chore(portal): Split domains and set separate CAAs records (#5434)

elixir/README.md

@@ -238,8 +238,9 @@ account_id = "c89bcc8c-9392-4dae-a40d-888aef6d28e0"
 
 Prerequisites:
 
-* A Stripe account (Note: for the Firezone team, you will need to be invited to the Firezone Stripe account)
-* [Stripe CLI](https://github.com/stripe/stripe-cli)
+- A Stripe account (Note: for the Firezone team, you will need to be invited to
+  the Firezone Stripe account)
+- [Stripe CLI](https://github.com/stripe/stripe-cli)
 
 Steps:
 
@@ -264,27 +265,37 @@ Steps:
    BILLING_ENABLED=true STRIPE_SECRET_KEY="...copy from stripe dashboard..." STRIPE_WEBHOOK_SIGNING_SECRET="...copy from stripe cli tool.." mix phx.server
    ```
 
-When updating the billing plan in stripe, use the [Stripe Testing Docs](https://docs.stripe.com/testing#testing-interactively) for how to add test payment info
+When updating the billing plan in stripe, use the
+[Stripe Testing Docs](https://docs.stripe.com/testing#testing-interactively) for
+how to add test payment info
 
 ### WorkOS integration
 
-WorkOS is currently being used for JumpCloud directory sync integration.  This allows JumpCloud users to use SCIM on the JumpCloud side, rather than having to give Firezone an admin JumpCloud API token.
+WorkOS is currently being used for JumpCloud directory sync integration. This
+allows JumpCloud users to use SCIM on the JumpCloud side, rather than having to
+give Firezone an admin JumpCloud API token.
 
 #### Connecting WorkOS in dev mode for manual testing
 
-If you are not planning to use the JumpCloud provider in your local development setup, then no additional setup is needed.
-However, if you do need to use the JumpCloud provider locally, you will need to obtain an API Key and Client ID from the [WorkOS Dashboard](https://dashboard.workos.com/api-keys).
+If you are not planning to use the JumpCloud provider in your local development
+setup, then no additional setup is needed. However, if you do need to use the
+JumpCloud provider locally, you will need to obtain an API Key and Client ID
+from the [WorkOS Dashboard](https://dashboard.workos.com/api-keys).
 
-To obtain a WorkOS dashboard login, contact one of the following Firezone team members:
+To obtain a WorkOS dashboard login, contact one of the following Firezone team
+members:
 
-* @jamilbk
-* @bmanifold
-* @AndrewDryga
+- @jamilbk
+- @bmanifold
+- @AndrewDryga
 
-Once you are able to login to the WorkOS Dashboard, make sure that you have selected the 'Staging' environment within WorkOS.
-Navigate to the API Keys page and use the `Create Key` button to obtain credentials.
+Once you are able to login to the WorkOS Dashboard, make sure that you have
+selected the 'Staging' environment within WorkOS. Navigate to the API Keys page
+and use the `Create Key` button to obtain credentials.
 
-After obtaining WorkOS API credentials, you will need to make sure they are set in the environment ENVs when starting your local dev instance of Firezone.  As an example:
+After obtaining WorkOS API credentials, you will need to make sure they are set
+in the environment ENVs when starting your local dev instance of Firezone. As an
+example:
 
 ```bash
 cd elixir/
@@ -310,9 +321,10 @@ You'll need access to this env to perform the commands below; to request access
 you need to complete the following process:
 
 - Open a PR adding yourself to `project_owners` in `main.tf` for each of the
-[environments](../terraform/environments) you need access.
+  [environments](../terraform/environments) you need access.
 - Request a review from an existing project owner.
-- Once approved, merge the PR and verify access by continuing with one of the steps below.
+- Once approved, merge the PR and verify access by continuing with one of the
+  steps below.
 
 This is a danger zone so first of all, ALWAYS make sure on which environment
 your code is running:
@@ -451,6 +463,20 @@ iex(web@web-xxxx.us-east1-d.c.firezone-staging.internal)2> {:ok, token} = Domain
 ...
 ```
 
+## Apply Terraform changes without deploying new containers
+
+Switch to environment you want to apply changes to:
+
+```bash
+cd terraform/environments/staging
+```
+
+and apply changes:
+
+```bash
+terraform apply -var image_tag=$(terraform output -raw image_tag)
+```
+
 ## Connection to production Cloud SQL instance
 
 Install

elixir/config/dev.exs

@@ -67,7 +67,7 @@ config :web, Web.Plugs.SecureHeaders,
     "default-src 'self' 'nonce-${nonce}' https://api-js.mixpanel.com",
     "img-src 'self' data: https://www.gravatar.com https://track.hubspot.com",
     "style-src 'self' 'unsafe-inline'",
-    "script-src 'self' 'unsafe-inline' http://cdn.mxpnl.com http://*.hs-analytics.net"
+    "script-src 'self' 'unsafe-inline' http://cdn.mxpnl.com http://*.hs-analytics.net https://cdn.tailwindcss.com/"
   ]
 
 # Note: on Linux you may need to add `--add-host=host.docker.internal:host-gateway`

terraform/environments/production/dns.tf

@@ -6,25 +6,37 @@ resource "google_dns_record_set" "dns-caa" {
   type = "CAA"
   name = module.google-cloud-dns.dns_name
   rrdatas = [
-    "0 issue \"letsencrypt.org\"",
     "0 issue \"pki.goog\"",
     "0 iodef \"mailto:security@firezone.dev\""
   ]
   ttl = 3600
 }
 
-# Website
-
 resource "google_dns_record_set" "website-ipv4" {
   project      = module.google-cloud-project.project.project_id
   managed_zone = module.google-cloud-dns.zone_name
 
   type    = "A"
   name    = module.google-cloud-dns.dns_name
-  rrdatas = ["76.76.21.21"]
+  rrdatas = [google_compute_global_address.tld-ipv4.address]
   ttl     = 3600
 }
 
+# Website
+
+resource "google_dns_record_set" "website-caa" {
+  project      = module.google-cloud-project.project.project_id
+  managed_zone = module.google-cloud-dns.zone_name
+
+  type = "CAA"
+  name = "www.${module.google-cloud-dns.dns_name}"
+  rrdatas = [
+    "0 issue \"letsencrypt.org\"",
+    "0 iodef \"mailto:security@firezone.dev\""
+  ]
+  ttl = 3600
+}
+
 resource "google_dns_record_set" "website-www-redirect" {
   project      = module.google-cloud-project.project.project_id
   managed_zone = module.google-cloud-dns.zone_name
@@ -41,16 +53,7 @@ resource "google_dns_record_set" "blog-ipv4" {
 
   type    = "A"
   name    = "blog.${module.google-cloud-dns.dns_name}"
-  rrdatas = ["45.63.84.183"]
-  ttl     = 3600
-}
-resource "google_dns_record_set" "blog-ipv6" {
-  project      = module.google-cloud-project.project.project_id
-  managed_zone = module.google-cloud-dns.zone_name
-
-  type    = "AAAA"
-  name    = "blog.${module.google-cloud-dns.dns_name}"
-  rrdatas = ["2001:19f0:ac02:bb:5400:4ff:fe47:6bdf"]
+  rrdatas = [google_compute_global_address.tld-ipv4.address]
   ttl     = 3600
 }
 
@@ -60,17 +63,7 @@ resource "google_dns_record_set" "docs-ipv4" {
 
   type    = "A"
   name    = "docs.${module.google-cloud-dns.dns_name}"
-  rrdatas = ["45.63.84.183"]
-  ttl     = 3600
-}
-
-resource "google_dns_record_set" "docs-ipv6" {
-  project      = module.google-cloud-project.project.project_id
-  managed_zone = module.google-cloud-dns.zone_name
-
-  type    = "AAAA"
-  name    = "docs.${module.google-cloud-dns.dns_name}"
-  rrdatas = ["2001:19f0:ac02:bb:5400:4ff:fe47:6bdf"]
+  rrdatas = [google_compute_global_address.tld-ipv4.address]
   ttl     = 3600
 }
 

terraform/environments/production/redirects.tf

@@ -0,0 +1,161 @@
+resource "google_project_service" "compute" {
+  project = module.google-cloud-project.project.project_id
+  service = "servicenetworking.googleapis.com"
+
+  disable_on_destroy = false
+}
+
+resource "google_project_service" "servicenetworking" {
+  project = module.google-cloud-project.project.project_id
+  service = "servicenetworking.googleapis.com"
+
+  disable_on_destroy = false
+}
+
+# Create a global address that will be used for the load balancer
+resource "google_compute_global_address" "tld-ipv4" {
+  project = module.google-cloud-project.project.project_id
+
+  name = replace(local.tld, ".", "-")
+}
+
+# Create a SSL policy
+resource "google_compute_ssl_policy" "tld" {
+  project = module.google-cloud-project.project.project_id
+
+  name = replace(local.tld, ".", "-")
+
+  min_tls_version = "TLS_1_2"
+  profile         = "RESTRICTED"
+
+  depends_on = [
+    google_project_service.compute,
+    google_project_service.servicenetworking,
+  ]
+}
+
+# Create a managed SSL certificate
+resource "google_compute_managed_ssl_certificate" "tld" {
+  project = module.google-cloud-project.project.project_id
+
+  name = replace(local.tld, ".", "-")
+
+  type = "MANAGED"
+
+  managed {
+    domains = [
+      local.tld,
+    ]
+  }
+
+  depends_on = [
+    google_project_service.compute,
+    google_project_service.servicenetworking,
+  ]
+}
+
+# URL maps are used to define redirect rules for incoming requests
+resource "google_compute_url_map" "redirects" {
+  project = module.google-cloud-project.project.project_id
+
+  name = "${replace(local.tld, ".", "-")}-www-redirect"
+
+  # docs.firezone.dev -> https://www.firezone.dev/docs{uri}
+  host_rule {
+    hosts        = ["docs.${local.tld}"]
+    path_matcher = "firezone-docs-redirects"
+  }
+
+  path_matcher {
+    name = "firezone-redirects"
+
+    default_url_redirect {
+      host_redirect          = "www.firezone.dev"
+      prefix_redirect        = "/docs"
+      https_redirect         = true
+      redirect_response_code = "MOVED_PERMANENTLY_DEFAULT"
+      strip_query            = false
+    }
+  }
+
+  # blog.firezone.dev -> https://www.firezone.dev/blog{uri}
+  host_rule {
+    hosts        = ["blog.${local.tld}"]
+    path_matcher = "firezone-blog-redirects"
+  }
+
+  path_matcher {
+    name = "firezone-redirects"
+
+    default_url_redirect {
+      host_redirect          = "www.firezone.dev"
+      prefix_redirect        = "/blog"
+      https_redirect         = true
+      redirect_response_code = "MOVED_PERMANENTLY_DEFAULT"
+      strip_query            = false
+    }
+  }
+
+  # rest of the hosts -> https://www.firezone.dev{uri}
+  default_url_redirect {
+    host_redirect          = "www.${local.tld}"
+    https_redirect         = true
+    redirect_response_code = "MOVED_PERMANENTLY_DEFAULT"
+    strip_query            = false
+  }
+
+  depends_on = [
+    google_project_service.compute,
+    google_project_service.servicenetworking,
+  ]
+}
+
+# HTTP(s) proxies are used to route requests to the appropriate URL maps
+resource "google_compute_target_http_proxy" "tld" {
+  project = module.google-cloud-project.project.project_id
+  name    = "${replace(local.tld, ".", "-")}-http"
+
+  url_map = google_compute_url_map.redirects.self_link
+}
+
+resource "google_compute_target_https_proxy" "tld" {
+  project = module.google-cloud-project.project.project_id
+  name    = "${replace(local.tld, ".", "-")}-https"
+
+  url_map = google_compute_url_map.redirects.self_link
+
+  ssl_certificates = [google_compute_managed_ssl_certificate.tld.self_link]
+  ssl_policy       = google_compute_ssl_policy.tld.self_link
+  quic_override    = "NONE"
+}
+
+# Forwarding rules are used to route incoming requests to the appropriate proxies
+resource "google_compute_global_forwarding_rule" "http" {
+  project = module.google-cloud-project.project.project_id
+
+  name = replace(local.tld, ".", "-")
+  labels = {
+    managed_by = "terraform"
+  }
+
+  target     = google_compute_target_http_proxy.tld.self_link
+  ip_address = google_compute_global_address.tld-ipv4.address
+  port_range = "80"
+
+  load_balancing_scheme = "EXTERNAL"
+}
+
+resource "google_compute_global_forwarding_rule" "https" {
+  project = module.google-cloud-project.project.project_id
+
+  name = "${replace(local.tld, ".", "-")}-https"
+  labels = {
+    managed_by = "terraform"
+  }
+
+  target     = google_compute_target_https_proxy.tld.self_link
+  ip_address = google_compute_global_address.tld-ipv4.address
+  port_range = "443"
+
+  load_balancing_scheme = "EXTERNAL"
+}

terraform/environments/staging/.terraform.lock.hcl

@@ -24,65 +24,65 @@ provider "registry.terraform.io/cyrilgdn/postgresql" {
 }
 
 provider "registry.terraform.io/hashicorp/aws" {
-  version     = "5.47.0"
+  version     = "5.54.1"
   constraints = ">= 3.29.0, >= 5.30.0"
   hashes = [
-    "h1:T0tupfn2Ubj18Y7xmO0pFMvti1Qns2K6EGXenR6Hg30=",
-    "zh:06037a14e47e8f82d0b3b326cd188566272b808b7970a9249a11db26d475b83d",
-    "zh:116b7dd58ca964a1056249d2b6550f399b0a6bc9a7920b7ee134242114432c9f",
-    "zh:1aa089c81459071c1d65ba7454f1122159e1fa1b5384e6e9ef85c8264f8a9ecb",
-    "zh:2c1471acba40c4944aa88dda761093c0c969db6408bdc1a4fb62417788cd6bb6",
-    "zh:3b950bea06ea4bf1ec359a97a4f1745b7efca7fc2da368843666020dd0ebc5d4",
-    "zh:7191c5c2fce834d584153dcd5269ed3042437f224d341ad85df06b2247bd09b2",
-    "zh:76d841b3f247f9bb3899dec3b4d871613a4ae8a83a581a827655d34b1bbee0ee",
-    "zh:7c656ce252fafc2c915dad43a0a7da17dba975207d75841a02f3f2b92d51ec25",
-    "zh:8ec97118cbdef64139c52b719e4e22443e67a1f37ea1597cd45b2e9b97332a35",
+    "h1:+aq386lQCaPX7wR6EPf3PPZvCiI6dRwnjb1wR6lNa8E=",
+    "zh:37c09b9a0a0a2f7854fe52c6adb15f71593810b458a8283ed71d68036af7ba3a",
+    "zh:42fe11d87723d4e43b9c6224ae6bacdcb53faee8abc58f0fc625a161d1f71cb1",
+    "zh:57c6dfc46f28c9c2737559bd84acbc05aeae90431e731bb72a0024028a2d2412",
+    "zh:5ba9665a4ca0e182effd75575b19a4d47383ec02662024b9fe26f78286c36619",
     "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
-    "zh:a369deca7938236a7da59f7ad1fe18137f736764c9015ed10e88edb6e8505980",
-    "zh:a743882fb099401eae0c86d9388a6faadbbc27b2ac9477aeef643e5de4eec3f9",
-    "zh:d5f960f58aff06fc58e244fea6e665800384cacb8cd64a556f8e145b98650372",
-    "zh:e31ffcfd560132ffbff2f574928ba392e663202a750750ed39a8950031b75623",
-    "zh:ebd9061b92a772144564f35a63d5a08cb45e14a9d39294fda185f2e0de9c8e28",
+    "zh:b55980be0237644123a02a30b56d4cc03863ef29036c47d6e8ab5429ab45adf5",
+    "zh:b81e7664f10855a3a6fc234a18b4c4f1456273126a40c41516f2061696fb9870",
+    "zh:bd09736ffafd92af104c3c34b5add138ae8db4402eb687863ce472ca7e5ff2e2",
+    "zh:cc2eb1c62fba2a11d1f239e650cc2ae94bcab01c907384dcf2e213a6ee1bd5b2",
+    "zh:e5dc40205d9cf6f353c0ca532ae29afc6c83928bc9bcca47d74b640d3bb5a38c",
+    "zh:ebf1acdcd13f10db1b9c85050ddaadc70ab269c47c5a240753362446442d8371",
+    "zh:f2fc28a4ad94af5e6144a7309286505e3eb7a94d9dc106722b506c372ff7f591",
+    "zh:f49445e8435944df122aa89853260a2716ba8b73d6a6a70cae1661554926d5a2",
+    "zh:fc3b5046e60ae7cab20715be23de8436eb12736136fd6d0f0cc1549ebda6cc73",
+    "zh:fdb98a53500e245a3b5bec077b994da6959dba8fc4eb7534528658d820e06bd5",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/google" {
-  version     = "5.27.0"
+  version     = "5.34.0"
   constraints = "~> 5.20"
   hashes = [
-    "h1:WCDkdISBBLVlW4PyIkNn0hr4XMSL3ZZNKBsZ/MKFqRc=",
-    "zh:08301af898c1a78e78ad547482d50c95a43ef65d09fd5058800cf32cd9c8cd53",
-    "zh:1a4f9e5134e990132978e78ea15431d32e06bf8024fd6733a98faa811ae03efb",
-    "zh:383e66659d69dc4b4a1ad5d7cbc6aa4ce75015f380cfb5f47beaeb506c9e2e1c",
-    "zh:3aa4aff7dd9240fb387271dc791e084d010044dc58336a7a690b0f1a8890ab68",
-    "zh:4084b9a61e662bdd79d1304432dffc6cd3cf00021b937b01001ae9fee5727b12",
-    "zh:448f5d281cab53caacb8759fcd3309c7aa1ba5a210d1866b28e8bd77fd4634ab",
-    "zh:75457a1f0b77bc7477efe58e7b223649340147fd735ed8b8fe57a06ec8459c95",
-    "zh:7648c6ea04d5b1d1413cce880ed77bd7373aef1a58cd5a26394edf64dc6cac11",
-    "zh:b43630367e29a4c185d3eab8b3f84f818e8a91f16007f0e81d876ab96af4ee43",
-    "zh:b478e7d36c5e99f0c026cb05c06047ce1f24fc07284692a10e74214a853e7139",
-    "zh:e6f349125299401049f64e608b3d73236b139e960816fffdd208d1ba405e1804",
+    "h1:t48NNfGkdHByEWWiKx6GtlZPlzEB1Dha3cq44Uidev0=",
+    "zh:143c88bb74631041c291ebf7b6213467bf376d3775a33815785939dc102fac09",
+    "zh:1616ac79345f472b33fcc388eaf4a8a3002e4cc3a5e8748d60d6f4786d0d16dc",
+    "zh:554ce78e73349ac2c893a74b6981f5e55169ca16f4d0f239e6ccdecadbe1c9e1",
+    "zh:8022f97aa907685b2eb6c39d5411cf2be2448c6f3b7fbeaf9c06618d376ac4bc",
+    "zh:85f1fe3628954c35379cc05b895091ec8fe8ba0a5610bc9660492d5be65d4902",
+    "zh:873fb64fca79695aa930cd868b41ac498809eb76bc3292e41460d916c6fa3538",
+    "zh:8d3c5112a4abf14b42d769f78373e66f2c2f5f03a7e6544d80019a695bd9b198",
+    "zh:93cbcfa38991965b976d1973bc528d666006b5247c3fda00c714d0f3a2b62d3e",
+    "zh:b7710246637aee522a4ea4c1b4f0effb83b701546124ae90c8b4afb97ce03aba",
+    "zh:e4e02fe946ccbe192b6bbc6bed5715cf68084f1faadc134ed99d5e732429d2ca",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:fb6b1e4fb2d019d2740aa21b5ecd5f0609f562633a78604a96c14c94aff762b4",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/google-beta" {
-  version     = "5.27.0"
+  version     = "5.34.0"
   constraints = "~> 5.20"
   hashes = [
-    "h1:Q1TtRjUkcIULvyinqWEVRl+r8VaS5Bqa/EXsWNe7CfE=",
-    "zh:074d29ba9a70de197f14bbed7cb418209764a491e2dcba52aebb7299e8dc7c12",
-    "zh:68638b88b9059fcb7931f2b7e3e136a3cfd3d974d0d424c5435aafaf6ea188b5",
-    "zh:9a1770398dddfdced4d42c9e2d6551dbc38937f733e00cbc0faba2944dd14443",
-    "zh:9cc072528ed4a3163025135f3d2026a6f2f8e8472e3188822fe1e0721f9e5359",
-    "zh:a441ce8a1fe57cb538d8b4301f7d9045bec0e7d796b962d2c97fd47bf9daf4f0",
-    "zh:a704bf6682d0db7c5578d39880f9081da6b81d458547f97f15c59ee94f5638a3",
-    "zh:ab548b6bc8508eeebf6da8cf577758ff5b078d0b655b1a76940b9cc7f107d3b1",
-    "zh:b15c056b140a8ea330efd277253d02930eec350b06831c526cd5a78cf25cd39e",
-    "zh:df79906421ab1d6ff733d9c167875afaafbda3d0e9f58fe581c0c9010523bbce",
-    "zh:ea75a33508d17132152ae3543f981359b215a586ae864546e7b45976de374e1b",
+    "h1:HIgDlZlb6fzgCHh/NZQW9byVzN11Mt6T0Ay0TDW87Sg=",
+    "zh:01619cfe684471dc88d470cf157f7adc659a2f6849346d6be2a71efe1cbd0250",
+    "zh:1b6b2401862aaaf08819cf83b27a147957f0bcc1821a3b94a438788760cb65ad",
+    "zh:30d3fbaa204dd1d197d01ed5385a5d325fd8d313a5fdcf7cdd80209f1740247f",
+    "zh:461d084c0a0590785134218d57df39f34863a8977e4e925585eea085c86c97b5",
+    "zh:534bc4652861bdcbe0451673269d326477781d70a9f03cae3b780d574f29f841",
+    "zh:6e8abcd37a9609b05aab3529ccc3414b6d1258b124e58754b62f28fd4f3877a7",
+    "zh:838a31873ce35e40e52ba0513aec5ff519159e99459829f0ea590eb62714801a",
+    "zh:9387550c9e45e68c7ac5d6839a8f88e8e525ebf81a4c76847f7c05f13bf5dc19",
+    "zh:997ac33e5d72f0aecfddd5235ba4dbe82b5bbaf811b801849e419942e204a12b",
+    "zh:a66fbccde0dd854f764bf247576eaea4898966b6814db232fa45e789dc2ca014",
+    "zh:d60efed82a54ff41a8f2380f83fefd9477616f49296e349b5a41fccb558fde08",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f734a884346550d5ce0e4563294572ae7546773ced9c1314ed21901f24b9041e",
   ]
 }
 
@@ -107,22 +107,22 @@ provider "registry.terraform.io/hashicorp/null" {
 }
 
 provider "registry.terraform.io/hashicorp/random" {
-  version     = "3.6.1"
+  version     = "3.6.2"
   constraints = "~> 3.6"
   hashes = [
-    "h1:a+Goawwh6Qtg4/bRWzfDtIdrEFfPlnVy0y4LdUQY3nI=",
-    "zh:2a0ec154e39911f19c8214acd6241e469157489fc56b6c739f45fbed5896a176",
-    "zh:57f4e553224a5e849c99131f5e5294be3a7adcabe2d867d8a4fef8d0976e0e52",
-    "zh:58f09948c608e601bd9d0a9e47dcb78e2b2c13b4bda4d8f097d09152ea9e91c5",
-    "zh:5c2a297146ed6fb3fe934c800e78380f700f49ff24dbb5fb5463134948e3a65f",
+    "h1:VavG5unYCa3SYISMKF9pzc3718M0bhPlcbUZZGl7wuo=",
+    "zh:0ef01a4f81147b32c1bea3429974d4d104bbc4be2ba3cfa667031a8183ef88ec",
+    "zh:1bcd2d8161e89e39886119965ef0f37fcce2da9c1aca34263dd3002ba05fcb53",
+    "zh:37c75d15e9514556a5f4ed02e1548aaa95c0ecd6ff9af1119ac905144c70c114",
+    "zh:4210550a767226976bc7e57d988b9ce48f4411fa8a60cd74a6b246baf7589dad",
+    "zh:562007382520cd4baa7320f35e1370ffe84e46ed4e2071fdc7e4b1a9b1f8ae9b",
+    "zh:5efb9da90f665e43f22c2e13e0ce48e86cae2d960aaf1abf721b497f32025916",
+    "zh:6f71257a6b1218d02a573fc9bff0657410404fb2ef23bc66ae8cd968f98d5ff6",
     "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:7ce41e26f0603e31cdac849085fc99e5cd5b3b73414c6c6d955c0ceb249b593f",
-    "zh:8c9e8d30c4ef08ee8bcc4294dbf3c2115cd7d9049c6ba21422bd3471d92faf8a",
-    "zh:93e91be717a7ffbd6410120eb925ebb8658cc8f563de35a8b53804d33c51c8b0",
-    "zh:982542e921970d727ce10ed64795bf36c4dec77a5db0741d4665230d12250a0d",
-    "zh:b9d1873f14d6033e216510ef541c891f44d249464f13cc07d3f782d09c7d18de",
-    "zh:cfe27faa0bc9556391c8803ade135a5856c34a3fe85b9ae3bdd515013c0c87c1",
-    "zh:e4aabf3184bbb556b89e4b195eab1514c86a2914dd01c23ad9813ec17e863a8a",
+    "zh:9647e18f221380a85f2f0ab387c68fdafd58af6193a932417299cdcae4710150",
+    "zh:bb6297ce412c3c2fa9fec726114e5e0508dd2638cad6a0cb433194930c97a544",
+    "zh:f83e925ed73ff8a5ef6e3608ad9225baa5376446349572c2449c0c0b3cf184b7",
+    "zh:fbef0781cb64de76b1df1ca11078aecba7800d82fd4a956302734999cfd9a4af",
   ]
 }
 

terraform/environments/staging/dns.tf

@@ -15,23 +15,13 @@ resource "google_dns_record_set" "dns-caa" {
 
 # Website -- these redirect to firezone.dev
 
-resource "google_dns_record_set" "website-ipv6" {
-  project      = module.google-cloud-project.project.project_id
-  managed_zone = module.google-cloud-dns.zone_name
-
-  type    = "AAAA"
-  name    = module.google-cloud-dns.dns_name
-  rrdatas = ["2001:19f0:ac02:bb:5400:4ff:fe47:6bdf"]
-  ttl     = 3600
-}
-
 resource "google_dns_record_set" "website-ipv4" {
   project      = module.google-cloud-project.project.project_id
   managed_zone = module.google-cloud-dns.zone_name
 
   type    = "A"
   name    = module.google-cloud-dns.dns_name
-  rrdatas = ["45.63.84.183"]
+  rrdatas = [google_compute_global_address.tld-ipv4.address]
   ttl     = 3600
 }
 
@@ -39,9 +29,9 @@ resource "google_dns_record_set" "website-www-redirect" {
   project      = module.google-cloud-project.project.project_id
   managed_zone = module.google-cloud-dns.zone_name
 
-  type    = "CNAME"
+  type    = "A"
   name    = "www.${module.google-cloud-dns.dns_name}"
-  rrdatas = ["firez.one."]
+  rrdatas = [google_compute_global_address.tld-ipv4.address]
   ttl     = 3600
 }
 

terraform/environments/staging/redirects.tf

@@ -0,0 +1,124 @@
+resource "google_project_service" "compute" {
+  project = module.google-cloud-project.project.project_id
+  service = "servicenetworking.googleapis.com"
+
+  disable_on_destroy = false
+}
+
+resource "google_project_service" "servicenetworking" {
+  project = module.google-cloud-project.project.project_id
+  service = "servicenetworking.googleapis.com"
+
+  disable_on_destroy = false
+}
+
+# Create a global address that will be used for the load balancer
+resource "google_compute_global_address" "tld-ipv4" {
+  project = module.google-cloud-project.project.project_id
+
+  name = replace(local.tld, ".", "-")
+}
+
+# Create a SSL policy
+resource "google_compute_ssl_policy" "tld" {
+  project = module.google-cloud-project.project.project_id
+
+  name = replace(local.tld, ".", "-")
+
+  min_tls_version = "TLS_1_2"
+  profile         = "RESTRICTED"
+
+  depends_on = [
+    google_project_service.compute,
+    google_project_service.servicenetworking,
+  ]
+}
+
+# Create a managed SSL certificate
+resource "google_compute_managed_ssl_certificate" "tld" {
+  project = module.google-cloud-project.project.project_id
+
+  name = replace(local.tld, ".", "-")
+
+  type = "MANAGED"
+
+  managed {
+    domains = [
+      local.tld,
+    ]
+  }
+
+  depends_on = [
+    google_project_service.compute,
+    google_project_service.servicenetworking,
+  ]
+}
+
+# URL maps are used to define redirect rules for incoming requests
+resource "google_compute_url_map" "redirects" {
+  project = module.google-cloud-project.project.project_id
+
+  name = "${replace(local.tld, ".", "-")}-production-redirect"
+
+  default_url_redirect {
+    host_redirect          = "www.firezone.dev"
+    https_redirect         = true
+    redirect_response_code = "MOVED_PERMANENTLY_DEFAULT"
+    strip_query            = false
+  }
+
+  depends_on = [
+    google_project_service.compute,
+    google_project_service.servicenetworking,
+  ]
+}
+
+# HTTP(s) proxies are used to route requests to the appropriate URL maps
+resource "google_compute_target_http_proxy" "tld" {
+  project = module.google-cloud-project.project.project_id
+  name    = "${replace(local.tld, ".", "-")}-http"
+
+  url_map = google_compute_url_map.redirects.self_link
+}
+
+resource "google_compute_target_https_proxy" "tld" {
+  project = module.google-cloud-project.project.project_id
+  name    = "${replace(local.tld, ".", "-")}-https"
+
+  url_map = google_compute_url_map.redirects.self_link
+
+  ssl_certificates = [google_compute_managed_ssl_certificate.tld.self_link]
+  ssl_policy       = google_compute_ssl_policy.tld.self_link
+  quic_override    = "NONE"
+}
+
+# Forwarding rules are used to route incoming requests to the appropriate proxies
+resource "google_compute_global_forwarding_rule" "http" {
+  project = module.google-cloud-project.project.project_id
+
+  name = replace(local.tld, ".", "-")
+  labels = {
+    managed_by = "terraform"
+  }
+
+  target     = google_compute_target_http_proxy.tld.self_link
+  ip_address = google_compute_global_address.tld-ipv4.address
+  port_range = "80"
+
+  load_balancing_scheme = "EXTERNAL"
+}
+
+resource "google_compute_global_forwarding_rule" "https" {
+  project = module.google-cloud-project.project.project_id
+
+  name = "${replace(local.tld, ".", "-")}-https"
+  labels = {
+    managed_by = "terraform"
+  }
+
+  target     = google_compute_target_https_proxy.tld.self_link
+  ip_address = google_compute_global_address.tld-ipv4.address
+  port_range = "443"
+
+  load_balancing_scheme = "EXTERNAL"
+}

terraform/environments/staging/versions.tf

@@ -29,7 +29,7 @@ terraform {
 
     postgresql = {
       source  = "cyrilgdn/postgresql"
-      version = "1.22.0"
+      version = "1.22"
     }
   }
 }