fix(stacks.maintenance-site): ensure certificate is created in us-eas…

…t-1 region Signed-off-by: Braden Mars <[email protected]>
CrisisCleanup · Jun 19, 2024 · 8f91dc1 · 8f91dc1
1 parent e21455d
commit 8f91dc1
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 4 deletions.
diff --git a/.github/workflows/deploy-au-offline-site.yml b/.github/workflows/deploy-au-offline-site.yml
@@ -103,6 +103,9 @@ jobs:
       asset-hash3: ${{steps.publish.outputs.asset-hash3}}
       asset-hash4: ${{steps.publish.outputs.asset-hash4}}
       asset-hash5: ${{steps.publish.outputs.asset-hash5}}
+      asset-hash6: ${{steps.publish.outputs.asset-hash6}}
+      asset-hash7: ${{steps.publish.outputs.asset-hash7}}
+      asset-hash8: ${{steps.publish.outputs.asset-hash8}}
     runs-on: ${{inputs.runner || 'ubuntu-latest'}}
     needs:
       - Build-deploy-au-offline-site-synth
@@ -141,16 +144,58 @@ jobs:
       - name: Publish
         id: publish
         run: >-
-          targets="./cdk.out/publish-Assets-FileAsset1-step.sh,./cdk.out/publish-Assets-FileAsset2-step.sh,./cdk.out/publish-Assets-FileAsset3-step.sh,./cdk.out/publish-Assets-FileAsset4-step.sh,./cdk.out/publish-Assets-FileAsset5-step.sh"
+          targets="./cdk.out/publish-Assets-FileAsset1-step.sh,./cdk.out/publish-Assets-FileAsset2-step.sh,./cdk.out/publish-Assets-FileAsset3-step.sh,./cdk.out/publish-Assets-FileAsset4-step.sh,./cdk.out/publish-Assets-FileAsset5-step.sh,./cdk.out/publish-Assets-FileAsset6-step.sh,./cdk.out/publish-Assets-FileAsset7-step.sh,./cdk.out/publish-Assets-FileAsset8-step.sh"
 
           echo -n "$targets" | xargs -r -d',' -t -n1 -P2 /bin/bash
+  production-au-auofflinesiteauofflinesitezonestack-eaac685-e-deploy:
+    name: Deploy productionauauofflinesiteauofflinesitezonestackDB775D5A
+    permissions:
+      contents: read
+      id-token: write
+    needs:
+      - Build-deploy-au-offline-site-synth
+      - publish
+    runs-on: ${{inputs.runner || 'ubuntu-latest'}}
+    steps:
+      - name: Mask values
+        run: |-
+          echo ::add-mask::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}
+          echo ::add-mask::${{secrets.AWS_ACCOUNT_ID_PRODUCTION_AU}}
+      - name: Authenticate Via OIDC Role
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          aws-region: us-east-1
+          role-duration-seconds: 1800
+          role-skip-session-tagging: true
+          role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GitHubActionRole
+          role-session-name: deploy-au-offline-site
+      - name: Assume CDK Deploy Role
+        uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          aws-region: us-east-1
+          role-duration-seconds: 1800
+          role-skip-session-tagging: true
+          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
+          role-to-assume: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_PRODUCTION_AU}}:role/cdk-hnb659fds-deploy-role-${{secrets.AWS_ACCOUNT_ID_PRODUCTION_AU}}-us-east-1
+          role-external-id: Pipeline
+      - id: Deploy
+        uses: aws-actions/[email protected]
+        with:
+          name: production-au-auofflinesiteauofflinesitezonestackEAAC685E
+          template: https://cdk-hnb659fds-assets-${{secrets.AWS_ACCOUNT_ID_PRODUCTION_AU}}-us-east-1.s3.us-east-1.amazonaws.com/${{
+            needs.publish.outputs.asset-hash1 }}.json
+          no-fail-on-empty-changeset: "1"
+          role-arn: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_PRODUCTION_AU}}:role/cdk-hnb659fds-cfn-exec-role-${{secrets.AWS_ACCOUNT_ID_PRODUCTION_AU}}-us-east-1
   production-au-au-offline-site-deploy:
     name: Deploy productionauauofflinesiteDEEFF1C4
     permissions:
       contents: read
       id-token: write
     needs:
       - Build-deploy-au-offline-site-synth
+      - production-au-auofflinesiteauofflinesitezonestackEAAC685E-Deploy
       - publish
     runs-on: ${{inputs.runner || 'ubuntu-latest'}}
     steps:
@@ -182,7 +227,7 @@ jobs:
         with:
           name: au-offline-site
           template: https://cdk-hnb659fds-assets-${{secrets.AWS_ACCOUNT_ID_PRODUCTION_AU}}-ap-southeast-2.s3.ap-southeast-2.amazonaws.com/${{
-            needs.publish.outputs.asset-hash1 }}.json
+            needs.publish.outputs.asset-hash3 }}.json
           no-fail-on-empty-changeset: "1"
           role-arn: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_PRODUCTION_AU}}:role/cdk-hnb659fds-cfn-exec-role-${{secrets.AWS_ACCOUNT_ID_PRODUCTION_AU}}-ap-southeast-2
 concurrency:

diff --git a/packages/stacks/maintenance-site/src/maintenance-site.ts b/packages/stacks/maintenance-site/src/maintenance-site.ts
@@ -33,16 +33,31 @@ export class MaintenanceSite extends Stack {
 		props: MaintenanceSiteProps,
 		stackProps?: StackProps,
 	) {
-		super(scope, id, stackProps)
+		const { crossRegionReferences = true, ...restStackProps } = stackProps ?? {}
+		super(scope, id, {
+			...restStackProps,
+			crossRegionReferences,
+		})
 		this.domainName = props.domainName ?? 'crisiscleanup.org'
 		const cnameRecord = `maintenance.${this.domainName}`
 
+		// Cloudfront requires ACM certificates to be in us-east-1 (ACM isn't global like cloudfront is).
+		// eslint-disable-next-line @typescript-eslint/no-this-alias
+		let certStack: Stack = this
+		if (this.region !== 'us-east-1') {
+			certStack = new Stack(this, id + '-zone-stack', {
+				description: `Zone Stack for maintenance site`,
+				crossRegionReferences: true,
+				env: { account: this.account, region: 'us-east-1' },
+			})
+		}
+
 		if (stackProps?.env) {
 			this.zone = route53.HostedZone.fromLookup(this, id + '-hosted-zone', {
 				domainName: this.domainName,
 			})
 
-			this.certificate = new acm.Certificate(this, id + '-certificate', {
+			this.certificate = new acm.Certificate(certStack, id + '-certificate', {
 				domainName: this.domainName,
 				validation: acm.CertificateValidation.fromDns(this.zone),
 				subjectAlternativeNames: [cnameRecord],