diff --git a/infrastructure/terraform/README.md b/infrastructure/terraform/README.md index be36fe44..136d873a 100644 --- a/infrastructure/terraform/README.md +++ b/infrastructure/terraform/README.md 
@@ -68,6 +68,53 @@ terraform workspace select prod Remember to update your variables file accordingly when planning and applying changes (`-var-file=prod.tfvars` for production, for example). +# Deployment with Github actions + +Deployment has been automated with github actions. In order to trigger a new deployment, simply make a pull request to either the `dev` or `prod` branches, depending on the deployment you wish to trigger. Then, once that pull request is merge, it will trigger a workflow in Github actions which will perform the deployment steps, as described above. + +# AWS Route 53 and SSL Certificate Creation + +This document provides an explanation of the Terraform script used to create AWS Route 53 resources and an SSL certificate. + +## Code Explanation + +The code can be found in the route53 module in `modules/route53/main.tf` + +- First, an AWS Route 53 hosted zone is created for your domain with the aws_route53_zone resource. + +- Next, the aws_acm_certificate resource requests a wildcard SSL certificate for your domain. This certificate will secure your domain and all its subdomains. The validation_method is set to DNS, which means that Amazon will verify that you own the domain by checking DNS records. + +- After requesting the certificate, we use the aws_route53_record resource to create a DNS validation record in our Route 53 hosted zone. This record is used by Amazon to verify our ownership of the domain. + +- With the aws_acm_certificate_validation resource, we tell AWS to use our validation DNS record to validate the certificate. + +- An AWS Route 53 CAA record is also created with the aws_route53_record resource. This record specifies that Amazon is authorized to issue certificates for our domain. + +- Finally, the ARN of the certificate is stored in AWS SSM Parameter Store using the aws_ssm_parameter resource, so that it can be accessed by other resources. 
+ +## Initial Verification + +The first time you run this script, Amazon will need to verify your ownership of the domain before issuing the certificate. To do this, Amazon will check for the presence of the DNS validation record that was created by the script. + +When using Google Domains, follow these steps to add the validation record: + +Go to the Google Domains website and sign in. +Select your domain. +Open the DNS settings. +In the 'Custom resource records' section, add a new record with the following details: + +- Name: +- Type: CNAME +- TTL: 1H +- Data: + After you've added the record, Amazon will automatically validate your domain once it detects the new DNS record. This process can take a few minutes to several hours, depending on DNS propagation times. + +Note: Please replace the Name and Data values with the ones provided by the script's output. + +### Certificate Renewal + +Amazon will automatically renew managed certificates 60 days before they expire. This means that, once your domain is validated and the certificate is issued, Amazon will handle the renewal of the certificate for you. You will not need to manually renew the certificate or repeat the validation process. + ## Future TODOS - At the moment, the database is publicly accessible. We could add an inbound rule to a security group to restrict access to the ip of the vercel application in prod which would look something like this:
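Review bot: the "Initial Verification" section contradicts the "Code Explanation" section in the same hunk. The module is described as creating the ACM validation record itself (`aws_route53_record` in the Route 53 hosted zone, consumed by `aws_acm_certificate_validation`), yet the verification steps tell the reader to add that CNAME by hand in Google Domains. If Google Domains is still the authoritative DNS for the domain, the record Terraform writes into the hosted zone is never queried and `aws_acm_certificate_validation` will wait until the CNAME exists at Google Domains; if the intent is to delegate the domain to Route 53, the step that belongs here is pointing the domain's NS records at the hosted zone's name servers, after which no manual CNAME is needed. Please state which setup applies and document that one. Smaller points in the same hunk: the `- Name:` and `- Data:` items are empty and the sentence starting "After you've added the record" is indented into the list item, so the Markdown renders as a blank list followed by an indented paragraph; "once that pull request is merge" should read "merged" (and "Github" is spelled "GitHub"); the deployment section should name the workflow file and say where the AWS credentials it runs with are kept, since merging to `dev` or `prod` is now the deployment trigger. Finally, the "Certificate Renewal" paragraph says validation never has to be repeated; add that ACM can only renew a DNS-validated certificate while the validation CNAME remains published, so that record must not be deleted after issuance.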