add raw DNS entries for non-CDN access to the site

Signed-off-by: Jakub Sokołowski <jakub@status.im>
2025-02-20 16:18:56 +00:00 · 2019-12-13 00:00:45 +01:00 · 2019-12-13 00:00:45 +01:00 · f96c98643c
commit f96c98643c
parent 315eb38f26
4 changed files with 27 additions and 10 deletions
--- a/README.md
+++ b/README.md
@ -4,8 +4,10 @@ This repo configures infrastructure for the https://dap.ps/ service.

 The service is split into two stages:

-* __`prod`__ - https://prod.dap.sp/
-* __`dev`__ - https://dev.dap.ps/
+| Stage | With CDN | Without CDN |
+|-|-|-|
+| __`prod`__ | https://prod.dap.sp/ | https://raw.prod.dap.sp/ |
+| __`dev`__  | https://dev.dap.ps/  | https://raw.dev.dap.sp/ |

 The `prod` environment is `CNAME`ed to `dap.ps` domain.

@ -18,6 +20,7 @@ The infrastructure is hosted on AWS and consists of 5 main elements:
 * [__EC2__](https://aws.amazon.com/ec2/) - [MongoDB](https://www.mongodb.com/) cluster
 * [__S3__](https://aws.amazon.com/s3/) - [MongoDB](https://www.mongodb.com/) backups & [Terraform](https://www.terraform.io/) state
 * [__SES__](https://aws.amazon.com/ses/) - Mail forwarding
+* [__CF__](https://aws.amazon.com/cloudfront/) - CDN

 All the AWS parts are provisioned and managed with [Terraform](https://www.terraform.io/) and the MongoDB cluster configured with [Ansible](https://www.ansible.com/).

@ -35,7 +38,6 @@ And then configure the MongoDB hosts using ansible:
 ansible-playbook ansible/dev.yml
 ansible-playbook ansible/prod.yml
 ```
-
 # Known Issues

 * The ElasticBeanstalk environments can fail when being recreated
--- a/dev.tf
+++ b/dev.tf
@ -33,6 +33,7 @@ module "dev_cert" {
  source  = "./modules/aws-acm-cert"
  stage   = "dev"
  domain  = "dap.ps"
+  sans    = ["dap.ps", "raw.dev.dap.ps"]
  zone_id = gandi_zone.dap_ps_zone.id
 }

@ -97,3 +98,12 @@ resource "gandi_zonerecord" "dev_dns" {
  ttl    = 3600
  values = ["${module.dev_cdn.cf_domain_name}."]
 }
+
+/* raw subdomain for access without CDN */
+resource "gandi_zonerecord" "dev_dns_raw" {
+  zone   = gandi_zone.dap_ps_zone.id
+  name   = "raw.dev"
+  type   = "CNAME"
+  ttl    = 3600
+  values = [for elb in module.dev_env.elb_fqdns: "${elb}."]
+}
--- a/modules/aws-acm-cert/main.tf
+++ b/modules/aws-acm-cert/main.tf
@ -1,11 +1,7 @@
-locals {
-  cert_sans = [var.domain]
-}
-
 resource "aws_acm_certificate" "main" {
  domain_name = "${var.stage}.${var.domain}"

-  subject_alternative_names = local.cert_sans
+  subject_alternative_names = sort(var.sans)
  validation_method         = "DNS"

  tags = {
@ -19,7 +15,7 @@ resource "gandi_zonerecord" "cert_verification" {
  type   = aws_acm_certificate.main.domain_validation_options[count.index].resource_record_type
  ttl    = 300
  values = [aws_acm_certificate.main.domain_validation_options[count.index].resource_record_value]
-  count  = length(local.cert_sans)+1
+  count  = length(var.sans)+1
 }

 resource "aws_acm_certificate_validation" "main" {
--- a/prod.tf
+++ b/prod.tf
@ -37,7 +37,7 @@ module "prod_cert" {
  source  = "./modules/aws-acm-cert"
  stage   = "prod"
  domain  = "dap.ps"
-  sans    = ["dap.ps"]
+  sans    = ["dap.ps", "raw.prod.dap.ps"]
  zone_id = gandi_zone.dap_ps_zone.id
 }

@ -104,6 +104,15 @@ resource "gandi_zonerecord" "prod_dns" {
  values = ["${module.prod_cdn.cf_domain_name}."]
 }

+/* raw subdomain for access without CDN */
+resource "gandi_zonerecord" "prod_dns_raw" {
+  zone   = gandi_zone.dap_ps_zone.id
+  name   = "raw.prod"
+  type   = "CNAME"
+  ttl    = 3600
+  values = [for elb in module.prod_env.elb_fqdns: "${elb}."]
+}
+
 /* Apex DNS records cannot be CNAMEs */
 data "dns_a_record_set" "prod_cdn" {
  host  = module.prod_cdn.cf_domain_name