Merge branch '4-use-www-domain-instead-of-naked' of rekahsoft/blog-rekahsoft-ca into master

This commit is contained in:
Collin J. Doering 2018-12-08 18:13:45 +00:00 committed by Gitea
commit 164503707f
4 changed files with 141 additions and 13 deletions

View File

@ -26,6 +26,18 @@ provider "aws" {
}]
}
provider "null" {
version = "~> 1.0"
}
provider "random" {
version = "~> 1.3"
}
provider "template" {
version = "~> 1.0"
}
#
# Local values to be re-used throughout this template
@ -35,6 +47,10 @@ locals {
"Environment", "${terraform.workspace}"
)}"
cdn_origin_id = "${terraform.workspace}-origin-cdn"
www = "${var.enable_naked_domain ? "" : "www."}"
subdomain = "${var.subdomain == "" ? "" : "${var.subdomain}."}"
naked_domain = "${local.subdomain}${var.dns_apex}"
domain = "${local.www}${local.naked_domain}"
project_env = "${var.project}-${terraform.workspace}"
}
@ -61,24 +77,27 @@ data "aws_route53_zone" "external" {
# Resources
resource "aws_acm_certificate" "cert" {
domain_name = "${var.dns_name}"
validation_method = "DNS"
tags = "${local.common_tags}"
domain_name = "${local.domain}"
subject_alternative_names = "${compact(list("${var.enable_naked_domain}" ? "" : "${local.naked_domain}"))}"
validation_method = "DNS"
tags = "${local.common_tags}"
provider = "aws.us_east_1"
}
resource "aws_route53_record" "cert_validation" {
name = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
type = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
count = "${1 + "${var.enable_naked_domain ? 0 : 1}"}"
zone_id = "${data.aws_route53_zone.external.id}"
records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
ttl = 60
name = "${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_name")}"
type = "${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_type")}"
ttl = 60
records = ["${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_value")}"]
}
resource "aws_acm_certificate_validation" "cert" {
certificate_arn = "${aws_acm_certificate.cert.arn}"
validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
validation_record_fqdns = ["${aws_route53_record.cert_validation.*.fqdn}"]
provider = "aws.us_east_1"
}
@ -95,6 +114,19 @@ resource "aws_s3_bucket" "static" {
tags = "${local.common_tags}"
}
resource "aws_s3_bucket" "static_redirect" {
count = "${var.enable_naked_domain ? 0 : 1}"
bucket_prefix = "${local.project_env}"
acl = "private"
website {
redirect_all_requests_to = "https://${local.domain}"
}
tags = "${local.common_tags}"
}
resource "aws_s3_bucket" "static_logs" {
bucket_prefix = "${local.project_env}"
acl = "private"
@ -117,7 +149,7 @@ resource "aws_iam_access_key" "app_deploy" {
resource "aws_route53_record" "static" {
zone_id = "${data.aws_route53_zone.external.zone_id}"
name = "${var.dns_name}."
name = "${local.domain}."
type = "A"
alias {
@ -127,6 +159,20 @@ resource "aws_route53_record" "static" {
}
}
resource "aws_route53_record" "static_redirect" {
count = "${var.enable_naked_domain ? 0 : 1}"
zone_id = "${data.aws_route53_zone.external.zone_id}"
name = "${local.naked_domain}."
type = "A"
alias {
name = "${aws_cloudfront_distribution.cdn_redirect.domain_name}"
zone_id = "${aws_cloudfront_distribution.cdn_redirect.hosted_zone_id}"
evaluate_target_health = true
}
}
resource "aws_s3_bucket_policy" "static_policy" {
bucket = "${aws_s3_bucket.static.id}"
policy = "${data.template_file.s3_origin_policy.rendered}"
@ -165,7 +211,7 @@ resource "aws_cloudfront_distribution" "cdn" {
bucket = "${aws_s3_bucket.static_logs.bucket_domain_name}"
}
aliases = ["${var.dns_name}"]
aliases = ["${local.domain}"]
default_cache_behavior {
allowed_methods = ["GET", "HEAD", "OPTIONS"]
@ -225,10 +271,78 @@ resource "aws_cloudfront_distribution" "cdn" {
}
}
resource "aws_cloudfront_distribution" "cdn_redirect" {
count = "${var.enable_naked_domain ? 0 : 1}"
# Static file origin
origin {
domain_name = "${aws_s3_bucket.static_redirect.id}.${aws_s3_bucket.static_redirect.website_domain}"
origin_id = "${local.cdn_origin_id}"
custom_origin_config {
http_port = 80
https_port = 443
origin_ssl_protocols = ["TLSv1.1", "TLSv1.2"]
origin_protocol_policy = "http-only"
}
}
enabled = true
is_ipv6_enabled = true
comment = "CDN redirect for ${var.project} (environment ${terraform.workspace})"
logging_config {
include_cookies = false
bucket = "${aws_s3_bucket.static_logs.bucket_domain_name}"
}
aliases = ["${local.naked_domain}"]
default_cache_behavior {
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
target_origin_id = "${local.cdn_origin_id}"
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
viewer_protocol_policy = "redirect-to-https"
}
price_class = "PriceClass_100"
restrictions {
geo_restriction {
restriction_type = "none"
}
}
tags = "${local.common_tags}"
viewer_certificate {
acm_certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}"
ssl_support_method = "sni-only"
minimum_protocol_version = "TLSv1.1_2016"
}
}
resource "null_resource" "deploy_app" {
provisioner "local-exec" {
interpreter = ["bash", "-c"]
command = <<SCRIPT
: Create temporary aws config and credentials files
export AWS_CONFIG_FILE=$(mktemp);
export AWS_SHARED_CREDENTIALS_FILE=$(mktemp);
: Add default AWS account profile;
aws configure --profile ${aws_iam_user.app_deploy.name} set aws_access_key_id ${aws_iam_access_key.app_deploy.id};
aws configure --profile ${aws_iam_user.app_deploy.name} set aws_secret_access_key ${aws_iam_access_key.app_deploy.secret};
@ -236,6 +350,9 @@ aws configure --profile ${aws_iam_user.app_deploy.name} set region ${var.region}
: Sync latest app build to s3 bucket;
aws --profile ${aws_iam_user.app_deploy.name} s3 sync --delete ../_site s3://${aws_s3_bucket.static.id}/;
: Cleanup temporary aws config and credentials files
rm $${AWS_CONFIG_FILE} $${AWS_SHARED_CREDENTIALS_FILE};
SCRIPT
}
}

View File

@ -1,2 +1,3 @@
dns_apex = "rekahsoft.ca"
dns_name = "blog.rekahsoft.ca"
dns_apex = "rekahsoft.ca"
subdomain = "blog"
enable_naked_domain = false

3
infra/staging.tfvars Normal file
View File

@ -0,0 +1,3 @@
dns_apex = "rekahsoft.ca"
subdomain = "blog.staging"
enable_naked_domain = false

View File

@ -1,6 +1,7 @@
variable "workspace_iam_roles" {
default = {
default = "arn:aws:iam::068963069293:role/pipeline-role"
staging = "arn:aws:iam::068963069293:role/pipeline-role"
production = "arn:aws:iam::068963069293:role/pipeline-role"
}
}
@ -15,4 +16,10 @@ variable "project" {
variable "dns_apex" {}
variable "dns_name" {}
variable "subdomain" {
default = ""
}
variable "enable_naked_domain" {
default = false
}