cleaning up unneeded load balancer, making the certbot script more dynamic

Author: dcassanego

api_dns.tf

@@ -4,10 +4,32 @@ set -x
 
 sleep 20
 #run certbot and copy files to envoy
-# to avoid restrinctions from letsencrypt like "There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: demo-api-engine.aws.postgres.ai: see https://letsencrypt.org/docs/rate-limits/" follwing three lines were commented out and mocked up. In real implementation inline certs have to be removed and letsencrypt generated certs should be used
-#sudo certbot certonly --standalone -d demo-api-engine.aws.postgres.ai -m m@m.com --agree-tos -n
-#sudo cp /etc/letsencrypt/archive/demo-api-engine.aws.postgres.ai/fullchain1.pem /etc/envoy/certs/
-#sudo cp /etc/letsencrypt/archive/demo-api-engine.aws.postgres.ai/privkey1.pem /etc/envoy/certs/
+# to avoid restrinctions from letsencrypt like "There were too many requests of a given type ::
+# Error creating new order :: too many certificates (5) already issued for this exact set of domains
+# in the last 168 hours: demo-api-engine.aws.postgres.ai: see https://letsencrypt.org/docs/rate-limits/"
+# follwing three lines were commented out and mocked up. In real implementation inline certs have to be
+# removed and letsencrypt generated certs should be used
+
+
+# <START certbot generated cert>
+#
+#sudo certbot certonly --standalone -d ${dns_api_subdomain}.${dns_zone_name} -m m@m.com --agree-tos -n
+#sudo cp /etc/letsencrypt/live/${dns_api_subdomain}.${dns_zone_name}/fullchain.pem /etc/envoy/certs/fullchain1.pem
+#sudo cp /etc/letsencrypt/live/${dns_api_subdomain}.${dns_zone_name}/privkey.pem /etc/envoy/certs/privkey1.pem
+
+# cat <<EOF > /etc/letsencrypt/renewal-hooks/deploy/envoy.deploy
+# #!/bin/bash
+# umask 0177
+# export DOMAIN=${dns_api_subdomain}.${dns_zone_name}
+# export DATA_DIR=/etc/envoy/certs/
+# cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem $DATA_DIR/fullchain1.pem
+# cp /etc/letsencrypt/live/$DOMAIN/privkey.pem   $DATA_DIR/privkey1.pem
+# EOF
+# sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/envoy.deploy
+#
+# # <END certbot generated cert>
+
+
 cat <<EOF > /etc/envoy/certs/fullchain1.pem
 -----BEGIN CERTIFICATE-----
 MIICqDCCAZACCQCquzpHNpqBcDANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtm
@@ -62,7 +84,7 @@ sudo systemctl enable envoy
 sudo systemctl start envoy
 
 #create zfs pools
-disks=(${dle_disks}) 
+disks=(${dle_disks})
 for i in $${!disks[@]}; do
   sudo zpool create -f \
   -O compression=on \
@@ -71,11 +93,11 @@ for i in $${!disks[@]}; do
   -O logbias=throughput \
   -m /var/lib/dblab/dblab_pool_0$i\
   dblab_pool_0$i \
-  $${disks[$i]} 
+  $${disks[$i]}
 done
 
 #configure and start DLE
-mkdir ~/.dblab 
+mkdir ~/.dblab
 cp /home/ubuntu/.dblab/config.example.logical_generic.yml ~/.dblab/server.yml
 sed -ri "s/^(\s*)(debug:.*$)/\1debug: ${dle_debug}/" ~/.dblab/server.yml
 sed -ri "s/^(\s*)(timetable:.*$)/\1timetable: \"${dle_retrieval_refresh_timetable}\"/" ~/.dblab/server.yml

api_ssl_endpoint.tf

@@ -0,0 +1,50 @@
+/**
+ * This file sets up all resources necessary to route incoming
+ * HTTPS requests to the Load Balancer defined in api_ssl_endpoint.
+ *
+ * It assumes that the AWS account has a Route 53 hosted zone
+ * and then provisions a sub-domain that will be used to point
+ * to the load balancer
+ */
+
+
+data "aws_route53_zone" "dblab_zone" {
+  name = var.dns_zone_name
+}
+
+###
+# FIXME: Understand when this is and is not needed
+# This record was created manually within the Postgres.ai hosted zone
+# due to issues when attempting to validate the AWS issue certificate.
+# If this is necessary in all circumstances, then this Terraform
+# resource should be close to correct.
+#
+#resource "aws_route53_record" "dblab_subdomain_caa" {
+#  name = var.dns_zone_name
+#  type = "CAA"
+#
+#  records = [
+#    "0 issue \"amazon.com\"",
+#    "0 issue \"amazontrust.com\"",
+#    "0 issue \"awstrust.com\"",
+#    "0 issue \"amazonaws.com\"",
+#    "0 issue \"letsencrypt.org\""
+#  ]
+#
+#  zone_id = data.aws_route53_zone.dblab_zone.zone_id
+#  ttl     = "60"
+#}
+
+resource "aws_route53_record" "dblab_subdomain" {
+  name = var.dns_api_subdomain
+  type = "CNAME"
+
+  # TODO -- Allocate an Elastic IP address for the instance rather than using the
+  #         default assigned public DNS which can rotate
+  records = [
+    aws_instance.aws_ec2.public_dns
+  ]
+
+  zone_id = data.aws_route53_zone.dblab_zone.zone_id
+  ttl     = "60"
+}

clones_dns.tf

@@ -8,7 +8,7 @@ output "ec2_public_dns" {
   value = "${aws_instance.aws_ec2.public_dns}"
 }
 output "public_dns_name" {
-  value = "${join("", aws_route53_record.dblab_clones_subdomain.*.fqdn)}"
+  value = "${join("", aws_route53_record.dblab_subdomain.*.fqdn)}"
 }
 output "dle_verification_token" {
   value = "${random_string.dle_token.result}"

dle-logical-init.sh.tpl

@@ -1,32 +1,3 @@
-resource "aws_security_group" "dle_api_sg" {
-  ingress {
-    cidr_blocks = "${var.allow_api_from_cidrs}"
-    from_port = 443
-    to_port   = 443
-    protocol  = "tcp"
-  }
-  ingress {
-    cidr_blocks = "${var.allow_api_from_cidrs}"
-    from_port = 2345
-    to_port   = 2345
-    protocol  = "tcp"
-  }
-  ingress {
-    cidr_blocks = "${var.allow_api_from_cidrs}"
-    from_port = 2400
-    to_port   = 2400
-    protocol  = "tcp"
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = "${local.common_tags}"
-}
 
 resource "aws_security_group" "dle_instance_sg" {
   tags = "${local.common_tags}"
@@ -47,8 +18,7 @@ resource "aws_security_group_rule" "dle_instance_api" {
   from_port                 = 443
   to_port                   = 443
   protocol                  = "tcp"
-  #source_security_group_id  = aws_security_group.dle_api_sg.id
-  cidr_blocks       = "${var.allow_api_from_cidrs}"
+  cidr_blocks               = "${var.allow_api_from_cidrs}"
 }
 
 resource "aws_security_group_rule" "joe_bot_api" {
@@ -57,18 +27,17 @@ resource "aws_security_group_rule" "joe_bot_api" {
   from_port                 = 444
   to_port                   = 444
   protocol                  = "tcp"
-  #source_security_group_id  = aws_security_group.dle_api_sg.id
-  cidr_blocks       = "${var.allow_api_from_cidrs}"
+  cidr_blocks               = "${var.allow_api_from_cidrs}"
 }
 
-#resource "aws_security_group_rule" "dle_instance_http_cert_auth" {
-#  security_group_id         = aws_security_group.dle_instance_sg.id
-#  type                      = "ingress"
-#  from_port                 = 80
-#  to_port                   = 80
-#  protocol                  = "tcp"
-#  cidr_blocks               = ["0.0.0.0/0"]
-#}
+resource "aws_security_group_rule" "dle_instance_http_cert_auth" {
+  security_group_id         = aws_security_group.dle_instance_sg.id
+  type                      = "ingress"
+  from_port                 = 80
+  to_port                   = 80
+  protocol                  = "tcp"
+  cidr_blocks               = ["0.0.0.0/0"]
+}
 
 resource "aws_security_group_rule" "dle_instance_clones" {
   security_group_id = aws_security_group.dle_instance_sg.id