_zone_ooni_io
  }
 
- oonith_domains = ["8.th.dev.ooni.io"]
- direct_domain_suffix = "dev.ooni.io"
+ oonith_domains = ["8.th.dev.ooni.io"]
 
  stage = local.environment
  dns_zone_ooni_io = local.dns_zone_ooni_io

diff --git a/tf/modules/ooniapi_frontend/main.tf b/tf/modules/ooniapi_frontend/main.tf
@@ -1,5 +1,6 @@
 locals {
- name = "ooni-tier0-api-frontend"
+ name = "ooni-tier0-api-frontend"
+ direct_domain_suffix = "${var.stage}.ooni.io"
 }
 
 resource "aws_alb" "ooniapi" {
@@ -61,63 +62,83 @@ resource "aws_alb_listener_rule" "ooniapi_th" {
  tags = var.tags
 }
 
-
-resource "aws_lb_listener_rule" "ooniapi_oonirun_rule" {
+resource "aws_lb_listener_rule" "ooniapi_ooniauth_rule" {
  listener_arn = aws_alb_listener.ooniapi_listener_https.arn
- priority = 100
+ priority = 108
 
  action {
  type = "forward"
- target_group_arn = var.ooniapi_oonirun_target_group_arn
+ target_group_arn = var.ooniapi_ooniauth_target_group_arn
  }
 
  condition {
  path_pattern {
- values = ["/api/v2/oonirun/*"]
+ values = [
+ "/api/v2/ooniauth/*",
+ "/api/v1/user_register",
+ "/api/v1/user_login",
+ "/api/v1/user_refresh_token",
+ "/api/_/account_metadata",
+ ]
  }
+ }
+
 
+}
+
+resource "aws_lb_listener_rule" "ooniapi_ooniauth_rule_host" {
+ listener_arn = aws_alb_listener.ooniapi_listener_https.arn
+ priority = 109
+
+ action {
+ type = "forward"
+ target_group_arn = var.ooniapi_ooniauth_target_group_arn
  }
 
  condition {
  host_header {
- values = ["oonirun.${var.direct_domain_suffix}"]
+ values = ["ooniauth.${local.direct_domain_suffix}"]
  }
  }
-
 }
 
-resource "aws_lb_listener_rule" "ooniapi_ooniauth_rule" {
+resource "aws_lb_listener_rule" "ooniapi_oonirun_rule" {
  listener_arn = aws_alb_listener.ooniapi_listener_https.arn
- priority = 101
+ priority = 110
 
  action {
  type = "forward"
- target_group_arn = var.ooniapi_ooniauth_target_group_arn
+ target_group_arn = var.ooniapi_oonirun_target_group_arn
  }
 
  condition {
  path_pattern {
- values = [
- "/api/v2/ooniauth/*",
- "/api/v1/user_register",
- "/api/v1/user_login",
- "/api/v1/user_refresh_token",
- "/api/_/account_metadata",
- ]
+ values = ["/api/v2/oonirun/*"]
  }
+
+ }
+}
+
+resource "aws_lb_listener_rule" "ooniapi_oonirun_rule_host" {
+ listener_arn = aws_alb_listener.ooniapi_listener_https.arn
+ priority = 111
+
+ action {
+ type = "forward"
+ target_group_arn = var.ooniapi_oonirun_target_group_arn
  }
 
  condition {
  host_header {
- values = ["ooniauth.${var.direct_domain_suffix}"]
+ values = ["oonirun.${local.direct_domain_suffix}"]
  }
  }
 
 }
 
 resource "aws_lb_listener_rule" "ooniapi_ooniprobe_rule" {
  listener_arn = aws_alb_listener.ooniapi_listener_https.arn
- priority = 102
+ priority = 120
 
  action {
  type = "forward"
@@ -131,18 +152,29 @@ resource "aws_lb_listener_rule" "ooniapi_ooniprobe_rule" {
  ]
  }
  }
+}
+
+resource "aws_lb_listener_rule" "ooniapi_ooniprobe_rule_host" {
+ listener_arn = aws_alb_listener.ooniapi_listener_https.arn
+ priority = 121
+
+ action {
+ type = "forward"
+ target_group_arn = var.ooniapi_ooniprobe_target_group_arn
+ }
+
 
  condition {
  host_header {
- values = ["ooniprobe.${var.direct_domain_suffix}"]
+ values = ["ooniprobe.${local.direct_domain_suffix}"]
  }
  }
 
 }
 
 resource "aws_lb_listener_rule" "ooniapi_oonifindings_rule" {
  listener_arn = aws_alb_listener.ooniapi_listener_https.arn
- priority = 103
+ priority = 130
 
  action {
  type = "forward"
@@ -154,10 +186,19 @@ resource "aws_lb_listener_rule" "ooniapi_oonifindings_rule" {
  values = ["/api/v1/incidents/*"]
  }
  }
+}
+
+resource "aws_lb_listener_rule" "ooniapi_oonifindings_rule_host" {
+ listener_arn = aws_alb_listener.ooniapi_listener_https.arn
+ priority = 131
 
+ action {
+ type = "forward"
+ target_group_arn = var.ooniapi_oonifindings_target_group_arn
+ }
  condition {
  host_header {
- values = ["oonifindings.${var.direct_domain_suffix}"]
+ values = ["oonifindings.${local.direct_domain_suffix}"]
  }
  }
 
@@ -174,7 +215,12 @@ module "ooniapi_acm_certificate" {
  alias_record_domain_name = aws_alb.ooniapi.dns_name
  alias_record_zone_id = aws_alb.ooniapi.zone_id
 
- alternative_domains = var.alternative_domains
+ alternative_domains = merge(var.alternative_domains, {
+ "oonifindings.${local.direct_domain_suffix}" = var.dns_zone_ooni_io,
+ "oonirun.${local.direct_domain_suffix}" = var.dns_zone_ooni_io,
+ "ooniprobe.${local.direct_domain_suffix}" = var.dns_zone_ooni_io,
+ "ooniauth.${local.direct_domain_suffix}" = var.dns_zone_ooni_io,
+ })
 
  tags = var.tags
 }
diff --git a/tf/modules/ooniapi_frontend/variables.tf b/tf/modules/ooniapi_frontend/variables.tf
@@ -55,8 +55,3 @@ variable "oonith_domains" {
  type = list(string)
  default = ["*.th.dev.ooni.io"]
 }
-
-variable "direct_domain_suffix" {
- type = string
- default = "dev.ooni.io"
-}