Resolve DNS issues on container apps (#74)
* Fix issues with DNS not auto-provisioning * Prefix container apps * Update container_apps.tf * Update instance-deploy-test.yml * Update instance-deploy-test.yml * Update instance-deploy-test.yml * Update instance-deploy-test.yml * Correct container app names * Update dns.tf * Update dns.tf * Bind DNS via terraform module * Typos * Linux-ify * Update instance-deploy-test.yml * Add bin/bash * Update main.tf * Get certificate ID over name * Update dns.tf * Tidy up terraform + workflows * Use my updated action * Move apps into shared resource group * Update dns.tf * Update instance-deploy-prod.yml * Update instance-deploy-test.yml * Update container_apps.tf * Change nginx port * Revert "Change nginx port" This reverts commit 6d76a75.
1 parent
9d50627
commit dcf39a6
Showing
11 changed files
with
275 additions
and
100 deletions.
@@ -0,0 +1,44 @@ | ||
terraform {} | ||
|
||
resource "null_resource" "null" { | ||
for_each = { for svc in var.services : svc.key => svc } | ||
|
||
lifecycle { | ||
create_before_destroy = false | ||
} | ||
|
||
triggers = { | ||
ca_name = each.value.container_app_name | ||
ca_rg_name = var.container_app_resource_group_name | ||
ca_env_name = var.container_app_env_name | ||
ca_env_rg_name = var.container_app_env_resource_group_name | ||
custom_domain = each.value.custom_domain | ||
} | ||
|
||
# provision a managed cert and apply it to the container app | ||
provisioner "local-exec" { | ||
when = create | ||
command = "bash ${path.module}/scripts/create.sh" | ||
|
||
environment = { | ||
CONTAINER_APP_NAME = self.triggers.ca_name | ||
CONTAINER_APP_RESOURCE_GROUP = self.triggers.ca_rg_name | ||
CONTAINER_APP_ENV_NAME = self.triggers.ca_env_name | ||
CONTAINER_APP_ENV_RESOURCE_GROUP = self.triggers.ca_env_rg_name | ||
CUSTOM_DOMAIN = self.triggers.custom_domain | ||
} | ||
} | ||
|
||
provisioner "local-exec" { | ||
when = destroy | ||
command = "bash ${path.module}/scripts/destroy.sh" | ||
|
||
environment = { | ||
CONTAINER_APP_NAME = self.triggers.ca_name | ||
CONTAINER_APP_RESOURCE_GROUP = self.triggers.ca_rg_name | ||
CONTAINER_APP_ENV_NAME = self.triggers.ca_env_name | ||
CONTAINER_APP_ENV_RESOURCE_GROUP = self.triggers.ca_env_rg_name | ||
CUSTOM_DOMAIN = self.triggers.custom_domain | ||
} | ||
} | ||
} |
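--- /dev/null
+++ b/terraform/instance/container_apps_bind_dns/scripts/create.sh
@@ -0,0 +1,124 @@
+#!/bin/bash
+
+# env variables used throughout this script:
+# CONTAINER_APP_NAME
+# CONTAINER_APP_RESOURCE_GROUP
+# CONTAINER_APP_ENV_NAME
+# CONTAINER_APP_ENV_RESOURCE_GROUP
+# CUSTOM_DOMAIN
+
+
+# functions below taken from: https://stackoverflow.com/a/25515370
+yell() { echo "$0: $*" >&2; }
+die() {
+yell "$*"
+exit 111
+}
+
+# use dig to verify the asuid txt record exists on the DNS host
+# azure requires this to exist prior to adding the domain
+# azure's dns can also be slow, so best to check propagation
+tries=0
+until [ "$tries" -ge 12 ]; do
+[[ ! -z $(dig @8.8.8.8 txt asuid.$CUSTOM_DOMAIN +short) ]] && break
+tries=$((tries + 1))
+sleep 10
+done
+if [ "$tries" -ge 12 ]; then
+die "'asuid.${CUSTOM_DOMAIN}' txt record does not exist"
+fi
+
+echo "took $tries trie(s) for the dns record to exist publically"
+
+# check if the hostname already exists on the container app
+# if not, add it since it's required to provision a managed cert
+DOES_CUSTOM_DOMAIN_EXIST=$(
+az containerapp hostname list \
+-n $CONTAINER_APP_NAME \
+-g $CONTAINER_APP_RESOURCE_GROUP \
+--query "[?name=='$CUSTOM_DOMAIN'].name" \
+--output tsv
+)
+if [ -z "${DOES_CUSTOM_DOMAIN_EXIST}" ]; then
+echo "adding custom hostname to container app first since it does not exist yet"
+az containerapp hostname add \
+-n $CONTAINER_APP_NAME \
+-g $CONTAINER_APP_RESOURCE_GROUP \
+--hostname $CUSTOM_DOMAIN \
+--output none
+fi
+
+# check if a managed cert for the domain already exists
+# if it does not exist, provision one
+# if it does, save its name to use for binding it later
+MANAGED_CERTIFICATE_ID=$(
+az containerapp env certificate list \
+-g $CONTAINER_APP_ENV_RESOURCE_GROUP \
+-n $CONTAINER_APP_ENV_NAME \
+--managed-certificates-only \
+--query "[?properties.subjectName=='$CUSTOM_DOMAIN'].id" \
+--output tsv
+)
+if [ -z "${MANAGED_CERTIFICATE_ID}" ]; then
+MANAGED_CERTIFICATE_ID=$(
+az containerapp env certificate create \
+-g $CONTAINER_APP_ENV_RESOURCE_GROUP \
+-n $CONTAINER_APP_ENV_NAME \
+--hostname $CUSTOM_DOMAIN \
+--validation-method CNAME \
+--query "id" \
+--output tsv
+)
+echo "created cert for '$CUSTOM_DOMAIN'. waiting for it to provision now..."
+
+# poll azcli to check for the certificate status
+# this is better than waiting 5 minutes, because it could be
+# faster and we get to exit the script faster
+# ---
+# the default 20 tries means it'll check for 5 mins
+# at 15 second intervals
+tries=0
+until [ "$tries" -ge 20 ]; do
+STATE=$(
+az containerapp env certificate list \
+-g $CONTAINER_APP_ENV_RESOURCE_GROUP \
+-n $CONTAINER_APP_ENV_NAME \
+--managed-certificates-only \
+--query "[?properties.subjectName=='$CUSTOM_DOMAIN'].properties.provisioningState" \
+--output tsv
+)
+[[ $STATE == "Succeeded" ]] && break
+tries=$((tries + 1))
+
+sleep 15
+done
+if [ "$tries" -ge 20 ]; then
+die "waited for 5 minutes, checked the certificate status 20 times and its not done. check azure portal..."
+fi
+else
+echo "found existing cert in the env. proceeding to use that"
+fi
+
+# check if the cert has already been bound
+# if not, bind it then
+IS_CERT_ALREADY_BOUND=$(
+az containerapp hostname list \
+-n $CONTAINER_APP_NAME \
+-g $CONTAINER_APP_RESOURCE_GROUP \
+--query "[?name=='$CUSTOM_DOMAIN'].bindingType" \
+--output tsv
+)
+if [ $IS_CERT_ALREADY_BOUND = "SniEnabled" ]; then
+echo "cert is already bound, exiting..."
+else
+# try bind the cert to the container app
+echo "cert successfully provisioned. binding the cert id to the hostname"
+az containerapp hostname bind \
+-g $CONTAINER_APP_RESOURCE_GROUP \
+-n $CONTAINER_APP_NAME \
+--hostname $CUSTOM_DOMAIN \
+--environment $CONTAINER_APP_ENV_NAME \
+--certificate $MANAGED_CERTIFICATE_ID \
+--output none
+echo "finished binding. the domain is now secured and ready to use"
+fi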
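Review bot: The new create.sh runs without `set -e` and never checks the exit status of any `az` call, so a failed `az containerapp hostname add` or `az containerapp env certificate create` is ignored: the script then prints "created cert ..." with an empty MANAGED_CERTIFICATE_ID, burns all 20 polls of the status loop, and dies with the "waited for 5 minutes" message that blames Azure rather than the failed call. Add `set -euo pipefail` directly after the shebang and assert the documented inputs up front with `: "${CONTAINER_APP_NAME:?}" "${CONTAINER_APP_RESOURCE_GROUP:?}" "${CONTAINER_APP_ENV_NAME:?}" "${CONTAINER_APP_ENV_RESOURCE_GROUP:?}" "${CUSTOM_DOMAIN:?}"`; the two `[[ … ]] && break` guards are the non-final command of their `&&` list, so `-e` does not trip on them. The binding check `[ $IS_CERT_ALREADY_BOUND = "SniEnabled" ]` is unquoted, so when the hostname has no bindingType yet (or the query returns nothing) `[` sees `[ = SniEnabled ]` and reports a syntax error instead of evaluating to false; write it as `if [[ "$IS_CERT_ALREADY_BOUND" == "SniEnabled" ]]; then`. The same unquoted expansions appear in every `az`/`dig` argument (`-n $CONTAINER_APP_NAME`, `--hostname $CUSTOM_DOMAIN`), and `$CUSTOM_DOMAIN` is also spliced into the JMESPath `--query` strings, where a value containing a single quote would change the filter rather than fail cleanly — quoting the arguments does not cover the query splice, so validating the domain against a hostname pattern before use is worth adding even though the value comes from Terraform configuration.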