prod/keyvault-acmebot.tf: initial import of the acmebot into this framework
I needed to redeploy this, and it seems that the available deployment options have changed sufficiently from our initial setup that I'd need to recreate everything. So that made it a good opportunity to integrate it into the Terraform config.
Parent
69e1e7a6c4
Commit
a45f8bc4bb
@ -21,7 +21,6 @@ Directory structure:
- `prod` expresses much, but not all, of the production WWT environment
- `dev` expresses a more limited development environment
- `keyvault-acmebot` describes our, well, Keyvault/Acmebot system

The eventual goal is to merge `dev` and `prod`, and have the distinctions
entirely subsumed into the `.tfvars` files, but that is unlikely to happen

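Review bot: the `keyvault-acmebot` bullet is dropped from the directory listing, but the `prod` bullet is not updated to say where that subsystem now lives, so after this commit only the commit message records that the acmebot moved into `prod/keyvault-acmebot.tf`. Suggest extending the remaining entry, e.g. `- \`prod\` expresses much, but not all, of the production WWT environment (including the keyvault-acmebot certificate subsystem, see \`prod/keyvault-acmebot.tf\`)`, so a reader of the top-level README can still find it.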
@ -1,53 +0,0 @@
# WWT keyvault-acmebot Subsystem

This file describes how we manage some of our SSL certificates. This
infrastructure is in fact *not* managed through Terraform, but this is a
convenient place to document some aspects of it.


## Motivation

The problem is that there is no Azure-managed way to set up and renew an HTTPS
certificate for an Azure Application Gateway frontend, and that's what we use to
direct our HTTP traffic. Given that, the tempting approach is to use [Let's
Encrypt][le]. But how?

[le]: https://letsencrypt.org/


## Implementation

A project called [keyvault-acmebot][kvab] integrates the protocol that underlies
[Let's Encrypt][le], [ACME], into an Azure environment, in a way that can be
integrated with the Azure Application Gateway system.

[kvab]: https://github.com/shibayan/keyvault-acmebot
[ACME]: https://www.rfc-editor.org/rfc/rfc8555

When we installed this, it wasn't based on Terraform, but there is a [Terraform
module][tf] now.

[tf]: https://registry.terraform.io/modules/shibayan/keyvault-acmebot/azurerm/latest


## Management

[keyvault-acmebot][kvab] actually comes with a nice UI. You can manage the certs
through:

```
https://keyvault-acmebot-UUUU.azurewebsites.net/dashboard
```

where `UUUU` is the unique ID of our instance. You have to login through the
Azure identity framework so it is not a big deal if people know what `UUUU` is
for us.


## New Certificate

To set up the app to manage a new DNS Zone, it has to have the right role
assignments, as per [the wiki][1]. Might also need to reconfigure and/or restart
the function app host to get it to see a new zone.

[1] https://github.com/shibayan/keyvault-acmebot/wiki/DNS-Provider-Configuration#azure-dns
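Review bot: deleting this README also deletes the only statement that the acmebot was deployed out of band ("in fact *not* managed through Terraform"), which is the situation the commit message says forced a full re-creation; one sentence of that history in the replacement file's header would tell the next maintainer that the Terraform module is a fresh deployment, not an import of the previous instance, and that the old instance (and its ACME account and Key Vault access) may still exist and want cleaning up. Minor: the last line's wiki reference `[1] https://...` was missing the colon that makes it a Markdown reference definition, so it never rendered as a link; the replacement writes it as `[1]:`, which is correct.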
@ -0,0 +1,67 @@
# Keyvault-acmebot Subsystem - managing SSL certificates
#
# The problem is that there is no Azure-managed way to set up and renew an HTTPS
# certificate for an Azure Application Gateway frontend, and that's what we use
# to direct our HTTP traffic. Given that, the tempting approach is to use [Let's
# Encrypt][le]. But how?
#
# [le]: https://letsencrypt.org/
#
#
# ## Implementation
#
# A project called [keyvault-acmebot][kvab] integrates the protocol that
# underlies [Let's Encrypt][le], [ACME], into an Azure environment, in a way
# that can be integrated with the Azure Application Gateway system.
#
# [kvab]: https://github.com/shibayan/keyvault-acmebot [ACME]:
# https://www.rfc-editor.org/rfc/rfc8555
#
# When we first installed this, it wasn't based on Terraform, but we've switch
# to a Terraform module now.
#
#
# ## Management
#
# [keyvault-acmebot][kvab] actually comes with a nice UI. You can manage the
# certs through:
#
# ```
# https://func-wwtprod-kvacmebot.azurewebsites.net/dashboard
# ```
#
# (You have to login through the Azure identity framework so it is not a big
# deal if people know this URL.)
#
#
# ## New Certificate
#
# To set up the app to manage a new DNS Zone, it has to have the right role
# assignments, as per [the wiki][1]. Might also need to reconfigure and/or
# restart the function app host to get it to see a new zone.
#
# [1]: https://github.com/shibayan/keyvault-acmebot/wiki/DNS-Provider-Configuration#azure-dns

module "keyvault_acmebot" {
source = "shibayan/keyvault-acmebot/azurerm"
version = "~> 3.0"

app_base_name = "${var.prefix}-kvacmebot"
resource_group_name = azurerm_resource_group.kvacmebot.name
location = var.location
mail_address = "wwt@aas.org"
vault_uri = "https://wwtssl.vault.azure.net/"

azure_dns = {
subscription_id = data.azurerm_client_config.current.subscription_id
}
}

resource "azurerm_resource_group" "kvacmebot" {
name = "${var.prefix}-kvacmebot"
location = var.location

lifecycle {
prevent_destroy = true
}
}
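Review bot: the header comment says a new DNS zone needs "the right role assignments, as per [the wiki][1]", but nothing in the `module "keyvault_acmebot"` block grants them, and the Key Vault is referenced only as the literal `vault_uri = "https://wwtssl.vault.azure.net/"` rather than through an `azurerm_key_vault` resource or data source, so neither the zone permissions nor the vault permissions for the function app's identity are expressed here and `terraform apply` alone will not yield a working deployment. Consider adding `azurerm_role_assignment` resources scoped to each DNS zone and to the vault, taking the principal from the module's outputs (assumption: the module exposes the function app identity; check the module's documented outputs), so that onboarding a zone is a config change rather than a portal step; a `data "azurerm_key_vault"` lookup would also let Terraform fail early if the vault does not exist. Two nits in the comment block: `we've switch` should read `we've switched`, and the `[ACME]:` reference definition has been wrapped onto the `[kvab]:` line, so it no longer parses as a reference if the header is ever rendered as Markdown. The `prevent_destroy` lifecycle rule on the resource group is a sensible guard, since the deleted README's `UUUU` placeholder has become the concrete hostname `func-wwtprod-kvacmebot.azurewebsites.net`, tying the dashboard to this specific resource group.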