feat!: Make origin ALB the default.

jamesiarmes · jamesiarmes · commit 9cf7b4701634 · 2026-01-27T17:47:36.000-05:00
diff --git a/README.md b/README.md
diff --git a/data.tf b/data.tf
@@ -1,7 +1,7 @@
 data "aws_acm_certificate" "imported" {
   for_each = var.certificate_imported ? toset(["this"]) : toset([])
 
-  domain      = var.certificate_domain != "" ? var.certificate_domain : local.fqdn
+  domain      = coalesce(var.certificate_domain, local.fqdn)
   statuses    = ["ISSUED"]
   types       = ["IMPORTED"]
   most_recent = true
@@ -25,13 +25,13 @@ data "aws_cloudfront_response_headers_policy" "policy" {
 }
 
 data "aws_lb" "origin" {
-  for_each = var.origin_alb_arn != null ? toset(["this"]) : toset([])
+  for_each = var.use_custom_origin ? toset([]) : toset(["this"])
 
   arn = var.origin_alb_arn
 }
 
 data "aws_lb_listener" "origin" {
-  for_each = var.origin_alb_arn != null ? toset(["this"]) : toset([])
+  for_each = var.use_custom_origin ? toset([]) : toset(["this"])
 
   load_balancer_arn = var.origin_alb_arn
   port              = 443
diff --git a/dns.tf b/dns.tf
@@ -50,7 +50,7 @@ resource "aws_acm_certificate_validation" "validation" {
 resource "aws_lb_listener_certificate" "origin" {
   # If the origin is an ALB, we need to attach our certificate to its listener
   # so that it properly negotiates TLS with the CloudFront "Host" header.
-  for_each = var.origin_alb_arn != null ? toset(["this"]) : toset([])
+  for_each = var.use_custom_origin ? toset([]) : toset(["this"])
 
   listener_arn    = data.aws_lb_listener.origin["this"].arn
   certificate_arn = aws_acm_certificate.subdomain.arn
diff --git a/locals.tf b/locals.tf
@@ -1,12 +1,13 @@
 locals {
   fqdn      = join(".", compact([local.subdomain, var.domain]))
-  subdomain = var.subdomain != null ? var.subdomain : var.environment
-  # If an origin ALB ARN is provided, use its DNS name; otherwise, use the
-  # provided origin domain or construct one.
-  origin_domain = (var.origin_alb_arn != null
-    ? data.aws_lb.origin["this"].dns_name
-    : (var.origin_domain != "" ? var.origin_domain : join(".", compact(["origin", local.subdomain, var.domain])))
+  subdomain = coalesce(var.subdomain, var.environment)
+  prefix    = join("-", compact([var.project, var.environment]))
+  tags      = merge(var.tags, { domain : local.fqdn })
+
+  # When using a custom origin, use the provided domain or construct one.
+  # Otherwise, use the DNS name of the origin ALB.
+  origin_domain = (var.use_custom_origin
+    ? coalesce(var.origin_domain, join(".", compact(["origin", local.subdomain, var.domain])))
+    : data.aws_lb.origin["this"].dns_name
   )
-  prefix = "${var.project}-${var.environment}"
-  tags   = merge(var.tags, { domain : local.fqdn })
 }
diff --git a/main.tf b/main.tf
@@ -22,8 +22,7 @@ resource "aws_cloudfront_distribution" "waf" {
     }
 
     dynamic "custom_origin_config" {
-      # If we don't have an ALB origin, we need to set up a custom config.
-      for_each = var.origin_alb_arn == null ? toset(["this"]) : toset([])
+      for_each = var.use_custom_origin ? toset(["this"]) : toset([])
 
       content {
         http_port                = 80
@@ -36,8 +35,7 @@ resource "aws_cloudfront_distribution" "waf" {
     }
 
     dynamic "vpc_origin_config" {
-      # If we have an ALB origin, we want to use a VPC origin to connect.
-      for_each = var.origin_alb_arn != null ? toset(["this"]) : toset([])
+      for_each = var.use_custom_origin ? toset([]) : toset(["this"])
 
       content {
         origin_keepalive_timeout = 5
@@ -93,7 +91,7 @@ resource "terraform_data" "origin_alb" {
 }
 
 resource "aws_cloudfront_vpc_origin" "this" {
-  for_each = var.origin_alb_arn != null ? toset(["this"]) : toset([])
+  for_each = var.use_custom_origin ? toset([]) : toset(["this"])
 
   vpc_origin_endpoint_config {
     name                   = local.prefix
@@ -133,7 +131,7 @@ resource "aws_wafv2_web_acl" "waf" {
   dynamic "rule" {
     for_each = var.ip_set_rules
     content {
-      name     = rule.value.name != "" ? rule.value.name : "${local.prefix}-${rule.key}"
+      name     = coalesce(rule.value.name, join("-", [local.prefix, rule.key]))
       priority = rule.value.priority != null ? rule.value.priority : index(var.ip_set_rules, rule.key)
 
       action {
@@ -206,7 +204,7 @@ resource "aws_wafv2_web_acl" "waf" {
   dynamic "rule" {
     for_each = var.rate_limit_rules
     content {
-      name     = rule.value.name != "" ? rule.value.name : "${local.prefix}-rate-${rule.key}"
+      name     = coalesce(rule.value.name, join("-", [local.prefix, "rate", rule.key]))
       priority = rule.value.priority != null ? rule.value.priority : index(var.ip_set_rules, rule.key) + length(var.ip_set_rules) + 1
 
       action {
diff --git a/variables.tf b/variables.tf
@@ -5,13 +5,18 @@ variable "domain" {
 
 variable "certificate_domain" {
   type        = string
-  description = "Domain for the imported certificate, if different from the endpoint. Used in conjunction with certificate_imported."
-  default     = ""
+  description = <<EOF
+    Domain for the imported certificate, if different from the endpoint. Used in
+    conjunction with `certificate_imported`.
+    EOF
+  default     = null
 }
 
 variable "certificate_imported" {
   type        = bool
-  description = "Look up an imported certificate instead of creating a managed one."
+  description = <<EOF
+    Look up an imported certificate instead of creating a managed one.
+    EOF
   default     = false
 }
 
@@ -29,7 +34,7 @@ variable "environment" {
 
 variable "ip_set_rules" {
   type = map(object({
-    name     = optional(string, "")
+    name     = optional(string, null)
     action   = optional(string, "allow")
     priority = optional(number, null)
     arn      = string
@@ -50,19 +55,28 @@ variable "log_group" {
 
 variable "origin_alb_arn" {
   type        = string
-  description = "ARN of the Application Load Balancer this deployment will point to. If set, origin_domain is ignored."
+  description = <<EOF
+    ARN of the Application Load Balancer this deployment will point to. Required
+    unless `use_custom_origin` is set to `true`.
+    EOF
   default     = null
 }
 
 variable "origin_domain" {
   type        = string
-  description = "Origin domain this deployment will point to. Defaults to origin.subdomain.domain."
-  default     = ""
+  description = <<EOF
+    Optional custom origin domain to point to. Defaults to
+    `origin.subdomain.domain`. Only used if `use_custom_origin` is set to
+    `true`.
+    EOF
+  default     = null
 }
 
 variable "passive" {
   type        = bool
-  description = "Enable passive mode for the WAF, counting all requests rather than blocking."
+  description = <<EOF
+    Enable passive mode for the WAF, counting all requests rather than blocking.
+    EOF
   default     = false
 }
 
@@ -73,7 +87,7 @@ variable "project" {
 
 variable "rate_limit_rules" {
   type = map(object({
-    name     = optional(string, "")
+    name     = optional(string, null)
     action   = optional(string, "block")
     limit    = optional(number, 10)
     window   = optional(number, 60)
@@ -98,7 +112,10 @@ variable "request_policy" {
       "Elemental-MediaTailor-PersonalizedManifests",
       "UserAgentRefererHeaders"
     ], var.request_policy)
-    error_message = "Invalid request policy. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html"
+    error_message = <<EOF
+      Invalid request policy. See
+      https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html
+      EOF
   }
 }
 
@@ -125,10 +142,22 @@ variable "upload_paths" {
 
 variable "upload_rules_capacity" {
   type        = number
-  description = "Capacity for the upload rules group. Attempts to determine the capacity if left empty."
+  description = <<EOF
+    Capacity for the upload rules group. Attempts to determine the capacity if
+    left empty.
+    EOF
   default     = null
 }
 
+variable "use_custom_origin" {
+  type        = bool
+  description = <<EOF
+    Use a custom origin configuration instead of an ALB. If set to `true`,
+    `origin_alb_arn` must also be set.
+    EOF
+  default     = false
+}
+
 variable "webhooks" {
   type = map(object({
     paths = list(object({
@@ -150,12 +179,18 @@ variable "webhooks" {
 
 variable "webhooks_priority" {
   type        = number
-  description = "Priority for the webhooks rule group. By default, an attempt is made to place it before other rules that block traffic."
+  description = <<EOF
+    Priority for the webhooks rule group. By default, an attempt is made to
+    place it before other rules that block traffic.
+    EOF
   default     = null
 }
 
 variable "webhook_rules_capacity" {
   type        = number
-  description = "Capacity for the webhook rules group. Attempts to determine the capacity if left empty."
+  description = <<EOF
+    Capacity for the webhook rules group. Attempts to determine the capacity if
+    left empty.
+    EOF
   default     = null
 }
diff --git a/versions.tf b/versions.tf
@@ -1,9 +1,9 @@
 terraform {
-  required_version = ">= 1.6"
+  required_version = ">= 1.10"
 
   required_providers {
     aws = {
-      version = ">= 5.44"
+      version = ">= 6.0"
       source  = "hashicorp/aws"
     }
   }
diff --git a/webhooks.tf b/webhooks.tf
@@ -1,13 +1,13 @@
 resource "aws_wafv2_rule_group" "webhooks" {
   for_each = length(var.webhooks) > 0 ? toset(["this"]) : toset([])
 
-  name_prefix = "${local.prefix}-webhooks-"
+  name_prefix = join("-", [local.prefix, "webhooks"])
   scope       = "CLOUDFRONT"
   capacity    = var.webhook_rules_capacity == null ? 50 : var.webhook_rules_capacity
 
   visibility_config {
     cloudwatch_metrics_enabled = true
-    metric_name                = "${local.prefix}-webhooks"
+    metric_name                = join("-", [local.prefix, "webhooks"])
     sampled_requests_enabled   = true
   }
 
@@ -16,11 +16,11 @@ resource "aws_wafv2_rule_group" "webhooks" {
     for_each = var.webhooks
 
     content {
-      name     = "${local.prefix}-webhooks-${rule.key}-label"
+      name     = join("-", [local.prefix, "webhooks", rule.key, "label"])
       priority = index(keys(var.webhooks), rule.key)
 
       rule_label {
-        name = "webhook:${rule.key}"
+        name = join(":", ["webhook", rule.key])
       }
 
       action {
@@ -29,7 +29,7 @@ resource "aws_wafv2_rule_group" "webhooks" {
 
       visibility_config {
         cloudwatch_metrics_enabled = true
-        metric_name                = "${local.prefix}-webhooks-${rule.key}-label"
+        metric_name                = join("-", [local.prefix, "webhooks", rule.key, "label"])
         sampled_requests_enabled   = true
       }
 
@@ -91,7 +91,7 @@ resource "aws_wafv2_rule_group" "webhooks" {
     for_each = var.webhooks
 
     content {
-      name     = "${local.prefix}-webhooks-${rule.key}"
+      name     = join("-", [local.prefix, "webhooks", rule.key])
       priority = index(keys(var.webhooks), rule.key) + length(keys(var.webhooks))
 
       action {
@@ -113,7 +113,7 @@ resource "aws_wafv2_rule_group" "webhooks" {
 
       visibility_config {
         cloudwatch_metrics_enabled = true
-        metric_name                = "${local.prefix}-webhooks-${rule.key}"
+        metric_name                = join("-", [local.prefix, "webhooks", rule.key])
         sampled_requests_enabled   = true
       }
 

Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,9 @@`
`1`	`1`	`terraform {`
`2`		`- required_version = ">= 1.6"`
	`2`	`+ required_version = ">= 1.10"`
`3`	`3`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`		`- version = ">= 5.44"`
	`6`	`+ version = ">= 6.0"`
`7`	`7`	`source = "hashicorp/aws"`
`8`	`8`	`}`
`9`	`9`	`}`