Create custom domain

christian-calabrese · christian-calabrese · commit bb349c4b3b34 · 2025-10-08T10:31:50.000+02:00
diff --git a/infra/resources/_modules/mcp_server/README.md b/infra/resources/_modules/mcp_server/README.md
@@ -10,6 +10,7 @@ No requirements.
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | 0.1.3 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 4.47.0 |
 
 ## Modules
 
@@ -19,7 +20,10 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_acm_certificate.api_custom_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
 | [aws_apigatewayv2_api.mcp_server](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_api) | resource |
+| [aws_apigatewayv2_api_mapping.api_custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_api_mapping) | resource |
+| [aws_apigatewayv2_domain_name.api_custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_domain_name) | resource |
 | [aws_apigatewayv2_integration.lambda_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_integration) | resource |
 | [aws_apigatewayv2_route.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_route) | resource |
 | [aws_apigatewayv2_route.mcp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_route) | resource |
@@ -31,13 +35,16 @@ No modules.
 | [aws_lambda_function.server](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
 | [aws_lambda_permission.apigw_http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_s3_bucket.mcp_knowledge_base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [azurerm_dns_cname_record.acm_validation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_cname_record) | resource |
+| [azurerm_dns_cname_record.api_gateway_custom](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_cname_record) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | The AWS account ID where the MCP server resources will be created. | `string` | n/a | yes |
 | <a name="input_bedrock_knowledge_base_id"></a> [bedrock\_knowledge\_base\_id](#input\_bedrock\_knowledge\_base\_id) | The Bedrock knowledge base ID to be used by the MCP server. | `string` | n/a | yes |
+| <a name="input_dns"></a> [dns](#input\_dns) | DNS configuration for the MCP server, including zone name, resource group name, and custom domain name. | <pre>object({<br/>    zone_name           = string<br/>    resource_group_name = string<br/>    custom_domain_name  = string<br/>  })</pre> | n/a | yes |
 | <a name="input_naming_config"></a> [naming\_config](#input\_naming\_config) | n/a | <pre>object({<br/>    prefix          = string<br/>    environment     = string<br/>    region          = string<br/>    instance_number = number<br/>  })</pre> | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to the resources. | `map(string)` | n/a | yes |
 
diff --git a/infra/resources/_modules/mcp_server/api_gateway.tf b/infra/resources/_modules/mcp_server/api_gateway.tf
@@ -1,3 +1,25 @@
+## Custom domain for API Gateway HTTP v2
+resource "aws_acm_certificate" "api_custom_domain" {
+  domain_name       = var.dns.custom_domain_name
+  validation_method = "DNS"
+  tags              = var.tags
+}
+
+resource "aws_apigatewayv2_domain_name" "api_custom" {
+  domain_name = var.dns.custom_domain_name
+  domain_name_configuration {
+    certificate_arn = aws_acm_certificate.api_custom_domain.arn
+    endpoint_type   = "REGIONAL"
+    security_policy = "TLS_1_2"
+  }
+  tags = var.tags
+}
+
+resource "aws_apigatewayv2_api_mapping" "api_custom" {
+  api_id      = aws_apigatewayv2_api.mcp_server.id
+  domain_name = aws_apigatewayv2_domain_name.api_custom.domain_name
+  stage       = aws_apigatewayv2_stage.default.id
+}
 ## HTTP API Gateway v2 exposing the Lambda as a proxy
 resource "aws_apigatewayv2_api" "mcp_server" {
   name = provider::awsdx::resource_name(merge(var.naming_config, {
diff --git a/infra/resources/_modules/mcp_server/dns.tf b/infra/resources/_modules/mcp_server/dns.tf
@@ -0,0 +1,19 @@
+# ACM validation records (CNAME)
+resource "azurerm_dns_cname_record" "acm_validation" {
+  for_each = { for dvo in tolist(aws_acm_certificate.api_custom_domain.domain_validation_options) : dvo.resource_record_name => dvo }
+
+  name                = each.value.resource_record_name
+  zone_name           = var.dns.zone_name
+  resource_group_name = var.dns.resource_group_name
+  ttl                 = 300
+  record              = each.value.resource_record_value
+}
+
+# API Gateway custom domain CNAME
+resource "azurerm_dns_cname_record" "api_gateway_custom" {
+  name                = var.dns.custom_domain_name
+  zone_name           = var.dns.zone_name
+  resource_group_name = var.dns.resource_group_name
+  ttl                 = 300
+  record              = aws_apigatewayv2_domain_name.api_custom.domain_name_configuration[0].target_domain_name
+}
diff --git a/infra/resources/_modules/mcp_server/lambda.tf b/infra/resources/_modules/mcp_server/lambda.tf
@@ -86,7 +86,8 @@ resource "aws_iam_policy" "lambda_bedrock_access" {
         Action = [
           "bedrock:ListKnowledgeBases",
           "bedrock:GetKnowledgeBase",
-          "bedrock:QueryKnowledgeBase"
+          "bedrock:QueryKnowledgeBase",
+          "bedrock:Retrieve"
         ]
         Resource = "arn:aws:bedrock:${var.naming_config.region}:${var.account_id}:knowledge-base/${var.bedrock_knowledge_base_id}"
       }
diff --git a/infra/resources/_modules/mcp_server/variables.tf b/infra/resources/_modules/mcp_server/variables.tf
@@ -17,6 +17,15 @@ variable "bedrock_knowledge_base_id" {
   description = "The Bedrock knowledge base ID to be used by the MCP server."
 }
 
+variable "dns" {
+  type = object({
+    zone_name           = string
+    resource_group_name = string
+    custom_domain_name  = string
+  })
+  description = "DNS configuration for the MCP server, including zone name, resource group name, and custom domain name."
+}
+
 variable "tags" {
   type        = map(string)
   description = "A map of tags to assign to the resources."
diff --git a/infra/resources/dev/README.md b/infra/resources/dev/README.md
@@ -23,6 +23,7 @@
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_aws_core_values"></a> [aws\_core\_values](#module\_aws\_core\_values) | pagopa-dx/aws-core-values-exporter/aws | ~> 0.0 |
+| <a name="module_azure_core_values"></a> [azure\_core\_values](#module\_azure\_core\_values) | pagopa-dx/azure-core-values-exporter/azurerm | ~> 0.0 |
 | <a name="module_mcp_server"></a> [mcp\_server](#module\_mcp\_server) | ../_modules/mcp_server | n/a |
 | <a name="module_testing"></a> [testing](#module\_testing) | ../_modules/testing | n/a |
 
diff --git a/infra/resources/dev/aws.tf b/infra/resources/dev/aws.tf
@@ -11,8 +11,14 @@ module "mcp_server" {
     aws = aws.eu-central-1
   }
 
-  naming_config             = local.aws_naming_config
+  naming_config             = merge(local.aws_naming_config, { region = "eu-central-1" })
   account_id                = data.aws_caller_identity.current.account_id
   bedrock_knowledge_base_id = "TWMAUIB8QZ"
-  tags                      = local.tags
+
+  dns = {
+    custom_domain_name  = "mcp.dev.dx.pagopa.it"
+    zone_name           = "dev.dx.pagopa.it"
+    resource_group_name = module.azure_core_values.network_resource_group_name
+  }
+  tags = local.tags
 }
diff --git a/infra/resources/dev/azure.tf b/infra/resources/dev/azure.tf
@@ -0,0 +1,6 @@
+module "azure_core_values" {
+  source  = "pagopa-dx/azure-core-values-exporter/azurerm"
+  version = "~> 0.0"
+
+  core_state = local.core_state
+}
diff --git a/infra/resources/dev/tfmodules.lock.json b/infra/resources/dev/tfmodules.lock.json
@@ -4,5 +4,11 @@
     "version": "0.1.1",
     "name": "aws_core_values_exporter",
     "source": "https://registry.terraform.io/modules/pagopa-dx/aws-core-values-exporter/aws/0.1.1"
+  },
+  "azure_core_values": {
+    "hash": "9d17c2786991abf8af52245d73bb724877914c4eb8f72389a831b5385878974e",
+    "version": "0.2.4",
+    "name": "azure_core_values_exporter",
+    "source": "https://registry.terraform.io/modules/pagopa-dx/azure-core-values-exporter/azurerm/0.2.4"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,8 @@ resource "aws_iam_policy" "lambda_bedrock_access" {`
`86`	`86`	`Action = [`
`87`	`87`	`"bedrock:ListKnowledgeBases",`
`88`	`88`	`"bedrock:GetKnowledgeBase",`
`89`		`- "bedrock:QueryKnowledgeBase"`
	`89`	`+ "bedrock:QueryKnowledgeBase",`
	`90`	`+ "bedrock:Retrieve"`
`90`	`91`	`]`
`91`	`92`	`Resource = "arn:aws:bedrock:${var.naming_config.region}:${var.account_id}:knowledge-base/${var.bedrock_knowledge_base_id}"`
`92`	`93`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,5 +4,11 @@`
`4`	`4`	`"version": "0.1.1",`
`5`	`5`	`"name": "aws_core_values_exporter",`
`6`	`6`	`"source": "https://registry.terraform.io/modules/pagopa-dx/aws-core-values-exporter/aws/0.1.1"`
	`7`	`+ },`
	`8`	`+ "azure_core_values": {`
	`9`	`+ "hash": "9d17c2786991abf8af52245d73bb724877914c4eb8f72389a831b5385878974e",`
	`10`	`+ "version": "0.2.4",`
	`11`	`+ "name": "azure_core_values_exporter",`
	`12`	`+ "source": "https://registry.terraform.io/modules/pagopa-dx/azure-core-values-exporter/azurerm/0.2.4"`
`7`	`13`	`}`
`8`	`14`	`}`