standalone domains for dev/staging (#7009)

Author: dotansimha

deployment/index.ts

@@ -234,22 +234,28 @@ const hiveConfigSecret = new ServiceSecret('hive-config-secret', {
   usageAccessToken: hiveConfig.requireSecret('cliAccessToken'),
 });
 
-const publishGraphQLSchemaCommand = publishGraphQLSchema({
-  graphql,
-  registry: {
-    endpoint: `https://${environment.appDns}/registry`,
-    accessToken: hiveConfigSecret.raw.usageAccessToken,
-    target: hiveConfig.require('target'),
-  },
-  version: {
-    commit: imagesTag,
-  },
-  schemaPath: graphqlSchemaAbsolutePath,
-});
+// You can change this to `false` in cases when you don't want to publish commands.
+// For example, if the entire env is down or if you are having SSL issues.
+const RUN_PUBLISH_COMMANDS: boolean = true;
+
+const publishGraphQLSchemaCommand = RUN_PUBLISH_COMMANDS
+  ? publishGraphQLSchema({
+      graphql,
+      registry: {
+        endpoint: `https://${environment.appDns}/registry`,
+        accessToken: hiveConfigSecret.raw.usageAccessToken,
+        target: hiveConfig.require('target'),
+      },
+      version: {
+        commit: imagesTag,
+      },
+      schemaPath: graphqlSchemaAbsolutePath,
+    })
+  : null;
 
 let publishAppDeploymentCommand: pulumi.Resource | undefined;
 
-if (hiveAppPersistedDocumentsAbsolutePath) {
+if (hiveAppPersistedDocumentsAbsolutePath && RUN_PUBLISH_COMMANDS) {
   publishAppDeploymentCommand = publishAppDeployment({
     appName: 'hive-app',
     registry: {
@@ -268,7 +274,7 @@ if (hiveAppPersistedDocumentsAbsolutePath) {
           dockerSecret: docker.secret,
         },
     // We need to wait until the new GraphQL schema is published before we can publish the app deployment.
-    dependsOn: [publishGraphQLSchemaCommand],
+    dependsOn: publishGraphQLSchemaCommand ? [publishGraphQLSchemaCommand] : [],
   });
 }
 
@@ -316,18 +322,6 @@ deployCloudFlareSecurityTransform({
     '/api/github',
     '/api/slack',
   ],
-  ignoredHosts: [
-    // Ignore CSP for Production CDN
-    'cdn.graphql-hive.com',
-    // Staging
-    'staging.graphql-hive.com',
-    'app.staging.graphql-hive.com',
-    'cdn.staging.graphql-hive.com',
-    // Dev
-    'dev.graphql-hive.com',
-    'app.dev.graphql-hive.com',
-    'cdn.dev.graphql-hive.com',
-  ],
 });
 
 export const graphqlApiServiceId = graphql.service.id;

deployment/services/cf-broker.ts

@@ -26,12 +26,7 @@ export function deployCFBroker({
   const broker = new CloudflareBroker({
     envName: environment.envName,
     zoneId: cfConfig.require('zoneId'),
-    // We can't cdn for staging env, since CF certificate only covers
-    // one level of subdomains. See: https://community.cloudflare.com/t/ssl-handshake-error-cloudflare-proxy/175088
-    // So for staging env, we are going to use `broker-staging` instead of `broker.staging`.
-    cdnDnsRecord: environment.isProduction
-      ? `broker.${environment.rootDns}`
-      : `broker-${environment.rootDns}`,
+    cdnDnsRecord: `broker.${environment.rootDns}`,
     secretSignature: cfBrokerSignature,
     sentryDsn: sentry.enabled && sentry.secret ? sentry.secret.raw.dsn : '',
     release: environment.release,

deployment/services/cf-cdn.ts

@@ -31,9 +31,7 @@ export function deployCFCDN({
     // We can't cdn for staging env, since CF certificate only covers
     // one level of subdomains. See: https://community.cloudflare.com/t/ssl-handshake-error-cloudflare-proxy/175088
     // So for staging env, we are going to use `cdn-staging` instead of `cdn.staging`.
-    cdnDnsRecord: environment.isProduction
-      ? `cdn.${environment.rootDns}`
-      : `cdn-${environment.rootDns}`,
+    cdnDnsRecord: `cdn.${environment.rootDns}`,
     sentryDsn: sentry.enabled && sentry.secret ? sentry.secret?.raw.dsn : '',
     release: environment.release,
     s3,

deployment/services/cloudflare-security.ts

@@ -17,21 +17,11 @@ function toExpressionList(items: string[]): string {
 export function deployCloudFlareSecurityTransform(options: {
   environment: Environment;
   ignoredPaths: string[];
-  ignoredHosts: string[];
 }) {
-  // We deploy it only once, because CloudFlare is not super friendly for multiple deployments of "http_response_headers_transform" rules
-  // The single rule, deployed to prod, covers all other envs, and infers the hostname dynamically.
-  if (!options.environment.isProduction) {
-    console.warn(
-      `Skipped deploy security headers (see "cloudflare-security.ts") for env ${options.environment.envName}`,
-    );
-
-    return;
-  }
-
+  const ignoredHosts = [`cdn.${options.environment.rootDns}`];
   const expression = `not http.request.uri.path in { ${toExpressionList(
     options.ignoredPaths,
-  )} } and not http.host in { ${toExpressionList(options.ignoredHosts)} }`;
+  )} } and not http.host in { ${toExpressionList(ignoredHosts)} }`;
 
   // TODO: When Preflight PR is merged, we'll need to change this to build this host in a better way.
   const monacoCdnDynamicBasePath: `https://${string}/` = `https://cdn.jsdelivr.net/npm/monaco-editor@${monacoEditorVersion}/`;
@@ -57,7 +47,7 @@ export function deployCloudFlareSecurityTransform(options: {
   frame-src ${stripeHost} https://game.crisp.chat https://{DYNAMIC_HOST_PLACEHOLDER};
   style-src 'self' 'unsafe-inline' ${crispHost} fonts.googleapis.com rsms.me ${monacoCdnDynamicBasePath} ${monacoCdnStaticBasePath};
   script-src 'self' 'unsafe-eval' 'unsafe-inline' {DYNAMIC_HOST_PLACEHOLDER} ${monacoCdnDynamicBasePath} ${monacoCdnStaticBasePath} ${cspHosts};
-  connect-src 'self' * {DYNAMIC_HOST_PLACEHOLDER} ${cspHosts}; 
+  connect-src 'self' * {DYNAMIC_HOST_PLACEHOLDER} ${cspHosts};
   media-src ${crispHost};
   style-src-elem 'self' 'unsafe-inline' ${monacoCdnDynamicBasePath} ${monacoCdnStaticBasePath} fonts.googleapis.com rsms.me ${crispHost};
   font-src 'self' data: fonts.gstatic.com rsms.me ${monacoCdnDynamicBasePath} ${monacoCdnStaticBasePath} ${crispHost};
@@ -75,14 +65,14 @@ export function deployCloudFlareSecurityTransform(options: {
   return new cf.Ruleset('cloudflare-security-transform', {
     zoneId: cfConfig.require('zoneId'),
     description: 'Enforce security headers and CSP',
-    name: `Security Transform (all envs)`,
+    name: `Security Transform (${options.environment.envName})`,
     kind: 'zone',
     phase: 'http_response_headers_transform',
     rules: [
       {
         expression,
         enabled: true,
-        description: `Security Headers (all envs)`,
+        description: `Security Headers (${options.environment.envName})`,
         action: 'rewrite',
         actionParameters: {
           headers: [

deployment/utils/reverse-proxy.ts

@@ -76,7 +76,7 @@ export class Proxy {
   }
 
   registerService(
-    dns: { record: string; apex?: boolean },
+    dns: { record: string },
     routes: {
       name: string;
       path: string;
@@ -135,7 +135,7 @@ export class Proxy {
               secretName: dns.record,
             },
             corsPolicy: {
-              allowOrigin: ['https://app.graphql-hive.com', 'https://graphql-hive.com'],
+              allowOrigin: [`https://${dns.record}`],
               allowMethods: ['GET', 'POST', 'OPTIONS'],
               allowHeaders: ['*'],
               exposeHeaders: ['*'],