feat: Support ALB origins.

.github/workflows/branch.yaml

@@ -32,7 +32,7 @@ jobs:
     steps:
       - name: Checkout source code
         uses: actions/checkout@v4
-      - name: Run Trivy vulnarability scanner
+      - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
           scan-type: config

README.md

@@ -13,7 +13,7 @@ to match your desired configuration. For example, to create a new distribution
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.9.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.10.0"
 
   project     = "my-project"
   environment = "dev"
@@ -76,7 +76,7 @@ distribution at `www.my-project.org`, you could use the following:
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.9.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.10.0"
 
   project     = "my-project"
   environment = "dev"
@@ -136,6 +136,7 @@ webhooks_priority = 100
 | environment            | The environment for the deployment.                                                                                       | `string`       | `"dev"`       | no       |
 | [ip_set_rules]         | Custom IP Set rules for the WAF                                                                                           | `map(object)`  | `{}`          | no       |
 | [rate_limit_rules]     | Rate limiting configuration for the WAF.                                                                                  | `map(object)`  | `{}`          | no       |
+| origin_alb_arn         | ARN of the Application Load Balancer this deployment will point to. If set, `origin_domain` is ignored.                   | `string`       | n/a           | no       |
 | origin_domain          | Fully qualified domain name for the origin. Defaults to `origin.${subdomain}.${domain}`.                                  | `string`       | n/a           | no       |
 | passive                | Enable passive mode for the WAF, counting all requests rather than blocking.                                              | `bool`         | `false`       | no       |
 | request_policy         | Managed request policy to associate with the distribution. See the [managed policies][managed-policies] for valid values. | `string`       | `"AllViewer"` | no       |
@@ -160,7 +161,7 @@ Simply specify the headers you want to add in a map. For example:
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.9.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.10.0"
 
   project     = "my-project"
   environment = "dev"
@@ -196,7 +197,7 @@ resource "aws_wafv2_ip_set" "security_scanners" {
 }
 
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.9.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.10.0"
 
   project     = "my-project"
   environment = "staging"
@@ -235,7 +236,7 @@ For example, to rate limit requests to 300 over a 5-minute period:
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.9.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.10.0"
 
   project     = "my-project"
   environment = "staging"
@@ -281,7 +282,7 @@ ensure it comes after the common and SQLi rule sets.
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.9.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.10.0"
 
   project     = "my-project"
   environment = "staging"
@@ -323,7 +324,7 @@ conditions that must be met for the request to be allowed through.
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.9.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.10.0"
 
   project     = "my-project"
   environment = "staging"

data.tf

@@ -24,6 +24,19 @@ data "aws_cloudfront_response_headers_policy" "policy" {
   name = "Managed-SimpleCORS"
 }
 
+data "aws_lb" "origin" {
+  for_each = var.origin_alb_arn != null ? toset(["this"]) : toset([])
+
+  arn = var.origin_alb_arn
+}
+
+data "aws_lb_listener" "origin" {
+  for_each = var.origin_alb_arn != null ? toset(["this"]) : toset([])
+
+  load_balancer_arn = var.origin_alb_arn
+  port              = 443
+}
+
 data "aws_route53_zone" "domain" {
   name = var.domain
 }

dns.tf

@@ -46,3 +46,12 @@ resource "aws_acm_certificate_validation" "validation" {
     for record in aws_route53_record.validation : record.fqdn
   ]
 }
+
+resource "aws_lb_listener_certificate" "origin" {
+  # If the origin is an ALB, we need to attach our certificate to its listener
+  # so that it properly negotiates TLS with the CloudFront "Host" header.
+  for_each = var.origin_alb_arn != null ? toset(["this"]) : toset([])
+
+  listener_arn    = data.aws_lb_listener.origin["this"].arn
+  certificate_arn = aws_acm_certificate.subdomain.arn
+}

locals.tf

@@ -1,7 +1,12 @@
 locals {
-  fqdn          = "${local.subdomain}.${var.domain}"
-  subdomain     = var.subdomain == "" ? var.environment : var.subdomain
-  origin_domain = var.origin_domain == "" ? "origin.${local.subdomain}.${var.domain}" : var.origin_domain
-  prefix        = "${var.project}-${var.environment}"
-  tags          = merge(var.tags, { domain : "${local.subdomain}.${var.domain}" })
+  fqdn      = "${local.subdomain}.${var.domain}"
+  subdomain = var.subdomain == "" ? var.environment : var.subdomain
+  # If an origin ALB ARN is provided, use its DNS name; otherwise, use the
+  # provided origin domain or construct one.
+  origin_domain = (var.origin_alb_arn != null
+    ? data.aws_lb.origin["this"].dns_name
+    : (var.origin_domain != "" ? var.origin_domain : join(".", ["origin", local.subdomain, var.domain]))
+  )
+  prefix = "${var.project}-${var.environment}"
+  tags   = merge(var.tags, { domain : "${local.subdomain}.${var.domain}" })
 }

trivy.yaml

@@ -1,5 +1,8 @@
 exit-code: 1
 misconfiguration:
+  # Pin to 1.11 until https://github.com/aquasecurity/trivy-checks/pull/494 is
+  # resolved and a new version is released.
+  checks-bundle-repository: mirror.gcr.io/aquasec/trivy-checks:1.11
   ignore-unfixed: true
   terraform:
     exclude-downloaded-modules: true

variables.tf

@@ -48,6 +48,12 @@ variable "log_group" {
   description = "CloudWatch log group to send WAF logs to."
 }
 
+variable "origin_alb_arn" {
+  type        = string
+  description = "ARN of the Application Load Balancer this deployment will point to. If set, origin_domain is ignored."
+  default     = null
+}
+
 variable "origin_domain" {
   type        = string
   description = "Origin domain this deployment will point to. Defaults to origin.subdomain.domain."