From 8b6f0ad78ffc935b237edd09f63d5720ec245637 Mon Sep 17 00:00:00 2001
From: Khalim Conn-Kowlessar
Date: Mon, 17 Jul 2023 11:51:16 +0100
Subject: [PATCH 1/5] commend out domain

---
 infrastructure/terraform/main.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf
index dfde8f94..0f67b8c3 100644
--- a/infrastructure/terraform/main.tf
+++ b/infrastructure/terraform/main.tf
@@ -85,9 +85,9 @@ module "s3_presignable_bucket" {
 }
 # Set up the route53 record for the API
-module "route53" {
- source = "./modules/route53"
- domain_name = var.domain_name
- api_url_prefix = var.api_url_prefix
+# module "route53" {
+# source = "./modules/route53"
+# domain_name = var.domain_name
+# api_url_prefix = var.api_url_prefix
-}
\ No newline at end of file
+# }
\ No newline at end of file
From 1b8c41256ae92b109cd3f0439c64a52b6339be88 Mon Sep 17 00:00:00 2001
From: Khalim Conn-Kowlessar
Date: Mon, 17 Jul 2023 11:54:57 +0100
Subject: [PATCH 2/5] Add back in route53

---
 infrastructure/terraform/main.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf
index 0f67b8c3..dfde8f94 100644
--- a/infrastructure/terraform/main.tf
+++ b/infrastructure/terraform/main.tf
@@ -85,9 +85,9 @@ module "s3_presignable_bucket" {
 }
 # Set up the route53 record for the API
-# module "route53" {
-# source = "./modules/route53"
-# domain_name = var.domain_name
-# api_url_prefix = var.api_url_prefix
+module "route53" {
+ source = "./modules/route53"
+ domain_name = var.domain_name
+ api_url_prefix = var.api_url_prefix
-# }
\ No newline at end of file
+}
\ No newline at end of file
From 9e06fd037155057edb2915cd292648c204b99a9f Mon Sep 17 00:00:00 2001
From: Khalim Conn-Kowlessar
Date: Mon, 17 Jul 2023 12:16:01 +0100
Subject: [PATCH 3/5] successfully created and verified dns

---
 infrastructure/terraform/modules/route53/main.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/infrastructure/terraform/modules/route53/main.tf b/infrastructure/terraform/modules/route53/main.tf
index d40714fb..c82768d7 100644
--- a/infrastructure/terraform/modules/route53/main.tf
+++ b/infrastructure/terraform/modules/route53/main.tf
@@ -4,8 +4,7 @@ resource "aws_route53_zone" "my_hosted_zone" {
 # Request an SSL certificate for the domain
 resource "aws_acm_certificate" "my_certificate_request" {
- domain_name = var.domain_name
- subject_alternative_names = ["*.${var.domain_name}"]
+ domain_name = "*.${var.domain_name}"
 validation_method = "DNS"
 tags = {
From c7a765c1932f49443e11397293a7f106dd448e0d Mon Sep 17 00:00:00 2001
From: Khalim Conn-Kowlessar
Date: Mon, 17 Jul 2023 12:22:51 +0100
Subject: [PATCH 4/5] Added docs to readme

---
 infrastructure/terraform/README.md | 47 ++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/infrastructure/terraform/README.md b/infrastructure/terraform/README.md
index be36fe44..136d873a 100644
--- a/infrastructure/terraform/README.md
+++ b/infrastructure/terraform/README.md
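Review bot: The new `domain_name = "*.${var.domain_name}"` leaves the apex name off the certificate — a wildcard label matches exactly one subdomain level, so `var.domain_name` itself (and anything nested two levels deep) is no longer covered, while the README added in PATCH 4/5 says the certificate secures "your domain and all its subdomains". If only `api-<stage>.<domain>` (PATCH 5/5) needs it, a wildcard is broader than required and one private key then serves every subdomain; if the apex is also served, keep it on the certificate with `subject_alternative_names = [var.domain_name]` alongside the wildcard. If the previous apex-plus-wildcard form was dropped because DNS validation seemed to stall, note that ACM issues the same validation CNAME for a name and its wildcard, so a `for_each` over `domain_validation_options` in the validation record (not visible here) may need de-duplicating rather than the certificate narrowing. The `aws_acm_certificate` block continues past the hunk (`tags = {`).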
@@ -68,6 +68,53 @@ terraform workspace select prod Remember to update your variables file accordingly when planning and applying changes (`-var-file=prod.tfvars` for production, for example). +# Deployment with Github actions + +Deployment has been automated with github actions. In order to trigger a new deployment, simply make a pull request to either the `dev` or `prod` branches, depending on the deployment you wish to trigger. Then, once that pull request is merge, it will trigger a workflow in Github actions which will perform the deployment steps, as described above. + +# AWS Route 53 and SSL Certificate Creation + +This document provides an explanation of the Terraform script used to create AWS Route 53 resources and an SSL certificate. + +## Code Explanation + +The code can be found in the route53 module in `modules/route53/main.tf` + +- First, an AWS Route 53 hosted zone is created for your domain with the aws_route53_zone resource. + +- Next, the aws_acm_certificate resource requests a wildcard SSL certificate for your domain. This certificate will secure your domain and all its subdomains. The validation_method is set to DNS, which means that Amazon will verify that you own the domain by checking DNS records. + +- After requesting the certificate, we use the aws_route53_record resource to create a DNS validation record in our Route 53 hosted zone. This record is used by Amazon to verify our ownership of the domain. + +- With the aws_acm_certificate_validation resource, we tell AWS to use our validation DNS record to validate the certificate. + +- An AWS Route 53 CAA record is also created with the aws_route53_record resource. This record specifies that Amazon is authorized to issue certificates for our domain. + +- Finally, the ARN of the certificate is stored in AWS SSM Parameter Store using the aws_ssm_parameter resource, so that it can be accessed by other resources. 
+ +## Initial Verification + +The first time you run this script, Amazon will need to verify your ownership of the domain before issuing the certificate. To do this, Amazon will check for the presence of the DNS validation record that was created by the script. + +When using Google Domains, follow these steps to add the validation record: + +Go to the Google Domains website and sign in. +Select your domain. +Open the DNS settings. +In the 'Custom resource records' section, add a new record with the following details: + +- Name: +- Type: CNAME +- TTL: 1H +- Data: + After you've added the record, Amazon will automatically validate your domain once it detects the new DNS record. This process can take a few minutes to several hours, depending on DNS propagation times. + +Note: Please replace the Name and Data values with the ones provided by the script's output. + +### Certificate Renewal + +Amazon will automatically renew managed certificates 60 days before they expire. This means that, once your domain is validated and the certificate is issued, Amazon will handle the renewal of the certificate for you. You will not need to manually renew the certificate or repeat the validation process. + ## Future TODOS - At the moment, the database is publicly accessible. We could add an inbound rule to a security group to restrict access to the ip of the vercel application in prod which would look something like this: From 043d390977262cbece0383358c4bdef2ee4a76ab Mon Sep 17 00:00:00 2001 From: Khalim Conn-Kowlessar Date: Mon, 17 Jul 2023 12:33:25 +0100 Subject: [PATCH 5/5] deploying api with api domain --- .github/workflows/deploy_fastapi_backend.yml | 2 ++ backend/serverless.yml | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/.github/workflows/deploy_fastapi_backend.yml b/.github/workflows/deploy_fastapi_backend.yml index 4d75c6a9..fc1883fa 100644 --- a/.github/workflows/deploy_fastapi_backend.yml +++ b/.github/workflows/deploy_fastapi_backend.yml 
@@ -21,6 +21,7 @@ jobs:
 run: |
 npm install -g serverless
 npm install -g serverless-python-requirements
+ npm install -g serverless-domain-manager
 - name: Install dependencies
 run: |
@@ -50,4 +51,5 @@ jobs:
 SECRET_KEY: ${{ secrets.NEXTAUTH_SECRET }}
 ALGORITHM: 'HS256'
 PLAN_TRIGGER_BUCKET: 'retrofit-plan-inputs-${{ github.ref_name }}'
+ DOMAIN_NAME: ${{ secrets.DOMAIN_NAME }}
 run: cd backend && sls deploy --stage ${{ github.ref_name }} --verbose
diff --git a/backend/serverless.yml b/backend/serverless.yml
index 145892a3..144939fb 100644
--- a/backend/serverless.yml
+++ b/backend/serverless.yml
@@ -10,6 +10,7 @@ provider:
 SECRET_KEY: ${env:SECRET_KEY}
 ALGORITHM: ${env:ALGORITHM}
 PLAN_TRIGGER_BUCKET: ${env:PLAN_TRIGGER_BUCKET}
+ DOMAIN_NAME: ${env:DOMAIN_NAME}
 package:
 individually: true
@@ -18,6 +19,7 @@ package:
 plugins:
 - serverless-python-requirements
+ - serverless-domain-manager
 custom:
 pythonRequirements:
@@ -26,6 +28,11 @@ custom:
 useDocker: true
 dockerSsh: true
 fileName: requirements/base.txt
+ customDomain:
+ domainName: api-${self:provider.stage}.${self:provider.environment.DOMAIN_NAME}
+ stage: ${self:provider.stage}
+ createRoute53Record: true
+ certificateArn: ${ssm:/ssl_certificate_arn~true}
 functions:
 app:
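Review bot: `npm install -g serverless-domain-manager` pulls whatever version is current at deploy time, so the plugin that attaches the API's custom domain and certificate is resolved unpinned inside the deploy job (the two existing `npm install -g` lines above it share the problem, but this line adds a third). Pin it, e.g. `npm install -g serverless-domain-manager@<pinned-version>` with `<pinned-version>` replaced by the version you deployed with, or better, declare the plugins as devDependencies in `backend/package.json` and install them with `npm ci` from a committed lockfile so upgrades show up in a reviewable diff rather than in CI. The step's enclosing `run: |` block starts outside the hunk.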
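Review bot: `DOMAIN_NAME: ${{ secrets.DOMAIN_NAME }}` stores a public hostname in the secret store; it is not confidential, and because secrets are masked in the job log the resolved `api-<stage>.<domain>` name will be redacted from the `sls deploy --verbose` output exactly when you need it to debug a failed domain creation. A repository or environment configuration variable, `DOMAIN_NAME: ${{ vars.DOMAIN_NAME }}`, keeps it out of the secret store and readable in logs. The rest of the step's `env:` block starts outside the hunk.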
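Review bot: `certificateArn: ${ssm:/ssl_certificate_arn~true}` uses the `~true` decrypt suffix, which, as far as I recall from the Serverless Framework v3 upgrade notes, is no longer accepted in v3 (SecureString parameters are decrypted by default there); since the workflow installs `serverless` unpinned, the deploy most likely runs v3 and the variable would fail to resolve. Drop the suffix: `certificateArn: ${ssm:/ssl_certificate_arn}`. Separately, the new `customDomain` block leaves the API Gateway domain's minimum TLS version to the plugin default; adding `securityPolicy: tls_1_2` makes that floor explicit and reviewable. The enclosing `custom:` block starts outside the hunk.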