Merge pull request #5 from silinternational/feature/dns-for-lambdas

get Lambda DNS values from Terraform Cloud

Author: briskt

cmd/cli/multiregion/dns.go

@@ -16,17 +16,23 @@ import (
 )
 
 type DnsCommand struct {
-	cfClient   *cloudflare.API
-	cfZone     *cloudflare.ResourceContainer
-	domainName string
-	tfcOrg     string
-	tfcToken   string
-	testMode   bool
+	cfClient    *cloudflare.API
+	cfZone      *cloudflare.ResourceContainer
+	domainName  string
+	failback    bool
+	tfcOrg      string
+	tfcOrgAlt   string
+	tfcToken    string
+	tfcTokenAlt string
+	testMode    bool
 }
 
-type AlbDnsValues struct {
-	internal string
-	external string
+type DnsValues struct {
+	albInternal string
+	albExternal string
+	bot         string
+	mfa         string
+	twosv       string
 }
 
 func InitDnsCmd(parentCmd *cobra.Command) {
@@ -50,24 +56,16 @@ func InitDnsCmd(parentCmd *cobra.Command) {
 func runDnsCommand(failback bool) {
 	pFlags := getPersistentFlags()
 
-	d := newDnsCommand(pFlags)
+	d := newDnsCommand(pFlags, failback)
 
-	var clusterWorkspaceName string
-	if failback {
-		clusterWorkspaceName = clusterWorkspace(pFlags)
-	} else {
-		clusterWorkspaceName = clusterSecondaryWorkspace(pFlags)
-	}
-
-	dnsValues := d.getAlbDnsValuesFromTfc(clusterWorkspaceName)
-
-	d.setDnsRecordValues(pFlags.idp, dnsValues, failback)
+	values := d.getDnsValuesFromTfc(pFlags)
+	d.setDnsRecordValues(pFlags.idp, values)
 }
 
-func newDnsCommand(pFlags PersistentFlags) *DnsCommand {
+func newDnsCommand(pFlags PersistentFlags, failback bool) *DnsCommand {
 	d := DnsCommand{
 		testMode:   pFlags.readOnlyMode,
-		domainName: viper.GetString("domain-name"),
+		domainName: viper.GetString(flagDomainName),
 	}
 
 	if d.domainName == "" {
@@ -93,46 +91,56 @@ func newDnsCommand(pFlags PersistentFlags) *DnsCommand {
 	d.cfZone = cloudflare.ZoneIdentifier(zoneID)
 
 	d.tfcToken = pFlags.tfcToken
+	d.tfcTokenAlt = pFlags.tfcTokenAlt
 	d.tfcOrg = pFlags.org
+	d.tfcOrgAlt = pFlags.orgAlt
+	d.failback = failback
 
 	return &d
 }
 
-func (d *DnsCommand) setDnsRecordValues(idpKey string, dnsValues AlbDnsValues, failback bool) {
-	if failback {
+func (d *DnsCommand) setDnsRecordValues(idpKey string, dnsValues DnsValues) {
+	if d.failback {
 		fmt.Println("Setting DNS records to primary region...")
 	} else {
 		fmt.Println("Setting DNS records to secondary region...")
 	}
 
 	dnsRecords := []struct {
-		name         string
-		optionValue  string
-		defaultValue string
+		name      string
+		valueFlag string
+		tfcValue  string
 	}{
 		// "mfa-api" is the TOTP API, also known as serverless-mfa-api
-		{"mfa-api", "mfa-api-value", ""},
+		{"mfa-api", "mfa-api-value", dnsValues.mfa},
 
 		// "twosv-api" is the Webauthn API, also known as serverless-mfa-api-go
-		{"twosv-api", "twosv-api-value", ""},
+		{"twosv-api", "twosv-api-value", dnsValues.twosv},
 
 		// "support-bot" is the idp-support-bot API that is configured in the Slack API dashboard
-		{"sherlock", "support-bot-value", ""},
+		{"sherlock", "support-bot-value", dnsValues.bot},
 
 		// ECS services
-		{idpKey + "-email", "email-service-value", dnsValues.internal},
-		{idpKey + "-broker", "id-broker-value", dnsValues.internal},
-		{idpKey + "-pw-api", "pw-api-value", dnsValues.external},
-		{idpKey, "ssp-value", dnsValues.external},
-		{idpKey + "-sync", "id-sync-value", dnsValues.external},
+		{idpKey + "-email", "email-service-value", dnsValues.albInternal},
+		{idpKey + "-broker", "id-broker-value", dnsValues.albInternal},
+		{idpKey + "-pw-api", "pw-api-value", dnsValues.albExternal},
+		{idpKey, "ssp-value", dnsValues.albExternal},
+		{idpKey + "-sync", "id-sync-value", dnsValues.albExternal},
 	}
 
 	for _, record := range dnsRecords {
-		value := getOption(record.optionValue, record.defaultValue)
+		value := getDnsValue(record.valueFlag, record.tfcValue)
 		d.setCloudflareCname(record.name, value)
 	}
 }
 
+func getDnsValue(valueFlag, tfcValue string) string {
+	if tfcValue != "" {
+		return tfcValue
+	}
+	return viper.GetString(valueFlag)
+}
+
 func (d *DnsCommand) setCloudflareCname(name, value string) {
 	if value == "" {
 		fmt.Printf("  skipping %s (no value provided)\n", name)
@@ -177,27 +185,48 @@ func (d *DnsCommand) setCloudflareCname(name, value string) {
 	}
 }
 
-func (d *DnsCommand) getAlbDnsValuesFromTfc(workspaceName string) (values AlbDnsValues) {
-	config := &tfe.Config{
-		Token:             d.tfcToken,
-		RetryServerErrors: true,
+func (d *DnsCommand) getDnsValuesFromTfc(pFlags PersistentFlags) (values DnsValues) {
+	ctx := context.Background()
+
+	var clusterWorkspaceName string
+	if d.failback {
+		clusterWorkspaceName = clusterWorkspace(pFlags)
+	} else {
+		clusterWorkspaceName = clusterSecondaryWorkspace(pFlags)
 	}
 
-	client, err := tfe.NewClient(config)
-	if err != nil {
-		fmt.Printf("Error creating Terraform client: %s", err)
-		return
+	internal, external := d.getAlbValuesFromTfc(ctx, clusterWorkspaceName)
+	values.albInternal = internal
+	values.albExternal = external
+
+	bot := "idp-support-bot-prod"
+	if pFlags.env != envProd {
+		bot = "idp-support-bot-dev" // TODO: consider renaming the workspace name so this can be simplified
 	}
+	values.bot = d.getLambdaDnsValueFromTfc(ctx, bot)
 
-	ctx := context.Background()
+	twosv := "serverless-mfa-api-go-prod"
+	if pFlags.env != envProd {
+		twosv = "serverless-mfa-api-go-dev" // TODO: consider renaming the workspace name so this can be simplified
+	}
+	values.twosv = d.getLambdaDnsValueFromTfc(ctx, twosv)
 
-	w, err := client.Workspaces.Read(ctx, d.tfcOrg, workspaceName)
+	mfa := "serverless-mfa-api-prod"
+	if pFlags.env != envProd {
+		mfa = "serverless-mfa-api-dev" // TODO: consider renaming the workspace name so this can be simplified
+	}
+	values.mfa = d.getLambdaDnsValueFromTfc(ctx, mfa)
+	return
+}
+
+func (d *DnsCommand) getAlbValuesFromTfc(ctx context.Context, workspaceName string) (internal, external string) {
+	workspaceID, client, err := d.findTfcWorkspace(ctx, workspaceName)
 	if err != nil {
-		fmt.Printf("Error reading Terraform workspace %s: %s", workspaceName, err)
+		fmt.Printf("Failed to get ALB DNS values: %s\n  Will use DNS config values if provided.\n", err)
 		return
 	}
 
-	outputs, err := client.StateVersionOutputs.ReadCurrent(ctx, w.ID)
+	outputs, err := client.StateVersionOutputs.ReadCurrent(ctx, workspaceID)
 	if err != nil {
 		fmt.Printf("Error reading Terraform state outputs on workspace %s: %s", workspaceName, err)
 		return
@@ -207,10 +236,88 @@ func (d *DnsCommand) getAlbDnsValuesFromTfc(workspaceName string) (values AlbDns
 		itemValue, _ := item.Value.(string)
 		switch item.Name {
 		case "alb_dns_name":
-			values.external = itemValue
+			external = itemValue
 		case "internal_alb_dns_name":
-			values.internal = itemValue
+			internal = itemValue
 		}
 	}
 	return
 }
+
+func (d *DnsCommand) getLambdaDnsValueFromTfc(ctx context.Context, workspaceName string) string {
+	outputName := "secondary_region_domain_name"
+	if d.failback {
+		outputName = "primary_region_domain_name"
+	}
+	return d.getTfcOutputFromWorkspace(ctx, workspaceName, outputName)
+}
+
+func (d *DnsCommand) getTfcOutputFromWorkspace(ctx context.Context, workspaceName, outputName string) string {
+	workspaceID, client, err := d.findTfcWorkspace(ctx, workspaceName)
+	if err != nil {
+		fmt.Printf("Failed to get DNS value from %s: %s\n  Will use config value if provided.\n", workspaceName, err)
+		return ""
+	}
+
+	outputs, err := client.StateVersionOutputs.ReadCurrent(ctx, workspaceID)
+	if err != nil {
+		fmt.Printf("Error reading Terraform state outputs on workspace %s: %s", workspaceName, err)
+		return ""
+	}
+
+	for _, item := range outputs.Items {
+		if item.Name == outputName {
+			if itemValue, ok := item.Value.(string); ok {
+				return itemValue
+			}
+			break
+		}
+	}
+
+	fmt.Printf("Value for %s not found in %s\n", outputName, workspaceName)
+	return ""
+}
+
+// findTfcWorkspace looks for a workspace by name in two different Terraform Cloud accounts and returns
+// the workspace ID and an API client for the account where the workspace was found
+func (d *DnsCommand) findTfcWorkspace(ctx context.Context, workspaceName string) (id string, client *tfe.Client, err error) {
+	config := &tfe.Config{
+		Token:             d.tfcToken,
+		RetryServerErrors: true,
+	}
+
+	client, err = tfe.NewClient(config)
+	if err != nil {
+		err = fmt.Errorf("error creating Terraform client: %s", err)
+		return
+	}
+
+	w, err := client.Workspaces.Read(ctx, d.tfcOrg, workspaceName)
+	if err == nil {
+		id = w.ID
+		return
+	}
+
+	if d.tfcTokenAlt == "" {
+		err = fmt.Errorf("error reading Terraform workspace %s: %s", workspaceName, err)
+		return
+	}
+
+	fmt.Printf("Workspace %s not found using %s, trying %s\n", workspaceName, flagTfcToken, flagTfcTokenAlternate)
+
+	config.Token = d.tfcTokenAlt
+	client, err = tfe.NewClient(config)
+	if err != nil {
+		err = fmt.Errorf("error creating alternate Terraform client: %s", err)
+		return
+	}
+
+	w, err = client.Workspaces.Read(ctx, d.tfcOrgAlt, workspaceName)
+	if err != nil {
+		err = fmt.Errorf("error reading Terraform workspace %s using %s: %s", workspaceName, flagTfcTokenAlternate, err)
+		return
+	}
+
+	id = w.ID
+	return
+}

cmd/cli/multiregion/multiregion.go

@@ -12,6 +12,17 @@ import (
 	"github.com/spf13/viper"
 )
 
+const (
+	flagDomainName        = "domain-name"
+	flagEnv               = "env"
+	flagRegion2           = "region2"
+	flagTfcToken          = "tfc-token"
+	flagOrgAlternate      = "org-alternate"
+	flagTfcTokenAlternate = "tfc-token-alternate"
+)
+
+const envProd = "prod"
+
 func SetupMultiregionCmd(parentCommand *cobra.Command) {
 	multiregionCmd := &cobra.Command{
 		Use:   "multiregion",
@@ -26,26 +37,38 @@ func SetupMultiregionCmd(parentCommand *cobra.Command) {
 	InitStatusCmd(multiregionCmd)
 
 	var domainName string
-	multiregionCmd.PersistentFlags().StringVar(&domainName, "domain-name", "", "Domain name")
-	if err := viper.BindPFlag("domain-name", multiregionCmd.PersistentFlags().Lookup("domain-name")); err != nil {
+	multiregionCmd.PersistentFlags().StringVar(&domainName, flagDomainName, "", "Domain name")
+	if err := viper.BindPFlag(flagDomainName, multiregionCmd.PersistentFlags().Lookup(flagDomainName)); err != nil {
 		outputFlagError(multiregionCmd, err)
 	}
 
 	var env string
-	multiregionCmd.PersistentFlags().StringVar(&env, "env", "prod", "Execution environment (default: prod)")
-	if err := viper.BindPFlag("env", multiregionCmd.PersistentFlags().Lookup("env")); err != nil {
+	multiregionCmd.PersistentFlags().StringVar(&env, flagEnv, envProd, "Execution environment")
+	if err := viper.BindPFlag(flagEnv, multiregionCmd.PersistentFlags().Lookup(flagEnv)); err != nil {
 		outputFlagError(multiregionCmd, err)
 	}
 
 	var region2 string
-	multiregionCmd.PersistentFlags().StringVar(&region2, "region2", "", "Secondary AWS region")
-	if err := viper.BindPFlag("region2", multiregionCmd.PersistentFlags().Lookup("region2")); err != nil {
+	multiregionCmd.PersistentFlags().StringVar(&region2, flagRegion2, "", "Secondary AWS region")
+	if err := viper.BindPFlag(flagRegion2, multiregionCmd.PersistentFlags().Lookup(flagRegion2)); err != nil {
 		outputFlagError(multiregionCmd, err)
 	}
 
 	var tfcToken string
-	multiregionCmd.PersistentFlags().StringVar(&tfcToken, "tfc-token", "", "Token for Terraform Cloud authentication")
-	if err := viper.BindPFlag("tfc-token", multiregionCmd.PersistentFlags().Lookup("tfc-token")); err != nil {
+	multiregionCmd.PersistentFlags().StringVar(&tfcToken, flagTfcToken, "", "Token for Terraform Cloud authentication")
+	if err := viper.BindPFlag(flagTfcToken, multiregionCmd.PersistentFlags().Lookup(flagTfcToken)); err != nil {
+		outputFlagError(multiregionCmd, err)
+	}
+
+	var orgAlt string
+	multiregionCmd.PersistentFlags().StringVar(&orgAlt, flagOrgAlternate, "", "Alternate Terraform Cloud organization")
+	if err := viper.BindPFlag(flagOrgAlternate, multiregionCmd.PersistentFlags().Lookup(flagOrgAlternate)); err != nil {
+		outputFlagError(multiregionCmd, err)
+	}
+
+	var tfcTokenAlt string
+	multiregionCmd.PersistentFlags().StringVar(&tfcTokenAlt, flagTfcTokenAlternate, "", "Alternate token for Terraform Cloud")
+	if err := viper.BindPFlag(flagTfcTokenAlternate, multiregionCmd.PersistentFlags().Lookup(flagTfcTokenAlternate)); err != nil {
 		outputFlagError(multiregionCmd, err)
 	}
 }
@@ -59,20 +82,35 @@ type PersistentFlags struct {
 	env             string
 	idp             string
 	org             string
+	orgAlt          string
 	readOnlyMode    bool
 	secondaryRegion string
 	tfcToken        string
+	tfcTokenAlt     string
 }
 
 func getPersistentFlags() PersistentFlags {
-	return PersistentFlags{
-		env:             getRequiredParam("env"),
+	pFlags := PersistentFlags{
+		env:             getRequiredParam(flagEnv),
 		idp:             getRequiredParam("idp"),
 		org:             getRequiredParam("org"),
-		tfcToken:        getRequiredParam("tfc-token"),
-		secondaryRegion: getRequiredParam("region2"),
+		tfcToken:        getRequiredParam(flagTfcToken),
+		secondaryRegion: getRequiredParam(flagRegion2),
 		readOnlyMode:    viper.GetBool("read-only-mode"),
+		tfcTokenAlt:     getOption(flagTfcTokenAlternate, ""),
+		orgAlt:          getOption(flagOrgAlternate, viper.GetString("org")),
+	}
+
+	if pFlags.orgAlt != "" && pFlags.tfcTokenAlt == "" {
+		log.Fatalf("%[1]s was specified without %[2]s. Please include %[2]s or remove %[1]s.",
+			flagOrgAlternate, flagTfcTokenAlternate)
 	}
+
+	if pFlags.orgAlt == "" {
+		pFlags.orgAlt = pFlags.org
+	}
+
+	return pFlags
 }
 
 func getRequiredParam(key string) string {