cloud-gov / cf-cdn-service-broker

A Cloud Foundry service broker for CloudFront and Let's Encrypt

[WIP] - Create Distribution after getting certs #115

Closed bengerman13 closed 5 years ago

bengerman13 commented 5 years ago

(WIP while I work on updating the tests and documentation to match the new behavior) CloudFront now requires us to present valid, trusted certificates for a domain before we can create a distribution that uses that domain.

Currently, the workflow works like this:

  1. user requests an instance of CDN broker
  2. cdn-broker processes the initial request all in one step:
     i. cdn-broker creates a user for interacting with LetsEncrypt and persists the user information to the database in the user_data table
     ii. cdn-broker creates a request for a certificate to LetsEncrypt
     iii. cdn-broker creates the CloudFront Distribution
     iv. cdn-broker sets the status to provisioning
     v. cdn-broker persists the following fields to the routes table:
        • status (State)
        • cloudfront domain name (DomainInternal)
        • customer domain name(s) (DomainExternal)
        • origin domain name (Origin)
        • whether the origin is http or https (InsecureOrigin)
        • the path to use with the origin (Path)
        • the cloudfront distribution identifier (DistId)
        • reference to the user_data entry
  3. cdn-broker starts polling to see if the cert is available from LetsEncrypt
  4. the user checks the status of the cdn-broker to get DNS instructions for LetsEncrypt challenge
  5. the user creates a TXT record per the challenge instructions
  6. cdn-broker successfully gets a certificate from LetsEncrypt
  7. cdn-broker publishes the certificate to IAM and persists the metadata to the certificates table and associates the certificate to the route in the routes table
  8. cdn-broker updates the CloudFront distribution with the certificate and sets the status to provisioned

This changes the workflow to:

  1. user requests an instance of CDN broker
  2. cdn-broker processes the initial request:
     i. cdn-broker creates a user for interacting with LetsEncrypt and persists the user information to the database in the user_data table
     ii. cdn-broker creates a request for a certificate to LetsEncrypt
     iii. cdn-broker persists the following fields to the routes table:
        • status (State)
        • customer domain name(s) (DomainExternal)
        • origin domain name (Origin)
        • whether the origin is http or https (InsecureOrigin)
        • the path to use with the origin (Path)
        • whether or not to forward cookies (ForwardCookies)
        • the reference to the user_data, as well as publishing the tags to the new tags table and the headers to the new headers table, each with references back to the route entry
  3. cdn-broker starts polling to see if the cert is available from LetsEncrypt and if the CloudFront distribution is deployed
  4. the user checks the status of the cdn-broker to get DNS instructions for LetsEncrypt challenge
  5. the user creates a TXT record per the challenge instructions
  6. cdn-broker successfully gets a certificate from LetsEncrypt
  7. cdn-broker persists the certificate to IAM and the certificate table and associates the certificate to the route in the routes table
  8. cdn-broker creates the distribution in CloudFront and persists the CloudFront domain name and distribution identifier to the routes table
  9. cdn-broker sees status of the distribution in CloudFront change to deployed and sets the service status to provisioned
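The ordering this PR introduces (certificate persisted first, distribution created only afterwards, then deployment polled), as an added Go example that is not the broker's own code. The State values, the CertARN field, and the CertSource and CDN interfaces are assumed stand-ins for the LetsEncrypt and CloudFront clients.

```go
package main

// State mirrors the routes-table State column in the PR (value names assumed).
type State string
const Provisioning, Provisioned State = "provisioning", "provisioned"

// Route carries the routes-table fields the PR lists; CertARN is the IAM certificate reference.
type Route struct {
	DomainExternal, Origin, DomainInternal, DistId, CertARN string
	State                                                  State
}
// CertSource stands in for polling LetsEncrypt; ok stays false while the DNS challenge is pending.
type CertSource interface {
	Fetch(domain string) (arn string, ok bool, err error)
}
// CDN stands in for CloudFront: Create requires a trusted certificate, Deployed is polled afterwards.
type CDN interface {
	Create(domain, origin, certARN string) (distId, domainInternal string, err error)
	Deployed(distId string) (bool, error)
}

// Poll advances one route by a single tick of the broker's polling loop (steps 6 to 9).
// CDN.Create is unreachable until a certificate ARN has been persisted on the route.
func Poll(r *Route, certs CertSource, cdn CDN) error {
	switch {
	case r.State == Provisioned:
		return nil // nothing left to do
	case r.CertARN == "": // steps 6 and 7: wait for the certificate, then persist it
		arn, ok, err := certs.Fetch(r.DomainExternal)
		if err != nil {
			return err // route stays provisioning; the next tick retries
		}
		if ok {
			r.CertARN = arn
		}
	case r.DistId == "": // step 8: create the distribution with the trusted cert
		id, dom, err := cdn.Create(r.DomainExternal, r.Origin, r.CertARN)
		if err != nil {
			return err
		}
		r.DistId, r.DomainInternal = id, dom
	default: // step 9: wait for CloudFront to report the distribution deployed
		if done, err := cdn.Deployed(r.DistId); err != nil {
			return err
		} else if done {
			r.State = Provisioned
		}
	}
	return nil
}
```

Because each tick only inspects the persisted route fields, a broker restart between ticks resumes at the right step without re-requesting a certificate or creating a second distribution.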
bengerman13 commented 5 years ago

Closing this in favor of #116