add ilmo domain

main.tf

@@ -158,6 +158,7 @@ module "ilmo" {
   dns_resource_group_name = module.dns_prod.resource_group_name
   root_zone_name          = module.dns_prod.root_zone_name
   subdomain               = "ilmo"
+  acme_account_key        = module.common.acme_account_key
 
   dkim_selector = "mg"
   dkim_key      = "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQYrVWefo+vOByb07hseOTt1Ryu47Yt5odumYka5JiEt1p/FHl/ZeeY8gehxV0Dv4PIWM91htY2JY2UZguGYFODzqq9Y9AeKjWpq1dyFKiM8nlrI6GRin0kY7SRLeSgpcVFuwNLiT74Wqy477Geq+l5/Stwho23kHu/pXiQuVUMwIDAQAB"

modules/ilmo/dns.tf

@@ -50,3 +50,24 @@ resource "azurerm_dns_txt_record" "ilmo_dmarc" {
     value = "v=DMARC1;p=none;sp=none;rua=mailto:[email protected]!10m;ruf=mailto:[email protected]!10m"
   }
 }
+
+# A record for the web app
+resource "azurerm_dns_a_record" "ilmo_a" {
+  name                = var.subdomain
+  resource_group_name = var.dns_resource_group_name
+  zone_name           = var.root_zone_name
+  ttl                 = 300
+  records             = data.dns_a_record_set.ilmo_dns_fetch.addrs
+}
+
+# Azure verification key
+resource "azurerm_dns_txt_record" "ilmo_asuid" {
+  name                = "asuid.${var.subdomain}"
+  resource_group_name = var.dns_resource_group_name
+  zone_name           = var.root_zone_name
+  ttl                 = 300
+
+  record {
+    value = azurerm_linux_web_app.ilmo_backend.custom_domain_verification_id
+  }
+}

modules/ilmo/main.tf

@@ -1,3 +1,12 @@
+terraform {
+  required_providers {
+    acme = {
+      source  = "vancluever/acme"
+      version = "2.19.0"
+    }
+  }
+}
+
 locals {
   db_name = "${var.env_name}_ilmo_db"
   fqdn    = "${var.subdomain}.${var.root_zone_name}"
@@ -76,3 +85,57 @@ resource "azurerm_linux_web_app" "ilmo_backend" {
     ]
   }
 }
+
+
+resource "azurerm_app_service_custom_hostname_binding" "ilmo_hostname_binding" {
+  hostname            = local.fqdn
+  app_service_name    = azurerm_linux_web_app.ilmo_backend.name
+  resource_group_name = var.resource_group_name
+
+  # Deletion may need manual work.
+  # https://github.com/hashicorp/terraform-provider-azurerm/issues/11231
+  # TODO: Add dependencies for creation
+  depends_on = [
+    azurerm_dns_a_record.ilmo_a,
+    azurerm_dns_txt_record.ilmo_asuid
+  ]
+}
+resource "random_password" "ilmo_cert_password" {
+  length  = 48
+  special = false
+}
+
+resource "acme_certificate" "ilmo_acme_cert" {
+  account_key_pem          = var.acme_account_key
+  common_name              = local.fqdn
+  key_type                 = "2048" # RSA
+  certificate_p12_password = random_password.ilmo_cert_password.result
+
+  dns_challenge {
+    provider = "azure"
+    config = {
+      AZURE_RESOURCE_GROUP = var.dns_resource_group_name
+      AZURE_ZONE_NAME      = var.root_zone_name
+    }
+  }
+}
+
+resource "azurerm_app_service_certificate" "ilmo_cert" {
+  name                = "tik-ilmo-cert-${terraform.workspace}"
+  resource_group_name = var.resource_group_name
+  location            = var.resource_group_location
+  pfx_blob            = acme_certificate.ilmo_acme_cert.certificate_p12
+  password            = acme_certificate.ilmo_acme_cert.certificate_p12_password
+}
+
+resource "azurerm_app_service_certificate_binding" "ilmo_cert_binding" {
+  certificate_id      = azurerm_app_service_certificate.ilmo_cert.id
+  hostname_binding_id = azurerm_app_service_custom_hostname_binding.ilmo_hostname_binding.id
+  ssl_state           = "SniEnabled"
+}
+
+# https://github.com/hashicorp/terraform-provider-azurerm/issues/14642#issuecomment-1084728235
+# Currently, the azurerm provider doesn't give us the IP address, so we need to fetch it ourselves.
+data "dns_a_record_set" "ilmo_dns_fetch" {
+  host = azurerm_linux_web_app.ilmo_backend.default_hostname
+}

modules/ilmo/variables.tf

@@ -76,3 +76,7 @@ variable "tikweb_rg_name" {
 variable "tikweb_rg_location" {
   type = string
 }
+
+variable "acme_account_key" {
+  type = string
+}