feat(corp/ops): initial hosting bucket & TLS configuration

Doesn't actually have bucket serving or access configuration yet, one
step at a time!

Change-Id: I0ce9b3b077252395bd807fad44cbdca40cdeac49
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8649
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
This commit is contained in:
Vincent Ambo 2023-05-26 18:19:45 +03:00 committed by tazjin
parent d419b81ef7
commit 9c7da22e5b
2 changed files with 52 additions and 7 deletions

View file

@ -55,13 +55,6 @@ resource "yandex_storage_bucket" "tf_state" {
bucket = "su-tvl-terraform-state"
}
resource "yandex_dns_zone" "russiaishiring_com" {
name = "russiaishiring-com"
zone = "russiaishiring.com."
public = true
folder_id = local.rih_folder_id
}
# Secret management configuration
resource "yandex_kms_symmetric_key" "tvl_credentials_key" {

52
corp/ops/yandex/rih.tf Normal file
View file

@ -0,0 +1,52 @@
# Deployment configuration for russiaishiring.com
#
# The frontend of the page is served from a storage bucket, the
# backend runs in a container.
resource "yandex_dns_zone" "russiaishiring_com" {
name = "russiaishiring-com"
zone = "russiaishiring.com."
public = true
folder_id = local.rih_folder_id
}
resource "yandex_iam_service_account" "rih_storage_sa" {
name = "rih-storage-sa"
folder_id = local.rih_folder_id
}
resource "yandex_resourcemanager_folder_iam_member" "rih_sa_storage_editor" {
folder_id = local.rih_folder_id
role = "storage.editor"
member = "serviceAccount:${yandex_iam_service_account.rih_storage_sa.id}"
}
resource "yandex_iam_service_account_static_access_key" "rih_sa_static_key" {
service_account_id = yandex_iam_service_account.rih_storage_sa.id
description = "RIH bucket access key"
}
resource "yandex_storage_bucket" "rih_storage_bucket" {
access_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.access_key
secret_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.secret_key
bucket = "russiaishiring.com"
folder_id = local.rih_folder_id
}
resource "yandex_cm_certificate" "russiaishiring_com" {
folder_id = local.rih_folder_id
name = "russiaishiring-com"
domains = ["russiaishiring.com"]
managed {
challenge_type = "DNS_CNAME"
}
}
resource "yandex_dns_recordset" "acme_russiaishiring_com" {
zone_id = yandex_dns_zone.russiaishiring_com.id
name = yandex_cm_certificate.russiaishiring_com.challenges[0].dns_name
type = yandex_cm_certificate.russiaishiring_com.challenges[0].dns_type
data = [yandex_cm_certificate.russiaishiring_com.challenges[0].dns_value]
ttl = 60
}