blackhole non-roleypoly traffic

terraform/cloudflare-origin-cert.tf

@@ -14,7 +14,7 @@ resource "tls_cert_request" "web_csr" {
 
 resource "cloudflare_origin_ca_certificate" "web" {
   csr                = tls_cert_request.web_csr.cert_request_pem
-  hostnames          = ["web-${var.environment_tag}.roleypoly.com"]
+  hostnames          = var.ui_hostnames
   request_type       = "origin-rsa"
   requested_validity = 365 * 15
 }

terraform/variables.tf

@@ -41,6 +41,11 @@ variable "ui_public_uri" {
   description = "UI Public Base Path"
 }
 
+variable "ui_hostnames" {
+  type        = list(string)
+  description = "Hostnames to allow web UI requests from, e.g. roleypoly.com, web-prod.roleypoly.com"
+}
+
 variable "api_public_uri" {
   type        = string
   description = "API Public Base Path"

terraform/variables/prod.tfvars

@@ -10,4 +10,8 @@ ui_regions = [
   "asia-southeast1"
 ]
 deploy_bot        = true
-bot_instance_size = "e2-micro"
+bot_instance_size = "e2-micro"
+ui_hostnames = [
+  "next.roleypoly.com",
+  "web-prod.roleypoly.com"
+]

terraform/variables/stage.tfvars

@@ -2,5 +2,9 @@ environment_tag = "stage"
 ui_regions = [
   "us-east4"
 ]
-deploy_bot        = true
+deploy_bot        = false
 bot_instance_size = "f1-micro"
+ui_hostnames = [
+  "stage.roleypoly.com",
+  "web-stage.roleypoly.com"
+]

terraform/weblb.tf

@@ -2,7 +2,23 @@
 resource "google_compute_url_map" "web_lb" {
   name = "lb-um-web-${var.environment_tag}"
 
-  default_service = google_compute_backend_service.web_lb.id
+  host_rule {
+    hosts        = var.ui_hostnames
+    path_matcher = "web"
+  }
+
+  path_matcher {
+    name            = "web"
+    default_service = google_compute_backend_service.web_lb.id
+  }
+
+  // Blackhole. No addresses will ever be this, and hosts without IPv6 will fail regardless.
+  // Not matching the host_rule should be seen as treason.
+  default_url_redirect {
+    host_redirect = "[100::]"
+    path_redirect = "/"
+    strip_query   = true
+  }
 }
 
 // Regional load balancer
@@ -67,20 +83,28 @@ resource "google_compute_global_forwarding_rule" "web_lb-ipv6" {
 }
 
 // Cloudflare DNS records
+
+locals {
+  // for web-example.roleypoly.com, grab the .roleypoly.com. This may break for .co.uk, etc, so don't use that. :) 
+  uiDNSReplace = regex("/\\.[a-z0-9-]+\\.[a-z\\.]+$/", var.ui_hostnames[0])
+}
+
 resource "cloudflare_record" "web-ipv4" {
-  zone_id = var.cloudflare_zone_id
-  name    = "web-${var.environment_tag}"
-  type    = "A"
-  value   = google_compute_global_forwarding_rule.web_lb-ipv4.ip_address
-  proxied = true
+  for_each = toset(var.ui_hostnames)
+  zone_id  = var.cloudflare_zone_id
+  name     = replace(each.value, uiDNSReplace, "")
+  type     = "A"
+  value    = google_compute_global_forwarding_rule.web_lb-ipv4.ip_address
+  proxied  = true
 }
 
 resource "cloudflare_record" "web-ipv6" {
-  zone_id = var.cloudflare_zone_id
-  name    = "web-${var.environment_tag}"
-  type    = "AAAA"
-  value   = google_compute_global_forwarding_rule.web_lb-ipv6.ip_address
-  proxied = true
+  for_each = toset(var.ui_hostnames)
+  zone_id  = var.cloudflare_zone_id
+  name     = replace(each.value, uiDNSReplace, "")
+  type     = "AAAA"
+  value    = google_compute_global_forwarding_rule.web_lb-ipv6.ip_address
+  proxied  = true
 }
 
 // Regional groups so the backend service knows what it can route to for a given region

terraform/workers.tf

@@ -39,6 +39,11 @@ resource "cloudflare_worker_script" "backend" {
     text = var.bot_client_secret
   }
 
+  secret_text_binding {
+    name = "BOT_TOKEN"
+    text = var.bot_token
+  }
+
   plain_text_binding {
     name = "UI_PUBLIC_URI"
     text = var.ui_public_uri