Added support for allow domain aliases (#106)

bmonkman · web-flow · commit f6843de39f12 · 2020-09-23T10:48:04.000-07:00
Updated to new versions of certificates and hosting modules, changed args correspondingly.
Use alternate provider instead of providing region to cert, to match Aaron's change.
diff --git a/templates/terraform/environments/prod/main.tf b/templates/terraform/environments/prod/main.tf
@@ -38,10 +38,10 @@ module "prod" {
   # https://<% index .Params `region` %>.console.aws.amazon.com/systems-manager/parameters/%252Faws%252Fservice%252Feks%252Foptimized-ami%252F1.17%252Famazon-linux-2%252Frecommended%252Fimage_id/description?region=<% index .Params `region` %>
   eks_worker_ami = "<% index .Params `eksWorkerAMI` %>"
 
-  # Hosting configuration
-  s3_hosting_buckets = [
-    "<% index .Params `productionHostRoot` %>",
-    "<% index .Params `productionFrontendSubdomain` %><% index .Params `productionHostRoot` %>",
+  # Hosting configuration. Each domain will have a bucket created for it, but may have mulitple aliases pointing to the same bucket.
+  hosted_domains = [
+    { domain : "<% index .Params `productionHostRoot` %>", aliases : [] },
+    { domain : "<% index .Params `productionFrontendSubdomain` %><% index .Params `productionHostRoot` %>", aliases : [] },
   ]
   domain_name = "<% index .Params `productionHostRoot` %>"
   cf_signed_downloads = <% if eq (index .Params `fileUploads`) "yes" %>true<% else %>false<% end %>
diff --git a/templates/terraform/environments/stage/main.tf b/templates/terraform/environments/stage/main.tf
@@ -38,10 +38,10 @@ module "stage" {
   # https://<% index .Params `region` %>.console.aws.amazon.com/systems-manager/parameters/%252Faws%252Fservice%252Feks%252Foptimized-ami%252F1.17%252Famazon-linux-2%252Frecommended%252Fimage_id/description?region=<% index .Params `region` %>
   eks_worker_ami = "<% index .Params `eksWorkerAMI` %>"
 
-  # Hosting configuration
-  s3_hosting_buckets = [
-    "<% index .Params `stagingHostRoot` %>",
-    "<% index .Params `stagingFrontendSubdomain` %><% index .Params `stagingHostRoot` %>",
+  # Hosting configuration. Each domain will have a bucket created for it, but may have mulitple aliases pointing to the same bucket.
+  hosted_domains = [
+    { domain : "<% index .Params `stagingHostRoot` %>", aliases : [] },
+    { domain : "<% index .Params `stagingFrontendSubdomain` %><% index .Params `stagingHostRoot` %>", aliases : [] },
   ]
   domain_name = "<% index .Params `stagingHostRoot` %>"
   cf_signed_downloads = <% if eq (index .Params `fileUploads`) "yes" %>true<% else %>false<% end %>
diff --git a/templates/terraform/modules/environment/iam.tf b/templates/terraform/modules/environment/iam.tf
@@ -72,7 +72,7 @@ data "aws_iam_policy_document" "deploy_assets_policy" {
       "s3:ListBucket",
     ]
 
-    resources = formatlist("arn:aws:s3:::%s", var.s3_hosting_buckets)
+    resources = module.s3_hosting[*].bucket_arn
   }
 
   statement {
@@ -81,7 +81,7 @@ data "aws_iam_policy_document" "deploy_assets_policy" {
       "s3:GetBucketLocation",
     ]
 
-    resources = formatlist("arn:aws:s3:::%s/*", var.s3_hosting_buckets)
+    resources = formatlist("%s/*", module.s3_hosting[*].bucket_arn)
   }
 
   statement {
diff --git a/templates/terraform/modules/environment/main.tf b/templates/terraform/modules/environment/main.tf
@@ -52,35 +52,38 @@ module "eks" {
 
 module "wildcard_domain" {
   source  = "commitdev/zero/aws//modules/certificate"
-  version = "0.0.1"
+  version = "0.1.0"
 
-  region       = var.region
   zone_name    = var.domain_name
-  domain_names = ["*.${var.domain_name}"]
+  domain_name = "*.${var.domain_name}"
 }
 
 module "assets_domains" {
-  source  = "commitdev/zero/aws//modules/certificate"
-  version = "0.0.1"
+  source    = "commitdev/zero/aws//modules/certificate"
+  version   = "0.1.0"
+  count     = length(var.hosted_domains)
+  providers = {
+    aws = aws.for_cloudfront
+  }
 
-  region       = "us-east-1" # For CF, the cert must be in us-east-1
-  zone_name    = var.domain_name
-  domain_names = var.s3_hosting_buckets
+  zone_name         = var.domain_name
+  domain_name       = var.hosted_domains[count.index].domain
+  alternative_names = var.hosted_domains[count.index].aliases
 }
 
 module "s3_hosting" {
   source  = "commitdev/zero/aws//modules/s3_hosting"
-  version = "0.0.3"
-
-  # We need to wait for certificate validation to complete before using the certs
-  depends_on = [module.assets_domains.certificate_validations]
-
-  cf_signed_downloads = var.cf_signed_downloads
-  buckets             = var.s3_hosting_buckets
-  project             = var.project
-  environment         = var.environment
-  certificate_arns    = module.assets_domains.certificate_arns
-  route53_zone_id     = module.assets_domains.route53_zone_id
+  version = "0.1.0"
+  count   = length(var.hosted_domains)
+
+  cf_signed_downloads    = var.cf_signed_downloads
+  domain                 = var.hosted_domains[count.index].domain
+  aliases                = var.hosted_domains[count.index].aliases
+  project                = var.project
+  environment            = var.environment
+  certificate_arn        = module.assets_domains[count.index].certificate_arn
+  certificate_validation = module.assets_domains[count.index].certificate_validation
+  route53_zone_id        = module.assets_domains[count.index].route53_zone_id
 }
 
 module "db" {
diff --git a/templates/terraform/modules/environment/provider.tf b/templates/terraform/modules/environment/provider.tf
@@ -3,6 +3,11 @@ data "aws_iam_role" "eks_cluster_creator" {
   name = "${var.project}-eks-cluster-creator"
 }
 
+provider "aws" {
+  alias = "for_cloudfront"
+  region = "us-east-1"
+}
+
 # Used only for EKS creation to tie "cluster creator" to a role instead of the user who runs terraform
 # This allows us to rely on credentials pulled from the EKS cluster instead of the user's local kube config
 provider "aws" {
diff --git a/templates/terraform/modules/environment/variables.tf b/templates/terraform/modules/environment/variables.tf
@@ -44,9 +44,12 @@ variable "eks_worker_ami" {
   description = "The (EKS-optimized) AMI for EKS worker instances"
 }
 
-variable "s3_hosting_buckets" {
-  description = "S3 hosting buckets"
-  type = set(string)
+variable "hosted_domains" {
+  description = "Domains to host content for using S3 and Cloudfront. Requires a domain which will be the bucket name and the domain for the certificate, and optional aliases which will have records created for them and will be SubjectAltNames for the certificate. Only a single bucket and CF Distribution will be created per domain."
+  type = list( object( {
+    domain  = string
+    aliases = list(string)
+  } ) )
 }
 
 variable "domain_name" {

Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ data "aws_iam_policy_document" "deploy_assets_policy" {`
`72`	`72`	`"s3:ListBucket",`
`73`	`73`	`]`
`74`	`74`
`75`		`- resources = formatlist("arn:aws:s3:::%s", var.s3_hosting_buckets)`
	`75`	`+ resources = module.s3_hosting[*].bucket_arn`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`statement {`
`@@ -81,7 +81,7 @@ data "aws_iam_policy_document" "deploy_assets_policy" {`
`81`	`81`	`"s3:GetBucketLocation",`
`82`	`82`	`]`
`83`	`83`
`84`		`- resources = formatlist("arn:aws:s3:::%s/*", var.s3_hosting_buckets)`
	`84`	`+ resources = formatlist("%s/", module.s3_hosting[].bucket_arn)`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`statement {`
Original file line number	Diff line number	Diff line change
`@@ -44,9 +44,12 @@ variable "eks_worker_ami" {`
`44`	`44`	`description = "The (EKS-optimized) AMI for EKS worker instances"`
`45`	`45`	`}`
`46`	`46`
`47`		`-variable "s3_hosting_buckets" {`
`48`		`- description = "S3 hosting buckets"`
`49`		`- type = set(string)`
	`47`	`+variable "hosted_domains" {`
	`48`	`+ description = "Domains to host content for using S3 and Cloudfront. Requires a domain which will be the bucket name and the domain for the certificate, and optional aliases which will have records created for them and will be SubjectAltNames for the certificate. Only a single bucket and CF Distribution will be created per domain."`
	`49`	`+ type = list( object( {`
	`50`	`+ domain = string`
	`51`	`+ aliases = list(string)`
	`52`	`+ } ) )`
`50`	`53`	`}`
`51`	`54`
`52`	`55`	`variable "domain_name" {`