Comments (10)
Hi @jonnyry, I've got this to add to the docs, but I'll add it here too.
Using a custom DNS and custom cert
A certificate named 'letsencrypt' has been generated in the primary TRE KeyVault. This must be substituted with a certificate for your DNS name. Terraform has been configured to ignore modifications to this resource, eliminating the possibility of any overwrites or conflicts when rerunning the pipelines.
Additionally, a user with domain access will be required to redirect a custom domain name to the public IP of the App Gateway.
The TRE UX App Registration within the Authentication section will require an update to include the new custom DNS and its corresponding 'oauth2-redirect'.
from azuretre.
I believe I've used tre_url to configure the end-to-end tests to point to my locally running API. Maybe it should be under developer settings. Not sure it's related to custom domain configuration.
from azuretre.
I'm also thinking that was the intention, though this line overwrites the value of TRE_URL with the native .cloudapp.azure.com domain:
So guessing tre_url in the config.yaml is now redundant.
Yes, I saw this looking through the code to find where that tre_url went.
I think you're right, it must be redundant. There's another place where it constructs that URL too.
from azuretre.
In terms of supporting a custom domain within the codebase (and not requiring a post deployment manual fix up)... how about the following?
- Add a new parameter CUSTOM_DOMAIN in config.yaml (by default commented out).
- Feed the new parameter into the make auth target, which adds SSO redirect URLs for the custom domain in addition to the default Azure one here: AzureTRE/devops/scripts/aad/create_api_application.sh, lines 241 to 246 in 1ffb09b.
- Feed the new parameter into the make letsencrypt target, which, when populated, generates and uploads a certificate for the custom domain instead of the cloudapp.azure.com domain. If not populated, it behaves as it does now, generating a certificate for the default Azure domain.
- Modify the Let's Encrypt GitHub Action to look for a CUSTOM_DOMAIN GH secret and pass it in to the make letsencrypt flow. Again, if CUSTOM_DOMAIN is present a cert is generated for it; if not, it reverts to generating a cert for the default domain.
from azuretre.
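An added example (not AzureTRE's own code) of the CUSTOM_DOMAIN fallback the proposal above describes, as the helper logic a make letsencrypt / make auth target could share. It assumes the default Azure domain has the form <tre_id>.<location>.cloudapp.azure.com and that the SSO redirect path is /api/docs/oauth2-redirect; it also validates the custom value as a hostname before it is fed to any script.

```shell
#!/usr/bin/env sh
# Added example, not part of the AzureTRE repository.
# Assumed default domain shape: <tre_id>.<location>.cloudapp.azure.com
# Assumed SSO redirect path: /api/docs/oauth2-redirect

# Accept only a plausible DNS name: a config value that reaches a shell
# script and an app-registration redirect list should never carry spaces,
# schemes, paths or other characters that could change what gets registered.
valid_hostname() {
  printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
}

# Print the FQDN a certificate should be requested for:
# CUSTOM_DOMAIN when set (and valid), otherwise the default Azure domain.
# Usage: tre_fqdn <tre_id> <location> [custom_domain]
tre_fqdn() {
  fq_tre_id="$1"; fq_location="$2"; fq_custom="$3"
  if [ -n "$fq_custom" ]; then
    if ! valid_hostname "$fq_custom"; then
      echo "CUSTOM_DOMAIN is not a valid hostname: $fq_custom" >&2
      return 1
    fi
    printf '%s\n' "$fq_custom"
  else
    printf '%s.%s.cloudapp.azure.com\n' "$fq_tre_id" "$fq_location"
  fi
}

# Print the oauth2-redirect URIs to register on the app registration:
# always the default domain, plus the custom domain when one is set.
# Usage: tre_redirect_uris <tre_id> <location> [custom_domain]
tre_redirect_uris() {
  ru_tre_id="$1"; ru_location="$2"; ru_custom="$3"
  ru_default="$(tre_fqdn "$ru_tre_id" "$ru_location" "")"
  printf 'https://%s/api/docs/oauth2-redirect\n' "$ru_default"
  if [ -n "$ru_custom" ]; then
    ru_fqdn="$(tre_fqdn "$ru_tre_id" "$ru_location" "$ru_custom")" || return 1
    printf 'https://%s/api/docs/oauth2-redirect\n' "$ru_fqdn"
  fi
}
```

Registering both URIs keeps the default-domain login working after the custom domain is added, which is what the proposal's "in addition to the default Azure one" relies on.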
You can find some insights here: #3908 (comment)
If it works, it would be nice if you could share a more detailed instruction about the steps to set up a custom domain.
Relevant: #1540
from azuretre.
Thanks @tim-allen-ck I've requested a new subdomain so I'll let you know how it goes.
from azuretre.
Is it possible to add the custom domain as part of the TRE deployment build?...(rather than a manual fix up afterwards).
I noticed the following in config.yaml, though I'm not clear on what the comments mean:
# If you want to use TRE_URL to point to your local TRE API instance or be configured to another cloud provider
# uncomment and set this variable
# tre_url: __CHANGE_ME__
from azuretre.
Hey @jonnyry, I've not tried adding the custom domain to the TRE deployment build.
I was assuming that that was the config value to change to be able to use a custom domain, but that comment doesn't make sense. Maybe @marrobi can shed some light?
from azuretre.
Got it working with the instructions above thanks :-)
Managed to piggyback the existing letsencrypt.sh script to request & install the custom domain cert:
TRE_ID=mytre \
FQDN=mycustomdomain.org \
STORAGE_ACCOUNT=stweb$TRE_ID \
RESOURCE_GROUP_NAME=rg-$TRE_ID \
APPLICATION_GATEWAY=agw-$TRE_ID \
KEYVAULT=kv-$TRE_ID \
core/terraform/scripts/letsencrypt.sh
from azuretre.