prod/keyvault-acmebot.tf: initial import of the acmebot into this framework

I needed to redeploy this, and it seems that the available deployment options have changed sufficiently from our initial setup that I'd need to recreate everything. So that made it a good opportunity to integrate it into the Terraform config.
2024-04-16 12:29:50 -04:00 · 2024-04-16 12:29:50 -04:00 · a45f8bc4bb
--- a/README.md
+++ b/README.md
@ -21,7 +21,6 @@ Directory structure:

 - `prod` expresses much, but not all, of the production WWT environment
 - `dev` expresses a more limited development environment
- `keyvault-acmebot` describes our, well, Keyvault/Acmebot system

 The eventual goal is to merge `dev` and `prod`, and have the distinctions
 entirely subsumed into the `.tfvars` files, but that is unlikely to happen
--- a/keyvault-acmebot/README.md
+++ b/keyvault-acmebot/README.md
@ -1,53 +0,0 @@
-# WWT keyvault-acmebot Subsystem
-
-This file describes how we manage some of our SSL certificates. This
-infrastructure is in fact *not* managed through Terraform, but this is a
-convenient place to document some aspects of it.
-
-
-## Motivation
-
-The problem is that there is no Azure-managed way to set up and renew an HTTPS
-certificate for an Azure Application Gateway frontend, and that's what we use to
-direct our HTTP traffic. Given that, the tempting approach is to use [Let's
-Encrypt][le]. But how?
-
-[le]: https://letsencrypt.org/
-
-
-## Implementation
-
-A project called [keyvault-acmebot][kvab] integrates the protocol that underlies
-[Let's Encrypt][le], [ACME], into an Azure environment, in a way that can be
-integrated with the Azure Application Gateway system.
-
-[kvab]: https://github.com/shibayan/keyvault-acmebot
-[ACME]: https://www.rfc-editor.org/rfc/rfc8555
-
-When we installed this, it wasn't based on Terraform, but there is a [Terraform
-module][tf] now.
-
-[tf]: https://registry.terraform.io/modules/shibayan/keyvault-acmebot/azurerm/latest
-
-
-## Management
-
-[keyvault-acmebot][kvab] actually comes with a nice UI. You can manage the certs
-through:
-
-```
-https://keyvault-acmebot-UUUU.azurewebsites.net/dashboard
-```
-
-where `UUUU` is the unique ID of our instance. You have to login through the
-Azure identity framework so it is not a big deal if people know what `UUUU` is
-for us.
-
-
-## New Certificate
-
-To set up the app to manage a new DNS Zone, it has to have the right role
-assignments, as per [the wiki][1]. Might also need to reconfigure and/or restart
-the function app host to get it to see a new zone.
-
-[1] https://github.com/shibayan/keyvault-acmebot/wiki/DNS-Provider-Configuration#azure-dns
--- a/prod/keyvault-acmebot.tf
+++ b/prod/keyvault-acmebot.tf
@ -0,0 +1,67 @@
+# Keyvault-acmebot Subsystem - managing SSL certificates
+#
+# The problem is that there is no Azure-managed way to set up and renew an HTTPS
+# certificate for an Azure Application Gateway frontend, and that's what we use
+# to direct our HTTP traffic. Given that, the tempting approach is to use [Let's
+# Encrypt][le]. But how?
+#
+# [le]: https://letsencrypt.org/
+#
+#
+# ## Implementation
+#
+# A project called [keyvault-acmebot][kvab] integrates the protocol that
+# underlies [Let's Encrypt][le], [ACME], into an Azure environment, in a way
+# that can be integrated with the Azure Application Gateway system.
+#
+# [kvab]: https://github.com/shibayan/keyvault-acmebot [ACME]:
+# https://www.rfc-editor.org/rfc/rfc8555
+#
+# When we first installed this, it wasn't based on Terraform, but we've switch
+# to a Terraform module now.
+#
+#
+# ## Management
+#
+# [keyvault-acmebot][kvab] actually comes with a nice UI. You can manage the
+# certs through:
+#
+# ```
+# https://func-wwtprod-kvacmebot.azurewebsites.net/dashboard
+# ```
+#
+# (You have to login through the Azure identity framework so it is not a big
+# deal if people know this URL.)
+#
+#
+# ## New Certificate
+#
+# To set up the app to manage a new DNS Zone, it has to have the right role
+# assignments, as per [the wiki][1]. Might also need to reconfigure and/or
+# restart the function app host to get it to see a new zone.
+#
+# [1]: https://github.com/shibayan/keyvault-acmebot/wiki/DNS-Provider-Configuration#azure-dns
+
+module "keyvault_acmebot" {
+  source  = "shibayan/keyvault-acmebot/azurerm"
+  version = "~> 3.0"
+
+  app_base_name       = "${var.prefix}-kvacmebot"
+  resource_group_name = azurerm_resource_group.kvacmebot.name
+  location            = var.location
+  mail_address        = "wwt@aas.org"
+  vault_uri           = "https://wwtssl.vault.azure.net/"
+
+  azure_dns = {
+    subscription_id = data.azurerm_client_config.current.subscription_id
+  }
+}
+
+resource "azurerm_resource_group" "kvacmebot" {
+  name     = "${var.prefix}-kvacmebot"
+  location = var.location
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}