Add ACME process (#13)

ewilde · web-flow · commit 488da5169310 · 2018-11-09T21:08:37.000Z
Fixes #14 Signed-off-by: Edward Wilde <ewilde@gmail.com>
diff --git a/alb-acme.tf b/alb-acme.tf
@@ -0,0 +1,50 @@
+resource "tls_private_key" "private_key" {
+    algorithm = "RSA"
+    count = "${var.acme_enabled}"
+}
+
+resource "acme_registration" "reg" {
+    account_key_pem = "${tls_private_key.private_key.0.private_key_pem}"
+    email_address   = "${var.acme_email_address}"
+    count           = "${var.acme_enabled}"
+}
+
+resource "acme_certificate" "acme" {
+    account_key_pem           = "${acme_registration.reg.0.account_key_pem}"
+    common_name               = "${aws_route53_record.main.fqdn}"
+    count                     = "${var.acme_enabled}"
+
+    dns_challenge {
+        provider = "route53"
+    }
+}
+
+resource "aws_iam_server_certificate" "acme" {
+    name              = "acme-certificate-${md5(acme_certificate.acme.0.certificate_pem)}"
+    certificate_body  = "${acme_certificate.acme.0.certificate_pem}"
+    private_key       = "${acme_certificate.acme.0.private_key_pem}"
+    certificate_chain = "${acme_certificate.acme.0.issuer_pem}"
+    count             = "${var.acme_enabled}"
+
+    lifecycle {
+        create_before_destroy = true
+    }
+}
+
+resource "aws_route53_zone" "main" {
+    name  = "${var.acme_domain_name}"
+    count = "${var.acme_enabled}"
+}
+
+resource "aws_route53_record" "main" {
+    name = "gateway"
+    zone_id = "${aws_route53_zone.main.0.id}"
+    type    = "A"
+    count   = "${var.acme_enabled}"
+    alias {
+        name                   = "${aws_lb.openfaas.dns_name}"
+        zone_id                = "${aws_lb.openfaas.zone_id}"
+        evaluate_target_health = false
+    }
+}
+
diff --git a/alb.tf b/alb.tf
@@ -4,10 +4,12 @@ resource "aws_lb" "openfaas" {
     security_groups    = ["${aws_security_group.alb.id}"]
     subnets            = ["${aws_subnet.external.*.id}"]
     load_balancer_type = "application"
-
+    access_logs {
+        bucket = "${var.alb_logs_bucket}"
+        enabled  = true
+    }
 }
 
-
 resource "tls_private_key" "main" {
     algorithm   = "RSA"
 }
@@ -38,7 +40,7 @@ resource "tls_self_signed_cert" "main" {
     }
 }
 
-resource "aws_iam_server_certificate" "main" {
+resource "aws_iam_server_certificate" "self_signed" {
     name             = "example_self_signed_cert_${random_string.name.result}"
     certificate_body = "${tls_self_signed_cert.main.cert_pem}"
     private_key      = "${tls_private_key.main.private_key_pem}"
@@ -67,11 +69,25 @@ resource "aws_lb_target_group" "gateway" {
     }
 }
 
-resource "aws_lb_listener" "gateway" {
+resource "aws_lb_listener" "gateway_self_signed" {
+    load_balancer_arn = "${aws_lb.openfaas.arn}"
+    port              = 443
+    protocol          = "HTTPS"
+    certificate_arn   = "${aws_iam_server_certificate.self_signed.arn}"
+    count             = "${var.self_signed_enabled}"
+
+    default_action {
+        target_group_arn = "${aws_lb_target_group.gateway.arn}"
+        type             = "forward"
+    }
+}
+
+resource "aws_lb_listener" "gateway_acme" {
     load_balancer_arn = "${aws_lb.openfaas.arn}"
     port              = 443
     protocol          = "HTTPS"
-    certificate_arn   = "${aws_iam_server_certificate.main.arn}"
+    certificate_arn   = "${aws_iam_server_certificate.acme.arn}"
+    count             = "${var.acme_enabled}"
     default_action {
         target_group_arn = "${aws_lb_target_group.gateway.arn}"
         type             = "forward"
diff --git a/gateway.tf b/gateway.tf
@@ -26,7 +26,10 @@ resource "aws_ecs_service" "gateway" {
         ignore_changes = ["desired_count"]
     }
 
-    depends_on = ["aws_lb_listener.gateway"]
+    depends_on = [
+        "aws_lb_listener.gateway_self_signed",
+        "aws_lb_listener.gateway_acme"
+    ]
 }
 
 resource "aws_ecs_task_definition" "gateway" {
diff --git a/main.tf b/main.tf
@@ -2,3 +2,8 @@ provider "aws" {
     region = "${var.aws_region}"
     version = "~> 1.41.0"
 }
+
+provider "acme" {
+    version = "~> 1.0"
+    server_url = "https://acme-v02.api.letsencrypt.org/directory"
+}
diff --git a/variables.tf b/variables.tf
@@ -32,3 +32,21 @@ variable "ecs_cluster_name" {
 variable "bastion_keypair_name" {
     default = "openfaas"
 }
+
+variable "self_signed_enabled" {
+    default = 1
+}
+
+variable "acme_enabled" {
+    default = 0
+}
+
+variable "acme_email_address" {
+    default = "nobody@example.com"
+}
+
+variable "acme_domain_name" {
+    default = ""
+}
+
+variable "alb_logs_bucket" {}

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,10 @@ resource "aws_ecs_service" "gateway" {`
`26`	`26`	`ignore_changes = ["desired_count"]`
`27`	`27`	`}`
`28`	`28`
`29`		`- depends_on = ["aws_lb_listener.gateway"]`
	`29`	`+ depends_on = [`
	`30`	`+ "aws_lb_listener.gateway_self_signed",`
	`31`	`+ "aws_lb_listener.gateway_acme"`
	`32`	`+ ]`
`30`	`33`	`}`
`31`	`34`
`32`	`35`	`resource "aws_ecs_task_definition" "gateway" {`
Original file line number	Diff line number	Diff line change
`@@ -2,3 +2,8 @@ provider "aws" {`
`2`	`2`	`region = "${var.aws_region}"`
`3`	`3`	`version = "~> 1.41.0"`
`4`	`4`	`}`
	`5`	`+`
	`6`	`+provider "acme" {`
	`7`	`+ version = "~> 1.0"`
	`8`	`+ server_url = "https://acme-v02.api.letsencrypt.org/directory"`
	`9`	`+}`