add certificate setup for https (maticnetwork#13)

* add certificate setup for https * feat: get https to work with certificate * add example env file
Stefan-Ethernal · May 10, 2023 · b73772a · b73772a
1 parent 8d6ac56
commit b73772a
Show file tree

Hide file tree

Showing 8 changed files with 84 additions and 1 deletion.
diff --git a/example.env b/example.env
@@ -2,4 +2,3 @@ TF_VAR_deployment_name="devnet13"
 TF_VAR_company_name="company"
 TF_VAR_owner="[email protected]"
 TF_VAR_fullnode_count=0
-
diff --git a/main.tf b/main.tf
@@ -23,6 +23,8 @@ module "dns" {
   fullnode_count  = var.fullnode_count
   validator_count = var.validator_count
   geth_count      = var.geth_count
+  route53_zone_id = var.route53_zone_id
+  deployment_name = var.deployment_name
 
   devnet_id                  = module.networking.devnet_id
   aws_lb_int_rpc_domain      = module.elb.aws_lb_int_rpc_domain
@@ -70,6 +72,7 @@ module "elb" {
   fullnode_count     = var.fullnode_count
   validator_count    = var.validator_count
   geth_count         = var.geth_count
+  route53_zone_id = var.route53_zone_id
   base_id            = local.base_id
 
   devnet_private_subnet_ids   = module.networking.devnet_private_subnet_ids
@@ -80,6 +83,7 @@ module "elb" {
   devnet_id                   = module.networking.devnet_id
   security_group_open_http_id = module.securitygroups.security_group_open_http_id
   security_group_default_id   = module.securitygroups.security_group_default_id
+  certificate_arn             = module.dns.certificate_arn
 }
 
 module "networking" {

diff --git a/modules/dns/main.tf b/modules/dns/main.tf
@@ -85,3 +85,42 @@ resource "aws_route53_record" "geth_rpc" {
   records = [var.aws_lb_ext_rpc_geth_domain]
 }
 
+data "aws_route53_zone" "ext_rpc" {
+  count   = var.route53_zone_id == "" ? 0 : 1
+  zone_id = var.route53_zone_id
+}
+
+resource "aws_acm_certificate" "ext_rpc" {
+  count   = var.route53_zone_id == "" ? 0 : 1
+  domain_name       = "${var.deployment_name}.${data.aws_route53_zone.ext_rpc[0].name}"
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route53_record" "validation" {
+  for_each = {
+    for dvo in (var.route53_zone_id == "" ? [] : aws_acm_certificate.ext_rpc[0].domain_validation_options) : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.route53_zone_id
+}
+
+resource "aws_acm_certificate_validation" "edge" {
+  count   = var.route53_zone_id == "" ? 0 : 1
+  certificate_arn         = aws_acm_certificate.ext_rpc[0].arn
+  validation_record_fqdns = [for record in aws_route53_record.validation : record.fqdn]
+}
+
+
diff --git a/modules/dns/outputs.tf b/modules/dns/outputs.tf
@@ -0,0 +1,3 @@
+output "certificate_arn" {
+  value = var.route53_zone_id == "" ? "" : aws_acm_certificate.ext_rpc[0].arn
+}
diff --git a/modules/dns/variables.tf b/modules/dns/variables.tf
@@ -8,6 +8,12 @@ variable "region" {
   type        = string
   default     = "us-west-2"
 }
+
+variable "deployment_name" {
+  description = "The unique name for this particular deployment"
+  type        = string
+}
+
 variable "fullnode_count" {
   description = "The number of full nodes that we're going to deploy"
   type        = number
@@ -39,4 +45,9 @@ variable "aws_lb_int_rpc_domain" {
 }
 variable "aws_lb_ext_rpc_geth_domain" {
   type = string
+}
+
+variable "route53_zone_id" {
+  description = "The ID for external DNS"
+  type        = string
 }
diff --git a/modules/elb/main.tf b/modules/elb/main.tf
@@ -61,6 +61,18 @@ resource "aws_lb_listener" "ext_rpc" {
   }
 }
 
+resource "aws_lb_listener" "ext_rpc_secure" {
+  count             = var.route53_zone_id == "" ? 0 : 1
+  load_balancer_arn = aws_lb.ext_rpc.arn
+  port              = 443
+  protocol          = "HTTPS"
+  certificate_arn   = var.certificate_arn
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.ext_rpc.arn
+  }
+}
+
 resource "aws_lb" "ext_rpc_geth" {
   name               = "ext-rpc-rootchain-${var.base_id}"
   load_balancer_type = "application"

diff --git a/modules/elb/variables.tf b/modules/elb/variables.tf
@@ -47,4 +47,13 @@ variable "security_group_open_http_id" {
 }
 variable "security_group_default_id" {
   type = string
+}
+
+variable "certificate_arn" {
+  type = string
+}
+
+variable "route53_zone_id" {
+  description = "The ID for external DNS"
+  type        = string
 }
diff --git a/variables.tf b/variables.tf
@@ -100,6 +100,12 @@ variable "rootchain_rpc_port" {
   default     = 8545
 }
 
+variable "route53_zone_id" {
+  description = "The ID of the hosted zone to contain the CNAME record to our LB"
+  type        = string
+  default     = ""
+}
+
 variable "owner" {
   description = "The main point of contact for this particular deployment"
   type        = string
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,4 +2,3 @@ TF_VAR_deployment_name="devnet13"
		TF_VAR_company_name="company"
		TF_VAR_owner="[email protected]"
		TF_VAR_fullnode_count=0