-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set up caching layer for dev endpoint using CloudFront #301
Conversation
Use CloudFront to set up a new caching layer for `dev.cid.contact`, accessible via `cdn.dev.cid.contact`.
Eventually we probably want to have only the cloudfront-protected ingress exposed. this seems like a good next step though |
For CloudFront to work, what it points to must be public I believe. I can switch domains around, pointing cloud front to |
Codecov Report
@@ Coverage Diff @@
## main #301 +/- ##
==========================================
+ Coverage 46.43% 46.44% +0.01%
==========================================
Files 82 82
Lines 6211 6211
==========================================
+ Hits 2884 2885 +1
+ Misses 2950 2949 -1
Partials 377 377
|
|
Thanks for the link @MarcoPolo yeah that should do it. ELB will still remain exposed from network routing perspective. Moving the cache into K8S would allow us to tighten this up and have more control over it. But hey, it's probably a YAGNI for now |
Another approach might be to maybe whitelist only cloudfront IP ranges in the ingress if we want to stick with cloudfront. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Has a couple of comments, but looks OK. This PR should get approval from someone who is more familiar with CloudFront and can determine if anything is missing.
|
||
records = [ | ||
{ | ||
name = local.cdn_subdomain |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do not understand what the purpose of this A-record is, so I am not sure if "local.x" is required or if it can be something more descriptive.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what the purpose of this A-record is
This A record tells the nameservers of dev.cid.contact
to point anything hitting cdn
subdomain to the hostname created by cloudfront distribution (d2d8p2eae7i6lv.cloudfront.net
). The name
property is required to specify what that subdomain is.
"local.x"
The locals
block in HCL is used to define local variables that are then accessible using local.*
expression. Here we define a variable for the string value cdn
to make sure the subdomain we set in the record is the same as the prefix of alias defined in cloudfront distribution. The name of that variable is cdn_subdomain
which to me is quite descriptive :)
Do you have alternative suggestions for the name of that variable?
Context
Hitting
dev.cid.contact
makes a call to indexer every time. Considering the nature of data being served, this PR sets up caching using CloudFront accessible viacdn.dev.cid.contact
Proposed Changes
Define:
us-east-1
; existing cert used by ingress only lives in K8S.A
records forcdn.dev.cid.contact
Tests
$ curl -kIs https://cdn.dev.cid.contact | grep x-cache x-cache: Hit from cloudfront
Revert Strategy
git revert
thenterraform apply
Relates to: #286