rekahsoft
/
blog-rekahsoft-ca
1
1
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
blog-rekahsoft-ca/infra/main.tf

359 lines
9.3 KiB
Terraform
Raw Normal View History

Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
terraform {
backend "s3" {
region = "ca-central-1"
bucket = "rekahsoft-terraform"
key = "blog-rekahsoft-ca/blog-rekahsoft-ca.tfstate"
dynamodb_table = "rekahsoft-terraform"
}
}
provider "aws" {
region = "${var.region}"
Update terraform providers to the latest version Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2019-06-14 02:53:47 +00:00
version = "~> 2.15"
Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
assume_role = [{
role_arn = "${var.workspace_iam_roles[terraform.workspace]}"
}]
}
provider "aws" {
alias = "us_east_1"
region = "us-east-1"
Update terraform providers to the latest version Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2019-06-14 02:53:47 +00:00
version = "~> 2.1"
Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
assume_role = [{
role_arn = "${var.workspace_iam_roles[terraform.workspace]}"
}]
}
Add versions for null, random, and template providers Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 12:36:58 +00:00
provider "null" {
Update terraform providers to the latest version Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2019-06-14 02:53:47 +00:00
version = "~> 2.1"
Add versions for null, random, and template providers Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 12:36:58 +00:00
}
provider "random" {
Update terraform providers to the latest version Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2019-06-14 02:53:47 +00:00
version = "~> 2.1"
Add versions for null, random, and template providers Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 12:36:58 +00:00
}
provider "template" {
Update terraform providers to the latest version Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2019-06-14 02:53:47 +00:00
version = "~> 2.1"
Add versions for null, random, and template providers Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 12:36:58 +00:00
}
Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
#
# Local values to be re-used throughout this template
locals {
common_tags = "${map(
"Project", "${var.project}",
"Environment", "${terraform.workspace}"
)}"
cdn_origin_id = "${terraform.workspace}-origin-cdn"
Redirect naked domain to www when enable_naked_domain=false Adds the variables: - `enable_naked_domain` Whether or not to enable access to the site only via a naked domain. When `enable_naked_domain=true`: - This corresponds to the previous configuration. When `enable_naked_domain=false`: - Sets the domain_name to the www version of the domain and adds the naked domain as a SAN (Subject Alternative Name) on the ACM certificate - Create dns validation records for both the naked domain and www domain - Creates a s3 bucket with redirect policy which redirects all requests to the www version of the site - Creates a cloudfront web distribution with a custom origin of the website bucket url (this is required as s3 origins do not handle redirects) - `subdomain` The subdomain to use under the `dns_apex`, eg `<subdomain>.<dns_apex>`. Defaults to empty. Remember, `dns_apex` must correspond to a route53 public hosted zone. Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 12:21:28 +00:00
www = "${var.enable_naked_domain ? "" : "www."}"
subdomain = "${var.subdomain == "" ? "" : "${var.subdomain}."}"
naked_domain = "${local.subdomain}${var.dns_apex}"
domain = "${local.www}${local.naked_domain}"
Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
project_env = "${var.project}-${terraform.workspace}"
}
#
# Data Sources
data "template_file" "s3_origin_policy" {
template = "${file("templates/s3_origin_policy.json")}"
vars {
bucket_arn = "${aws_s3_bucket.static.arn}"
user_arn = "${aws_iam_user.app_deploy.arn}"
cloudfront_arn = "${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"
}
}
data "aws_route53_zone" "external" {
name = "${var.dns_apex}."
}
#
# Resources
resource "aws_acm_certificate" "cert" {
Redirect naked domain to www when enable_naked_domain=false Adds the variables: - `enable_naked_domain` Whether or not to enable access to the site only via a naked domain. When `enable_naked_domain=true`: - This corresponds to the previous configuration. When `enable_naked_domain=false`: - Sets the domain_name to the www version of the domain and adds the naked domain as a SAN (Subject Alternative Name) on the ACM certificate - Create dns validation records for both the naked domain and www domain - Creates a s3 bucket with redirect policy which redirects all requests to the www version of the site - Creates a cloudfront web distribution with a custom origin of the website bucket url (this is required as s3 origins do not handle redirects) - `subdomain` The subdomain to use under the `dns_apex`, eg `<subdomain>.<dns_apex>`. Defaults to empty. Remember, `dns_apex` must correspond to a route53 public hosted zone. Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 12:21:28 +00:00
domain_name = "${local.domain}"
subject_alternative_names = "${compact(list("${var.enable_naked_domain}" ? "" : "${local.naked_domain}"))}"
validation_method = "DNS"
tags = "${local.common_tags}"
Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
provider = "aws.us_east_1"
}
resource "aws_route53_record" "cert_validation" {
Redirect naked domain to www when enable_naked_domain=false Adds the variables: - `enable_naked_domain` Whether or not to enable access to the site only via a naked domain. When `enable_naked_domain=true`: - This corresponds to the previous configuration. When `enable_naked_domain=false`: - Sets the domain_name to the www version of the domain and adds the naked domain as a SAN (Subject Alternative Name) on the ACM certificate - Create dns validation records for both the naked domain and www domain - Creates a s3 bucket with redirect policy which redirects all requests to the www version of the site - Creates a cloudfront web distribution with a custom origin of the website bucket url (this is required as s3 origins do not handle redirects) - `subdomain` The subdomain to use under the `dns_apex`, eg `<subdomain>.<dns_apex>`. Defaults to empty. Remember, `dns_apex` must correspond to a route53 public hosted zone. Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 12:21:28 +00:00
count = "${1 + "${var.enable_naked_domain ? 0 : 1}"}"
Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
zone_id = "${data.aws_route53_zone.external.id}"
Redirect naked domain to www when enable_naked_domain=false Adds the variables: - `enable_naked_domain` Whether or not to enable access to the site only via a naked domain. When `enable_naked_domain=true`: - This corresponds to the previous configuration. When `enable_naked_domain=false`: - Sets the domain_name to the www version of the domain and adds the naked domain as a SAN (Subject Alternative Name) on the ACM certificate - Create dns validation records for both the naked domain and www domain - Creates a s3 bucket with redirect policy which redirects all requests to the www version of the site - Creates a cloudfront web distribution with a custom origin of the website bucket url (this is required as s3 origins do not handle redirects) - `subdomain` The subdomain to use under the `dns_apex`, eg `<subdomain>.<dns_apex>`. Defaults to empty. Remember, `dns_apex` must correspond to a route53 public hosted zone. Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 12:21:28 +00:00
name = "${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_name")}"
type = "${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_type")}"
ttl = 60
records = ["${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_value")}"]
Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
}
resource "aws_acm_certificate_validation" "cert" {
certificate_arn = "${aws_acm_certificate.cert.arn}"
Redirect naked domain to www when enable_naked_domain=false Adds the variables: - `enable_naked_domain` Whether or not to enable access to the site only via a naked domain. When `enable_naked_domain=true`: - This corresponds to the previous configuration. When `enable_naked_domain=false`: - Sets the domain_name to the www version of the domain and adds the naked domain as a SAN (Subject Alternative Name) on the ACM certificate - Create dns validation records for both the naked domain and www domain - Creates a s3 bucket with redirect policy which redirects all requests to the www version of the site - Creates a cloudfront web distribution with a custom origin of the website bucket url (this is required as s3 origins do not handle redirects) - `subdomain` The subdomain to use under the `dns_apex`, eg `<subdomain>.<dns_apex>`. Defaults to empty. Remember, `dns_apex` must correspond to a route53 public hosted zone. Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 12:21:28 +00:00
validation_record_fqdns = ["${aws_route53_record.cert_validation.*.fqdn}"]
Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
provider = "aws.us_east_1"
}
resource "aws_s3_bucket" "static" {
bucket_prefix = "${local.project_env}"
acl = "private"
website {
index_document = "index.html"
error_document = "error.html"
}
tags = "${local.common_tags}"
}
Redirect naked domain to www when enable_naked_domain=false Adds the variables: - `enable_naked_domain` Whether or not to enable access to the site only via a naked domain. When `enable_naked_domain=true`: - This corresponds to the previous configuration. When `enable_naked_domain=false`: - Sets the domain_name to the www version of the domain and adds the naked domain as a SAN (Subject Alternative Name) on the ACM certificate - Create dns validation records for both the naked domain and www domain - Creates a s3 bucket with redirect policy which redirects all requests to the www version of the site - Creates a cloudfront web distribution with a custom origin of the website bucket url (this is required as s3 origins do not handle redirects) - `subdomain` The subdomain to use under the `dns_apex`, eg `<subdomain>.<dns_apex>`. Defaults to empty. Remember, `dns_apex` must correspond to a route53 public hosted zone. Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 12:21:28 +00:00
resource "aws_s3_bucket" "static_redirect" {
count = "${var.enable_naked_domain ? 0 : 1}"
bucket_prefix = "${local.project_env}"
acl = "private"
website {
redirect_all_requests_to = "https://${local.domain}"
}
tags = "${local.common_tags}"
}
Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
resource "aws_s3_bucket" "static_logs" {
bucket_prefix = "${local.project_env}"
acl = "private"
}
resource "random_string" "app_deploy_username" {
length = 16
special = true
override_special = "_+=,.@-"
}
resource "aws_iam_user" "app_deploy" {
name = "${random_string.app_deploy_username.result}"
}
resource "aws_iam_access_key" "app_deploy" {
user = "${aws_iam_user.app_deploy.name}"
# pgp_key = "keybase:some_person_that_exists"
}
resource "aws_route53_record" "static" {
zone_id = "${data.aws_route53_zone.external.zone_id}"
Redirect naked domain to www when enable_naked_domain=false Adds the variables: - `enable_naked_domain` Whether or not to enable access to the site only via a naked domain. When `enable_naked_domain=true`: - This corresponds to the previous configuration. When `enable_naked_domain=false`: - Sets the domain_name to the www version of the domain and adds the naked domain as a SAN (Subject Alternative Name) on the ACM certificate - Create dns validation records for both the naked domain and www domain - Creates a s3 bucket with redirect policy which redirects all requests to the www version of the site - Creates a cloudfront web distribution with a custom origin of the website bucket url (this is required as s3 origins do not handle redirects) - `subdomain` The subdomain to use under the `dns_apex`, eg `<subdomain>.<dns_apex>`. Defaults to empty. Remember, `dns_apex` must correspond to a route53 public hosted zone. Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 12:21:28 +00:00
name = "${local.domain}."
Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
type = "A"
alias {
name = "${aws_cloudfront_distribution.cdn.domain_name}"
zone_id = "${aws_cloudfront_distribution.cdn.hosted_zone_id}"
evaluate_target_health = true
}
}
Redirect naked domain to www when enable_naked_domain=false Adds the variables: - `enable_naked_domain` Whether or not to enable access to the site only via a naked domain. When `enable_naked_domain=true`: - This corresponds to the previous configuration. When `enable_naked_domain=false`: - Sets the domain_name to the www version of the domain and adds the naked domain as a SAN (Subject Alternative Name) on the ACM certificate - Create dns validation records for both the naked domain and www domain - Creates a s3 bucket with redirect policy which redirects all requests to the www version of the site - Creates a cloudfront web distribution with a custom origin of the website bucket url (this is required as s3 origins do not handle redirects) - `subdomain` The subdomain to use under the `dns_apex`, eg `<subdomain>.<dns_apex>`. Defaults to empty. Remember, `dns_apex` must correspond to a route53 public hosted zone. Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 12:21:28 +00:00
resource "aws_route53_record" "static_redirect" {
count = "${var.enable_naked_domain ? 0 : 1}"
zone_id = "${data.aws_route53_zone.external.zone_id}"
name = "${local.naked_domain}."
type = "A"
alias {
name = "${aws_cloudfront_distribution.cdn_redirect.domain_name}"
zone_id = "${aws_cloudfront_distribution.cdn_redirect.hosted_zone_id}"
evaluate_target_health = true
}
}
Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
resource "aws_s3_bucket_policy" "static_policy" {
bucket = "${aws_s3_bucket.static.id}"
policy = "${data.template_file.s3_origin_policy.rendered}"
}
resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
comment = "Origin access policy for ${local.project_env}"
}
resource "aws_cloudfront_distribution" "cdn" {
# Static file origin
origin {
domain_name = "${aws_s3_bucket.static.bucket_regional_domain_name}"
origin_id = "${local.cdn_origin_id}"
s3_origin_config {
origin_access_identity = "${aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path}"
}
}
enabled = true
is_ipv6_enabled = true
comment = "CDN for ${var.project} (environment ${terraform.workspace})"
default_root_object = "index.html"
# Return index.html for any route that is not found
custom_error_response {
error_caching_min_ttl = 0
error_code = 403
response_code = 200
response_page_path = "/index.html"
}
logging_config {
include_cookies = false
bucket = "${aws_s3_bucket.static_logs.bucket_domain_name}"
}
Redirect naked domain to www when enable_naked_domain=false Adds the variables: - `enable_naked_domain` Whether or not to enable access to the site only via a naked domain. When `enable_naked_domain=true`: - This corresponds to the previous configuration. When `enable_naked_domain=false`: - Sets the domain_name to the www version of the domain and adds the naked domain as a SAN (Subject Alternative Name) on the ACM certificate - Create dns validation records for both the naked domain and www domain - Creates a s3 bucket with redirect policy which redirects all requests to the www version of the site - Creates a cloudfront web distribution with a custom origin of the website bucket url (this is required as s3 origins do not handle redirects) - `subdomain` The subdomain to use under the `dns_apex`, eg `<subdomain>.<dns_apex>`. Defaults to empty. Remember, `dns_apex` must correspond to a route53 public hosted zone. Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 12:21:28 +00:00
aliases = ["${local.domain}"]
Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
default_cache_behavior {
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
target_origin_id = "${local.cdn_origin_id}"
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
viewer_protocol_policy = "redirect-to-https"
}
# Cache behavior with precedence 0
ordered_cache_behavior {
path_pattern = "index.html"
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
target_origin_id = "${local.cdn_origin_id}"
forwarded_values {
query_string = false
headers = ["Origin"]
cookies {
forward = "none"
}
}
min_ttl = 0
default_ttl = 0
max_ttl = 0
compress = true
viewer_protocol_policy = "redirect-to-https"
Redirect naked domain to www when enable_naked_domain=false Adds the variables: - `enable_naked_domain` Whether or not to enable access to the site only via a naked domain. When `enable_naked_domain=true`: - This corresponds to the previous configuration. When `enable_naked_domain=false`: - Sets the domain_name to the www version of the domain and adds the naked domain as a SAN (Subject Alternative Name) on the ACM certificate - Create dns validation records for both the naked domain and www domain - Creates a s3 bucket with redirect policy which redirects all requests to the www version of the site - Creates a cloudfront web distribution with a custom origin of the website bucket url (this is required as s3 origins do not handle redirects) - `subdomain` The subdomain to use under the `dns_apex`, eg `<subdomain>.<dns_apex>`. Defaults to empty. Remember, `dns_apex` must correspond to a route53 public hosted zone. Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 12:21:28 +00:00
}
price_class = "PriceClass_100"
restrictions {
geo_restriction {
restriction_type = "none"
}
}
tags = "${local.common_tags}"
viewer_certificate {
acm_certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}"
ssl_support_method = "sni-only"
minimum_protocol_version = "TLSv1.1_2016"
}
}
resource "aws_cloudfront_distribution" "cdn_redirect" {
count = "${var.enable_naked_domain ? 0 : 1}"
# Static file origin
origin {
domain_name = "${aws_s3_bucket.static_redirect.id}.${aws_s3_bucket.static_redirect.website_domain}"
origin_id = "${local.cdn_origin_id}"
custom_origin_config {
http_port = 80
https_port = 443
origin_ssl_protocols = ["TLSv1.1", "TLSv1.2"]
origin_protocol_policy = "http-only"
}
}
enabled = true
is_ipv6_enabled = true
comment = "CDN redirect for ${var.project} (environment ${terraform.workspace})"
logging_config {
include_cookies = false
bucket = "${aws_s3_bucket.static_logs.bucket_domain_name}"
}
aliases = ["${local.naked_domain}"]
default_cache_behavior {
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
target_origin_id = "${local.cdn_origin_id}"
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
viewer_protocol_policy = "redirect-to-https"
Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
}
price_class = "PriceClass_100"
restrictions {
geo_restriction {
restriction_type = "none"
}
}
tags = "${local.common_tags}"
viewer_certificate {
acm_certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}"
ssl_support_method = "sni-only"
minimum_protocol_version = "TLSv1.1_2016"
}
}
resource "null_resource" "deploy_app" {
provisioner "local-exec" {
interpreter = ["bash", "-c"]
command = <<SCRIPT
Use temporary config/credentials files when deploying app This is primarily useful when testing locally, so that the users aws config/credentials aren't polluted, and adds little no value otherwise. Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 18:06:21 +00:00
: Create temporary aws config and credentials files
export AWS_CONFIG_FILE=$(mktemp);
export AWS_SHARED_CREDENTIALS_FILE=$(mktemp);
Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
: Add default AWS account profile;
aws configure --profile ${aws_iam_user.app_deploy.name} set aws_access_key_id ${aws_iam_access_key.app_deploy.id};
aws configure --profile ${aws_iam_user.app_deploy.name} set aws_secret_access_key ${aws_iam_access_key.app_deploy.secret};
aws configure --profile ${aws_iam_user.app_deploy.name} set region ${var.region};
: Sync latest app build to s3 bucket;
aws --profile ${aws_iam_user.app_deploy.name} s3 sync --delete ../_site s3://${aws_s3_bucket.static.id}/;
Use temporary config/credentials files when deploying app This is primarily useful when testing locally, so that the users aws config/credentials aren't polluted, and adds little no value otherwise. Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
2018-12-08 18:06:21 +00:00
: Cleanup temporary aws config and credentials files
rm $${AWS_CONFIG_FILE} $${AWS_SHARED_CREDENTIALS_FILE};
Site infrastructure and deployment now managed with terraform Create a classic static site deployment using cloudfront with a s3 origin. Provision, verify and utilize a ACM certificate to enable (and force) https for cloudfront. This assumes that the build resources are available at ./_site as a null_resource is used to sync it to the s3 origin backing cloudfront. A IAM user and policy is provisioned prior to the null_resource execution with least privilege access to the s3 bucket. Note: The required terraform backend resources were manually provisioned. Signed-off-by: Collin J. Doering <collin.doering@rekahsoft.ca>
2018-07-15 03:37:51 +00:00
SCRIPT
}
}