Implement simplified DNS/SSL configuration schema

This implements the approved OpenSpec change to simplify DNS and SSL
configuration, add ACM support, and fix security vulnerabilities.

Breaking Changes:
- Removed dns.app_name, dns.pattern, dns.custom_subdomain, dns.create_zone
- Removed ssl.staging
- dns.domain now accepts full domain (e.g., "test.lablink.example.com")
- ssl.provider now supports "acm" for AWS Certificate Manager

Infrastructure Changes:
- Updated main.tf to remove pattern-based DNS logic
- Added ALLOCATOR_FQDN computation and environment variable
- Created alb.tf for ACM/ALB support (conditional)
- Updated user_data.sh with conditional Caddy installation
- Added lifecycle hooks to Route53 records

Configuration Changes:
- Updated config.yaml with new schema
- Updated test.example.yaml with new schema
- Created 5 canonical use case examples:
  - ip-only.example.yaml (no DNS, no SSL)
  - cloudflare.example.yaml (CloudFlare DNS + SSL)
  - letsencrypt.example.yaml (Route53 + Let's Encrypt, Terraform-managed)
  - acm.example.yaml (Route53 + ACM via ALB)
  - letsencrypt-manual.example.yaml (Route53 + Let's Encrypt, manual DNS)

OpenSpec:
- Created proposal in openspec/changes/implement-simplified-dns-ssl/
- Added infrastructure spec deltas
- Created detailed tasks checklist

Related: talmolab/lablink#230

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: eberrigan

lablink-infrastructure/alb.tf

@@ -0,0 +1,173 @@
+# Application Load Balancer for ACM SSL termination
+# Only created when ssl.provider = "acm"
+
+# Security group for ALB (allow HTTP/HTTPS from internet)
+resource "aws_security_group" "alb_sg" {
+  count = local.create_alb ? 1 : 0
+  name  = "lablink-alb-sg-${var.resource_suffix}"
+
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow HTTP from internet"
+  }
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow HTTPS from internet"
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow all outbound traffic"
+  }
+
+  tags = {
+    Name        = "lablink-alb-sg-${var.resource_suffix}"
+    Environment = var.resource_suffix
+  }
+}
+
+# Update allocator security group to allow traffic from ALB
+resource "aws_security_group_rule" "allow_alb_to_allocator" {
+  count                    = local.create_alb ? 1 : 0
+  type                     = "ingress"
+  from_port                = 5000
+  to_port                  = 5000
+  protocol                 = "tcp"
+  source_security_group_id = aws_security_group.alb_sg[0].id
+  security_group_id        = aws_security_group.allow_http.id
+  description              = "Allow ALB to reach allocator on port 5000"
+}
+
+# Get default VPC for ALB
+data "aws_vpc" "default" {
+  count   = local.create_alb ? 1 : 0
+  default = true
+}
+
+# Get default subnets for ALB (requires at least 2 AZs)
+data "aws_subnets" "default" {
+  count = local.create_alb ? 1 : 0
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.default[0].id]
+  }
+}
+
+# Application Load Balancer
+resource "aws_lb" "allocator_alb" {
+  count              = local.create_alb ? 1 : 0
+  name               = "lablink-alb-${var.resource_suffix}"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.alb_sg[0].id]
+  subnets            = data.aws_subnets.default[0].ids
+
+  enable_deletion_protection = false
+
+  tags = {
+    Name        = "lablink-alb-${var.resource_suffix}"
+    Environment = var.resource_suffix
+  }
+}
+
+# Target group for allocator EC2 instance
+resource "aws_lb_target_group" "allocator_tg" {
+  count    = local.create_alb ? 1 : 0
+  name     = "lablink-tg-${var.resource_suffix}"
+  port     = 5000
+  protocol = "HTTP"
+  vpc_id   = data.aws_vpc.default[0].id
+
+  health_check {
+    enabled             = true
+    healthy_threshold   = 2
+    interval            = 30
+    matcher             = "200"
+    path                = "/health"
+    port                = "traffic-port"
+    protocol            = "HTTP"
+    timeout             = 5
+    unhealthy_threshold = 2
+  }
+
+  tags = {
+    Name        = "lablink-tg-${var.resource_suffix}"
+    Environment = var.resource_suffix
+  }
+}
+
+# Attach allocator EC2 instance to target group
+resource "aws_lb_target_group_attachment" "allocator_attachment" {
+  count            = local.create_alb ? 1 : 0
+  target_group_arn = aws_lb_target_group.allocator_tg[0].arn
+  target_id        = aws_instance.lablink_allocator_server.id
+  port             = 5000
+}
+
+# HTTP listener (redirect to HTTPS)
+resource "aws_lb_listener" "http" {
+  count             = local.create_alb ? 1 : 0
+  load_balancer_arn = aws_lb.allocator_alb[0].arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
+
+# HTTPS listener (forward to target group)
+resource "aws_lb_listener" "https" {
+  count             = local.create_alb ? 1 : 0
+  load_balancer_arn = aws_lb.allocator_alb[0].arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = local.ssl_certificate_arn
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.allocator_tg[0].arn
+  }
+}
+
+# DNS A record for ALB (alias record)
+resource "aws_route53_record" "lablink_alb_record" {
+  count   = local.dns_enabled && local.dns_terraform_managed && local.create_alb ? 1 : 0
+  zone_id = local.zone_id
+  name    = local.dns_domain
+  type    = "A"
+
+  alias {
+    name                   = aws_lb.allocator_alb[0].dns_name
+    zone_id                = aws_lb.allocator_alb[0].zone_id
+    evaluate_target_health = true
+  }
+
+  lifecycle {
+    # Prevent accidental deletion in production
+    prevent_destroy = false # Set to true for production environments
+  }
+}
+
+# Output ALB DNS name
+output "alb_dns_name" {
+  value       = local.create_alb ? aws_lb.allocator_alb[0].dns_name : "N/A"
+  description = "DNS name of the Application Load Balancer (when using ACM)"
+}

lablink-infrastructure/config/acm.example.yaml

@@ -0,0 +1,64 @@
+# LabLink Configuration: Use Case 4 - Route53 + ACM (AWS Certificate Manager)
+# Use AWS Route53 for DNS and ACM for SSL certificates via Application Load Balancer
+#
+# Prerequisites:
+# - Route53 hosted zone created
+# - ACM certificate requested and validated for your domain
+# - Certificate ARN obtained from ACM console
+#
+# Setup:
+# 1. Request ACM certificate in ACM console (us-west-2)
+# 2. Validate certificate (DNS or email validation)
+# 3. Copy certificate ARN to ssl.certificate_arn below
+# 4. Deploy infrastructure (Terraform creates ALB with HTTPS listener)
+#
+# Access URL: https://lablink.example.com
+#
+# Note: ALB adds ~$20/month cost but provides enterprise-grade SSL termination
+
+db:
+  dbname: "lablink_db"
+  user: "lablink"
+  password: "PLACEHOLDER_DB_PASSWORD"
+  host: "localhost"
+  port: 5432
+  table_name: "vms"
+  message_channel: "vm_updates"
+
+machine:
+  machine_type: "g4dn.xlarge"
+  image: "ghcr.io/talmolab/lablink-client-base-image:linux-amd64-latest-test"
+  ami_id: "ami-0601752c11b394251"  # us-west-2
+  repository: "https://github.com/talmolab/sleap-tutorial-data.git"
+  software: "sleap"
+  extension: "slp"
+
+allocator:
+  image_tag: "linux-amd64-latest-test"
+
+app:
+  admin_user: "admin"
+  admin_password: "PLACEHOLDER_ADMIN_PASSWORD"
+  region: "us-west-2"
+
+dns:
+  enabled: true  # Route53 DNS enabled
+  terraform_managed: true  # Terraform creates/destroys A record (alias to ALB)
+  domain: "lablink.example.com"  # Full domain
+  zone_id: ""  # Auto-lookup hosted zone
+
+eip:
+  strategy: "persistent"
+  tag_name: "lablink-eip"
+
+ssl:
+  provider: "acm"  # AWS Certificate Manager via ALB
+  email: ""  # Not needed for ACM
+  certificate_arn: "arn:aws:acm:us-west-2:123456789012:certificate/abcd1234-5678-90ab-cdef-EXAMPLE11111"  # REPLACE with your ACM cert ARN
+
+startup_script:
+  enabled: false
+  path: "config/custom-startup.sh"
+  on_error: "continue"
+
+bucket_name: "tf-state-lablink-YOURORG"

lablink-infrastructure/config/cloudflare.example.yaml

@@ -0,0 +1,60 @@
+# LabLink Configuration: Use Case 2 - CloudFlare DNS + SSL
+# Use CloudFlare for DNS management and SSL termination
+#
+# Prerequisites:
+# - Domain registered and managed in CloudFlare
+# - CloudFlare proxy enabled (orange cloud icon)
+#
+# Setup:
+# 1. Create A record in CloudFlare: lablink.example.com → {allocator_public_ip}
+# 2. Enable CloudFlare proxy (orange cloud)
+# 3. SSL/TLS mode: Full (not Strict)
+#
+# Access URL: https://lablink.example.com (CloudFlare provides SSL)
+
+db:
+  dbname: "lablink_db"
+  user: "lablink"
+  password: "PLACEHOLDER_DB_PASSWORD"
+  host: "localhost"
+  port: 5432
+  table_name: "vms"
+  message_channel: "vm_updates"
+
+machine:
+  machine_type: "g4dn.xlarge"
+  image: "ghcr.io/talmolab/lablink-client-base-image:linux-amd64-latest-test"
+  ami_id: "ami-0601752c11b394251"  # us-west-2
+  repository: "https://github.com/talmolab/sleap-tutorial-data.git"
+  software: "sleap"
+  extension: "slp"
+
+allocator:
+  image_tag: "linux-amd64-latest-test"
+
+app:
+  admin_user: "admin"
+  admin_password: "PLACEHOLDER_ADMIN_PASSWORD"
+  region: "us-west-2"
+
+dns:
+  enabled: false  # DNS managed in CloudFlare, not Route53
+  terraform_managed: false
+  domain: "lablink.example.com"  # Used for Caddyfile configuration
+  zone_id: ""
+
+eip:
+  strategy: "persistent"
+  tag_name: "lablink-eip"
+
+ssl:
+  provider: "cloudflare"  # CloudFlare handles SSL termination
+  email: ""
+  certificate_arn: ""
+
+startup_script:
+  enabled: false
+  path: "config/custom-startup.sh"
+  on_error: "continue"
+
+bucket_name: "tf-state-lablink-YOURORG"

lablink-infrastructure/config/config.yaml

@@ -46,21 +46,17 @@ app:
 dns:
   enabled: true  # true = use DNS for allocator URL, false = IP-only access
   terraform_managed: true  # false = manual DNS records (you create in Route53), true = Terraform creates/destroys records
-  domain: "lablink-template-testing.com"  # Base hosted zone domain
+  domain: "ci-test.lablink-template-testing.com"  # Full domain name for the allocator (supports sub-subdomains)
   zone_id: "Z1038183268T83E91AYJF"  # (Optional) Hardcode zone ID to skip lookup - leave empty for auto-lookup
-  app_name: ""  # Not used with custom pattern
-  pattern: "custom"  # Using custom pattern
-  custom_subdomain: "ci-test"  # Creates: ci-test.lablink-template-testing.com
-  create_zone: false  # false = use existing zone, true = create new zone
 
 eip:
   strategy: "dynamic"  # "persistent" = reuse EIP with tag {tag_name}-{env}, "dynamic" = create new EIP with tag {tag_name}-{env}
   tag_name: "lablink-eip"  # Tag prefix for EIP name. Both strategies use {tag_name}-{env} format (e.g., lablink-eip-prod).
 
 ssl:
-  provider: "letsencrypt"  # "letsencrypt" = Caddy auto-SSL, "cloudflare" = CloudFlare proxy, "none" = HTTP only
+  provider: "letsencrypt"  # "letsencrypt" = Caddy auto-SSL, "cloudflare" = CloudFlare proxy, "acm" = AWS Certificate Manager, "none" = HTTP only
   email: "[email protected]"  # Email for Let's Encrypt notifications
-  staging: true  # true = staging/testing certs (unlimited), false = production Let's Encrypt certs (rate limited)
+  certificate_arn: ""  # Required when provider="acm" - ARN of ACM certificate
 
 startup_script:
   enabled: true # true = run custom startup script on client VMs, false = no script

lablink-infrastructure/config/ip-only.example.yaml

@@ -0,0 +1,56 @@
+# LabLink Configuration: Use Case 1 - IP-Only (No DNS, No SSL)
+# Simplest deployment: Access allocator via public IP address over HTTP
+#
+# Use this when:
+# - You don't have a domain name
+# - You want fastest setup for testing
+# - SSL/HTTPS is not required
+#
+# Access URL: http://52.40.142.146 (IP will be output after deployment)
+
+db:
+  dbname: "lablink_db"
+  user: "lablink"
+  password: "PLACEHOLDER_DB_PASSWORD"
+  host: "localhost"
+  port: 5432
+  table_name: "vms"
+  message_channel: "vm_updates"
+
+machine:
+  machine_type: "g4dn.xlarge"
+  image: "ghcr.io/talmolab/lablink-client-base-image:linux-amd64-latest-test"
+  ami_id: "ami-0601752c11b394251"  # us-west-2
+  repository: "https://github.com/talmolab/sleap-tutorial-data.git"
+  software: "sleap"
+  extension: "slp"
+
+allocator:
+  image_tag: "linux-amd64-latest-test"
+
+app:
+  admin_user: "admin"
+  admin_password: "PLACEHOLDER_ADMIN_PASSWORD"
+  region: "us-west-2"
+
+dns:
+  enabled: false  # No DNS - use IP address only
+  terraform_managed: false
+  domain: ""
+  zone_id: ""
+
+eip:
+  strategy: "dynamic"
+  tag_name: "lablink-eip"
+
+ssl:
+  provider: "none"  # No SSL - HTTP only
+  email: ""
+  certificate_arn: ""
+
+startup_script:
+  enabled: false
+  path: "config/custom-startup.sh"
+  on_error: "continue"
+
+bucket_name: "tf-state-lablink-YOURORG"