feat: can we do without a custom domain name? (#6)

Author: hakamadare

.circleci/config.yml

@@ -3,7 +3,7 @@ version: 2
 jobs:
   build:
     docker:
-      - image: hashicorp/terraform:0.10.6
+      - image: hashicorp/terraform:0.11.8
         entrypoint: /bin/sh
     steps:
       - checkout

.terraform-version

@@ -1 +1 @@
-0.10.6
+0.11.8

alb.tf

@@ -1,5 +1,13 @@
 # Create a new load balancer
 
+locals {
+  enable_custom_domain = "${var.dns_zone == "" ? false : true}"
+  custom_endpoint      = "${coalesce(var.hostname, "vault")}.${var.dns_zone}"
+  vault_url_protocol   = "${local.enable_custom_domain ? "https" : "http"}"
+  vault_url_hostname   = "${local.enable_custom_domain ? local.custom_endpoint : aws_alb.vault.dns_name}"
+  vault_url            = "${local.vault_url_protocol}://${local.vault_url_hostname}"
+}
+
 resource "aws_alb" "vault" {
   name_prefix     = "vault-"
   security_groups = ["${aws_security_group.lb-vault-sg.id}"]
@@ -19,6 +27,7 @@ resource "aws_alb" "vault" {
 
 # DNS Alias for the LB
 resource "aws_route53_record" "vault" {
+  count   = "${local.enable_custom_domain ? 1 : 0}"
   zone_id = "${data.aws_route53_zone.zone.zone_id}"
   name    = "${coalesce(var.hostname, "vault")}.${data.aws_route53_zone.zone.name}"
   type    = "A"
@@ -55,11 +64,24 @@ resource "aws_alb_target_group" "vault_ui" {
 
 # Create a new alb listener
 resource "aws_alb_listener" "vault_https" {
+  count             = "${local.enable_custom_domain ? 1 : 0}"
   load_balancer_arn = "${aws_alb.vault.arn}"
   port              = "443"
   protocol          = "HTTPS"
   ssl_policy        = "ELBSecurityPolicy-2015-05"
-  certificate_arn   = "${data.aws_acm_certificate.cert.arn}" # edit needed
+  certificate_arn   = "${data.aws_acm_certificate.cert.arn}"  # edit needed
+
+  default_action {
+    target_group_arn = "${aws_alb_target_group.vault_ui.arn}"
+    type             = "forward"
+  }
+}
+
+resource "aws_alb_listener" "vault_http" {
+  count             = "${local.enable_custom_domain ? 0 : 1}"
+  load_balancer_arn = "${aws_alb.vault.arn}"
+  port              = "80"
+  protocol          = "HTTP"
 
   default_action {
     target_group_arn = "${aws_alb_target_group.vault_ui.arn}"

files/vault.json

@@ -54,7 +54,7 @@
                 }
             ],
             "command": [
-              "sh", "-c", "sleep 10; vault unseal ${unseal_key0} "
+              "sh", "-c", "sleep 10; vault operator unseal ${unseal_key0} "
             ],
             "cpu": 0,
             "volumesFrom": [
@@ -88,7 +88,7 @@
                 }
             ],
             "command": [
-              "sh", "-c", "sleep 10; vault unseal ${unseal_key1} "
+              "sh", "-c", "sleep 10; vault operator unseal ${unseal_key1} "
             ],
             "cpu": 0,
             "volumesFrom": [
@@ -122,7 +122,7 @@
                 }
             ],
             "command": [
-              "sh", "-c", "sleep 10; vault unseal ${unseal_key2} "
+              "sh", "-c", "sleep 10; vault operator unseal ${unseal_key2} "
             ],
             "cpu": 0,
             "volumesFrom": [

main.tf

@@ -6,11 +6,13 @@ data "aws_vpc" "vpc" {
 }
 
 data "aws_route53_zone" "zone" {
-  name = "${var.dns_zone}"
+  count = "${local.enable_custom_domain ? 1 : 0}"
+  name  = "${var.dns_zone}"
 }
 
 data "aws_acm_certificate" "cert" {
-  domain = "${replace(var.dns_zone, "/.$/","")}" # dirty hack to strip off trailing dot
+  count  = "${local.enable_custom_domain ? 1 : 0}"
+  domain = "${replace(var.dns_zone, "/.$/","")}"   # dirty hack to strip off trailing dot
 }
 
 data "aws_region" "current" {}

outputs.tf

@@ -1,7 +1,11 @@
 output "public_endpoint" {
-  value = "${aws_route53_record.vault.fqdn}"
+  value = "${aws_alb.vault.dns_name}"
+}
+
+output "custom_public_endpoint" {
+  value = "${local.custom_endpoint}"
 }
 
 output "public_url" {
-  value = "https://${aws_route53_record.vault.fqdn}"
+  value = "${local.vault_url}"
 }

variables.tf

@@ -19,6 +19,7 @@ variable "desired_count" {
 
 variable "dns_zone" {
   description = "Zone where the Consul UI alb will be created. This should *not* be consul.example.com"
+  default     = ""
 }
 
 variable "ecs_cluster_ids" {