prod/keyvault-acmebot.tf: initial import of the acmebot into this framework

I needed to redeploy this, and it seems that the available deployment options have changed
sufficiently from our initial setup that I'd need to recreate everything. So that made it
a good opportunity to integrate it into the Terraform config.
Peter Williams 2024-04-16 12:29:50 -04:00
Parent 69e1e7a6c4
Commit a45f8bc4bb
3 changed files: 67 additions and 54 deletions
@ -21,7 +21,6 @@ Directory structure:
- `prod` expresses much, but not all, of the production WWT environment
- `dev` expresses a more limited development environment
- `keyvault-acmebot` describes our, well, Keyvault/Acmebot system
The eventual goal is to merge `dev` and `prod`, and have the distinctions
entirely subsumed into the `.tfvars` files, but that is unlikely to happen
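Review bot: dropping the `keyvault-acmebot` entry from the directory listing leaves no pointer to where the subsystem now lives; consider noting on the `prod` line that it includes `prod/keyvault-acmebot.tf`, so the README still leads a reader to the certificate-management config and the comment header that documents it.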
@ -1,53 +0,0 @@
# WWT keyvault-acmebot Subsystem
This file describes how we manage some of our SSL certificates. This
infrastructure is in fact *not* managed through Terraform, but this is a
convenient place to document some aspects of it.
## Motivation
The problem is that there is no Azure-managed way to set up and renew an HTTPS
certificate for an Azure Application Gateway frontend, and that's what we use to
direct our HTTP traffic. Given that, the tempting approach is to use [Let's
Encrypt][le]. But how?
[le]: https://letsencrypt.org/
## Implementation
A project called [keyvault-acmebot][kvab] integrates the protocol that underlies
[Let's Encrypt][le], [ACME], into an Azure environment, in a way that can be
integrated with the Azure Application Gateway system.
[kvab]: https://github.com/shibayan/keyvault-acmebot
[ACME]: https://www.rfc-editor.org/rfc/rfc8555
When we installed this, it wasn't based on Terraform, but there is a [Terraform
module][tf] now.
[tf]: https://registry.terraform.io/modules/shibayan/keyvault-acmebot/azurerm/latest
## Management
[keyvault-acmebot][kvab] actually comes with a nice UI. You can manage the certs
through:
```
https://keyvault-acmebot-UUUU.azurewebsites.net/dashboard
```
where `UUUU` is the unique ID of our instance. You have to login through the
Azure identity framework so it is not a big deal if people know what `UUUU` is
for us.
## New Certificate
To set up the app to manage a new DNS Zone, it has to have the right role
assignments, as per [the wiki][1]. Might also need to reconfigure and/or restart
the function app host to get it to see a new zone.
[1] https://github.com/shibayan/keyvault-acmebot/wiki/DNS-Provider-Configuration#azure-dns
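Review bot: the deletion is consistent with the commit's move into Terraform, and the removed file's statement that this infrastructure is *not* managed through Terraform would otherwise have gone stale; one thing to flag is that the dashboard pattern documented here (`https://keyvault-acmebot-UUUU.azurewebsites.net/dashboard`) does not match the hostname recorded in the replacement file (`https://func-wwtprod-kvacmebot.azurewebsites.net/dashboard`), so any bookmarks or runbooks built from this file need the new URL.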

prod/keyvault-acmebot.tf (normal file, 67 additions)

@ -0,0 +1,67 @@
# Keyvault-acmebot Subsystem - managing SSL certificates
#
# The problem is that there is no Azure-managed way to set up and renew an HTTPS
# certificate for an Azure Application Gateway frontend, and that's what we use
# to direct our HTTP traffic. Given that, the tempting approach is to use [Let's
# Encrypt][le]. But how?
#
# [le]: https://letsencrypt.org/
#
#
# ## Implementation
#
# A project called [keyvault-acmebot][kvab] integrates the protocol that
# underlies [Let's Encrypt][le], [ACME], into an Azure environment, in a way
# that can be integrated with the Azure Application Gateway system.
#
# [kvab]: https://github.com/shibayan/keyvault-acmebot [ACME]:
# https://www.rfc-editor.org/rfc/rfc8555
#
# When we first installed this, it wasn't based on Terraform, but we've switch
# to a Terraform module now.
#
#
# ## Management
#
# [keyvault-acmebot][kvab] actually comes with a nice UI. You can manage the
# certs through:
#
# ```
# https://func-wwtprod-kvacmebot.azurewebsites.net/dashboard
# ```
#
# (You have to login through the Azure identity framework so it is not a big
# deal if people know this URL.)
#
#
# ## New Certificate
#
# To set up the app to manage a new DNS Zone, it has to have the right role
# assignments, as per [the wiki][1]. Might also need to reconfigure and/or
# restart the function app host to get it to see a new zone.
#
# [1]: https://github.com/shibayan/keyvault-acmebot/wiki/DNS-Provider-Configuration#azure-dns
module "keyvault_acmebot" {
source = "shibayan/keyvault-acmebot/azurerm"
version = "~> 3.0"
app_base_name = "${var.prefix}-kvacmebot"
resource_group_name = azurerm_resource_group.kvacmebot.name
location = var.location
mail_address = "wwt@aas.org"
vault_uri = "https://wwtssl.vault.azure.net/"
azure_dns = {
subscription_id = data.azurerm_client_config.current.subscription_id
}
}
resource "azurerm_resource_group" "kvacmebot" {
name = "${var.prefix}-kvacmebot"
location = var.location
lifecycle {
prevent_destroy = true
}
}
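Review bot: the role assignments that the `## New Certificate` comment says the function app needs (on each DNS zone it manages, and implicitly on the vault at `vault_uri = "https://wwtssl.vault.azure.net/"`, which is referenced but not created here) are not expressed as Terraform resources, so that part of the setup stays manual and outside drift detection; either add the corresponding role-assignment resources next to the `module "keyvault_acmebot"` block, or state in the comment header that they are managed outside Terraform. Minor: `we've switch` should read `we've switched`, and the two link definitions squeezed onto one line (`[kvab]: https://github.com/shibayan/keyvault-acmebot [ACME]:`) should each sit on their own line so the references resolve if this header is ever rendered as Markdown.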