feat(aws): add custom domains for pulumi and terraform websites (#784)

Adds a cdn property to the `nitric/aws` and `nitric/awstf` stackfiles, allowing custom domain configuration for websites deployed to AWS. Custom domains require an existing DNS Hosted Zone in AWS Route 53.

Author: HomelessDinosaur

cloud/aws/common/config.go

@@ -28,6 +28,7 @@ type AwsApiConfig struct {
 }
 
 type AwsCdnConfig struct {
+	Domain                string
 	SkipCacheInvalidation bool `mapstructure:"skip-cache-invalidation"`
 }
 
@@ -110,6 +111,7 @@ var defaultAuroraRdsClusterConfig = &AuroraRdsClusterConfig{
 }
 
 var defaultCdnConfig = &AwsCdnConfig{
+	Domain:                "",
 	SkipCacheInvalidation: false,
 }
 

cloud/aws/common/resources/domain.go

@@ -0,0 +1,124 @@
+// Copyright 2021 Nitric Technologies Pty Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package resources
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/route53"
+)
+
+type ZoneLookup struct {
+	// The domain that matched the Hosted Zone lookup
+	Domain string
+	// The Hosted Zone ID
+	ZoneID string
+	// If the zone matched the domain (false) or matched the parent (true)
+	IsParent bool
+}
+
+func GetARecordLabel(zoneLookup *ZoneLookup) string {
+	if !zoneLookup.IsParent {
+		return ""
+	}
+
+	return getSubdomainLabel(zoneLookup.Domain)
+}
+
+func getSubdomainLabel(domain string) string {
+	domainParts := strings.Split(domain, ".")
+	if len(domainParts) > 2 {
+		return domainParts[0]
+	}
+
+	return ""
+}
+
+func GetZoneID(domainName string) (*ZoneLookup, error) {
+	zoneIds := GetZoneIDs([]string{domainName})
+	if zoneIds[domainName] == nil {
+		return nil, fmt.Errorf("zone ID not found for domain name: %s", domainName)
+	}
+
+	return zoneIds[domainName], nil
+}
+
+func GetZoneIDs(domainNames []string) map[string]*ZoneLookup {
+	ctx := context.TODO()
+
+	cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion("us-west-2"))
+	if err != nil {
+		return nil
+	}
+
+	client := route53.NewFromConfig(cfg)
+
+	zoneMap := make(map[string]*ZoneLookup)
+
+	normalizedDomains := make(map[string]string)
+	for _, d := range domainNames {
+		d = strings.ToLower(strings.TrimSuffix(d, "."))
+		normalizedDomains[d] = d + "."
+	}
+
+	paginator := route53.NewListHostedZonesPaginator(client, &route53.ListHostedZonesInput{})
+	hostedZones := make(map[string]string) // map of zone name -> zone ID
+
+	for paginator.HasMorePages() {
+		page, err := paginator.NextPage(ctx)
+		if err != nil {
+			return nil
+		}
+
+		for _, hz := range page.HostedZones {
+			name := strings.ToLower(strings.TrimSuffix(*hz.Name, "."))
+			hostedZones[name] = strings.TrimPrefix(*hz.Id, "/hostedzone/")
+		}
+	}
+
+	// Resolve each domain name
+	for domain, normalized := range normalizedDomains {
+		// Check full domain
+		if id, ok := hostedZones[strings.TrimSuffix(normalized, ".")]; ok {
+			zoneMap[domain] = &ZoneLookup{
+				Domain:   domain,
+				ZoneID:   id,
+				IsParent: false,
+			}
+			continue
+		}
+
+		// Try parent/root domain
+		parts := strings.Split(domain, ".")
+		if len(parts) > 2 {
+			root := strings.Join(parts[1:], ".")
+			if id, ok := hostedZones[root]; ok {
+				zoneMap[domain] = &ZoneLookup{
+					Domain:   domain,
+					ZoneID:   id,
+					IsParent: true,
+				}
+				continue
+			}
+		}
+
+		zoneMap[domain] = nil
+	}
+
+	return zoneMap
+}

cloud/aws/deploy/api.go

@@ -21,12 +21,14 @@ import (
 	"fmt"
 
 	"github.com/getkin/kin-openapi/openapi3"
+	common_domain "github.com/nitrictech/nitric/cloud/aws/common/resources"
 	"github.com/nitrictech/nitric/cloud/common/deploy/resources"
 	"github.com/nitrictech/nitric/cloud/common/deploy/tags"
 	"github.com/nitrictech/nitric/core/pkg/help"
 	deploymentspb "github.com/nitrictech/nitric/core/pkg/proto/deployments/v1"
 	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/apigatewayv2"
 	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/lambda"
+	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/route53"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
@@ -235,11 +237,7 @@ func (a *NitricAwsPulumiProvider) Api(ctx *pulumi.Context, parent pulumi.Resourc
 	if additionalApiConfig != nil {
 		// For each specified domain name
 		for _, domainName := range a.AwsConfig.Apis[name].Domains {
-			_, err := newDomainName(ctx, name, domainNameArgs{
-				domainName: domainName,
-				api:        a.Apis[name],
-				stage:      apiStage,
-			})
+			err = a.createApiDomainName(ctx, name, domainName, apiStage, a.Apis[name])
 			if err != nil {
 				return err
 			}
@@ -250,3 +248,56 @@ func (a *NitricAwsPulumiProvider) Api(ctx *pulumi.Context, parent pulumi.Resourc
 
 	return nil
 }
+
+func (a *NitricAwsPulumiProvider) createApiDomainName(ctx *pulumi.Context, name string, domainName string, stage *apigatewayv2.Stage, api *apigatewayv2.Api) error {
+	domain, err := a.newPulumiDomainName(ctx, domainName)
+	if err != nil {
+		return err
+	}
+
+	// Create a domain name if one has been requested
+	apiDomainName, err := apigatewayv2.NewDomainName(ctx, fmt.Sprintf("%s-%s", name, domainName), &apigatewayv2.DomainNameArgs{
+		DomainName: pulumi.String(domainName),
+		DomainNameConfiguration: &apigatewayv2.DomainNameDomainNameConfigurationArgs{
+			EndpointType:   pulumi.String("REGIONAL"),
+			SecurityPolicy: pulumi.String("TLS_1_2"),
+			CertificateArn: domain.CertificateValidation.CertificateArn,
+		},
+	})
+	if err != nil {
+		return err
+	}
+
+	// Create an API mapping for the new domain name
+	_, err = apigatewayv2.NewApiMapping(ctx, fmt.Sprintf("%s-%s", name, domainName), &apigatewayv2.ApiMappingArgs{
+		ApiId:      api.ID(),
+		DomainName: apiDomainName.DomainName,
+		Stage:      stage.Name,
+	}, pulumi.DependsOn([]pulumi.Resource{stage}))
+	if err != nil {
+		return err
+	}
+
+	subdomainName := common_domain.GetARecordLabel(domain.ZoneLookup)
+
+	// Create a DNS record for the domain name that maps to the APIs
+	// regional endpoint
+	_, err = route53.NewRecord(ctx, fmt.Sprintf("%s-%s-dnsrecord", name, domainName), &route53.RecordArgs{
+		ZoneId: pulumi.String(domain.ZoneLookup.ZoneID),
+		Type:   pulumi.String("A"),
+		Name:   pulumi.String(subdomainName),
+		Aliases: &route53.RecordAliasArray{
+			&route53.RecordAliasArgs{
+				// The target of the A record
+				Name:                 apiDomainName.DomainNameConfiguration.TargetDomainName().Elem(),
+				ZoneId:               apiDomainName.DomainNameConfiguration.HostedZoneId().Elem(),
+				EvaluateTargetHealth: pulumi.Bool(false),
+			},
+		},
+	}, pulumi.DependsOn([]pulumi.Resource{domain}))
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

cloud/aws/deploy/domain.go

@@ -18,61 +18,53 @@ package deploy
 
 import (
 	"fmt"
-	"strings"
 
+	awsprovider "github.com/pulumi/pulumi-aws/sdk/v5/go/aws"
+
+	"github.com/nitrictech/nitric/cloud/aws/common/resources"
 	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/acm"
-	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/apigatewayv2"
 	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/route53"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
-type domainNameArgs struct {
-	domainName string
-	api        *apigatewayv2.Api
-	stage      *apigatewayv2.Stage
-}
-
-type domainName struct {
+type Domain struct {
 	pulumi.ResourceState
 
-	Name string
+	Name                  string
+	ZoneLookup            *resources.ZoneLookup
+	CertificateValidation *acm.CertificateValidation
 }
 
-func newDomainName(ctx *pulumi.Context, name string, args domainNameArgs) (*domainName, error) {
-	domainParts := strings.Split(args.domainName, ".")
+func (a *NitricAwsPulumiProvider) newPulumiDomainName(ctx *pulumi.Context, domainName string) (*Domain, error) {
+	var err error
+	res := &Domain{Name: domainName}
 
-	res := &domainName{Name: name}
+	res.ZoneLookup, err = resources.GetZoneID(domainName)
+	if err != nil {
+		return nil, err
+	}
 
-	err := ctx.RegisterComponentResource("nitric:api:DomainName", fmt.Sprintf("%s-%s", name, args.domainName), res)
+	err = ctx.RegisterComponentResource("nitric:api:DomainName", fmt.Sprintf("%s-%s", domainName, a.StackId), res)
 	if err != nil {
 		return nil, err
 	}
 
 	defaultOptions := []pulumi.ResourceOption{pulumi.Parent(res)}
 
-	// Treat this domain as root by default
-	baseName := ""
-	// attempt to find hosted zone as the root domain name
-	hostedZone, err := route53.LookupZone(ctx, &route53.LookupZoneArgs{
-		// The name is the base name for the domain
-		Name: &args.domainName,
-	})
-	if err != nil {
-		// try by parent domain instead
-		parentDomain := strings.Join(domainParts[1:], ".")
-		hostedZone, err = route53.LookupZone(ctx, &route53.LookupZoneArgs{
-			// The name is the base name for the domain
-			Name: &parentDomain,
+	// Create an AWS provider for the us-east-1 region as the acm certificates require being deployed in us-east-1 region
+	if a.Region != "us-east-1" {
+		useast1, err := awsprovider.NewProvider(ctx, "us-east-1", &awsprovider.ProviderArgs{
+			Region: pulumi.String("us-east-1"),
 		})
 		if err != nil {
-			return nil, fmt.Errorf("unable to find Route53 hosted zone to create records in: %w", err)
+			return nil, err
 		}
 
-		baseName = domainParts[0]
+		defaultOptions = append(defaultOptions, pulumi.Provider(useast1))
 	}
 
-	cert, err := acm.NewCertificate(ctx, fmt.Sprintf("%s-%s-cert", name, args.domainName), &acm.CertificateArgs{
-		DomainName:       pulumi.String(args.domainName),
+	cert, err := acm.NewCertificate(ctx, fmt.Sprintf("cert-%s", a.StackId), &acm.CertificateArgs{
+		DomainName:       pulumi.String(domainName),
 		ValidationMethod: pulumi.String("DNS"),
 	}, defaultOptions...)
 	if err != nil {
@@ -83,7 +75,7 @@ func newDomainName(ctx *pulumi.Context, name string, args domainNameArgs) (*doma
 		return options[0]
 	})
 
-	certValidationDns, err := route53.NewRecord(ctx, fmt.Sprintf("%s-%s-certvalidationdns", name, args.domainName), &route53.RecordArgs{
+	cdnRecord, err := route53.NewRecord(ctx, fmt.Sprintf("cdn-record-%s", a.StackId), &route53.RecordArgs{
 		Name: domainValidationOption.ApplyT(func(option interface{}) string {
 			return *option.(acm.CertificateDomainValidationOption).ResourceRecordName
 		}).(pulumi.StringOutput),
@@ -96,58 +88,16 @@ func newDomainName(ctx *pulumi.Context, name string, args domainNameArgs) (*doma
 			}).(pulumi.StringOutput),
 		},
 		Ttl:    pulumi.Int(10 * 60),
-		ZoneId: pulumi.String(hostedZone.ZoneId),
-	}, defaultOptions...)
+		ZoneId: pulumi.String(res.ZoneLookup.ZoneID),
+	}, []pulumi.ResourceOption{pulumi.Parent(res)}...)
 	if err != nil {
 		return nil, err
 	}
 
-	certValidation, err := acm.NewCertificateValidation(ctx, fmt.Sprintf("%s-%s-certvalidation", name, args.domainName), &acm.CertificateValidationArgs{
+	res.CertificateValidation, err = acm.NewCertificateValidation(ctx, fmt.Sprintf("cert-validation-%s", a.StackId), &acm.CertificateValidationArgs{
 		CertificateArn: cert.Arn,
 		ValidationRecordFqdns: pulumi.StringArray{
-			certValidationDns.Fqdn,
-		},
-	}, defaultOptions...)
-	if err != nil {
-		return nil, err
-	}
-
-	// Create a domain name if one has been requested
-	apiDomainName, err := apigatewayv2.NewDomainName(ctx, fmt.Sprintf("%s-%s", name, args.domainName), &apigatewayv2.DomainNameArgs{
-		DomainName: pulumi.String(args.domainName),
-		DomainNameConfiguration: &apigatewayv2.DomainNameDomainNameConfigurationArgs{
-			EndpointType:   pulumi.String("REGIONAL"),
-			SecurityPolicy: pulumi.String("TLS_1_2"),
-			CertificateArn: certValidation.CertificateArn,
-		},
-	}, defaultOptions...)
-	if err != nil {
-		return nil, err
-	}
-
-	// Create an API mapping for the new domain name
-	_, err = apigatewayv2.NewApiMapping(ctx, fmt.Sprintf("%s-%s", name, args.domainName), &apigatewayv2.ApiMappingArgs{
-		ApiId:      args.api.ID(),
-		DomainName: apiDomainName.DomainName,
-		Stage:      args.stage.Name,
-	}, append(defaultOptions, pulumi.DependsOn([]pulumi.Resource{args.stage}))...)
-	if err != nil {
-		return nil, err
-	}
-
-	// Create a DNS record for the domain name that maps to the APIs
-	// regional endpoint
-	_, err = route53.NewRecord(ctx, fmt.Sprintf("%s-%s-dnsrecord", name, args.domainName), &route53.RecordArgs{
-		ZoneId: pulumi.String(hostedZone.ZoneId),
-		Type:   pulumi.String("A"),
-		Name:   pulumi.String(baseName),
-		Aliases: &route53.RecordAliasArray{
-			&route53.RecordAliasArgs{
-				// The target of the A record
-				Name:                 apiDomainName.DomainNameConfiguration.TargetDomainName().Elem(),
-				ZoneId:               apiDomainName.DomainNameConfiguration.HostedZoneId().Elem(),
-				EvaluateTargetHealth: pulumi.Bool(false),
-			},
+			cdnRecord.Fqdn,
 		},
 	}, defaultOptions...)
 	if err != nil {