Merge branch 'main' of https://github.com/benchiverton/OnlineStore
Showing
11 changed files
with
275 additions
and
100 deletions.
@@ -0,0 +1,44 @@ | ||
terraform {} | ||
|
||
resource "null_resource" "null" { | ||
for_each = { for svc in var.services : svc.key => svc } | ||
|
||
lifecycle { | ||
create_before_destroy = false | ||
} | ||
|
||
triggers = { | ||
ca_name = each.value.container_app_name | ||
ca_rg_name = var.container_app_resource_group_name | ||
ca_env_name = var.container_app_env_name | ||
ca_env_rg_name = var.container_app_env_resource_group_name | ||
custom_domain = each.value.custom_domain | ||
} | ||
|
||
# provision a managed cert and apply it to the container app | ||
provisioner "local-exec" { | ||
when = create | ||
command = "bash ${path.module}/scripts/create.sh" | ||
|
||
environment = { | ||
CONTAINER_APP_NAME = self.triggers.ca_name | ||
CONTAINER_APP_RESOURCE_GROUP = self.triggers.ca_rg_name | ||
CONTAINER_APP_ENV_NAME = self.triggers.ca_env_name | ||
CONTAINER_APP_ENV_RESOURCE_GROUP = self.triggers.ca_env_rg_name | ||
CUSTOM_DOMAIN = self.triggers.custom_domain | ||
} | ||
} | ||
|
||
provisioner "local-exec" { | ||
when = destroy | ||
command = "bash ${path.module}/scripts/destroy.sh" | ||
|
||
environment = { | ||
CONTAINER_APP_NAME = self.triggers.ca_name | ||
CONTAINER_APP_RESOURCE_GROUP = self.triggers.ca_rg_name | ||
CONTAINER_APP_ENV_NAME = self.triggers.ca_env_name | ||
CONTAINER_APP_ENV_RESOURCE_GROUP = self.triggers.ca_env_rg_name | ||
CUSTOM_DOMAIN = self.triggers.custom_domain | ||
} | ||
} | ||
} |
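--- a/terraform/instance/container_apps_bind_dns/scripts/create.sh
+++ b/terraform/instance/container_apps_bind_dns/scripts/create.sh
@@ -0,0 +1,124 @@
+#!/bin/bash
+
+# env variables used throughout this script:
+# CONTAINER_APP_NAME
+# CONTAINER_APP_RESOURCE_GROUP
+# CONTAINER_APP_ENV_NAME
+# CONTAINER_APP_ENV_RESOURCE_GROUP
+# CUSTOM_DOMAIN
+
+
+# functions below taken from: https://stackoverflow.com/a/25515370
+yell() { echo "$0: $*" >&2; }
+die() {
+yell "$*"
+exit 111
+}
+
+# use dig to verify the asuid txt record exists on the DNS host
+# azure requires this to exist prior to adding the domain
+# azure's dns can also be slow, so best to check propagation
+tries=0
+until [ "$tries" -ge 12 ]; do
+[[ ! -z $(dig @8.8.8.8 txt asuid.$CUSTOM_DOMAIN +short) ]] && break
+tries=$((tries + 1))
+sleep 10
+done
+if [ "$tries" -ge 12 ]; then
+die "'asuid.${CUSTOM_DOMAIN}' txt record does not exist"
+fi
+
+echo "took $tries trie(s) for the dns record to exist publically"
+
+# check if the hostname already exists on the container app
+# if not, add it since it's required to provision a managed cert
+DOES_CUSTOM_DOMAIN_EXIST=$(
+az containerapp hostname list \
+-n $CONTAINER_APP_NAME \
+-g $CONTAINER_APP_RESOURCE_GROUP \
+--query "[?name=='$CUSTOM_DOMAIN'].name" \
+--output tsv
+)
+if [ -z "${DOES_CUSTOM_DOMAIN_EXIST}" ]; then
+echo "adding custom hostname to container app first since it does not exist yet"
+az containerapp hostname add \
+-n $CONTAINER_APP_NAME \
+-g $CONTAINER_APP_RESOURCE_GROUP \
+--hostname $CUSTOM_DOMAIN \
+--output none
+fi
+
+# check if a managed cert for the domain already exists
+# if it does not exist, provision one
+# if it does, save its name to use for binding it later
+MANAGED_CERTIFICATE_ID=$(
+az containerapp env certificate list \
+-g $CONTAINER_APP_ENV_RESOURCE_GROUP \
+-n $CONTAINER_APP_ENV_NAME \
+--managed-certificates-only \
+--query "[?properties.subjectName=='$CUSTOM_DOMAIN'].id" \
+--output tsv
+)
+if [ -z "${MANAGED_CERTIFICATE_ID}" ]; then
+MANAGED_CERTIFICATE_ID=$(
+az containerapp env certificate create \
+-g $CONTAINER_APP_ENV_RESOURCE_GROUP \
+-n $CONTAINER_APP_ENV_NAME \
+--hostname $CUSTOM_DOMAIN \
+--validation-method CNAME \
+--query "id" \
+--output tsv
+)
+echo "created cert for '$CUSTOM_DOMAIN'. waiting for it to provision now..."
+
+# poll azcli to check for the certificate status
+# this is better than waiting 5 minutes, because it could be
+# faster and we get to exit the script faster
+# ---
+# the default 20 tries means it'll check for 5 mins
+# at 15 second intervals
+tries=0
+until [ "$tries" -ge 20 ]; do
+STATE=$(
+az containerapp env certificate list \
+-g $CONTAINER_APP_ENV_RESOURCE_GROUP \
+-n $CONTAINER_APP_ENV_NAME \
+--managed-certificates-only \
+--query "[?properties.subjectName=='$CUSTOM_DOMAIN'].properties.provisioningState" \
+--output tsv
+)
+[[ $STATE == "Succeeded" ]] && break
+tries=$((tries + 1))
+
+sleep 15
+done
+if [ "$tries" -ge 20 ]; then
+die "waited for 5 minutes, checked the certificate status 20 times and its not done. check azure portal..."
+fi
+else
+echo "found existing cert in the env. proceeding to use that"
+fi
+
+# check if the cert has already been bound
+# if not, bind it then
+IS_CERT_ALREADY_BOUND=$(
+az containerapp hostname list \
+-n $CONTAINER_APP_NAME \
+-g $CONTAINER_APP_RESOURCE_GROUP \
+--query "[?name=='$CUSTOM_DOMAIN'].bindingType" \
+--output tsv
+)
+if [ $IS_CERT_ALREADY_BOUND = "SniEnabled" ]; then
+echo "cert is already bound, exiting..."
+else
+# try bind the cert to the container app
+echo "cert successfully provisioned. binding the cert id to the hostname"
+az containerapp hostname bind \
+-g $CONTAINER_APP_RESOURCE_GROUP \
+-n $CONTAINER_APP_NAME \
+--hostname $CUSTOM_DOMAIN \
+--environment $CONTAINER_APP_ENV_NAME \
+--certificate $MANAGED_CERTIFICATE_ID \
+--output none
+echo "finished binding. the domain is now secured and ready to use"
+fi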
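Review bot: None of the `az` calls in this file check their exit status, so a failed `az containerapp env certificate create` leaves `MANAGED_CERTIFICATE_ID` empty and the poll loop runs all 20 tries against nothing, while a failed `az containerapp hostname bind` at the end still lets the script exit 0, which the local-exec provisioner that invokes it will record as a successful apply. Adding `set -euo pipefail` directly under the `#!/bin/bash` line turns each of those into a hard failure; the `&& break` lines and the `$(...)` assignments already in the file are compatible with it. The comparison `if [ $IS_CERT_ALREADY_BOUND = "SniEnabled" ]` is unquoted, so an empty result (hostname not listed yet) yields a `[: =: unary operator expected` error instead of a clean false; it should read `if [ "$IS_CERT_ALREADY_BOUND" = "SniEnabled" ]; then`. The polling loop only breaks on `Succeeded`, so an issuance that ends in a terminal non-success `provisioningState` still waits the full five minutes before `die` fires; breaking out on such a state and calling `die` with the value would surface the problem immediately. `CUSTOM_DOMAIN` is also interpolated unescaped inside the single-quoted JMESPath literals of every `--query`; it presumably comes from a Terraform variable, so this is low risk, but constraining that variable to a hostname pattern would keep quotes and whitespace out of the query.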