Redirect naked domain to www when enable_naked_domain=false
Adds the variables: - `enable_naked_domain` Whether or not to enable access to the site only via a naked domain. When `enable_naked_domain=true`: - This corresponds to the previous configuration. When `enable_naked_domain=false`: - Sets the domain_name to the www version of the domain and adds the naked domain as a SAN (Subject Alternative Name) on the ACM certificate - Create dns validation records for both the naked domain and www domain - Creates a s3 bucket with redirect policy which redirects all requests to the www version of the site - Creates a cloudfront web distribution with a custom origin of the website bucket url (this is required as s3 origins do not handle redirects) - `subdomain` The subdomain to use under the `dns_apex`, eg `<subdomain>.<dns_apex>`. Defaults to empty. Remember, `dns_apex` must correspond to a route53 public hosted zone. Signed-off-by: Collin J. Doering <collin@rekahsoft.ca>
This commit is contained in:
parent
30d39b002f
commit
7116e5e16f
118
infra/main.tf
118
infra/main.tf
|
@ -35,6 +35,10 @@ locals {
|
|||
"Environment", "${terraform.workspace}"
|
||||
)}"
|
||||
cdn_origin_id = "${terraform.workspace}-origin-cdn"
|
||||
www = "${var.enable_naked_domain ? "" : "www."}"
|
||||
subdomain = "${var.subdomain == "" ? "" : "${var.subdomain}."}"
|
||||
naked_domain = "${local.subdomain}${var.dns_apex}"
|
||||
domain = "${local.www}${local.naked_domain}"
|
||||
project_env = "${var.project}-${terraform.workspace}"
|
||||
}
|
||||
|
||||
|
@ -61,24 +65,27 @@ data "aws_route53_zone" "external" {
|
|||
# Resources
|
||||
|
||||
resource "aws_acm_certificate" "cert" {
|
||||
domain_name = "${var.dns_name}"
|
||||
validation_method = "DNS"
|
||||
tags = "${local.common_tags}"
|
||||
domain_name = "${local.domain}"
|
||||
subject_alternative_names = "${compact(list("${var.enable_naked_domain}" ? "" : "${local.naked_domain}"))}"
|
||||
validation_method = "DNS"
|
||||
tags = "${local.common_tags}"
|
||||
|
||||
provider = "aws.us_east_1"
|
||||
}
|
||||
|
||||
resource "aws_route53_record" "cert_validation" {
|
||||
name = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
|
||||
type = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
|
||||
count = "${1 + "${var.enable_naked_domain ? 0 : 1}"}"
|
||||
|
||||
zone_id = "${data.aws_route53_zone.external.id}"
|
||||
records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
|
||||
ttl = 60
|
||||
name = "${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_name")}"
|
||||
type = "${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_type")}"
|
||||
ttl = 60
|
||||
records = ["${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_value")}"]
|
||||
}
|
||||
|
||||
resource "aws_acm_certificate_validation" "cert" {
|
||||
certificate_arn = "${aws_acm_certificate.cert.arn}"
|
||||
validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
|
||||
validation_record_fqdns = ["${aws_route53_record.cert_validation.*.fqdn}"]
|
||||
|
||||
provider = "aws.us_east_1"
|
||||
}
|
||||
|
@ -95,6 +102,19 @@ resource "aws_s3_bucket" "static" {
|
|||
tags = "${local.common_tags}"
|
||||
}
|
||||
|
||||
resource "aws_s3_bucket" "static_redirect" {
|
||||
count = "${var.enable_naked_domain ? 0 : 1}"
|
||||
|
||||
bucket_prefix = "${local.project_env}"
|
||||
acl = "private"
|
||||
|
||||
website {
|
||||
redirect_all_requests_to = "https://${local.domain}"
|
||||
}
|
||||
|
||||
tags = "${local.common_tags}"
|
||||
}
|
||||
|
||||
resource "aws_s3_bucket" "static_logs" {
|
||||
bucket_prefix = "${local.project_env}"
|
||||
acl = "private"
|
||||
|
@ -117,7 +137,7 @@ resource "aws_iam_access_key" "app_deploy" {
|
|||
|
||||
resource "aws_route53_record" "static" {
|
||||
zone_id = "${data.aws_route53_zone.external.zone_id}"
|
||||
name = "${var.dns_name}."
|
||||
name = "${local.domain}."
|
||||
type = "A"
|
||||
|
||||
alias {
|
||||
|
@ -127,6 +147,20 @@ resource "aws_route53_record" "static" {
|
|||
}
|
||||
}
|
||||
|
||||
resource "aws_route53_record" "static_redirect" {
|
||||
count = "${var.enable_naked_domain ? 0 : 1}"
|
||||
|
||||
zone_id = "${data.aws_route53_zone.external.zone_id}"
|
||||
name = "${local.naked_domain}."
|
||||
type = "A"
|
||||
|
||||
alias {
|
||||
name = "${aws_cloudfront_distribution.cdn_redirect.domain_name}"
|
||||
zone_id = "${aws_cloudfront_distribution.cdn_redirect.hosted_zone_id}"
|
||||
evaluate_target_health = true
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_s3_bucket_policy" "static_policy" {
|
||||
bucket = "${aws_s3_bucket.static.id}"
|
||||
policy = "${data.template_file.s3_origin_policy.rendered}"
|
||||
|
@ -165,7 +199,7 @@ resource "aws_cloudfront_distribution" "cdn" {
|
|||
bucket = "${aws_s3_bucket.static_logs.bucket_domain_name}"
|
||||
}
|
||||
|
||||
aliases = ["${var.dns_name}"]
|
||||
aliases = ["${local.domain}"]
|
||||
|
||||
default_cache_behavior {
|
||||
allowed_methods = ["GET", "HEAD", "OPTIONS"]
|
||||
|
@ -225,6 +259,70 @@ resource "aws_cloudfront_distribution" "cdn" {
|
|||
}
|
||||
}
|
||||
|
||||
resource "aws_cloudfront_distribution" "cdn_redirect" {
|
||||
count = "${var.enable_naked_domain ? 0 : 1}"
|
||||
|
||||
# Static file origin
|
||||
origin {
|
||||
domain_name = "${aws_s3_bucket.static_redirect.id}.${aws_s3_bucket.static_redirect.website_domain}"
|
||||
origin_id = "${local.cdn_origin_id}"
|
||||
|
||||
custom_origin_config {
|
||||
http_port = 80
|
||||
https_port = 443
|
||||
|
||||
origin_ssl_protocols = ["TLSv1.1", "TLSv1.2"]
|
||||
origin_protocol_policy = "http-only"
|
||||
}
|
||||
}
|
||||
|
||||
enabled = true
|
||||
is_ipv6_enabled = true
|
||||
comment = "CDN redirect for ${var.project} (environment ${terraform.workspace})"
|
||||
|
||||
logging_config {
|
||||
include_cookies = false
|
||||
bucket = "${aws_s3_bucket.static_logs.bucket_domain_name}"
|
||||
}
|
||||
|
||||
aliases = ["${local.naked_domain}"]
|
||||
|
||||
default_cache_behavior {
|
||||
allowed_methods = ["GET", "HEAD", "OPTIONS"]
|
||||
cached_methods = ["GET", "HEAD", "OPTIONS"]
|
||||
target_origin_id = "${local.cdn_origin_id}"
|
||||
|
||||
forwarded_values {
|
||||
query_string = false
|
||||
|
||||
cookies {
|
||||
forward = "none"
|
||||
}
|
||||
}
|
||||
|
||||
min_ttl = 0
|
||||
default_ttl = 3600
|
||||
max_ttl = 86400
|
||||
viewer_protocol_policy = "redirect-to-https"
|
||||
}
|
||||
|
||||
price_class = "PriceClass_100"
|
||||
|
||||
restrictions {
|
||||
geo_restriction {
|
||||
restriction_type = "none"
|
||||
}
|
||||
}
|
||||
|
||||
tags = "${local.common_tags}"
|
||||
|
||||
viewer_certificate {
|
||||
acm_certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}"
|
||||
ssl_support_method = "sni-only"
|
||||
minimum_protocol_version = "TLSv1.1_2016"
|
||||
}
|
||||
}
|
||||
|
||||
resource "null_resource" "deploy_app" {
|
||||
provisioner "local-exec" {
|
||||
interpreter = ["bash", "-c"]
|
||||
|
|
|
@ -1,2 +1,3 @@
|
|||
dns_apex = "rekahsoft.ca"
|
||||
dns_name = "blog.rekahsoft.ca"
|
||||
dns_apex = "rekahsoft.ca"
|
||||
subdomain = "blog"
|
||||
enable_naked_domain = false
|
||||
|
|
|
@ -15,4 +15,10 @@ variable "project" {
|
|||
|
||||
variable "dns_apex" {}
|
||||
|
||||
variable "dns_name" {}
|
||||
variable "subdomain" {
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "enable_naked_domain" {
|
||||
default = false
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue