
01/02: cdn: Add a distribution for ci.guix.gnu.org.


From: Chris Marusich
Subject: 01/02: cdn: Add a distribution for ci.guix.gnu.org.
Date: Wed, 1 May 2019 20:30:30 -0400 (EDT)

marusich pushed a commit to branch master
in repository maintenance.

commit c71c5286c123534fff8d213780d494f1394f5ecb
Author: Chris Marusich <address@hidden>
Date:   Sun Apr 28 23:01:05 2019 -0700

    cdn: Add a distribution for ci.guix.gnu.org.
    
    * cdn/terraform/cloudfront.tf (charlie-distribution): New resource.
    (charlie-distribution-id, charlie-distribution-enabled)
    (charlie-distribution-status, charlie-distribution-domain-name): New
    outputs.
---
 cdn/terraform/cloudfront.tf | 110 ++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 107 insertions(+), 3 deletions(-)

diff --git a/cdn/terraform/cloudfront.tf b/cdn/terraform/cloudfront.tf
index e2e519e..d9cadda 100644
--- a/cdn/terraform/cloudfront.tf
+++ b/cdn/terraform/cloudfront.tf
@@ -30,9 +30,9 @@ locals {
     max_ttl = 31536000 # 365 days
     min_ttl = 0
     target_origin_id = "berlin.guixsd.org"
-    # Before ci.guix.info pointed to this distribution, it allowed
-    # both HTTP and HTTPS.  We choose to maintain that policy here.
-    # In the future, we should consider changing this to "https-only".
+    # Historically, the build farm has allowed both HTTP and HTTPS.
+    # We choose to maintain that policy here.  In the future, we
+    # should consider changing this to "https-only".
     viewer_protocol_policy = "allow-all"
   }
   # Like the default behavior, but forward everything, and cache
@@ -160,3 +160,107 @@ output "berlin-mirror-status" {
 output "berlin-mirror-domain-name" {
   value = "${aws_cloudfront_distribution.berlin-mirror.domain_name}"
 }
+
+# We plan to migrate to ci.guix.gnu.org.  During the migration, we'll
+# need to have two distributions.  Since the name "berlin mirror"
+# is already taken, let's use something unique.  Since "C" comes after
+# "B", let's use the name "charlie".  B for berlin, C for charlie.
+
+resource "aws_cloudfront_distribution" "charlie-distribution" {
+  enabled = true
+  comment = "Distributed caching proxy for berlin.guixsd.org"
+  origin {
+    domain_name = "berlin.guixsd.org"
+    origin_id = "berlin.guixsd.org"
+    custom_origin_config {
+      http_port = 80 # Required, but not used.
+      https_port = 443
+      # Always use TLS when forwarding requests to the origin.
+      origin_protocol_policy = "https-only"
+      origin_ssl_protocols = ["TLSv1.2"]
+      origin_keepalive_timeout = 60
+      origin_read_timeout = 60
+    }
+  }
+  # The CNAME that will point to this CloudFront distribution.
+  aliases = ["ci.guix.gnu.org"]
+  is_ipv6_enabled = true
+  # This is actually the_maximum HTTP version to support. See:
+  # 
https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#http_version
+  http_version = "http2"
+  # Serve requests from all edge locations.
+  price_class = "PriceClass_All"
+  # Do not restrict access.
+  restrictions { geo_restriction { restriction_type = "none" }}
+  # When deleting the distribution, actually delete it.  See:
+  # 
https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#retain_on_delete
+  retain_on_delete = false
+  # By default, don't cache anything.  This is useful because on
+  # berlin.guixsd.org, we run Cuirass, which has many URLs we don't
+  # want to cache.
+  default_cache_behavior = ["${local.do_not_cache_behavior}"]
+  # Cache all the relevant paths published by "guix publish".  See
+  # guix/scripts/publish.scm in the Guix source for details.
+  ordered_cache_behavior = [
+    # /nix-cache-info
+    "${merge(
+      local.default_behavior,
+      map("path_pattern", "/nix-cache-info")
+    )}",
+    # /<hash>.narinfo
+    "${merge(
+      local.default_behavior,
+      map("path_pattern", "/*.narinfo")
+    )}",
+    # /file/<name>/sha256/<hash>
+    "${merge(
+      local.default_behavior,
+      map("path_pattern", "/file/*")
+    )}",
+    # /log/<output>
+    "${merge(
+      local.default_behavior,
+      map("path_pattern", "/log/*")
+    )}",
+    # /nar/gzip/<store-item>
+    # /nar/<store-item>
+    "${merge(
+      local.default_behavior,
+      map("path_pattern", "/nar/*")
+    )}",
+    # Static files for the Cuirass website - this is not part of "guix 
publish".
+    "${merge(
+      local.default_behavior,
+      map("path_pattern", "/static/*")
+    )}"
+  ]
+  # TODO: Maybe set a caching behavior for error responses.
+  # custom_error_response {}
+  viewer_certificate {
+    # Note that "terraform apply" will fail until this certificate is
+    # valid.  See the comment in the definition of
+    # charlie-certificate for more information.
+    acm_certificate_arn = "${aws_acm_certificate.charlie-certificate.arn}"
+    # This is the recommended value as of 2018-12-28.  See:
+    # 
https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ViewerCertificate.html
+    # 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers
+    minimum_protocol_version = "TLSv1.1_2016"
+    # Use SNI.  Don't use the "vip" (i.e., dedicated IP address)
+    # method, since it's expensive and unnecessary.  See:
+    # 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-https-dedicated-ip-or-sni.html
+    ssl_support_method = "sni-only"
+  }
+}
+
+output "charlie-distribution-id" {
+  value = "${aws_cloudfront_distribution.charlie-distribution.id}"
+}
+output "charlie-distribution-enabled" {
+  value = "${aws_cloudfront_distribution.charlie-distribution.enabled}"
+}
+output "charlie-distribution-status" {
+  value = "${aws_cloudfront_distribution.charlie-distribution.status}"
+}
+output "charlie-distribution-domain-name" {
+  value = "${aws_cloudfront_distribution.charlie-distribution.domain_name}"
+}


