add proxy cert

akerl · akerl · commit fd57147a9416 · 2024-04-03T23:33:13.000-04:00
diff --git a/servers.tf b/servers.tf
@@ -38,6 +38,22 @@ module "charts_ext_validation" {
   zone_id     = module.zones["akerl.app"].zone_id
 }
 
+module "frameproxy_proxy_validation" {
+  source      = "armorfret/r53-certbot/aws"
+  version     = "0.6.4"
+  admin_email = var.admin_email
+  cert_name   = "frameproxy.a-rwx.org"
+  zone_id     = module.zones["a-rwx.org"].zone_id
+}
+
+resource "aws_route53_record" "frameproxy_a-rwx_org" {
+  zone_id = module.zones["a-rwx.org"].zone_id
+  name    = "frameproxy.a-rwx.org"
+  type    = "A"
+  ttl     = "60"
+  records = ["10.0.1.80"]
+}
+
 module "frameproxy_validation" {
   source      = "armorfret/r53-certbot/aws"
   version     = "0.6.4"
diff --git a/terraform.tfstate b/terraform.tfstate
@@ -1,7 +1,7 @@
 {
   "version": 4,
   "terraform_version": "1.5.2",
-  "serial": 12820,
+  "serial": 12826,
   "lineage": "6a6e3f47-d4c8-46eb-a34e-885062b7c62a",
   "outputs": {
     "domains": {
@@ -4137,6 +4137,44 @@
         }
       ]
     },
+    {
+      "mode": "managed",
+      "type": "aws_route53_record",
+      "name": "frameproxy_a-rwx_org",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 2,
+          "attributes": {
+            "alias": [],
+            "allow_overwrite": null,
+            "cidr_routing_policy": [],
+            "failover_routing_policy": [],
+            "fqdn": "frameproxy.a-rwx.org",
+            "geolocation_routing_policy": [],
+            "geoproximity_routing_policy": [],
+            "health_check_id": "",
+            "id": "Z06324102J3IVSSCKNZ4A_frameproxy.a-rwx.org_A",
+            "latency_routing_policy": [],
+            "multivalue_answer_routing_policy": false,
+            "name": "frameproxy.a-rwx.org",
+            "records": [
+              "10.0.1.80"
+            ],
+            "set_identifier": "",
+            "ttl": 60,
+            "type": "A",
+            "weighted_routing_policy": [],
+            "zone_id": "Z06324102J3IVSSCKNZ4A"
+          },
+          "sensitive_attributes": [],
+          "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjIifQ==",
+          "dependencies": [
+            "module.zones.aws_route53_zone.this"
+          ]
+        }
+      ]
+    },
     {
       "mode": "managed",
       "type": "aws_route53_record",
@@ -36319,6 +36357,200 @@
         }
       ]
     },
+    {
+      "module": "module.frameproxy_proxy_validation",
+      "mode": "data",
+      "type": "aws_iam_policy_document",
+      "name": "certbot_validation",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "id": "4158311214",
+            "json": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"route53:ListHostedZonesByName\",\n        \"route53:ListHostedZones\",\n        \"route53:GetChange\"\n      ],\n      \"Resource\": \"*\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"route53:ListResourceRecordSets\",\n        \"route53:GetHostedZone\"\n      ],\n      \"Resource\": \"arn:aws:route53:::hostedzone/Z06324102J3IVSSCKNZ4A\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": \"route53:ChangeResourceRecordSets\",\n      \"Resource\": \"arn:aws:route53:::hostedzone/Z06324102J3IVSSCKNZ4A\",\n      \"Condition\": {\n        \"ForAllValues:StringEquals\": {\n          \"route53:ChangeResourceRecordSetsNormalizedRecordNames\": \"_acme-challenge.frameproxy.a-rwx.org\"\n        }\n      }\n    }\n  ]\n}",
+            "override_json": null,
+            "override_policy_documents": null,
+            "policy_id": null,
+            "source_json": null,
+            "source_policy_documents": null,
+            "statement": [
+              {
+                "actions": [
+                  "route53:GetChange",
+                  "route53:ListHostedZones",
+                  "route53:ListHostedZonesByName"
+                ],
+                "condition": [],
+                "effect": "Allow",
+                "not_actions": [],
+                "not_principals": [],
+                "not_resources": [],
+                "principals": [],
+                "resources": [
+                  "*"
+                ],
+                "sid": ""
+              },
+              {
+                "actions": [
+                  "route53:GetHostedZone",
+                  "route53:ListResourceRecordSets"
+                ],
+                "condition": [],
+                "effect": "Allow",
+                "not_actions": [],
+                "not_principals": [],
+                "not_resources": [],
+                "principals": [],
+                "resources": [
+                  "arn:aws:route53:::hostedzone/Z06324102J3IVSSCKNZ4A"
+                ],
+                "sid": ""
+              },
+              {
+                "actions": [
+                  "route53:ChangeResourceRecordSets"
+                ],
+                "condition": [
+                  {
+                    "test": "ForAllValues:StringEquals",
+                    "values": [
+                      "_acme-challenge.frameproxy.a-rwx.org"
+                    ],
+                    "variable": "route53:ChangeResourceRecordSetsNormalizedRecordNames"
+                  }
+                ],
+                "effect": "Allow",
+                "not_actions": [],
+                "not_principals": [],
+                "not_resources": [],
+                "principals": [],
+                "resources": [
+                  "arn:aws:route53:::hostedzone/Z06324102J3IVSSCKNZ4A"
+                ],
+                "sid": ""
+              }
+            ],
+            "version": "2012-10-17"
+          },
+          "sensitive_attributes": []
+        }
+      ]
+    },
+    {
+      "module": "module.frameproxy_proxy_validation",
+      "mode": "managed",
+      "type": "aws_iam_user",
+      "name": "this",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:iam::764218738161:user/certbot_frameproxy.a-rwx.org",
+            "force_destroy": false,
+            "id": "certbot_frameproxy.a-rwx.org",
+            "name": "certbot_frameproxy.a-rwx.org",
+            "path": "/",
+            "permissions_boundary": "",
+            "tags": null,
+            "tags_all": {},
+            "unique_id": "AIDA3D3X4QXYTS67RMN3D"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA=="
+        }
+      ]
+    },
+    {
+      "module": "module.frameproxy_proxy_validation",
+      "mode": "managed",
+      "type": "aws_iam_user_policy",
+      "name": "this",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "id": "certbot_frameproxy.a-rwx.org:certbot_frameproxy.a-rwx.org",
+            "name": "certbot_frameproxy.a-rwx.org",
+            "name_prefix": "",
+            "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"route53:ListHostedZonesByName\",\"route53:ListHostedZones\",\"route53:GetChange\"],\"Effect\":\"Allow\",\"Resource\":\"*\"},{\"Action\":[\"route53:ListResourceRecordSets\",\"route53:GetHostedZone\"],\"Effect\":\"Allow\",\"Resource\":\"arn:aws:route53:::hostedzone/Z06324102J3IVSSCKNZ4A\"},{\"Action\":\"route53:ChangeResourceRecordSets\",\"Condition\":{\"ForAllValues:StringEquals\":{\"route53:ChangeResourceRecordSetsNormalizedRecordNames\":\"_acme-challenge.frameproxy.a-rwx.org\"}},\"Effect\":\"Allow\",\"Resource\":\"arn:aws:route53:::hostedzone/Z06324102J3IVSSCKNZ4A\"}]}",
+            "user": "certbot_frameproxy.a-rwx.org"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA==",
+          "dependencies": [
+            "module.frameproxy_proxy_validation.aws_iam_user.this",
+            "module.frameproxy_proxy_validation.data.aws_iam_policy_document.certbot_validation"
+          ]
+        }
+      ]
+    },
+    {
+      "module": "module.frameproxy_proxy_validation",
+      "mode": "managed",
+      "type": "aws_route53_record",
+      "name": "caa",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 2,
+          "attributes": {
+            "alias": [],
+            "allow_overwrite": null,
+            "cidr_routing_policy": [],
+            "failover_routing_policy": [],
+            "fqdn": "frameproxy.a-rwx.org",
+            "geolocation_routing_policy": [],
+            "geoproximity_routing_policy": [],
+            "health_check_id": "",
+            "id": "Z06324102J3IVSSCKNZ4A_frameproxy.a-rwx.org_CAA",
+            "latency_routing_policy": [],
+            "multivalue_answer_routing_policy": false,
+            "name": "frameproxy.a-rwx.org",
+            "records": [
+              "0 iodef \"mailto:admin@lesaker.org\"",
+              "0 issue \"letsencrypt.org; validationmethods=dns-01\"",
+              "0 issuewild \";\""
+            ],
+            "set_identifier": "",
+            "ttl": 60,
+            "type": "CAA",
+            "weighted_routing_policy": [],
+            "zone_id": "Z06324102J3IVSSCKNZ4A"
+          },
+          "sensitive_attributes": [],
+          "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjIifQ==",
+          "dependencies": [
+            "module.zones.aws_route53_zone.this"
+          ]
+        }
+      ]
+    },
+    {
+      "module": "module.frameproxy_proxy_validation",
+      "mode": "managed",
+      "type": "awscreds_iam_access_key",
+      "name": "this",
+      "provider": "provider[\"registry.terraform.io/armorfret/awscreds\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "file": "creds/certbot_frameproxy.a-rwx.org",
+            "id": "AKIA3D3X4QXY7GAT3ENL",
+            "user": "certbot_frameproxy.a-rwx.org"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA==",
+          "dependencies": [
+            "module.frameproxy_proxy_validation.aws_iam_user.this"
+          ]
+        }
+      ]
+    },
     {
       "module": "module.frameproxy_validation",
       "mode": "data",
@@ -36489,6 +36721,7 @@
           "sensitive_attributes": [],
           "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjIifQ==",
           "dependencies": [
+            "aws_route53_delegation_set.main",
             "module.zones.aws_route53_zone.this"
           ]
         }
diff --git a/terraform.tfstate.backup b/terraform.tfstate.backup
@@ -1,7 +1,7 @@
 {
   "version": 4,
   "terraform_version": "1.5.2",
-  "serial": 12818,
+  "serial": 12820,
   "lineage": "6a6e3f47-d4c8-46eb-a34e-885062b7c62a",
   "outputs": {
     "domains": {
@@ -11254,7 +11254,7 @@
             ],
             "primary_name_server": "ns-1505.awsdns-60.org",
             "private_zone": false,
-            "resource_record_set_count": 22,
+            "resource_record_set_count": 23,
             "tags": {},
             "vpc_id": null,
             "zone_id": "Z06340373MQ1RZIP7YOXL"
@@ -12977,7 +12977,7 @@
             ],
             "primary_name_server": "ns-1505.awsdns-60.org",
             "private_zone": false,
-            "resource_record_set_count": 22,
+            "resource_record_set_count": 23,
             "tags": {},
             "vpc_id": null,
             "zone_id": "Z06340373MQ1RZIP7YOXL"
@@ -13237,7 +13237,7 @@
             ],
             "primary_name_server": "ns-1505.awsdns-60.org",
             "private_zone": false,
-            "resource_record_set_count": 22,
+            "resource_record_set_count": 23,
             "tags": {},
             "vpc_id": null,
             "zone_id": "Z06340373MQ1RZIP7YOXL"
@@ -20635,7 +20635,7 @@
             ],
             "primary_name_server": "ns-1505.awsdns-60.org",
             "private_zone": false,
-            "resource_record_set_count": 22,
+            "resource_record_set_count": 23,
             "tags": {},
             "vpc_id": null,
             "zone_id": "Z06340373MQ1RZIP7YOXL"
@@ -24752,7 +24752,7 @@
             ],
             "primary_name_server": "ns-1505.awsdns-60.org",
             "private_zone": false,
-            "resource_record_set_count": 22,
+            "resource_record_set_count": 23,
             "tags": {},
             "vpc_id": null,
             "zone_id": "Z06340373MQ1RZIP7YOXL"
@@ -34192,7 +34192,7 @@
             ],
             "primary_name_server": "ns-1505.awsdns-60.org",
             "private_zone": false,
-            "resource_record_set_count": 22,
+            "resource_record_set_count": 23,
             "tags": {},
             "vpc_id": null,
             "zone_id": "Z06340373MQ1RZIP7YOXL"
@@ -36416,7 +36416,7 @@
             "name": "certbot_frame.akerl.app",
             "path": "/",
             "permissions_boundary": "",
-            "tags": null,
+            "tags": {},
             "tags_all": {},
             "unique_id": "AIDA3D3X4QXY2X75WDHKM"
           },
@@ -36444,8 +36444,10 @@
           "sensitive_attributes": [],
           "private": "bnVsbA==",
           "dependencies": [
+            "aws_route53_delegation_set.main",
             "module.frameproxy_validation.aws_iam_user.this",
-            "module.frameproxy_validation.data.aws_iam_policy_document.certbot_validation"
+            "module.frameproxy_validation.data.aws_iam_policy_document.certbot_validation",
+            "module.zones.aws_route53_zone.this"
           ]
         }
       ]
@@ -36474,6 +36476,7 @@
             "name": "frame.akerl.app",
             "records": [
               "0 iodef \"mailto:admin@lesaker.org\"",
+              "0 issue \"amazon.com\"",
               "0 issue \"letsencrypt.org; validationmethods=dns-01\"",
               "0 issuewild \";\""
             ],
