This repository has been archived by the owner on Sep 22, 2024. It is now read-only.
forked from gruntwork-io/terraform-google-static-assets
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathmain.tf
152 lines (120 loc) · 5.2 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# DEPLOY A STATIC SITE
# This module deploys a Cloud Storage static website
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
terraform {
# This module is now only being tested with Terraform 1.0.x. However, to make upgrading easier, we are setting
# 0.12.26 as the minimum version, as that version added support for required_providers with source URLs, making it
# forwards compatible with 1.0.x code.
required_version = ">= 0.12.26"
}
# ------------------------------------------------------------------------------
# PREPARE LOCALS
#
# NOTE: Due to limitations in terraform and heavy use of nested sub-blocks in the resource,
# we have to construct some of the configuration values dynamically
# ------------------------------------------------------------------------------
locals {
# We have to use dashes instead of dots in the access log bucket, because that bucket is not a website
website_domain_name_dashed = replace(var.website_domain_name, ".", "-")
bucket_name = var.bucket_name == "" ? var.website_domain_name : var.bucket_name
access_log_kms_keys = var.access_logs_kms_key_name == "" ? [] : [var.access_logs_kms_key_name]
website_kms_keys = var.website_kms_key_name == "" ? [] : [var.website_kms_key_name]
}
# ------------------------------------------------------------------------------
# CREATE THE WEBSITE BUCKET
# ------------------------------------------------------------------------------
resource "google_storage_bucket" "website" {
provider = google-beta
project = var.project
name = local.bucket_name
location = var.website_location
storage_class = var.website_storage_class
versioning {
enabled = var.enable_versioning
}
website {
main_page_suffix = var.index_page
not_found_page = var.not_found_page
}
dynamic "cors" {
for_each = var.enable_cors ? ["cors"] : []
content {
origin = var.cors_origins
method = var.cors_methods
response_header = var.cors_extra_headers
max_age_seconds = var.cors_max_age_seconds
}
}
force_destroy = var.force_destroy_website
dynamic "encryption" {
for_each = local.website_kms_keys
content {
default_kms_key_name = encryption.value
}
}
labels = var.custom_labels
logging {
log_bucket = google_storage_bucket.access_logs.name
log_object_prefix = var.access_log_prefix != "" ? var.access_log_prefix : local.website_domain_name_dashed
}
}
# ------------------------------------------------------------------------------
# CONFIGURE BUCKET ACLS
# ------------------------------------------------------------------------------
resource "google_storage_default_object_acl" "website_acl" {
provider = google-beta
bucket = google_storage_bucket.website.name
role_entity = var.website_acls
}
# ---------------------------------------------------------------------------------------------------------------------
# CREATE A SEPARATE BUCKET TO STORE ACCESS LOGS
# ---------------------------------------------------------------------------------------------------------------------
resource "google_storage_bucket" "access_logs" {
provider = google-beta
project = var.project
# Use the dashed domain name
name = var.bucket_name == "" ? "${local.website_domain_name_dashed}-logs" : "${var.bucket_name}-logs"
location = var.website_location
storage_class = var.website_storage_class
force_destroy = var.force_destroy_access_logs_bucket
dynamic "encryption" {
for_each = local.access_log_kms_keys
content {
default_kms_key_name = encryption.value
}
}
lifecycle_rule {
action {
type = "Delete"
}
condition {
age = var.access_logs_expiration_time_in_days
}
}
labels = var.custom_labels
}
# ---------------------------------------------------------------------------------------------------------------------
# GRANT WRITER ACCESS TO GOOGLE ANALYTICS
# ---------------------------------------------------------------------------------------------------------------------
resource "google_storage_bucket_acl" "analytics_write" {
provider = google-beta
bucket = google_storage_bucket.access_logs.name
# The actual identity is '[email protected]', but
# we're required to prefix that with the type of identity
role_entity = ["WRITER:[email protected]"]
}
# ---------------------------------------------------------------------------------------------------------------------
# CREATE OPTIONAL CNAME ENTRY IN CLOUD DNS
# ---------------------------------------------------------------------------------------------------------------------
resource "google_dns_record_set" "cname" {
provider = google-beta
count = var.create_dns_entry ? 1 : 0
depends_on = [google_storage_bucket.website]
project = var.project
name = "${var.website_domain_name}."
managed_zone = var.dns_managed_zone_name
type = "CNAME"
ttl = var.dns_record_ttl
rrdatas = ["c.storage.googleapis.com."]
}