Merge pull request #19 from gabrielmiller/add-tls-check

Add tls check command
gabrielmiller · Jul 4, 2024 · 2587b82 · 2587b82
2 parents f682d3a + e9da04b
commit 2587b82
Show file tree

Hide file tree

Showing 7 changed files with 113 additions and 75 deletions.
diff --git a/blog.sh b/blog.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 
 GBLOG_ENVIRONMENT="staging"
+GBLOG_SUBDOMAIN="apex"
 SKIP_BACKEND=false
 SKIP_FRONTEND=false
 OPTIMIZED_IMAGE_SIZE=1920
@@ -32,6 +33,13 @@ albumfiletypes=(
   ["png"]="image/png"
 )
 
+declare -A subdomains
+subdomains=(
+  ["apex"]=""
+  ["api"]="api"
+  ["www"]="www"
+)
+
 validate_aws_dependency() {
   if ! command -v aws &> /dev/null
   then
@@ -175,6 +183,30 @@ redeploy_index() {
   cd ..
 }
 
+check_tls_certificate_for_subdomain() {
+  echo "Which subdomain should be checked? (default: apex)"
+  read GBLOG_SUBDOMAIN
+
+  if [[ "${subdomains[@]}" =~ "$GBLOG_SUBDOMAIN" ]] ; then
+    MATCH=1
+  fi
+
+  if [ "$MATCH" != 1 ]
+  then
+    echo "ERROR: Provided subdomain '$GBLOG_SUBDOMAIN' is not valid."
+    exit 1
+  fi
+
+  if [ "$GBLOG_SUBDOMAIN" = "" ]
+  then
+    DOMAIN="$APEX_DOMAIN"
+  else
+    DOMAIN="$GBLOG_SUBDOMAIN.$APEX_DOMAIN"
+  fi
+  echo "The TLS certificate for $DOMAIN says the following:"
+  openssl s_client -servername "$DOMAIN" -connect "$DOMAIN":443 | openssl x509 -noout -dates
+}
+
 deploy_album() {
   cd albums
 
@@ -232,7 +264,7 @@ deploy_albums() {
 }
 
 deploy_backend() {
-  npm run deploy -w album-backend -- --stage "$GBLOG_ENVIRONMENT"
+  npm run deploy -w album-backend -- --stage "$AWS_PROFILE"
 }
 
 traverse_and_upload_frontend_files() {
@@ -310,7 +342,7 @@ shipit() {
 generate_tls_certificate() {
   cd dns
   initialize_environment
-  sudo -E certbot certonly -d "$APEX_DOMAIN" -d "$WILDCARD_DOMAIN" --email "$EMAIL" --dns-cloudflare --agree-tos --preferred-challenges dns --non-interactive --dns-cloudflare-credentials cloudflare.ini --dns-cloudflare-propagation-seconds 30
+  sudo -E certbot certonly -d "$APEX_DOMAIN_ORIGIN" -d "$WILDCARD_DOMAIN" --email "$EMAIL" --dns-cloudflare --agree-tos --preferred-challenges dns --non-interactive --dns-cloudflare-credentials cloudflare.ini --dns-cloudflare-propagation-seconds 30
   # --force-renewal if doing this off of the usual schedule
   cd ..
 }
@@ -440,8 +472,9 @@ Do the blog thing.
           5. authenticate with aws
           6. generate a tls certificate
           7. plant the tls certificate in acm
-          8. deploy all albums
-          9. update index for an individual album
+          8. check subdomain tls certificate expiration date
+          9. deploy all albums
+          10. update index for an individual album
 
     -t, --title
         Title of album to deploy.
@@ -621,15 +654,21 @@ case "$GBLOG_OPERATION" in
    echo "[$(date +%T)] Certificate planted in acm."
    exit 0
    ;;
- 8) # deploy all albums
+ 8) # check subdomain tls expiration date
+   echo "[$(date +%T)] validating tls certificate expiration date..."
+   check_tls_certificate_for_subdomain
+
+   exit 0
+   ;;
+ 9) # deploy all albums
    validate_aws_dependency
    echo "[$(date +%T)] Starting $GBLOG_ENVIRONMENT album deployment."
    validate_album_filetypes
    deploy_albums
    echo "[$(date +%T)] album deploy complete."
    exit 0
    ;;
- 9) # update index for an individual album
+ 10) # update index for an individual album
    if [ "$GBLOG_ALBUM_TITLE" = "" ]
    then
     echo "ERROR: You must specify a title."

diff --git a/infra/README.md b/infra/README.md
@@ -19,17 +19,23 @@ region = us-east-2
 sso_start_url = <redacted>
 sso_region = us-east-2
 
-[profile staging]
+[profile personal-staging]
 sso_session = gabe
 sso_account_id = <redacted>
 sso_role_name = AdministratorAccess
+sso_start_url = <redacted>
+sso_region = us-east-2
 
-[profile production]
+[profile personal-production]
 sso_session = gabe
 sso_account_id = <redacted>
 sso_role_name = AdministratorAccess
+sso_start_url = <redacted>
+sso_region = us-east-2
 ```
 
+_The redundant regions and start_url on the profiles appear to be necessary, but I'm not sure why_.
+
 # Initial setup for each environment
 
 1. Create the resources in question
@@ -61,4 +67,4 @@ terraform -chdir=./production import -var-file=./variables.tfvars 'module.acm_ce
 ```
 terraform -chdir=./production plan -var-file=./variables.tfvars -out changes
 terraform -chdir=./production apply changes
-```
+```
diff --git a/infra/modules/local_env_file/main.tf b/infra/modules/local_env_file/main.tf
@@ -2,11 +2,11 @@ resource "local_file" "environment" {
   content = <<-ENVFILE
   ALBUM_BUCKET="${var.album_bucket_name}"
   ALBUM_BUCKET_REGION="${var.album_bucket_region}"
-  APEX_BUCKET_NAME="${var.apex_bucket_name}"
-  APEX_DOMAIN="https://${var.apex_domain}"
+  APEX_DOMAIN="${var.apex_domain}"
+  APEX_DOMAIN_ORIGIN="https://${var.apex_domain}"
   AWS_PROFILE="${var.aws_profile}"
   CLOUDFRONT_CACHE_MAX_AGE="${var.cloudfront_cache_max_age}"
   ENVFILE
 
   filename = "../../.env.${var.environment_name}"
-}
+}
diff --git a/infra/modules/local_env_file/variables.tf b/infra/modules/local_env_file/variables.tf
@@ -1,27 +1,23 @@
 variable "album_bucket_name" {
-    type = string
-}
-
-variable "apex_domain" {
-    type = string
+  type = string
 }
 
 variable "album_bucket_region" {
-    type = string
+  type = string
 }
 
-variable "apex_bucket_name" {
-    type = string
+variable "apex_domain" {
+  type = string
 }
 
 variable "aws_profile" {
-    type = string
+  type = string
 }
 
 variable "cloudfront_cache_max_age" {
-    type = string
+  type = string
 }
 
 variable "environment_name" {
-    type = string
-}
+  type = string
+}
diff --git a/infra/production/main.tf b/infra/production/main.tf
@@ -6,7 +6,7 @@ terraform {
     }
 
     cloudflare = {
-      source = "cloudflare/cloudflare"
+      source  = "cloudflare/cloudflare"
       version = "~> 4"
     }
   }
@@ -30,8 +30,8 @@ provider "cloudflare" {
 }
 
 module "acm_certificate_cloudfront" {
-  source = "../modules/acm_certificate_cloudfront"
-  domain = var.apex_domain
+  source  = "../modules/acm_certificate_cloudfront"
+  domain  = var.apex_domain
   profile = var.aws_profile
   providers = {
     aws = aws.virginia
@@ -44,15 +44,15 @@ module "acm_certificate_api_gateway" {
 }
 
 module "cloudflare_apex_dns" {
-  source = "../modules/cloudflare_apex_dns"
-  domain = var.apex_domain
-  value = module.cloudfront_apex_website.domain_name
+  source  = "../modules/cloudflare_apex_dns"
+  domain  = var.apex_domain
+  value   = module.cloudfront_apex_website.domain_name
   zone_id = var.cloudflare_zone_id
 }
 
 module "cloudflare_www_dns" {
-  source = "../modules/cloudflare_www_dns"
-  value = module.cloudfront_www_website.domain_name
+  source  = "../modules/cloudflare_www_dns"
+  value   = module.cloudfront_www_website.domain_name
   zone_id = var.cloudflare_zone_id
 }
 
@@ -73,28 +73,27 @@ module "s3_bucket_www_website" {
 }
 
 module "cloudfront_apex_website" {
-  source         = "../modules/cloudfront_apex_website"
-  domain         = var.apex_domain
-  region         = var.region
-  certificate_id = module.acm_certificate_cloudfront.id
+  source          = "../modules/cloudfront_apex_website"
   cache_policy_id = "658327ea-f89d-4fab-a63d-7e88639e58f6" #CachingOptimized
+  certificate_id  = module.acm_certificate_cloudfront.id
+  domain          = var.apex_domain
+  region          = var.region
 }
 
 module "cloudfront_www_website" {
-  source         = "../modules/cloudfront_www_website"
-  domain         = var.www_domain
-  region         = var.region
-  certificate_id = module.acm_certificate_cloudfront.id
+  source          = "../modules/cloudfront_www_website"
   cache_policy_id = "658327ea-f89d-4fab-a63d-7e88639e58f6" #CachingOptimized
+  certificate_id  = module.acm_certificate_cloudfront.id
+  domain          = var.www_domain
+  region          = var.region
 }
 
 module "local_env_file" {
-  source = "../modules/local_env_file"
-  album_bucket_name = var.private_bucket
-  album_bucket_region = var.region
-  apex_domain = var.apex_domain
-  apex_bucket_name = var.apex_domain
+  source                   = "../modules/local_env_file"
+  album_bucket_name        = var.private_bucket
+  album_bucket_region      = var.region
+  apex_domain              = var.apex_domain
+  aws_profile              = var.aws_profile
   cloudfront_cache_max_age = "0"
-  environment_name = var.environment_name
-  aws_profile = var.aws_profile
-}
+  environment_name         = var.environment_name
+}
diff --git a/infra/staging/main.tf b/infra/staging/main.tf
@@ -6,7 +6,7 @@ terraform {
     }
 
     cloudflare = {
-      source = "cloudflare/cloudflare"
+      source  = "cloudflare/cloudflare"
       version = "~> 4"
     }
   }
@@ -30,8 +30,8 @@ provider "cloudflare" {
 }
 
 module "acm_certificate_cloudfront" {
-  source = "../modules/acm_certificate_cloudfront"
-  domain = var.apex_domain
+  source  = "../modules/acm_certificate_cloudfront"
+  domain  = var.apex_domain
   profile = var.aws_profile
   providers = {
     aws = aws.virginia
@@ -44,15 +44,15 @@ module "acm_certificate_api_gateway" {
 }
 
 module "cloudflare_apex_dns" {
-  source = "../modules/cloudflare_apex_dns"
-  domain = var.apex_domain
-  value = module.cloudfront_apex_website.domain_name
+  source  = "../modules/cloudflare_apex_dns"
+  domain  = var.apex_domain
+  value   = module.cloudfront_apex_website.domain_name
   zone_id = var.cloudflare_zone_id
 }
 
 module "cloudflare_www_dns" {
-  source = "../modules/cloudflare_www_dns"
-  value = module.cloudfront_www_website.domain_name
+  source  = "../modules/cloudflare_www_dns"
+  value   = module.cloudfront_www_website.domain_name
   zone_id = var.cloudflare_zone_id
 }
 
@@ -73,28 +73,27 @@ module "s3_bucket_www_website" {
 }
 
 module "cloudfront_apex_website" {
-  source         = "../modules/cloudfront_apex_website"
-  domain         = var.apex_domain
-  region         = var.region
-  certificate_id = module.acm_certificate_cloudfront.id
+  source          = "../modules/cloudfront_apex_website"
   cache_policy_id = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad" #CachingDisabled
+  certificate_id  = module.acm_certificate_cloudfront.id
+  domain          = var.apex_domain
+  region          = var.region
 }
 
 module "cloudfront_www_website" {
-  source         = "../modules/cloudfront_www_website"
-  domain         = var.www_domain
-  region         = var.region
-  certificate_id = module.acm_certificate_cloudfront.id
+  source          = "../modules/cloudfront_www_website"
+  domain          = var.www_domain
   cache_policy_id = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad" #CachingDisabled
+  certificate_id  = module.acm_certificate_cloudfront.id
+  region          = var.region
 }
 
 module "local_env_file" {
-  source = "../modules/local_env_file"
-  album_bucket_name = var.private_bucket
-  album_bucket_region = var.region
-  apex_domain = var.apex_domain
-  apex_bucket_name = var.apex_domain
+  source                   = "../modules/local_env_file"
+  album_bucket_name        = var.private_bucket
+  album_bucket_region      = var.region
+  apex_domain              = var.apex_domain
+  aws_profile              = var.aws_profile
   cloudfront_cache_max_age = "0"
-  environment_name = var.environment_name
-  aws_profile = var.aws_profile
-}
+  environment_name         = var.environment_name
+}
diff --git a/src/packages/album-backend/sst.config.ts b/src/packages/album-backend/sst.config.ts
@@ -18,20 +18,19 @@ export default {
 
         app.stack(function Stack({ stack }: StackContext) {
             const {
-                APEX_DOMAIN,
+                APEX_DOMAIN_ORIGIN,
                 ALBUM_BUCKET
             } = process.env;
 
             const api = new Api(stack, "api", {
                 cors: {
                     allowHeaders: ["authorization"],
                     allowMethods: ["GET"],
-                    allowOrigins: [APEX_DOMAIN],
+                    allowOrigins: [APEX_DOMAIN_ORIGIN],
                 },
                 defaults: {
                     function: {
                         environment: {
-                            APEX_DOMAIN,
                             ALBUM_BUCKET
                         }
                     }