Support multiple domains #706

Merged
phbnf merged 5 commits into transparency-dev:main from phbnf:multipledomains
Feb 19, 2026
phbnf (Collaborator) commented Feb 18, 2026

No description provided.

@phbnf phbnf requested a review from AlCutter February 18, 2026 14:55
@phbnf phbnf marked this pull request as ready for review February 18, 2026 14:55
@phbnf phbnf requested a review from a team as a code owner February 18, 2026 14:55
AlCutter (Collaborator) commented

This looks as though it might make all logs available on all provided subdomains(?)

While it's probably fiiiiiiine, it does kinda seem a little against the grain of static-ct-api, which says things like:

> ... and by two URL prefixes: the submission prefix for write APIs and the monitoring prefix for read APIs

and

> ... the origin line MUST be the submission prefix of the log ...

Which doesn't really leave much space for having multiple submission prefixes.

Maybe another way would be to make the map of logs you added recently have an object value like in the witness: https://github.com/transparency-dev/witness/blob/main/deployment/modules/gcp/loadbalancer/variables.tf and then you'd be able to provide a specific suffix for each (and could iterate over the map and union all the suffixes when creating the list of SANs for the TLS cert)?

phbnf (Collaborator, Author) commented Feb 18, 2026

Right, that's the "description" that I forgot to write :)

This is meant to be temporary for as long as we have logs with different origin suffixes in a single project. I did consider writing a map, but concluded it was not worth it since this will all go away at some point.
Long term, I expect all logs in a single project will share the same suffix: we can remove this once the Arche logs have been transitioned. We won't even need a map then.

True that in the meantime each log will have two submission prefixes, but as long as you don't share / use the "other one", everything is still spec compliant.

I've left a TODO for now in the interest of moving faster, but I'm happy to implement the map solution if you have more faith in code than in promises to fix TODOs 🙄.

AlCutter (Collaborator) commented

> Right, that's the "description" that I forgot to write :)
>
> This is meant to be temporary for as long as we have logs with different origin suffixes in a single project. I did consider writing a map, but concluded it was not worth it since this will all go away at some point. Long term, I expect all logs in a single project will share the same suffix: we can remove this once the Arche logs have been transitioned. We won't even need a map then.
>
> True that in the meantime each log will have two submission prefixes, but as long as you don't share / use the "other one", everything is still spec compliant.
>
> I've left a TODO for now in the interest of moving faster, but I'm happy to implement the map solution if you have more faith in code than in promises to fix TODOs 🙄.

I will leave it between you and your conscience :)

phbnf (Collaborator, Author) commented Feb 18, 2026

Done, PTAL.

type = string
type = map(object({
region = string
submission_host_suffix = string
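
Review bot: `submission_host_suffix = string` on the last line of this hunk accepts any string, and the name does not say whether the value is expected to carry a leading dot or to be a bare domain. Now that the variable changes from a plain `string` to `map(object({...}))`, a `description` stating the expected form and a `validation` block rejecting malformed values would stop a mistyped suffix from propagating into whatever hostnames are derived from it.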
Collaborator

As discussed IRL - maybe we could change this to submission_domain and add the . on L21 of loadbalancer/external/main.tf?
I think that might be a bit clearer on what's expected.

Collaborator Author

Also added variable validation.
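
The per-log map suggested earlier in this thread, combined with the `submission_domain` naming and the variable validation mentioned above, as an added Terraform example (not the repository's code). The variable name `logs`, the `<log name>.<submission_domain>` hostname shape, and the `example.*` domains are assumptions made for illustration.

```hcl
# Added example. Variable name, hostname shape and sample values are
# assumptions, not taken from the repository.
variable "logs" {
  description = "Logs served by this load balancer, keyed by log name."
  type = map(object({
    region            = string
    submission_domain = string # bare domain, no leading dot
  }))

  # Constructed sample input: two logs that do not share a domain.
  default = {
    alpha = { region = "us-central1", submission_domain = "ct.example.com" }
    beta  = { region = "us-central1", submission_domain = "logs.example.net" }
  }

  validation {
    # Reject leading or trailing dots, wildcards, upper case and empty
    # labels, so a typo cannot become a SAN on the certificate.
    condition = alltrue([
      for l in values(var.logs) :
      can(regex("^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\\.)+[a-z]{2,63}$", l.submission_domain))
    ])
    error_message = "Each submission_domain must be a lowercase DNS name without a leading or trailing dot."
  }
}

locals {
  # Exactly one host per log, so each log keeps a single submission prefix
  # instead of being reachable under every configured domain.
  log_hosts = {
    for name, l in var.logs : name => "${name}.${l.submission_domain}"
  }

  # Union of the per-log hosts, deduplicated and sorted, for the TLS
  # certificate's SAN list.
  san_hosts = sort(distinct(values(local.log_hosts)))
}

output "san_hosts" {
  value = local.san_hosts
}
```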

@phbnf phbnf merged commit f3343c9 into transparency-dev:main Feb 19, 2026
10 checks passed