Merge branch 'feat/blackhole-non-rp-traffic' into main

terraform/cloudflare-origin-cert.tf

@@ -14,7 +14,7 @@ resource "tls_cert_request" "web_csr" {
 
 resource "cloudflare_origin_ca_certificate" "web" {
   csr                = tls_cert_request.web_csr.cert_request_pem
-  hostnames          = ["web-${var.environment_tag}.roleypoly.com"]
+  hostnames          = var.ui_hostnames
   request_type       = "origin-rsa"
   requested_validity = 365 * 15
 }

terraform/variables.tf

@@ -41,6 +41,11 @@ variable "ui_public_uri" {
   description = "UI Public Base Path"
 }
 
+variable "ui_hostnames" {
+  type        = list(string)
+  description = "Hostnames to allow web UI requests from, e.g. roleypoly.com, web-prod.roleypoly.com"
+}
+
 variable "api_public_uri" {
   type        = string
   description = "API Public Base Path"

terraform/variables/prod.tfvars

@@ -11,3 +11,7 @@ ui_regions = [
 ]
 deploy_bot        = true
 bot_instance_size = "e2-micro"
+ui_hostnames = [
+  "next.roleypoly.com",
+  "web-prod.roleypoly.com"
+]

terraform/variables/stage.tfvars

@@ -2,5 +2,9 @@ environment_tag = "stage"
 ui_regions = [
   "us-east4"
 ]
-deploy_bot        = true
+deploy_bot        = false
 bot_instance_size = "f1-micro"
+ui_hostnames = [
+  "stage.roleypoly.com",
+  "web-stage.roleypoly.com"
+]

terraform/weblb.tf

@@ -2,9 +2,25 @@
 resource "google_compute_url_map" "web_lb" {
   name = "lb-um-web-${var.environment_tag}"
 
+  host_rule {
+    hosts        = var.ui_hostnames
+    path_matcher = "web"
+  }
+
+  path_matcher {
+    name            = "web"
     default_service = google_compute_backend_service.web_lb.id
   }
 
+  // Blackhole. No addresses will ever be this, and hosts without IPv6 will fail regardless.
+  // Not matching the host_rule should be seen as treason.
+  default_url_redirect {
+    host_redirect = "[100::]"
+    path_redirect = "/"
+    strip_query   = true
+  }
+}
+
 // Regional load balancer
 resource "google_compute_backend_service" "web_lb" {
   name = "lb-rbes-web-${var.environment_tag}"
@@ -67,17 +83,25 @@ resource "google_compute_global_forwarding_rule" "web_lb-ipv6" {
 }
 
 // Cloudflare DNS records
+
+locals {
+  // for web-example.roleypoly.com, grab the .roleypoly.com. This may break for .co.uk, etc, so don't use that. :) 
+  uiDNSReplace = regex("/\\.[a-z0-9-]+\\.[a-z\\.]+$/", var.ui_hostnames[0])
+}
+
 resource "cloudflare_record" "web-ipv4" {
+  for_each = toset(var.ui_hostnames)
   zone_id  = var.cloudflare_zone_id
-  name    = "web-${var.environment_tag}"
+  name     = replace(each.value, uiDNSReplace, "")
   type     = "A"
   value    = google_compute_global_forwarding_rule.web_lb-ipv4.ip_address
   proxied  = true
 }
 
 resource "cloudflare_record" "web-ipv6" {
+  for_each = toset(var.ui_hostnames)
   zone_id  = var.cloudflare_zone_id
-  name    = "web-${var.environment_tag}"
+  name     = replace(each.value, uiDNSReplace, "")
   type     = "AAAA"
   value    = google_compute_global_forwarding_rule.web_lb-ipv6.ip_address
   proxied  = true