Redirect naked domain to www when enable_naked_domain=false
Adds the variables: - `enable_naked_domain` Whether or not access to the site is enabled only via the naked domain. When `enable_naked_domain=true`: - This corresponds to the previous configuration. When `enable_naked_domain=false`: - Sets the domain_name to the www version of the domain and adds the naked domain as a SAN (Subject Alternative Name) on the ACM certificate - Creates DNS validation records for both the naked domain and the www domain - Creates an S3 bucket with a redirect policy that redirects all requests to the www version of the site - Creates a CloudFront web distribution with a custom origin pointing at the website bucket URL (this is required because S3 origins do not handle redirects) - `subdomain` The subdomain to use under the `dns_apex`, e.g. `<subdomain>.<dns_apex>`. Defaults to empty. Remember, `dns_apex` must correspond to a Route 53 public hosted zone. Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
This commit is contained in:
parent
30d39b002f
commit
7116e5e16f
118
infra/main.tf
118
infra/main.tf
|
@ -35,6 +35,10 @@ locals {
|
||||||
"Environment", "${terraform.workspace}"
|
"Environment", "${terraform.workspace}"
|
||||||
)}"
|
)}"
|
||||||
cdn_origin_id = "${terraform.workspace}-origin-cdn"
|
cdn_origin_id = "${terraform.workspace}-origin-cdn"
|
||||||
|
www = "${var.enable_naked_domain ? "" : "www."}"
|
||||||
|
subdomain = "${var.subdomain == "" ? "" : "${var.subdomain}."}"
|
||||||
|
naked_domain = "${local.subdomain}${var.dns_apex}"
|
||||||
|
domain = "${local.www}${local.naked_domain}"
|
||||||
project_env = "${var.project}-${terraform.workspace}"
|
project_env = "${var.project}-${terraform.workspace}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -61,24 +65,27 @@ data "aws_route53_zone" "external" {
|
||||||
# Resources
|
# Resources
|
||||||
|
|
||||||
resource "aws_acm_certificate" "cert" {
|
resource "aws_acm_certificate" "cert" {
|
||||||
domain_name = "${var.dns_name}"
|
domain_name = "${local.domain}"
|
||||||
validation_method = "DNS"
|
subject_alternative_names = "${compact(list("${var.enable_naked_domain}" ? "" : "${local.naked_domain}"))}"
|
||||||
tags = "${local.common_tags}"
|
validation_method = "DNS"
|
||||||
|
tags = "${local.common_tags}"
|
||||||
|
|
||||||
provider = "aws.us_east_1"
|
provider = "aws.us_east_1"
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "aws_route53_record" "cert_validation" {
|
resource "aws_route53_record" "cert_validation" {
|
||||||
name = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
|
count = "${1 + "${var.enable_naked_domain ? 0 : 1}"}"
|
||||||
type = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
|
|
||||||
zone_id = "${data.aws_route53_zone.external.id}"
|
zone_id = "${data.aws_route53_zone.external.id}"
|
||||||
records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
|
name = "${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_name")}"
|
||||||
ttl = 60
|
type = "${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_type")}"
|
||||||
|
ttl = 60
|
||||||
|
records = ["${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_value")}"]
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "aws_acm_certificate_validation" "cert" {
|
resource "aws_acm_certificate_validation" "cert" {
|
||||||
certificate_arn = "${aws_acm_certificate.cert.arn}"
|
certificate_arn = "${aws_acm_certificate.cert.arn}"
|
||||||
validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
|
validation_record_fqdns = ["${aws_route53_record.cert_validation.*.fqdn}"]
|
||||||
|
|
||||||
provider = "aws.us_east_1"
|
provider = "aws.us_east_1"
|
||||||
}
|
}
|
||||||
|
@ -95,6 +102,19 @@ resource "aws_s3_bucket" "static" {
|
||||||
tags = "${local.common_tags}"
|
tags = "${local.common_tags}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "aws_s3_bucket" "static_redirect" {
|
||||||
|
count = "${var.enable_naked_domain ? 0 : 1}"
|
||||||
|
|
||||||
|
bucket_prefix = "${local.project_env}"
|
||||||
|
acl = "private"
|
||||||
|
|
||||||
|
website {
|
||||||
|
redirect_all_requests_to = "https://${local.domain}"
|
||||||
|
}
|
||||||
|
|
||||||
|
tags = "${local.common_tags}"
|
||||||
|
}
|
||||||
|
|
||||||
resource "aws_s3_bucket" "static_logs" {
|
resource "aws_s3_bucket" "static_logs" {
|
||||||
bucket_prefix = "${local.project_env}"
|
bucket_prefix = "${local.project_env}"
|
||||||
acl = "private"
|
acl = "private"
|
||||||
|
@ -117,7 +137,7 @@ resource "aws_iam_access_key" "app_deploy" {
|
||||||
|
|
||||||
resource "aws_route53_record" "static" {
|
resource "aws_route53_record" "static" {
|
||||||
zone_id = "${data.aws_route53_zone.external.zone_id}"
|
zone_id = "${data.aws_route53_zone.external.zone_id}"
|
||||||
name = "${var.dns_name}."
|
name = "${local.domain}."
|
||||||
type = "A"
|
type = "A"
|
||||||
|
|
||||||
alias {
|
alias {
|
||||||
|
@ -127,6 +147,20 @@ resource "aws_route53_record" "static" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "aws_route53_record" "static_redirect" {
|
||||||
|
count = "${var.enable_naked_domain ? 0 : 1}"
|
||||||
|
|
||||||
|
zone_id = "${data.aws_route53_zone.external.zone_id}"
|
||||||
|
name = "${local.naked_domain}."
|
||||||
|
type = "A"
|
||||||
|
|
||||||
|
alias {
|
||||||
|
name = "${aws_cloudfront_distribution.cdn_redirect.domain_name}"
|
||||||
|
zone_id = "${aws_cloudfront_distribution.cdn_redirect.hosted_zone_id}"
|
||||||
|
evaluate_target_health = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
resource "aws_s3_bucket_policy" "static_policy" {
|
resource "aws_s3_bucket_policy" "static_policy" {
|
||||||
bucket = "${aws_s3_bucket.static.id}"
|
bucket = "${aws_s3_bucket.static.id}"
|
||||||
policy = "${data.template_file.s3_origin_policy.rendered}"
|
policy = "${data.template_file.s3_origin_policy.rendered}"
|
||||||
|
@ -165,7 +199,7 @@ resource "aws_cloudfront_distribution" "cdn" {
|
||||||
bucket = "${aws_s3_bucket.static_logs.bucket_domain_name}"
|
bucket = "${aws_s3_bucket.static_logs.bucket_domain_name}"
|
||||||
}
|
}
|
||||||
|
|
||||||
aliases = ["${var.dns_name}"]
|
aliases = ["${local.domain}"]
|
||||||
|
|
||||||
default_cache_behavior {
|
default_cache_behavior {
|
||||||
allowed_methods = ["GET", "HEAD", "OPTIONS"]
|
allowed_methods = ["GET", "HEAD", "OPTIONS"]
|
||||||
|
@ -225,6 +259,70 @@ resource "aws_cloudfront_distribution" "cdn" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "aws_cloudfront_distribution" "cdn_redirect" {
|
||||||
|
count = "${var.enable_naked_domain ? 0 : 1}"
|
||||||
|
|
||||||
|
# Static file origin
|
||||||
|
origin {
|
||||||
|
domain_name = "${aws_s3_bucket.static_redirect.id}.${aws_s3_bucket.static_redirect.website_domain}"
|
||||||
|
origin_id = "${local.cdn_origin_id}"
|
||||||
|
|
||||||
|
custom_origin_config {
|
||||||
|
http_port = 80
|
||||||
|
https_port = 443
|
||||||
|
|
||||||
|
origin_ssl_protocols = ["TLSv1.1", "TLSv1.2"]
|
||||||
|
origin_protocol_policy = "http-only"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
enabled = true
|
||||||
|
is_ipv6_enabled = true
|
||||||
|
comment = "CDN redirect for ${var.project} (environment ${terraform.workspace})"
|
||||||
|
|
||||||
|
logging_config {
|
||||||
|
include_cookies = false
|
||||||
|
bucket = "${aws_s3_bucket.static_logs.bucket_domain_name}"
|
||||||
|
}
|
||||||
|
|
||||||
|
aliases = ["${local.naked_domain}"]
|
||||||
|
|
||||||
|
default_cache_behavior {
|
||||||
|
allowed_methods = ["GET", "HEAD", "OPTIONS"]
|
||||||
|
cached_methods = ["GET", "HEAD", "OPTIONS"]
|
||||||
|
target_origin_id = "${local.cdn_origin_id}"
|
||||||
|
|
||||||
|
forwarded_values {
|
||||||
|
query_string = false
|
||||||
|
|
||||||
|
cookies {
|
||||||
|
forward = "none"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
min_ttl = 0
|
||||||
|
default_ttl = 3600
|
||||||
|
max_ttl = 86400
|
||||||
|
viewer_protocol_policy = "redirect-to-https"
|
||||||
|
}
|
||||||
|
|
||||||
|
price_class = "PriceClass_100"
|
||||||
|
|
||||||
|
restrictions {
|
||||||
|
geo_restriction {
|
||||||
|
restriction_type = "none"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
tags = "${local.common_tags}"
|
||||||
|
|
||||||
|
viewer_certificate {
|
||||||
|
acm_certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}"
|
||||||
|
ssl_support_method = "sni-only"
|
||||||
|
minimum_protocol_version = "TLSv1.1_2016"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
resource "null_resource" "deploy_app" {
|
resource "null_resource" "deploy_app" {
|
||||||
provisioner "local-exec" {
|
provisioner "local-exec" {
|
||||||
interpreter = ["bash", "-c"]
|
interpreter = ["bash", "-c"]
|
||||||
|
|
|
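Review bot: In the `cdn_redirect` hunk (`@ -225,6 +259,70`), `origin.domain_name` reads `aws_s3_bucket.static_redirect.id` and `.website_domain` without an index although that bucket is declared with `count = "${var.enable_naked_domain ? 0 : 1}"`; with `enable_naked_domain = true` (the variable's default) Terraform is likely to reject the plan with a resource-not-found error for the zero-count bucket even though this distribution is itself count 0, and the same applies to `aws_cloudfront_distribution.cdn_redirect.domain_name`/`hosted_zone_id` in the `static_redirect` Route 53 record hunk. The indexed form, `domain_name = "${aws_s3_bucket.static_redirect.0.id}.${aws_s3_bucket.static_redirect.0.website_domain}"`, avoids this. Separately, `viewer_certificate.minimum_protocol_version = "TLSv1.1_2016"` lets clients negotiate TLS 1.1 on the naked hostname; a floor of `TLSv1.2_2018` is the safer choice for a distribution whose only job is to bounce to HTTPS `www`, unless the parallel `cdn` distribution (its `viewer_certificate` block is outside this hunk) deliberately keeps TLS 1.1 for client compatibility. A one-line comment on `origin_protocol_policy = "http-only"` noting that S3 website endpoints serve plain HTTP only, so `origin_ssl_protocols` never applies here, would save the next reader from tightening a setting that has no effect.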
@ -1,2 +1,3 @@
|
||||||
dns_apex = "rekahsoft.ca"
|
dns_apex = "rekahsoft.ca"
|
||||||
dns_name = "blog.rekahsoft.ca"
|
subdomain = "blog"
|
||||||
|
enable_naked_domain = false
|
||||||
|
|
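Review bot: With `subdomain = "blog"` and `enable_naked_domain = false`, the locals added in `infra/main.tf` resolve `local.domain` to `www.blog.rekahsoft.ca` and `local.naked_domain` to `blog.rekahsoft.ca`, so the previous `blog.rekahsoft.ca` site address becomes the redirect source rather than the served hostname. If that is the intent, a comment next to `enable_naked_domain = false` such as `# site is served at www.blog.rekahsoft.ca; blog.rekahsoft.ca redirects to it` would make the resulting hostnames explicit for anyone editing this file.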
|
@ -15,4 +15,10 @@ variable "project" {
|
||||||
|
|
||||||
variable "dns_apex" {}
|
variable "dns_apex" {}
|
||||||
|
|
||||||
variable "dns_name" {}
|
variable "subdomain" {
|
||||||
|
default = ""
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "enable_naked_domain" {
|
||||||
|
default = false
|
||||||
|
}
|
||||||
|
|
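Review bot: The new `subdomain` and `enable_naked_domain` variables carry no `description`, so plan prompts and anyone reading the variables file see only the names; the commit message already spells out their meaning and it belongs in the file, e.g. `description = "Optional subdomain under dns_apex; empty means the apex itself"` and `description = "Serve the site on the naked domain (true) or on www. with the naked domain redirecting to it (false)"`. Removing `variable "dns_name" {}` is also a breaking change for any other workspace whose tfvars still set `dns_name`, which Terraform will reject or warn about as undeclared; a note in the commit message or a short deprecation period would help.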