Merge branch 'load-balancer-cleanup' into 'master'

Load balancer cleanup + Certbot

See merge request postgres-ai/database-lab-infrastructure!9

Author: dcassanego

api_dns.tf

@@ -4,10 +4,35 @@ set -x
 
 sleep 20
 #run certbot and copy files to envoy
-# to avoid restrinctions from letsencrypt like "There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: demo-api-engine.aws.postgres.ai: see https://letsencrypt.org/docs/rate-limits/" follwing three lines were commented out and mocked up. In real implementation inline certs have to be removed and letsencrypt generated certs should be used
-#sudo certbot certonly --standalone -d demo-api-engine.aws.postgres.ai -m m@m.com --agree-tos -n
-#sudo cp /etc/letsencrypt/archive/demo-api-engine.aws.postgres.ai/fullchain1.pem /etc/envoy/certs/
-#sudo cp /etc/letsencrypt/archive/demo-api-engine.aws.postgres.ai/privkey1.pem /etc/envoy/certs/
+# to avoid restrinctions from letsencrypt like "There were too many requests of a given type ::
+# Error creating new order :: too many certificates (5) already issued for this exact set of domains
+# in the last 168 hours: demo-api-engine.aws.postgres.ai: see https://letsencrypt.org/docs/rate-limits/"
+# follwing three lines were commented out and mocked up. In real implementation inline certs have to be
+# removed and letsencrypt generated certs should be used
+
+
+# <START certbot generated cert>
+#
+#sudo certbot certonly --standalone -d ${aws_deploy_dns_api_subdomain}.${aws_deploy_dns_zone_name} -m ${aws_deploy_certificate_email} --agree-tos -n
+#sudo cp /etc/letsencrypt/live/${aws_deploy_dns_api_subdomain}.${aws_deploy_dns_zone_name}/fullchain.pem /etc/envoy/certs/fullchain1.pem
+#sudo cp /etc/letsencrypt/live/${aws_deploy_dns_api_subdomain}.${aws_deploy_dns_zone_name}/privkey.pem /etc/envoy/certs/privkey1.pem
+
+# cat <<EOF > /etc/letsencrypt/renewal-hooks/deploy/envoy.deploy
+# #!/bin/bash
+# umask 0177
+# export DOMAIN=${aws_deploy_dns_api_subdomain}.${aws_deploy_dns_zone_name}
+# export DATA_DIR=/etc/envoy/certs/
+# cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem $DATA_DIR/fullchain1.pem
+# cp /etc/letsencrypt/live/$DOMAIN/privkey.pem   $DATA_DIR/privkey1.pem
+# EOF
+# sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/envoy.deploy
+#
+# # <END certbot generated cert>
+#
+# FIXME
+# 1. Write script to edit the `/etc/envoy/envoy.yaml` file so that it replaces the wildcard domains with specific domain
+
+
 cat <<EOF > /etc/envoy/certs/fullchain1.pem
 -----BEGIN CERTIFICATE-----
 MIICqDCCAZACCQCquzpHNpqBcDANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtm
@@ -62,7 +87,7 @@ sudo systemctl enable envoy
 sudo systemctl start envoy
 
 #create zfs pools
-disks=(${dle_disks}) 
+disks=(${dle_disks})
 for i in $${!disks[@]}; do
   sudo zpool create -f \
   -O compression=on \
@@ -71,11 +96,11 @@ for i in $${!disks[@]}; do
   -O logbias=throughput \
   -m /var/lib/dblab/dblab_pool_0$i\
   dblab_pool_0$i \
-  $${disks[$i]} 
+  $${disks[$i]}
 done
 
 #configure and start DLE
-mkdir ~/.dblab 
+mkdir ~/.dblab
 #cp /home/ubuntu/.dblab/config.example.logical_generic.yml ~/.dblab/server.yml
 curl https://gitlab.com/postgres-ai/database-lab/-/raw/${dle_version_full}/configs/config.example.logical_generic.yml --output ~/.dblab/server.yml
 sed -ri "s/^(\s*)(debug:.*$)/\1debug: ${dle_debug_mode}/" ~/.dblab/server.yml

api_ssl_endpoint.tf

@@ -0,0 +1,50 @@
+/**
+ * This file sets up all resources necessary to route incoming
+ * HTTPS requests to the Load Balancer defined in api_ssl_endpoint.
+ *
+ * It assumes that the AWS account has a Route 53 hosted zone
+ * and then provisions a sub-domain that will be used to point
+ * to the load balancer
+ */
+
+
+data "aws_route53_zone" "dblab_zone" {
+  name = var.aws_deploy_dns_zone_name
+}
+
+###
+# FIXME: Understand when this is and is not needed
+# This record was created manually within the Postgres.ai hosted zone
+# due to issues when attempting to validate the AWS issue certificate.
+# If this is necessary in all circumstances, then this Terraform
+# resource should be close to correct.
+#
+#resource "aws_route53_record" "dblab_subdomain_caa" {
+#  name = var.aws_deploy_dns_zone_name
+#  type = "CAA"
+#
+#  records = [
+#    "0 issue \"amazon.com\"",
+#    "0 issue \"amazontrust.com\"",
+#    "0 issue \"awstrust.com\"",
+#    "0 issue \"amazonaws.com\"",
+#    "0 issue \"letsencrypt.org\""
+#  ]
+#
+#  zone_id = data.aws_route53_zone.dblab_zone.zone_id
+#  ttl     = "60"
+#}
+
+resource "aws_route53_record" "dblab_subdomain" {
+  name = var.aws_deploy_dns_api_subdomain
+  type = "CNAME"
+
+  # TODO -- Allocate an Elastic IP address for the instance rather than using the
+  #         default assigned public DNS which can rotate
+  records = [
+    aws_instance.aws_ec2.public_dns
+  ]
+
+  zone_id = data.aws_route53_zone.dblab_zone.zone_id
+  ttl     = "60"
+}

clones_dns.tf

@@ -30,7 +30,9 @@ data "template_file" "init" {
     dle_retrieval_refresh_timetable = "${var.dle_retrieval_refresh_timetable}"
     dle_disks = "${join(" ",var.aws_deploy_ec2_volumes_names)}"
     dle_version_full = "${var.dle_version_full}"
+    aws_deploy_dns_zone_name = "${var.aws_deploy_dns_zone_name}"
     aws_deploy_dns_api_subdomain = "${var.aws_deploy_dns_api_subdomain}"
+    aws_deploy_certificate_email = "{var.aws_deploy_certificate_email}"
     source_postgres_dbname = "${var.source_postgres_dbname}"
     source_postgres_host = "${var.source_postgres_host}"
     source_postgres_port = "${var.source_postgres_port}"
@@ -40,7 +42,7 @@ data "template_file" "init" {
     postgres_config_shared_preload_libraries = "${var.postgres_config_shared_preload_libraries}"
     platform_access_token = "${var.platform_access_token}"
     platform_project_name = "${var.platform_project_name}"
-    platform_joe_signing_secret = "${random_string.platform_joe_signing_secret.result}" 
+    platform_joe_signing_secret = "${random_string.platform_joe_signing_secret.result}"
     vcs_db_migration_checker_verification_token = "${random_string.vcs_db_migration_checker_verification_token.result}"
     vcs_github_secret_token = "${var.vcs_github_secret_token}"
   }

dle-logical-init.sh.tpl

@@ -8,10 +8,10 @@ output "aws_ec2_instance_dns" {
   value = "${aws_instance.aws_ec2.public_dns}"
 }
 output "platform_dle_registration_url" {
-  value = "${format("%s://%s", "https",join("", aws_route53_record.dblab_clones_subdomain.*.fqdn))}"
+  value = "${format("%s://%s", "https",join("", aws_route53_record.dblab_subdomain.*.fqdn))}"
 }
 output "platform_joe_registration_url" {
-  value = "${format("%s://%s:%s", "https",join("", aws_route53_record.dblab_clones_subdomain.*.fqdn),"444")}"
+  value = "${format("%s://%s:%s", "https",join("", aws_route53_record.dblab_subdomain.*.fqdn),"444")}"
 }
 output "dle_verification_token" {
   value = "${random_string.dle_verification_token.result}"
@@ -23,5 +23,5 @@ output "vcs_db_migration_checker_verification_token" {
   value = "${random_string.vcs_db_migration_checker_verification_token.result}"
 }
 output "vcs_db_migration_checker_registration_url" {
-  value = "${format("%s://%s:%s", "https",join("", aws_route53_record.dblab_clones_subdomain.*.fqdn),"445")}"
+  value = "${format("%s://%s:%s", "https",join("", aws_route53_record.dblab_subdomain.*.fqdn),"445")}"
 }