Merge pull request #84 from abetterinternet/timg/terraform-dns-for-ma…

…nifest-domain

terraform: Google Cloud DNS for manifest domain

terraform/main.tf

@@ -38,6 +38,10 @@ variable "manifest_domain" {
   description = "Domain (plus optional relative path) to which this environment's global and specific manifests should be uploaded."
 }
 
+variable "managed_dns_zone" {
+  type = map(string)
+}
+
 variable "peer_share_processor_manifest_domain" {
   type = string
 }
@@ -92,7 +96,7 @@ module "manifest" {
   source                                = "./modules/manifest"
   environment                           = var.environment
   gcp_region                            = var.gcp_region
-  domain                                = var.manifest_domain
+  managed_dns_zone                      = var.managed_dns_zone
   sum_part_bucket_service_account_email = google_service_account.sum_part_bucket_writer.email
 }
 

terraform/modules/manifest/manifest.tf

@@ -6,8 +6,8 @@ variable "gcp_region" {
   type = string
 }
 
-variable "domain" {
-  type = string
+variable "managed_dns_zone" {
+  type = map(string)
 }
 
 variable "sum_part_bucket_service_account_email" {
@@ -63,20 +63,41 @@ resource "google_storage_bucket_object" "global_manifest" {
   })
 }
 
+locals {
+  domain_name = "${var.environment}.${data.google_dns_managed_zone.manifests.dns_name}"
+}
+
 # Now we configure an external HTTPS load balancer backed by the bucket.
 resource "google_compute_managed_ssl_certificate" "manifests" {
   provider = google-beta
   name     = "prio-${var.environment}-manifests"
   managed {
-    domains = [var.domain]
+    domains = [local.domain_name]
   }
 }
 
+# We expect a managed DNS zone in which we can create subdomains for a given
+# env's manifest endpoint to already exist, outside of this Terraform module.
+data "google_dns_managed_zone" "manifests" {
+  provider = google-beta
+  name     = var.managed_dns_zone.name
+  # The managed zone is not necessarily in the same GCP project as this env, so
+  # we pass the project all the way from tfvars to here.
+  project = var.managed_dns_zone.gcp_project
+}
+
+# Create an A record from which this env's manifests will be served.
+resource "google_dns_record_set" "manifests" {
+  provider     = google-beta
+  name         = local.domain_name
+  managed_zone = data.google_dns_managed_zone.manifests.name
+  type         = "A"
+  ttl          = 300
+  rrdatas      = [google_compute_global_address.manifests.address]
+}
+
 # Reserve an external IP address for the load balancer.
 # https://cloud.google.com/cdn/docs/setting-up-cdn-with-bucket#ip-address
-# TODO(timg): we should have Terraform configure DNS for the manifest domain so
-# we can point it at this IP address, without which the managed certificate will
-# not work.
 resource "google_compute_global_address" "manifests" {
   provider = google-beta
   name     = "prio-${var.environment}-manifests"

terraform/variables/demo-gcp.tfvars

@@ -4,10 +4,13 @@ gcp_project                = "prio-bringup-290620"
 machine_type               = "e2-small"
 peer_share_processor_names = ["test-pha-1", "test-pha-2"]
 aws_region                 = "us-west-1"
-# Graciously donated by jrenken
-manifest_domain = "portcull.is"
+manifest_domain            = "isrg-prio.org"
+managed_dns_zone = {
+  name        = "manifests"
+  gcp_project = "prio-bringup-290620"
+}
 ingestors = {
-  ingestor-1 = "portcull.is/ingestor-1"
-  ingestor-2 = "portcull.is/ingestor-2"
+  ingestor-1 = "storage.googleapis.com/prio-demo-gcp-manifests/ingestor-1"
+  ingestor-2 = "storage.googleapis.com/prio-demo-gcp-manifests/ingestor-2"
 }
-peer_share_processor_manifest_domain = "portcull.is/pha-servers"
+peer_share_processor_manifest_domain = "storage.googleapis.com/prio-demo-gcp-manifests/pha-servers"