WIP prototyping access to the clones over SSL

Author: dcassanego

api_ssl_endpoint.tf

@@ -9,7 +9,7 @@
 
 # Create the Load Balancer for only the main DLE API
 resource "aws_lb" "dle_api_lb" {
-  name               = "dle-api-lb"
+  name               = "dle-api-lb-${var.dns_api_subdomain}"
   load_balancer_type = "application"
   security_groups    = [aws_security_group.dle_api_sg.id]
 

clones_dns.tf

@@ -0,0 +1,13 @@
+resource "aws_route53_record" "dblab_clones_subdomain" {
+  name = "${var.dns_api_subdomain}-engine"
+  type = "CNAME"
+
+  # TODO -- Allocate an Elastic IP address for the instance rather than using the
+  #         default assigned public DNS which can rotate
+  records = [
+    aws_instance.aws_ec2.public_dns
+  ]
+
+  zone_id = data.aws_route53_zone.dblab_zone.zone_id
+  ttl     = "60"
+}

dle-logical-init.sh.tpl

@@ -2,7 +2,7 @@
 
 set -x
 
-disks=(${dle_disks}) 
+disks=(${dle_disks})
 for i in $${!disks[@]}; do
   sudo zpool create -f \
   -O compression=on \
@@ -11,10 +11,10 @@ for i in $${!disks[@]}; do
   -O logbias=throughput \
   -m /var/lib/dblab/dblab_pool_0$i\
   dblab_pool_0$i \
-  $${disks[$i]} 
+  $${disks[$i]}
 done
 
-mkdir ~/.dblab 
+mkdir ~/.dblab
 cp /home/ubuntu/.dblab/config.example.logical_generic.yml ~/.dblab/server.yml
 sed -ri "s/^(\s*)(debug:.*$)/\1debug: ${dle_debug}/" ~/.dblab/server.yml
 sed -ri "s/^(\s*)(timetable:.*$)/\1timetable: \"${dle_timetable}\"/" ~/.dblab/server.yml
@@ -47,6 +47,36 @@ for i in {1..300}; do
   sleep 1
 done
 
+### Setup cert for SSH login
+sudo snap install --classic certbot
+sudo ln -s /snap/bin/certbot /usr/bin/certbot
+sudo certbot certonly --standalone -d ${var.dns_api_subdomain}-engine
+
+####################################################################
+## This file should be written to:
+## /etc/letsencrypt/renewal-hooks/deploy/postgresql.deploy
+####################################################################
+# #!/bin/bash
+# umask 0177
+# export DOMAIN=example.com
+# export DATA_DIR=/var/lib/pgsql/data
+# cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem $DATA_DIR/server.crt
+# cp /etc/letsencrypt/live/$DOMAIN/privkey.pem   $DATA_DIR/server.key
+# chown postgres:postgres  $DATA_DIR/server.crt $DATA_DIR/server.key
+
+# Then make the above file executable so that certbot copies over new certs
+# sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/postgresql.deploy
+
+## change postgresql.conf to have:
+# # - SSL -
+# ssl = on
+# ssl_cert_file = 'server.crt'
+# ssl_key_file = 'server.key'
+# ssl_prefer_server_ciphers = on
+
+## change pg_hba.conf to have:
+# hostssl    all    all    0.0.0.0/0    md5
+
 dblab init \
  --environment-id=tutorial \
  --url=http://localhost:2345 \

security.tf

@@ -39,6 +39,24 @@ resource "aws_security_group_rule" "dle_instance_api" {
   source_security_group_id  = aws_security_group.dle_api_sg.id
 }
 
+resource "aws_security_group_rule" "dle_instance_http_cert_auth" {
+  security_group_id         = aws_security_group.dle_instance_sg.id
+  type                      = "ingress"
+  from_port                 = 80
+  to_port                   = 80
+  protocol                  = "tcp"
+  cidr_blocks               = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "dle_instance_clones" {
+  security_group_id = aws_security_group.dle_instance_sg.id
+  type              = "ingress"
+  from_port         = 6000
+  to_port           = 6999
+  protocol          = "tcp"
+  cidr_blocks       = "${var.allow_ssh_from_cidrs}"
+}
+
 resource "aws_security_group_rule" "dle_instance_egress" {
   security_group_id = aws_security_group.dle_instance_sg.id
   type              = "egress"