From fecab0644fc9f10a6ae665613145ad2b78003203 Mon Sep 17 00:00:00 2001
From: Geoff Kendal
Date: Thu, 1 Feb 2024 10:26:51 +0000
Subject: [PATCH] domains

---
 .github/workflows/build.yml | 4 +--
 environments/prod/terragrunt.hcl | 2 +-
 terraform/acm.tf | 17 ++++++++++++
 terraform/aws.tf | 7 ++++-
 terraform/cloudfront.tf | 9 +++---
 terraform/iam.tf | 2 --
 terraform/route53.tf | 46 ++++++++++++++++++++++++++++++++
 terraform/s3.tf | 3 +--
 8 files changed, 77 insertions(+), 13 deletions(-)
 create mode 100644 terraform/acm.tf
 create mode 100644 terraform/route53.tf

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7f926a4..3d6f7ab 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -71,10 +71,10 @@ jobs:
 path: accreditation
 - name: Copy to S3
- run: aws s3 sync accreditation s3://dev.stumblefunk.org.uk/accreditation
+ run: aws s3 sync accreditation s3://www.dev.stumblefunk.org.uk/accreditation
 - name: Load env config
- run: aws s3 cp s3://dev.stumblefunk.org.uk/accreditation/config.js.env s3://dev.stumblefunk.org.uk/accreditation/config.js
+ run: aws s3 cp s3://www.dev.stumblefunk.org.uk/accreditation/config.js.env s3://www.dev.stumblefunk.org.uk/accreditation/config.js
 deploy-prod:
diff --git a/environments/prod/terragrunt.hcl b/environments/prod/terragrunt.hcl
index 3161f67..9b95ae9 100644
--- a/environments/prod/terragrunt.hcl
+++ b/environments/prod/terragrunt.hcl
@@ -10,5 +10,5 @@ include {
 # Specfic variables for this environment
 inputs = {
- domain = "www.stumblefunk.org.uk"
+ domain = "stumblefunk.org.uk"
 }
diff --git a/terraform/acm.tf b/terraform/acm.tf
new file mode 100644
index 0000000..5bac325
--- /dev/null
+++ b/terraform/acm.tf
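Review bot: The bucket name `www.dev.stumblefunk.org.uk` is now repeated as a literal in both changed `run:` lines while Terraform derives the same name from `var.domain` in s3.tf, so the next rename drifts unless both places are edited together; reading it once from a job-level value, e.g. `env: S3_BUCKET: www.dev.stumblefunk.org.uk` and `run: aws s3 sync accreditation s3://$S3_BUCKET/accreditation`, keeps the two steps in step with each other. The second step also leaves `config.js.env` next to the generated `config.js` inside a bucket that is the CloudFront origin, so both objects are reachable through the distribution; if the `.env` variant holds anything not meant for browsers (I can't see its contents here) it should live outside the served prefix. `aws s3 sync` without `--delete` also keeps previously deployed objects in the prefix. The dev deploy job this hunk belongs to starts above the hunk.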
@@ -0,0 +1,17 @@
+resource "aws_acm_certificate" "this" {
+ domain_name = var.domain
+ subject_alternative_names = ["www.${var.domain}"]
+ validation_method = "DNS"
+ provider = aws.virginia
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+
+resource "aws_acm_certificate_validation" "this" {
+ certificate_arn = aws_acm_certificate.this.arn
+ validation_record_fqdns = [for record in aws_route53_record.validation : record.fqdn]
+ provider = aws.virginia
+}
\ No newline at end of file
diff --git a/terraform/aws.tf b/terraform/aws.tf
index 287213f..f4e2af1 100644
--- a/terraform/aws.tf
+++ b/terraform/aws.tf
@@ -11,4 +11,9 @@ terraform {
 provider "aws" {
 region = var.aws_region
-}
\ No newline at end of file
+}
+
+provider "aws" {
+ alias = "virginia"
+ region = "us-east-1"
+}
diff --git a/terraform/cloudfront.tf b/terraform/cloudfront.tf
index 9301ec1..eeb68df 100644
--- a/terraform/cloudfront.tf
+++ b/terraform/cloudfront.tf
@@ -7,8 +7,6 @@ resource "aws_cloudfront_origin_access_control" "www" {
 }
-
-
 resource "aws_cloudfront_distribution" "www" {
 origin {
 domain_name = aws_s3_bucket.www.bucket_regional_domain_name
@@ -18,9 +16,9 @@ resource "aws_cloudfront_distribution" "www" {
 enabled = true
 default_root_object = "index.html"
+ comment = "${var.product}-${var.environment}"
- # Optional - Extra CNAMEs (alternate domain names), if any, for this distribution
- # aliases = ["mysite.example.com", "yoursite.example.com"]
+ aliases = ["www.${var.domain}", var.domain]
 default_cache_behavior {
 allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
@@ -57,7 +55,8 @@ resource "aws_cloudfront_distribution" "www" {
 }
 viewer_certificate {
- cloudfront_default_certificate = true
+ acm_certificate_arn = aws_acm_certificate.this.arn
+ ssl_support_method = "sni-only"
 }
 }
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 0238f97..8782862 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
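Review bot: `provider = aws.virginia` on both resources is load-bearing but unexplained, and a later reader could "tidy" it back to the default provider and break the distribution; add above the certificate resource `# CloudFront only accepts ACM certificates issued in us-east-1, so both resources use the aliased provider from aws.tf.` The same one-line comment belongs on the new aliased `provider "aws"` block in the aws.tf hunk, where `region = "us-east-1"` otherwise looks like a hard-coded copy of `var.aws_region`. The file also ends without a trailing newline (`\ No newline at end of file`), which is a style nit worth fixing while the file is new.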
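Review bot: `aliases = ["www.${var.domain}", var.domain]` serves identical content under two hostnames with nothing marking either as canonical; if one is meant to be the canonical name, a viewer-request redirect from the other would make that explicit, otherwise state the intent in place, e.g. `# apex and www are intentionally equivalent; no canonical redirect`. The `default_cache_behavior` block that begins at the end of this hunk continues outside it.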
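Review bot: `acm_certificate_arn = aws_acm_certificate.this.arn` creates no dependency on `aws_acm_certificate_validation.this`, and CloudFront rejects a certificate that is still pending validation, so a fresh apply can fail until the DNS validation records in route53.tf have been created and validated; reference the validation result instead, `acm_certificate_arn = aws_acm_certificate_validation.this.certificate_arn`. Moving off the default certificate also leaves `minimum_protocol_version` at the provider default (`TLSv1` as far as the provider docs state), so add `minimum_protocol_version = "TLSv1.2_2021"` next to `ssl_support_method = "sni-only"`. `viewer_protocol_policy` in the cache behavior is outside this hunk; with a real certificate attached it should be `redirect-to-https` if it is not already. The distribution resource starts above the hunk.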
@@ -10,8 +10,6 @@ data "aws_iam_policy_document" "lambda" {
 }
-
-
 resource "aws_iam_role" "lambda" {
 name = "${var.product}-role-${var.environment}"
 assume_role_policy = data.aws_iam_policy_document.lambda.json
diff --git a/terraform/route53.tf b/terraform/route53.tf
new file mode 100644
index 0000000..012676b
--- /dev/null
+++ b/terraform/route53.tf
@@ -0,0 +1,46 @@
+data "aws_route53_zone" "this" {
+ name = "stumblefunk.org.uk"
+ private_zone = false
+}
+
+
+resource "aws_route53_record" "validation" {
+ for_each = {
+ for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
+ name = dvo.resource_record_name
+ record = dvo.resource_record_value
+ type = dvo.resource_record_type
+ }
+ }
+
+ allow_overwrite = true
+ name = each.value.name
+ records = [each.value.record]
+ ttl = 60
+ type = each.value.type
+ zone_id = data.aws_route53_zone.this.zone_id
+}
+
+
+resource "aws_route53_record" "www" {
+ zone_id = data.aws_route53_zone.this.zone_id
+ name = "www.${var.domain}"
+ type = "A"
+ alias {
+ name = aws_cloudfront_distribution.www.domain_name
+ zone_id = aws_cloudfront_distribution.www.hosted_zone_id
+ evaluate_target_health = true
+ }
+}
+
+
+resource "aws_route53_record" "nowww" {
+ zone_id = data.aws_route53_zone.this.zone_id
+ name = var.domain
+ type = "A"
+ alias {
+ name = aws_cloudfront_distribution.www.domain_name
+ zone_id = aws_cloudfront_distribution.www.hosted_zone_id
+ evaluate_target_health = true
+ }
+}
\ No newline at end of file
diff --git a/terraform/s3.tf b/terraform/s3.tf
index 6f5a1e3..9f24a41 100644
--- a/terraform/s3.tf
+++ b/terraform/s3.tf
@@ -1,5 +1,5 @@
 resource "aws_s3_bucket" "www" {
- bucket = "${var.domain}"
+ bucket = "www.${var.domain}"
 force_destroy = true
 }
@@ -12,7 +12,6 @@ resource "aws_s3_account_public_access_block" "www" {
 }
-
 locals {
 folder_files = [
 for file in flatten(fileset("${path.module}/public_html/**", "**")) :
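Review bot: `data "aws_route53_zone" "this"` hard-codes `"stumblefunk.org.uk"` while every record, the certificate and the bucket are derived from `var.domain`, so an environment with a different `domain` (the workflow hunk implies dev uses `dev.stumblefunk.org.uk`) writes its records into the apex zone — presumably intended, but it should be stated, either with a `zone_name` variable that defaults to this literal or a comment such as `# all environments share the apex zone; records are created under var.domain`. `evaluate_target_health = true` on the `www` and `nowww` alias records: the Route 53 AliasTarget documentation says this cannot be true when the target is a CloudFront distribution, so it should be `false` (worth confirming against the current API before apply). `allow_overwrite = true` on the validation records is the usual pattern for certificate recreation, but it means Terraform silently takes over any existing record of the same name, which deserves a one-line comment saying so.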
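Review bot: Changing `bucket` to `"www.${var.domain}"` forces replacement of `aws_s3_bucket.www` in any environment whose `domain` did not also drop its `www.` prefix (prod keeps the same bucket name because terragrunt.hcl now sets the apex, but the workflow change implies dev moves from `dev.` to `www.dev.`), and with `force_destroy = true` the old bucket and every object in it are deleted on apply, leaving the CloudFront origin empty until the next workflow sync. A comment on the line, `# must match the www alias on the distribution; renaming replaces the bucket and force_destroy wipes it`, plus a plan review before the first apply per environment, would make that cost visible. The second s3.tf hunk is cut off at the end of the patch.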