(WIP while I work on updating the tests and documentation to match the new behavior)

CloudFront now requires us to present valid, trusted certificates for a domain before we can create a distribution that uses that domain.

Currently, the workflow works like this:

1. user requests an instance of CDN broker
2. cdn-broker processes the initial request all in one step:
   i. cdn-broker creates a user for interacting with LetsEncrypt and persists the user information to the database in the `user_data` table
   ii. cdn-broker creates a request for a certificate to LetsEncrypt
   iii. cdn-broker creates the CloudFront Distribution
   iv. cdn-broker sets the status to `provisioning`
   v. cdn-broker persists the following fields to the `routes` table
      - status (`State`)
      - cloudfront domain name (`DomainInternal`)
      - customer domain name(s) (`DomainExternal`)
      - origin domain name (`Origin`)
      - whether the origin is http or https (`InsecureOrigin`)
      - the path to use with the origin (`Path`)
      - the cloudfront distribution identifier (`DistId`)
      - reference to the `user_data` entry
3. cdn-broker starts polling to see if the cert is available from LetsEncrypt
4. the user checks the status of the cdn-broker to get DNS instructions for the LetsEncrypt challenge
5. the user creates a TXT record per the challenge instructions
6. cdn-broker successfully gets a certificate from LetsEncrypt
7. cdn-broker publishes the certificate to IAM and persists the metadata to the `certificates` table and associates the certificate to the route in the `routes` table
8. cdn-broker updates the CloudFront distribution with the certificate and sets the status to `provisioned`
This changes the workflow to:

1. user requests an instance of CDN broker
2. cdn-broker processes the initial request:
   i. cdn-broker creates a user for interacting with LetsEncrypt and persists the user information to the database in the `user_data` table
   ii. cdn-broker creates a request for a certificate to LetsEncrypt
   iii. cdn-broker persists the following fields to the `routes` table:
      - status (`State`)
      - customer domain name(s) (`DomainExternal`)
      - origin domain name (`Origin`)
      - whether the origin is http or https (`InsecureOrigin`)
      - the path to use with the origin (`Path`)
      - whether or not to forward cookies (`ForwardCookies`)
      - the reference to the `user_data` entry

      as well as publishing the tags to the new `tags` table and the headers to the new `headers` table, each with references back to the route entry
3. cdn-broker starts polling to see if the cert is available from LetsEncrypt and if the CloudFront distribution is deployed
4. the user checks the status of the cdn-broker to get DNS instructions for the LetsEncrypt challenge
5. the user creates a TXT record per the challenge instructions
6. cdn-broker successfully gets a certificate from LetsEncrypt
7. cdn-broker persists the certificate to IAM and the `certificates` table and associates the certificate to the route in the `routes` table
8. cdn-broker creates the distribution in CloudFront and persists the CloudFront domain name and distribution identifier to the `routes` table
9. cdn-broker sees the status of the distribution in CloudFront change to `deployed` and sets the service status to `provisioned`
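The reordered polling loop, as an added illustration rather than code from this PR or the broker itself: one `Poll` call advances a route one step, and a distribution is only ever created once a certificate for the domain exists. The `Backends` interface and `FakeBackends` are hypothetical stand-ins for LetsEncrypt and CloudFront, and the domains and identifiers are constructed placeholders.

```go
package main

import "fmt"

// Route holds the fields the broker persists to the routes table (names from the PR).
type Route struct {
	State, DomainExternal, Origin  string
	CertId, DistId, DomainInternal string // filled in as provisioning advances
}

// Backends stands in for LetsEncrypt and CloudFront (hypothetical interface, not the broker's).
type Backends interface {
	CertReady(domain string) (certID string, ok bool)
	CreateDistribution(domain, certID string) (distID, cfDomain string)
	DistributionDeployed(distID string) bool
}

// Poll runs one iteration of the new polling loop and returns the resulting State.
// Order enforced: certificate first, then distribution, then wait for deployment.
func Poll(r *Route, b Backends) string {
	switch {
	case r.State == "provisioned": // nothing left to do
	case r.CertId == "":
		if id, ok := b.CertReady(r.DomainExternal); ok {
			r.CertId = id // cert issued: persisted to IAM and the certificates table
		}
	case r.DistId == "":
		// Only reached with a trusted cert in hand, as CloudFront now requires.
		r.DistId, r.DomainInternal = b.CreateDistribution(r.DomainExternal, r.CertId)
	case b.DistributionDeployed(r.DistId):
		r.State = "provisioned"
	}
	return r.State
}

// FakeBackends is a constructed stand-in: the cert appears on poll number CertAfter
// (after the user has set the TXT record) and the distribution deploys once created.
type FakeBackends struct{ CertAfter, polls int; created bool }

func (f *FakeBackends) CertReady(string) (string, bool) {
	f.polls++
	return "cert-placeholder", f.polls >= f.CertAfter
}
func (f *FakeBackends) CreateDistribution(string, string) (string, string) {
	f.created = true
	return "DIST-PLACEHOLDER", "example.cloudfront.net" // constructed values
}
func (f *FakeBackends) DistributionDeployed(string) bool { return f.created }

func main() {
	r := &Route{State: "provisioning", DomainExternal: "www.example.gov", Origin: "app.example.gov"}
	b := &FakeBackends{CertAfter: 2}
	for i := 0; r.State != "provisioned"; i++ {
		fmt.Printf("poll %d: state=%s cert=%q dist=%q\n", i, Poll(r, b), r.CertId, r.DistId)
	}
}
```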