feat: add alternative domains for oonith_service (#43)

This diff allows adding alternative domains which point to
`oonith_service`.

---------

Co-authored-by: Arturo Filastò <[email protected]>

tf/environments/dev/main.tf

@@ -531,6 +531,12 @@ module "oonith_oohelperd" {
     module.oonith_cluster.web_security_group_id
   ]
 
+  // Note: Since we do not have a dns zone for ooni org, we test on io domains here
+  alternative_names = {
+    "5.th.dev.ooni.io" = local.dns_zone_ooni_io,
+    "6.th.dev.ooni.io" = local.dns_zone_ooni_io,
+  }
+
   tags = merge(
     local.tags,
     { Name = "ooni-tier0-oohelperd" }

tf/environments/prod/main.tf

@@ -535,6 +535,11 @@ module "oonith_oohelperd" {
     PROMETHEUS_METRICS_PASSWORD = aws_secretsmanager_secret_version.prometheus_metrics_password.arn
   }
 
+  alternative_names = {
+    "5.th.ooni.org" = local.dns_root_zone_ooni_org,
+    "6.th.ooni.org" = local.dns_root_zone_ooni_org,
+  }
+
   oonith_service_security_groups = [
     module.oonith_cluster.web_security_group_id
   ]

tf/modules/oonith_service/main.tf

@@ -55,7 +55,6 @@ resource "aws_ecs_task_definition" "oonith_service" {
         jsondecode(data.aws_ecs_task_definition.oonith_service_current.0.task_definition).ContainerDefinitions[0].image,
         var.default_docker_image_url
       ),
-      image  = var.default_docker_image_url,
       memory = var.task_memory,
       name   = local.name,
       portMappings = [
@@ -189,6 +188,8 @@ resource "aws_acm_certificate" "oonith_service" {
   domain_name       = "${var.service_name}.th.${var.stage}.ooni.io"
   validation_method = "DNS"
 
+  subject_alternative_names = keys(var.alternative_names)
+
   tags = var.tags
 
   lifecycle {
@@ -202,6 +203,7 @@ resource "aws_route53_record" "oonith_service_validation" {
       name   = dvo.resource_record_name
       record = dvo.resource_record_value
       type   = dvo.resource_record_type
+      domain_name = dvo.domain_name
     }
   }
 
@@ -210,13 +212,28 @@ resource "aws_route53_record" "oonith_service_validation" {
   records         = [each.value.record]
   ttl             = 60
   type            = each.value.type
-  zone_id         = var.dns_zone_ooni_io
+  zone_id         = lookup(var.alternative_names,each.value.domain_name,var.dns_zone_ooni_io)
 }
 
 resource "aws_acm_certificate_validation" "oonith_service" {
   certificate_arn         = aws_acm_certificate.oonith_service.arn
   validation_record_fqdns = [for record in aws_route53_record.oonith_service_validation : record.fqdn]
   depends_on = [
-    aws_route53_record.oonith_service
+    aws_route53_record.oonith_service,
+    aws_route53_record.oonith_service_alias
   ]
 }
+
+resource "aws_route53_record" "oonith_service_alias" {
+  for_each = var.alternative_names
+
+  zone_id = each.value
+  name    = each.key
+  type    = "A"
+
+  alias {
+    name                   = aws_alb.oonith_service.dns_name
+    zone_id                = aws_alb.oonith_service.zone_id
+    evaluate_target_health = true
+  }
+}

tf/modules/oonith_service/variables.tf

@@ -48,6 +48,11 @@ variable "dns_zone_ooni_io" {
   description = "id of the DNS zone for ooni_io"
 }
 
+variable "dns_zone_ooni_org" {
+  description = "id of the DNS zone for ooni_org"
+  default     = ""
+}
+
 variable "default_docker_image_url" {
   description = "the url to the default docker image unless there is one already defined in the task definition"
 }
@@ -73,4 +78,10 @@ variable "oonith_service_security_groups" {
 
 variable "first_run" {
   default = false
-}
+}
+
+variable "alternative_names" {
+  description = "mapping of alternative domain names to zone_id. the domain name should be a fqdn that's in the zone_id being passed, otherwise it will be treated as a label"
+  type = map(string)
+  default = {}
+}