Merge pull request #896 from Hestia-Homes/deploy-fastapi-with-terraform
Deploy fastapi with terraform: add certificate
This commit is contained in:
commit
246e6aa1c6
12 changed files with 172 additions and 5 deletions
47
.github/workflows/deploy_terraform.yml
vendored
|
|
@ -346,11 +346,56 @@ jobs:
|
||||||
TF_VAR_epc_auth_token: ${{ secrets.DEV_EPC_AUTH_TOKEN }}
|
TF_VAR_epc_auth_token: ${{ secrets.DEV_EPC_AUTH_TOKEN }}
|
||||||
TF_VAR_google_solar_api_key: ${{ secrets.DEV_GOOGLE_SOLAR_API_KEY }}
|
TF_VAR_google_solar_api_key: ${{ secrets.DEV_GOOGLE_SOLAR_API_KEY }}
|
||||||
|
|
||||||
|
# ============================================================
|
||||||
|
# Deploy ACM Certificate for Cloudfront
|
||||||
|
# ============================================================
|
||||||
|
cloudfront_acm:
|
||||||
|
needs: [determine_stage, shared_terraform, fast_api_lambda]
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
env:
|
||||||
|
STAGE: ${{ needs.determine_stage.outputs.stage }}
|
||||||
|
TERRAFORM_APPLY: ${{ needs.determine_stage.outputs.terraform_apply }}
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- uses: aws-actions/configure-aws-credentials@v4
|
||||||
|
with:
|
||||||
|
aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
|
||||||
|
aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
|
||||||
|
aws-region: ${{ secrets.DEV_AWS_REGION }}
|
||||||
|
|
||||||
|
- uses: hashicorp/setup-terraform@v3
|
||||||
|
|
||||||
|
- name: Terraform Init
|
||||||
|
working-directory: infrastructure/terraform/cdn_certificate
|
||||||
|
run: terraform init -reconfigure
|
||||||
|
|
||||||
|
- name: Terraform Workspace
|
||||||
|
working-directory: infrastructure/terraform/cdn_certificate
|
||||||
|
run: |
|
||||||
|
terraform workspace select $STAGE \
|
||||||
|
|| terraform workspace new $STAGE
|
||||||
|
|
||||||
|
- name: Terraform Plan
|
||||||
|
working-directory: infrastructure/terraform/cdn_certificate
|
||||||
|
run: |
|
||||||
|
terraform plan \
|
||||||
|
-var="stage=${STAGE}" \
|
||||||
|
-out=tfplan
|
||||||
|
|
||||||
|
- name: Terraform Apply
|
||||||
|
if: env.TERRAFORM_APPLY == 'true'
|
||||||
|
working-directory: infrastructure/terraform/cdn_certificate
|
||||||
|
run: terraform apply -auto-approve tfplan
|
||||||
|
|
||||||
|
|
||||||
# ============================================================
|
# ============================================================
|
||||||
# Deploy Cloudfront CDN
|
# Deploy Cloudfront CDN
|
||||||
# ============================================================
|
# ============================================================
|
||||||
cloudfront_cdn:
|
cloudfront_cdn:
|
||||||
needs: [determine_stage, shared_terraform, fast_api_lambda]
|
needs: [determine_stage, cloudfront_acm]
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
env:
|
env:
|
||||||
|
|
|
||||||
|
|
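Review bot: The new `cloudfront_acm` job authenticates with long-lived static keys (`DEV_AWS_ACCESS_KEY_ID` / `DEV_AWS_SECRET_ACCESS_KEY`) at its `aws-actions/configure-aws-credentials@v4` step, although the work it does appears limited to ACM in us-east-1 plus state access. If the other jobs in this workflow already use the same static keys this is at least consistent, but a GitHub OIDC role via `role-to-assume:` with a job-level `permissions: { id-token: write, contents: read }` would remove the stored secret and let the role policy be scoped to what this job needs. Separately, `$STAGE` is expanded unquoted in `terraform workspace select $STAGE \` and `|| terraform workspace new $STAGE`; `"$STAGE"` avoids word-splitting if the output ever contains whitespace. The `jobs:` mapping continues outside the hunk.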
@ -16,7 +16,19 @@ data "terraform_remote_state" "shared" {
|
||||||
data "terraform_remote_state" "fast_api" {
|
data "terraform_remote_state" "fast_api" {
|
||||||
backend = "s3"
|
backend = "s3"
|
||||||
config = {
|
config = {
|
||||||
bucket = "ara-fast-api-terraform-state"
|
bucket = data.terraform_remote_state.shared.ara_fast_api_state_bucket
|
||||||
|
key = "env:/${var.stage}/terraform.tfstate"
|
||||||
|
region = "eu-west-2"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
############################################
|
||||||
|
# Load CDN Certificate Terraform State
|
||||||
|
############################################
|
||||||
|
data "terraform_remote_state" "cdn_certificate" {
|
||||||
|
backend = "s3"
|
||||||
|
config = {
|
||||||
|
bucket = data.terraform_remote_state.shared.cdn_certificate_state_bucket
|
||||||
key = "env:/${var.stage}/terraform.tfstate"
|
key = "env:/${var.stage}/terraform.tfstate"
|
||||||
region = "eu-west-2"
|
region = "eu-west-2"
|
||||||
}
|
}
|
||||||
|
|
@ -28,8 +40,9 @@ data "terraform_remote_state" "fast_api" {
|
||||||
module "cdn" {
|
module "cdn" {
|
||||||
source = "../modules/cloudfront"
|
source = "../modules/cloudfront"
|
||||||
|
|
||||||
aliases = []
|
aliases = [data.terraform_remote_state.fast_api.outputs.domain_name]
|
||||||
# aliases = [data.terraform_remote_state.fast_api.outputs.domain_name]
|
|
||||||
|
acm_certificate_arn = data.terraform_remote_state.cdn_certificate.outputs.certificate_arn
|
||||||
|
|
||||||
origins = [
|
origins = [
|
||||||
# ---- S3 ----
|
# ---- S3 ----
|
||||||
|
|
|
||||||
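Review bot: `bucket = data.terraform_remote_state.shared.ara_fast_api_state_bucket` (new side of the `fast_api` block) and `bucket = data.terraform_remote_state.shared.cdn_certificate_state_bucket` in the new `cdn_certificate` block read shared-stack outputs without the `.outputs` attribute, while the `aliases` line correctly uses `data.terraform_remote_state.fast_api.outputs.domain_name`. The `terraform_remote_state` data source only exposes outputs under `outputs`, so plan should fail with an unsupported-attribute error on both lines. Change them to `bucket = data.terraform_remote_state.shared.outputs.ara_fast_api_state_bucket` and `bucket = data.terraform_remote_state.shared.outputs.cdn_certificate_state_bucket`. The `shared` remote-state block these depend on starts outside the hunk.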
28
infrastructure/terraform/cdn_certificate/main.tf
Normal file
|
|
@ -0,0 +1,28 @@
|
||||||
|
############################################
|
||||||
|
# Load FastAPI Terraform State
|
||||||
|
############################################
|
||||||
|
data "terraform_remote_state" "fast_api" {
|
||||||
|
backend = "s3"
|
||||||
|
config = {
|
||||||
|
bucket = "ara-fast-api-terraform-state"
|
||||||
|
key = "env:/${var.stage}/terraform.tfstate"
|
||||||
|
region = "eu-west-2"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
############################################
|
||||||
|
# Define Certificate
|
||||||
|
############################################
|
||||||
|
module "cdn_certificate" {
|
||||||
|
source = "../modules/acm_certificate"
|
||||||
|
|
||||||
|
providers = {
|
||||||
|
aws = aws.us_east_1
|
||||||
|
}
|
||||||
|
|
||||||
|
domain_name = data.terraform_remote_state.fast_api.outputs.domain_name
|
||||||
|
|
||||||
|
tags = {
|
||||||
|
Environment = var.stage
|
||||||
|
}
|
||||||
|
}
|
||||||
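Review bot: `bucket = "ara-fast-api-terraform-state"` in the new `fast_api` remote-state block hard-codes the state bucket that the CDN stack, in this same commit, switches to reading from the shared stack's outputs, leaving two sources of truth for the same value. Consider adding a `data "terraform_remote_state" "shared"` block here as the CDN stack has and using `bucket = data.terraform_remote_state.shared.outputs.ara_fast_api_state_bucket`, or at minimum annotate the literal with `# NOTE: must match the shared stack output ara_fast_api_state_bucket`. Passing `aws = aws.us_east_1` into the module is correct, since CloudFront only accepts certificates from that region.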
3
infrastructure/terraform/cdn_certificate/outputs.tf
Normal file
|
|
@ -0,0 +1,3 @@
|
||||||
|
output "certificate_arn" {
|
||||||
|
value = module.cdn_certificate.certificate_arn
|
||||||
|
}
|
||||||
17
infrastructure/terraform/cdn_certificate/provider.tf
Normal file
|
|
@ -0,0 +1,17 @@
|
||||||
|
terraform {
|
||||||
|
required_providers {
|
||||||
|
aws = {
|
||||||
|
source = "hashicorp/aws"
|
||||||
|
version = ">= 5.0"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
provider "aws" {
|
||||||
|
region = var.region
|
||||||
|
}
|
||||||
|
|
||||||
|
provider "aws" {
|
||||||
|
alias = "us_east_1"
|
||||||
|
region = "us-east-1"
|
||||||
|
}
|
||||||
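Review bot: `region = var.region` in the default `provider "aws"` block references a variable that this directory's new `variables.tf` does not declare (it only defines `stage`), so `terraform init`/`validate` should fail with "Reference to undeclared input variable" unless another file in the directory declares it. Either add `variable "region" { type = string }` to `variables.tf` and supply it from the workflow (`-var` or `TF_VAR_region`), or set the region explicitly. The `terraform {}` block also has no `backend` stanza, yet the CDN stack reads this stack's state from the S3 bucket exported as `cdn_certificate_state_bucket`; if no backend file exists elsewhere in this directory, the state written by `terraform apply` stays local to the runner and the CDN stack's remote-state lookup finds nothing. Pinning `version = "~> 5.0"` rather than `>= 5.0` would also prevent an unreviewed major-version jump of the AWS provider.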
3
infrastructure/terraform/cdn_certificate/variables.tf
Normal file
|
|
@ -0,0 +1,3 @@
|
||||||
|
variable "stage" {
|
||||||
|
type = string
|
||||||
|
}
|
||||||
11
infrastructure/terraform/modules/acm_certificate/main.tf
Normal file
|
|
@ -0,0 +1,11 @@
|
||||||
|
resource "aws_acm_certificate" "this" {
|
||||||
|
domain_name = var.domain_name
|
||||||
|
subject_alternative_names = var.subject_alternative_names
|
||||||
|
validation_method = "DNS"
|
||||||
|
|
||||||
|
lifecycle {
|
||||||
|
create_before_destroy = true
|
||||||
|
}
|
||||||
|
|
||||||
|
tags = var.tags
|
||||||
|
}
|
||||||
|
|
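Review bot: `validation_method = "DNS"` on `aws_acm_certificate.this` yields a certificate that stays in PENDING_VALIDATION until the CNAME records from `domain_validation_options` are published and issuance is confirmed; nothing in this commit consumes the `domain_validation_options` output, and the CDN stack attaches `certificate_arn` directly, which CloudFront rejects for a certificate that is not yet issued. If the DNS zone is managed in Terraform, add `aws_route53_record` entries built from `domain_validation_options` plus an `aws_acm_certificate_validation` resource in this module and export the validation's `certificate_arn` so the dependency is explicit. If validation is done by hand, say so next to the resource: `# NOTE: certificate must be DNS-validated before the CDN stack references certificate_arn`. `create_before_destroy = true` is the right lifecycle for a certificate referenced by a distribution.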
@ -0,0 +1,7 @@
|
||||||
|
output "certificate_arn" {
|
||||||
|
value = aws_acm_certificate.this.arn
|
||||||
|
}
|
||||||
|
|
||||||
|
output "domain_validation_options" {
|
||||||
|
value = aws_acm_certificate.this.domain_validation_options
|
||||||
|
}
|
||||||
|
|
@ -0,0 +1,16 @@
|
||||||
|
variable "domain_name" {
|
||||||
|
description = "Primary domain name for the certificate"
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "subject_alternative_names" {
|
||||||
|
description = "Additional domains for the certificate"
|
||||||
|
type = list(string)
|
||||||
|
default = []
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "tags" {
|
||||||
|
description = "Tags to apply to the certificate"
|
||||||
|
type = map(string)
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
@ -1,3 +1,6 @@
|
||||||
|
#############################################
|
||||||
|
# Use Managed Caching and Forwarding Policies
|
||||||
|
#############################################
|
||||||
data "aws_cloudfront_cache_policy" "caching_disabled" {
|
data "aws_cloudfront_cache_policy" "caching_disabled" {
|
||||||
name = "Managed-CachingDisabled"
|
name = "Managed-CachingDisabled"
|
||||||
}
|
}
|
||||||
|
|
@ -113,7 +116,11 @@ resource "aws_cloudfront_distribution" "this" {
|
||||||
##########################################
|
##########################################
|
||||||
|
|
||||||
viewer_certificate {
|
viewer_certificate {
|
||||||
cloudfront_default_certificate = true
|
acm_certificate_arn = var.acm_certificate_arn
|
||||||
|
ssl_support_method = var.acm_certificate_arn != null ? "sni-only" : null
|
||||||
|
minimum_protocol_version = var.acm_certificate_arn != null ? "TLSv1.2_2021" : null
|
||||||
|
|
||||||
|
cloudfront_default_certificate = var.acm_certificate_arn == null
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
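Review bot: The new `viewer_certificate` block switches between ACM and the default certificate purely on `var.acm_certificate_arn`, but nothing ties that choice to `var.aliases`: a caller that sets aliases while leaving the ARN null produces a distribution that CloudFront rejects at apply time with a generic API error. A resource `precondition` makes the contract explicit and fails at plan with a readable message. The `aws_cloudfront_distribution.this` resource starts outside the hunk; if it already has a `lifecycle` block, add the precondition to that block rather than a second one.
```hcl
  # … unchanged: origins, cache behaviours, viewer_certificate …
  lifecycle {
    precondition {
      condition     = length(var.aliases) == 0 || var.acm_certificate_arn != null
      error_message = "Custom aliases require acm_certificate_arn; the CloudFront default certificate only covers the *.cloudfront.net domain."
    }
  }
```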
@ -11,4 +11,10 @@ variable "origins" {
|
||||||
|
|
||||||
variable "aliases" {
|
variable "aliases" {
|
||||||
type = list(string)
|
type = list(string)
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "acm_certificate_arn" {
|
||||||
|
description = "ACM certificate ARN for custom aliases"
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
}
|
}
|
||||||
|
|
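Review bot: The new `acm_certificate_arn` variable accepts any string, but CloudFront only accepts ACM certificates issued in us-east-1, so an ARN from another region fails late at apply. A `validation` block catches that at plan time and documents the requirement in the variable itself; the description is extended to state it too.
```hcl
variable "acm_certificate_arn" {
  description = "ACM certificate ARN for custom aliases (must be issued in us-east-1, as CloudFront requires)"
  type        = string
  default     = null

  validation {
    condition     = var.acm_certificate_arn == null || can(regex("^arn:aws[a-z-]*:acm:us-east-1:", var.acm_certificate_arn))
    error_message = "acm_certificate_arn must be an ACM certificate ARN in us-east-1."
  }
}
```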
@ -562,4 +562,15 @@ output "fast_api_s3_read_and_write_arn" {
|
||||||
value = module.fast_api_s3_read_and_write.policy_arn
|
value = module.fast_api_s3_read_and_write.policy_arn
|
||||||
}
|
}
|
||||||
|
|
||||||
|
################################################
|
||||||
|
# CDN Certificate
|
||||||
|
################################################
|
||||||
|
module "cdn_certificate_state_bucket" {
|
||||||
|
source = "../modules/tf_state_bucket"
|
||||||
|
bucket_name = "cdn-certificate-terraform-state"
|
||||||
|
}
|
||||||
|
|
||||||
|
output "cdn_certificate_state_bucket" {
|
||||||
|
value = module.cdn_certificate_state_bucket.bucket_name
|
||||||
|
}
|
||||||
|
|
||||||
|
|
|
||||||
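Review bot: `bucket_name = "cdn-certificate-terraform-state"` omits the project prefix that the existing state bucket referenced elsewhere in this commit, `ara-fast-api-terraform-state`, carries; S3 bucket names are global, so a generic unprefixed name is more likely to collide with a bucket in another account and make the `tf_state_bucket` module fail. Use `bucket_name = "ara-cdn-certificate-terraform-state"` for consistency with that naming. Also, the `module "cdn_certificate_state_bucket"` block is placed among outputs in what the hunk header indicates is the outputs file; moving it next to the other state-bucket modules keeps this file declarative-only. The file continues outside the hunk.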