Merge pull request #4 from silinternational/feature/dns-from-tfc

Use Terraform state output for DNS values

Author: briskt

cmd/cli/multiregion/dns.go

@@ -10,6 +10,7 @@ import (
 	"log"
 
 	"github.com/cloudflare/cloudflare-go"
+	"github.com/hashicorp/go-tfe"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -18,26 +19,49 @@ type DnsCommand struct {
 	cfClient   *cloudflare.API
 	cfZone     *cloudflare.ResourceContainer
 	domainName string
+	tfcOrg     string
+	tfcToken   string
 	testMode   bool
 }
 
+type AlbDnsValues struct {
+	internal string
+	external string
+}
+
 func InitDnsCmd(parentCmd *cobra.Command) {
-	parentCmd.AddCommand(&cobra.Command{
+	var failback bool
+
+	cmd := &cobra.Command{
 		Use:   "dns",
 		Short: "DNS Failover and Failback",
-		Long:  `Configure DNS CNAME values for primary or secondary region hostnames`,
+		Long:  `Configure DNS CNAME values for primary or secondary region hostnames. Default is failover, use --failback to switch back to the primary region.`,
 		Run: func(cmd *cobra.Command, args []string) {
-			runDnsCommand()
+			runDnsCommand(failback)
 		},
-	})
+	}
+	parentCmd.AddCommand(cmd)
+
+	cmd.PersistentFlags().BoolVar(&failback, "failback", false,
+		`set DNS records to switch back to primary`,
+	)
 }
 
-func runDnsCommand() {
+func runDnsCommand(failback bool) {
 	pFlags := getPersistentFlags()
 
-	f := newDnsCommand(pFlags)
+	d := newDnsCommand(pFlags)
+
+	var clusterWorkspaceName string
+	if failback {
+		clusterWorkspaceName = clusterWorkspace(pFlags)
+	} else {
+		clusterWorkspaceName = clusterSecondaryWorkspace(pFlags)
+	}
 
-	f.setDnsToSecondary(pFlags.idp)
+	dnsValues := d.getAlbDnsValuesFromTfc(clusterWorkspaceName)
+
+	d.setDnsRecordValues(pFlags.idp, dnsValues, failback)
 }
 
 func newDnsCommand(pFlags PersistentFlags) *DnsCommand {
@@ -68,38 +92,44 @@ func newDnsCommand(pFlags PersistentFlags) *DnsCommand {
 	fmt.Printf("Using domain name %s with ID %s\n", d.domainName, zoneID)
 	d.cfZone = cloudflare.ZoneIdentifier(zoneID)
 
+	d.tfcToken = pFlags.tfcToken
+	d.tfcOrg = pFlags.org
+
 	return &d
 }
 
-func (d *DnsCommand) setDnsToSecondary(idpKey string) {
-	fmt.Println("Setting DNS records to secondary...")
+func (d *DnsCommand) setDnsRecordValues(idpKey string, dnsValues AlbDnsValues, failback bool) {
+	if failback {
+		fmt.Println("Setting DNS records to primary region...")
+	} else {
+		fmt.Println("Setting DNS records to secondary region...")
+	}
 
 	dnsRecords := []struct {
-		optionName  string
-		defaultName string
-		optionValue string
+		name         string
+		optionValue  string
+		defaultValue string
 	}{
 		// "mfa-api" is the TOTP API, also known as serverless-mfa-api
-		{"mfa-api-name", "mfa-api", "mfa-api-value"},
+		{"mfa-api", "mfa-api-value", ""},
 
 		// "twosv-api" is the Webauthn API, also known as serverless-mfa-api-go
-		{"twosv-api-name", "twosv-api", "twosv-api-value"},
+		{"twosv-api", "twosv-api-value", ""},
 
 		// "support-bot" is the idp-support-bot API that is configured in the Slack API dashboard
-		{"support-bot-name", "sherlock", "support-bot-value"},
+		{"sherlock", "support-bot-value", ""},
 
 		// ECS services
-		{"email-service-name", idpKey + "-email-service", "email-service-value"},
-		{"id-broker-name", idpKey + "-id-broker", "id-broker-value"},
-		{"pw-api-name", idpKey + "-pw-api", "pw-api-value"},
-		{"ssp-name", idpKey + "-ssp", "ssp-value"},
-		{"id-sync-name", idpKey + "-id-sync", "id-sync-value"},
+		{idpKey + "-email", "email-service-value", dnsValues.internal},
+		{idpKey + "-broker", "id-broker-value", dnsValues.internal},
+		{idpKey + "-pw-api", "pw-api-value", dnsValues.external},
+		{idpKey, "ssp-value", dnsValues.external},
+		{idpKey + "-sync", "id-sync-value", dnsValues.external},
 	}
 
 	for _, record := range dnsRecords {
-		name := getOption(record.optionName, record.defaultName)
-		value := getOption(record.optionValue, "")
-		d.setCloudflareCname(name, value)
+		value := getOption(record.optionValue, record.defaultValue)
+		d.setCloudflareCname(record.name, value)
 	}
 }
 
@@ -127,7 +157,7 @@ func (d *DnsCommand) setCloudflareCname(name, value string) {
 	}
 
 	if d.testMode {
-		fmt.Println("  test mode: skipping API call")
+		fmt.Println("  read-only mode: skipping API call")
 		return
 	}
 
@@ -146,3 +176,41 @@ func (d *DnsCommand) setCloudflareCname(name, value string) {
 		log.Fatalf("error updating DNS record %s: %s", name, err)
 	}
 }
+
+func (d *DnsCommand) getAlbDnsValuesFromTfc(workspaceName string) (values AlbDnsValues) {
+	config := &tfe.Config{
+		Token:             d.tfcToken,
+		RetryServerErrors: true,
+	}
+
+	client, err := tfe.NewClient(config)
+	if err != nil {
+		fmt.Printf("Error creating Terraform client: %s", err)
+		return
+	}
+
+	ctx := context.Background()
+
+	w, err := client.Workspaces.Read(ctx, d.tfcOrg, workspaceName)
+	if err != nil {
+		fmt.Printf("Error reading Terraform workspace %s: %s", workspaceName, err)
+		return
+	}
+
+	outputs, err := client.StateVersionOutputs.ReadCurrent(ctx, w.ID)
+	if err != nil {
+		fmt.Printf("Error reading Terraform state outputs on workspace %s: %s", workspaceName, err)
+		return
+	}
+
+	for _, item := range outputs.Items {
+		itemValue, _ := item.Value.(string)
+		switch item.Name {
+		case "alb_dns_name":
+			values.external = itemValue
+		case "internal_alb_dns_name":
+			values.internal = itemValue
+		}
+	}
+	return
+}

go.mod

@@ -6,6 +6,7 @@ go 1.20
 
 require (
 	github.com/cloudflare/cloudflare-go v0.69.0
+	github.com/hashicorp/go-tfe v1.31.0
 	github.com/silinternational/tfc-ops/v3 v3.5.0
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/viper v1.16.0
@@ -16,8 +17,11 @@ require (
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.3 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
+	github.com/hashicorp/go-slug v0.12.0 // indirect
+	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hashicorp/jsonapi v0.0.0-20210826224640-ee7dae0fb22d // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
@@ -28,6 +32,7 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
 	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
 	golang.org/x/sys v0.9.0 // indirect
 	golang.org/x/text v0.10.0 // indirect
 	golang.org/x/time v0.3.0 // indirect

go.sum

@@ -128,12 +128,21 @@ github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9n
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
 github.com/hashicorp/go-hclog v1.2.0 h1:La19f8d7WIlm4ogzNHB0JGqs5AUDAZ2UfCY4sJXcJdM=
-github.com/hashicorp/go-retryablehttp v0.7.3 h1:5n2R5B7+2YWrtEzIWO2jPPQWseAPLkgIuvUgS1l97KY=
-github.com/hashicorp/go-retryablehttp v0.7.3/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+github.com/hashicorp/go-retryablehttp v0.7.4 h1:ZQgVdpTdAL7WpMIwLzCfbalOcSUdkDZnpUv3/+BxzFA=
+github.com/hashicorp/go-retryablehttp v0.7.4/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+github.com/hashicorp/go-slug v0.12.0 h1:y1ArGp5RFF85uvD8nq5VZug/bup/kGN5Ft4xFOQ5GPM=
+github.com/hashicorp/go-slug v0.12.0/go.mod h1:JZVtycnZZbiJ4oxpJ/zfhyfBD8XxT4f0uOSyjNLCqFY=
+github.com/hashicorp/go-tfe v1.31.0 h1:R1CokrAVBHxrsvRw1vKes7RQxTRTWcula7gjQK7Jfsk=
+github.com/hashicorp/go-tfe v1.31.0/go.mod h1:vcfy2u52JQ4sYLFi941qcQXQYfUq2RjEW466tZ+m97Y=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
+github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
+github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hashicorp/jsonapi v0.0.0-20210826224640-ee7dae0fb22d h1:9ARUJJ1VVynB176G1HCwleORqCaXm/Vx0uUi0dL26I0=
+github.com/hashicorp/jsonapi v0.0.0-20210826224640-ee7dae0fb22d/go.mod h1:Yog5+CPEM3c99L1CL2CFCYoSzgWm5vTU58idbRUaLik=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -293,6 +302,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

idp-cli-example.toml

@@ -5,7 +5,7 @@
 idp = "myidp"
 
 # -------------------------------------------------------------------------------------------------
-# These parameters are required for the "multiregion setup" and "multiregion failover" commands.
+# These parameters are required for multiregion commands.
 
 # Operation environment, used for Terraform workspace name. Default is "prod"
 env = "prod"
@@ -20,43 +20,30 @@ org = "my-tfc-org"
 tfc-token = ""
 
 # -------------------------------------------------------------------------------------------------
-# These parameters are required for the "dns" commands.
+# These additional parameters are for the "multiregion dns" command.
 
+# "domain-name" is required
 domain-name = "example.net"
+
+# "cloudflare-token" is required and must have edit permission on the domain name specified in "domain-name"
 cloudflare-token = ""
 
-# The "name" parameters specify the DNS subdomain.
-# The "value" parameters specify the hostname.
+# The following are the values to set DNS CNAME records. If any DNS value is omitted, the "multiregion dns" command
+# will skip that record update.
 
 # "mfa-api" is the TOTP API, also known as serverless-mfa-api.
-# The default mfa-api-name is "mfa-api".
-mfa-api-name = "mfa-api"
 mfa-api-value = "abcde01234.execute-api.us-west-2.amazonaws.com"
 
 # "twosv-api" is the Webauthn API, also known as serverless-mfa-api-go.
-# The default twosv-api-name is "twosv-api".
-twosv-api-name = "twosv-api"
 twosv-api-value = "abcde12345.execute-api.us-west-2.amazonaws.com"
 
 # "support-bot" is the idp-support-bot API that is configured in the Slack API dashboard.
-# The default support-bot-value is "sherlock".
-support-bot-name = "sherlock"
 support-bot-value = "abcde23456.execute-api.us-west-2.amazonaws.com"
 
-# These are the DNS name and value for each of the ECS services.
-# The default name for each is the IdP key followed by the service name.
-
-email-service-name = "myidp-email-service"
+# These are the DNS values for each of the ECS services. If omitted, the value will be read from the
+# Terraform Cloud "010-cluster" workspace output.
 email-service-value = "internal-alb-idp-myidp-prod-int-123456789.us-west-2.elb.amazonaws.com"
-
-id-broker-name = "myidp-broker"
 id-broker-value = "internal-alb-idp-myidp-prod-int-123456789.us-west-2.elb.amazonaws.com"
-
-pw-api-name = "myidp-pw-api"
 pw-api-value = "alb-idp-myidp-prod-987654321-us-west-2.elb.amazonaws.com"
-
-ssp-name = "myidp"
 ssp-value = "alb-idp-myidp-prod-987654321-us-west-2.elb.amazonaws.com"
-
-id-sync-name = "myidp-sync"
 id-sync-value = "alb-idp-myidp-prod-987654321-us-west-2.elb.amazonaws.com"