feat: Support setting no subdomain.

.github/workflows/codeql-analysis.yaml

@@ -12,36 +12,33 @@ on:
 
 jobs:
   analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     permissions:
+      security-events: write
+      packages: read
       actions: read
       contents: read
-      security-events: write
-
     strategy:
       fail-fast: false
       matrix:
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-        # Using "javascript" to scan JSON and YAML files.
-        language: [ 'javascript' ]
-
+        include:
+          - language: actions
+            build_mode: none
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-
-      # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
-
-          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-          queries: security-extended,security-and-quality
+          build-mode: ${{ matrix.build-mode }}
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: "/language:${{matrix.language}}"

dns.tf

@@ -1,6 +1,6 @@
 resource "aws_route53_record" "subdomain" {
   zone_id = data.aws_route53_zone.domain.zone_id
-  name    = "${local.subdomain}.${var.domain}"
+  name    = local.fqdn
   type    = "A"
 
   alias {
@@ -13,7 +13,7 @@ resource "aws_route53_record" "subdomain" {
 resource "aws_acm_certificate" "subdomain" {
   # Specify the name rather than referencing the resource directly. This allows
   # us to create the certificate before the DNS record exists.
-  domain_name       = "${local.subdomain}.${var.domain}"
+  domain_name       = local.fqdn
   validation_method = "DNS"
 
   lifecycle {

locals.tf

@@ -1,12 +1,12 @@
 locals {
-  fqdn      = "${local.subdomain}.${var.domain}"
-  subdomain = var.subdomain == "" ? var.environment : var.subdomain
+  fqdn      = join(".", compact([local.subdomain, var.domain]))
+  subdomain = var.subdomain != null ? var.subdomain : var.environment
   # If an origin ALB ARN is provided, use its DNS name; otherwise, use the
   # provided origin domain or construct one.
   origin_domain = (var.origin_alb_arn != null
     ? data.aws_lb.origin["this"].dns_name
-    : (var.origin_domain != "" ? var.origin_domain : join(".", ["origin", local.subdomain, var.domain]))
+    : (var.origin_domain != "" ? var.origin_domain : join(".", compact(["origin", local.subdomain, var.domain])))
   )
   prefix = "${var.project}-${var.environment}"
-  tags   = merge(var.tags, { domain : "${local.subdomain}.${var.domain}" })
+  tags   = merge(var.tags, { domain : local.fqdn })
 }

main.tf

@@ -2,7 +2,7 @@ resource "aws_cloudfront_distribution" "waf" {
   enabled         = true
   comment         = "Pass traffic through WAF before sending to the origin."
   is_ipv6_enabled = true
-  aliases         = ["${local.subdomain}.${var.domain}"]
+  aliases         = [local.fqdn]
   price_class     = "PriceClass_100"
   web_acl_id      = aws_wafv2_web_acl.waf.arn
 
@@ -50,7 +50,7 @@ resource "aws_cloudfront_distribution" "waf" {
   logging_config {
     include_cookies = false
     bucket          = var.log_bucket
-    prefix          = "cloudfront/${local.subdomain}.${var.domain}"
+    prefix          = "cloudfront/${local.fqdn}"
   }
 
   default_cache_behavior {
@@ -88,6 +88,9 @@ resource "aws_cloudfront_distribution" "waf" {
 resource "terraform_data" "prefix" {
   input = local.prefix
 }
+resource "terraform_data" "origin_alb" {
+  input = var.origin_alb_arn
+}
 
 resource "aws_cloudfront_vpc_origin" "this" {
   for_each = var.origin_alb_arn != null ? toset(["this"]) : toset([])
@@ -108,10 +111,11 @@ resource "aws_cloudfront_vpc_origin" "this" {
   tags = local.tags
 
   lifecycle {
-    # Name changes don't force a replacement, but will fail if the origin is in
-    # use. We want to force a replacement so that the name is updated properly.
+    # Some changes don't force a replacement, but will fail if the origin is in
+    # use. We want to force a replacement so that the origin is updated
+    # properly.
     create_before_destroy = true
-    replace_triggered_by  = [terraform_data.prefix]
+    replace_triggered_by  = [terraform_data.prefix, terraform_data.origin_alb]
   }
 }
 

variables.tf

@@ -105,7 +105,7 @@ variable "request_policy" {
 variable "subdomain" {
   type        = string
   description = "Subdomain for the distribution. Defaults to the environment."
-  default     = ""
+  default     = null
 }
 
 variable "tags" {