support https on elb

user can configure: - elb protocol - elb port - custom external domain name - the arn of ssl certificate to be set to elb
mumoshu · Jul 14, 2016 · 05a9bee · 05a9bee
1 parent b3929d7
commit 05a9bee
Show file tree

Hide file tree

Showing 6 changed files with 133 additions and 55 deletions.
diff --git a/cmd/up.go b/cmd/up.go
@@ -20,6 +20,7 @@ import (
 	"log"
 	"os"
 	"os/exec"
+	"strconv"
 	"strings"
 
 	"github.com/mumoshu/concourse-aws/concourse"
@@ -109,6 +110,29 @@ func InteractivelyCreateConfig() *concourse.Config {
 	dbInstanceClass := AskForRequiredInput("DB Instance Class", AskOptions{Default: "db.t2.micro"})
 	instanceType := AskForRequiredInput("Concourse Instance Type", AskOptions{Default: "t2.micro"})
 
+	possible_elb_protocols := []string{"http", "https"}
+	default_elb_ports := map[string]string{
+		"http":  "80",
+		"https": "443",
+	}
+	elb_protocol := AskForRequiredInput("Protocol for ELB", AskOptions{
+		Default:    possible_elb_protocols[0],
+		Candidates: possible_elb_protocols,
+		Validate:   mustBeIncludedIn(possible_elb_protocols),
+	})
+	elb_port, err := strconv.Atoi(AskForRequiredInput("Port for ELB", AskOptions{
+		Default: default_elb_ports[elb_protocol],
+	}))
+	if err != nil {
+		log.Fatal(err)
+		panic(err)
+	}
+	ssl_certificate_arn := ""
+	if elb_protocol == "https" {
+		ssl_certificate_arn = AskForRequiredInput("SSL ARN", AskOptions{Default: ""})
+	}
+	custom_external_domain_name := AskForRequiredInput("Custom External Domain Name(just hit enter for skip, e.g. some.cool.com)", AskOptions{Default: ""})
+
 	username := AskForRequiredInput("Basic Auth Username(just hit enter for skip)", AskOptions{Default: ""})
 	password := ""
 	if username != "" {
@@ -150,22 +174,26 @@ func InteractivelyCreateConfig() *concourse.Config {
 	}
 
 	return &concourse.Config{
-		Region:                  region,
-		KeyName:                 keyName,
-		AccessibleCIDRS:         accessibleCIDRS,
-		VpcId:                   vpcId,
-		SubnetIds:               subnetIds,
-		AvailabilityZones:       availabilityZones,
-		DBInstanceClass:         dbInstanceClass,
-		InstanceType:            instanceType,
-		AMI:                     amiId,
-		BasicAuthUsername:       username,
-		BasicAuthPassword:       password,
-		GithubAuthClientId:      ghclient_id,
-		GithubAuthClientSecret:  ghclient_secret,
-		GithubAuthOrganizations: ghorgs,
-		GithubAuthTeams:         ghteams,
-		GithubAuthUsers:         ghusers,
+		Region:                   region,
+		KeyName:                  keyName,
+		AccessibleCIDRS:          accessibleCIDRS,
+		VpcId:                    vpcId,
+		SubnetIds:                subnetIds,
+		AvailabilityZones:        availabilityZones,
+		DBInstanceClass:          dbInstanceClass,
+		InstanceType:             instanceType,
+		AMI:                      amiId,
+		ElbProtocol:              elb_protocol,
+		ElbPort:                  elb_port,
+		CustomExternalDomainName: custom_external_domain_name,
+		SSLCertificateArn:        ssl_certificate_arn,
+		BasicAuthUsername:        username,
+		BasicAuthPassword:        password,
+		GithubAuthClientId:       ghclient_id,
+		GithubAuthClientSecret:   ghclient_secret,
+		GithubAuthOrganizations:  ghorgs,
+		GithubAuthTeams:          ghteams,
+		GithubAuthUsers:          ghusers,
 	}
 }
 
@@ -211,6 +239,15 @@ func TerraformRun(subcommand string, c *concourse.Config) {
 		panic(err)
 	}
 
+	use_custom_external_domain_name := 0
+	if len(c.CustomExternalDomainName) > 0 {
+		use_custom_external_domain_name = 1
+	}
+	use_custom_elb_port := 0
+	if !(c.ElbPort == 80 || c.ElbPort == 443) {
+		use_custom_elb_port = 1
+	}
+
 	args := []string{
 		subcommand,
 		"-var", fmt.Sprintf("aws_region=%s", c.Region),
@@ -230,6 +267,12 @@ func TerraformRun(subcommand string, c *concourse.Config) {
 		"-var", "tsa_worker_private_key=worker_key",
 		"-var", fmt.Sprintf("ami=%s", c.AMI),
 		"-var", fmt.Sprintf("in_access_allowed_cidrs=%s", c.AccessibleCIDRS),
+		"-var", fmt.Sprintf("elb_listener_lb_protocol=%s", c.ElbProtocol),
+		"-var", fmt.Sprintf("elb_listener_lb_port=%d", c.ElbPort),
+		"-var", fmt.Sprintf("use_custom_elb_port=%d", use_custom_elb_port),
+		"-var", fmt.Sprintf("ssl_certificate_arn=%s", c.SSLCertificateArn),
+		"-var", fmt.Sprintf("use_custom_external_domain_name=%d", use_custom_external_domain_name),
+		"-var", fmt.Sprintf("custom_external_domain_name=%s", c.CustomExternalDomainName),
 		"-var", fmt.Sprintf("worker_instance_profile=%s", c.WorkerInstanceProfile),
 		"-var", fmt.Sprintf("basic_auth_username=%s", c.BasicAuthUsername),
 		"-var", fmt.Sprintf("basic_auth_password=%s", c.BasicAuthPassword),

diff --git a/concourse/config.go b/concourse/config.go
@@ -8,23 +8,27 @@ import (
 )
 
 type Config struct {
-	Region                  string
-	KeyName                 string   `yaml:"key_name"`
-	SubnetIds               []string `yaml:"subnet_ids"`
-	VpcId                   string   `yaml:"vpc_id"`
-	AvailabilityZones       []string `yaml:"availability_zones"`
-	AccessibleCIDRS         string   `yaml:"accessible_cidrs"`
-	DBInstanceClass         string   `yaml:"db_instance_class"`
-	InstanceType            string   `yaml:"instance_type"`
-	WorkerInstanceProfile   string   `yaml:"worker_instance_profile"`
-	AMI                     string   `yaml:"ami_id"`
-	BasicAuthUsername       string   `yaml:"basic_auth_username"`
-	BasicAuthPassword       string   `yaml:"basic_auth_password"`
-	GithubAuthClientId      string   `yaml:"github_auth_client_id"`
-	GithubAuthClientSecret  string   `yaml:"github_auth_client_secret"`
-	GithubAuthOrganizations []string `yaml:"github_auth_organizations"`
-	GithubAuthTeams         []string `yaml:"github_auth_teams"`
-	GithubAuthUsers         []string `yaml:"github_auth_users"`
+	Region                   string
+	KeyName                  string   `yaml:"key_name"`
+	SubnetIds                []string `yaml:"subnet_ids"`
+	VpcId                    string   `yaml:"vpc_id"`
+	AvailabilityZones        []string `yaml:"availability_zones"`
+	AccessibleCIDRS          string   `yaml:"accessible_cidrs"`
+	DBInstanceClass          string   `yaml:"db_instance_class"`
+	InstanceType             string   `yaml:"instance_type"`
+	WorkerInstanceProfile    string   `yaml:"worker_instance_profile"`
+	AMI                      string   `yaml:"ami_id"`
+	ElbProtocol              string   `yaml:"elb_protocol"`
+	ElbPort                  int      `yaml:"elb_port"`
+	CustomExternalDomainName string   `yaml:"custom_external_domain_name"`
+	SSLCertificateArn        string   `yaml:"ssl_certificate_arn"`
+	BasicAuthUsername        string   `yaml:"basic_auth_username"`
+	BasicAuthPassword        string   `yaml:"basic_auth_password"`
+	GithubAuthClientId       string   `yaml:"github_auth_client_id"`
+	GithubAuthClientSecret   string   `yaml:"github_auth_client_secret"`
+	GithubAuthOrganizations  []string `yaml:"github_auth_organizations"`
+	GithubAuthTeams          []string `yaml:"github_auth_teams"`
+	GithubAuthUsers          []string `yaml:"github_auth_users"`
 }
 
 func ConfigFromFile(filename string) (*Config, error) {

diff --git a/concourse/config_test.go b/concourse/config_test.go
@@ -23,17 +23,25 @@ github_auth_client_secret: dummydummydummy
 github_auth_organizations: [org1, org2]
 github_auth_teams: [org3/team1, org3/team2]
 github_auth_users: []
+elb_protocol: "https"
+elb_port: 443
+custom_external_domain_name: "some.where"
+ssl_certificate_arn: "arn://dummydummy"
 `,
 		expectedConfig: Config{
-			Region:                  "ap-northeast-1",
-			KeyName:                 "cw_kuoka",
-			SubnetIds:               []string{"subnet-11111914", "subnet-2222fc48"},
-			AccessibleCIDRS:         "123.123.234.234/32,234.234.234.234/32",
-			GithubAuthClientId:      "dummydummy",
-			GithubAuthClientSecret:  "dummydummydummy",
-			GithubAuthOrganizations: []string{"org1", "org2"},
-			GithubAuthTeams:         []string{"org3/team1", "org3/team2"},
-			GithubAuthUsers:         []string{},
+			Region:                   "ap-northeast-1",
+			KeyName:                  "cw_kuoka",
+			SubnetIds:                []string{"subnet-11111914", "subnet-2222fc48"},
+			AccessibleCIDRS:          "123.123.234.234/32,234.234.234.234/32",
+			ElbProtocol:              "https",
+			ElbPort:                  443,
+			CustomExternalDomainName: "some.where",
+			SSLCertificateArn:        "arn://dummydummy",
+			GithubAuthClientId:       "dummydummy",
+			GithubAuthClientSecret:   "dummydummydummy",
+			GithubAuthOrganizations:  []string{"org1", "org2"},
+			GithubAuthTeams:          []string{"org3/team1", "org3/team2"},
+			GithubAuthUsers:          []string{},
 		},
 	},
 }

diff --git a/main.tf b/main.tf
@@ -39,11 +39,10 @@ resource "aws_elb" "web-elb" {
 
   listener {
     instance_port = "${var.elb_listener_instance_port}"
-    # for intercept to function, make sure your load balancer is configured to do TCP or SSL forwarding, not HTTP or HTTPS.
-    # ref. https://concourse.ci/architecture.html
-    instance_protocol = "tcp"
+    instance_protocol = "http"
     lb_port = "${var.elb_listener_lb_port}"
-    lb_protocol = "tcp"
+    lb_protocol = "${var.elb_listener_lb_protocol}"
+    ssl_certificate_id = "${var.ssl_certificate_arn}"
   }
 
   listener {
@@ -60,7 +59,6 @@ resource "aws_elb" "web-elb" {
     target = "TCP:${var.elb_listener_instance_port}"
     interval = 30
   }
-
 }
 
 resource "aws_autoscaling_group" "web-asg" {
@@ -163,7 +161,7 @@ resource "template_file" "start_concourse_web" {
     tsa_host_key = "${file("${path.module}/${var.tsa_host_key}")}"
     tsa_authorized_keys = "${file("${path.module}/${var.tsa_authorized_keys}")}"
     postgres_data_source = "postgres://${var.db_username}:${var.db_password}@${aws_db_instance.default.endpoint}/concourse"
-    external_url = "http://${aws_elb.web-elb.dns_name}"
+    external_url = "${var.elb_listener_lb_protocol}://${element(split(",","${aws_elb.web-elb.dns_name},${var.custom_external_domain_name}"), var.use_custom_external_domain_name)}${element(split(",",",:${var.elb_listener_lb_port}"), var.use_custom_elb_port)}"
     basic_auth_username = "${var.basic_auth_username}"
     basic_auth_password = "${var.basic_auth_password}"
     github_auth_client_id = "${var.github_auth_client_id}"
@@ -256,12 +254,12 @@ resource "aws_security_group" "atc" {
   vpc_id = "${var.vpc_id}"
 
   # HTTP access from a specific CIDRS
-  ingress {
-    from_port = "${var.elb_listener_instance_port}"
-    to_port = "${var.elb_listener_instance_port}"
-    protocol = "tcp"
-    cidr_blocks = [ "${split(",", var.in_access_allowed_cidrs)}" ]
-  }
+#  ingress {
+#    from_port = "${var.elb_listener_instance_port}"
+#    to_port = "${var.elb_listener_instance_port}"
+#    protocol = "tcp"
+#    cidr_blocks = [ "${split(",", var.in_access_allowed_cidrs)}" ]
+#  }
 
   lifecycle {
     create_before_destroy = true

diff --git a/outputs.tf b/outputs.tf
@@ -1,3 +1,7 @@
-output "concourse_web_dns_name" {
+output "concourse_web_endpoint" {
+  value = "${template_file.start_concourse_web.vars.external_url}"
+}
+
+output "concourse_web_elb_dns_name" {
   value = "${aws_elb.web-elb.dns_name}"
 }
diff --git a/variables.tf b/variables.tf
@@ -60,6 +60,14 @@ variable "elb_listener_lb_port" {
   default = "80"
 }
 
+variable "use_custom_elb_port" {
+  default = 0
+}
+
+variable "elb_listener_lb_protocol" {
+  default = "http"
+}
+
 variable "elb_listener_instance_port" {
   description = ""
   default = "8080"
@@ -149,3 +157,16 @@ variable "github_auth_teams" {
 variable "github_auth_users" {
   default = ""
 }
+
+variable "custom_external_domain_name" {
+  default = ""
+  description ="don't include http[s]://"
+}
+
+variable "use_custom_external_domain_name" {
+  default = 0
+}
+
+variable "ssl_certificate_arn" {
+  default = ""
+}