Initial commit from existing TF

tabletcorry · tabletcorry · commit 6ab6a56ed957 · 2022-11-05T13:16:04.000-07:00
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,8 @@
 # Local .terraform directories
 **/.terraform/*
 
+/.idea
+
 # .tfstate files
 *.tfstate
 *.tfstate.*
diff --git a/acm.tf b/acm.tf
@@ -0,0 +1,17 @@
+resource "aws_acm_certificate" "cloudfront" {
+  provider          = aws.us-east-1
+  domain_name       = var.primary_domain_name
+  validation_method = "DNS"
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  subject_alternative_names = var.secondary_domain_names
+
+}
+
+resource "aws_acm_certificate_validation" "cloudfront" {
+  provider                = aws.us-east-1
+  certificate_arn         = aws_acm_certificate.cloudfront.arn
+  validation_record_fqdns = [for record in aws_route53_record.cf_acm : record.fqdn]
+}
diff --git a/cloudfront.tf b/cloudfront.tf
@@ -0,0 +1,128 @@
+resource "aws_cloudfront_origin_access_identity" "self" {
+}
+
+data "aws_cloudfront_cache_policy" "Managed-CachingOptimized" {
+  name = "Managed-CachingOptimized"
+}
+
+resource "aws_cloudfront_distribution" "self" {
+  origin {
+    domain_name = aws_s3_bucket.origin.bucket_regional_domain_name
+    origin_id   = local.s3_origin_id
+
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.self.cloudfront_access_identity_path
+    }
+  }
+
+  enabled             = true
+  is_ipv6_enabled     = true
+  default_root_object = "index.html"
+  http_version        = "http2and3"
+
+  aliases = concat([var.primary_domain_name], var.secondary_domain_names)
+
+  logging_config {
+    include_cookies = false
+    bucket          = aws_s3_bucket.origin_logs.bucket_domain_name
+  }
+
+  default_cache_behavior {
+    allowed_methods  = ["GET", "HEAD"]
+    cached_methods   = ["GET", "HEAD"]
+    target_origin_id = local.s3_origin_id
+
+    cache_policy_id = data.aws_cloudfront_cache_policy.Managed-CachingOptimized.id
+
+
+    compress               = true
+    viewer_protocol_policy = "redirect-to-https"
+
+    function_association {
+      event_type   = "viewer-request"
+      function_arn = aws_cloudfront_function.request.arn
+    }
+
+    /*function_association {
+      event_type   = "viewer-response"
+      function_arn = aws_cloudfront_function.response.arn
+    }*/
+
+    response_headers_policy_id = aws_cloudfront_response_headers_policy.self.id
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  price_class = "PriceClass_200"
+
+  viewer_certificate {
+    acm_certificate_arn      = aws_acm_certificate.cloudfront.arn
+    ssl_support_method       = "sni-only"
+    minimum_protocol_version = "TLSv1.2_2021"
+  }
+
+  custom_error_response {
+    error_code            = 404
+    error_caching_min_ttl = 86400
+    response_page_path    = "/404.html"
+    response_code         = 404
+  }
+}
+
+resource "aws_cloudfront_function" "request" {
+  code    = file("${path.module}/request.js")
+  name    = "indexer"
+  runtime = "cloudfront-js-1.0"
+  publish = true
+}
+
+resource "aws_cloudfront_function" "response" {
+  code    = file("${path.module}/response.js")
+  name    = "response"
+  runtime = "cloudfront-js-1.0"
+  publish = true
+}
+
+resource "aws_cloudfront_response_headers_policy" "self" {
+  name = "blog"
+
+  security_headers_config {
+    content_type_options {
+      override = true
+    }
+
+    frame_options {
+      frame_option = "DENY"
+      override     = true
+    }
+
+    strict_transport_security {
+      access_control_max_age_sec = 31536000
+      include_subdomains         = true
+      override                   = true
+      preload                    = true
+    }
+
+    xss_protection {
+      mode_block = true
+      override   = true
+      protection = true
+    }
+
+    referrer_policy {
+      override        = true
+      referrer_policy = "strict-origin-when-cross-origin"
+    }
+
+    /*content_security_policy {
+      content_security_policy = "default-src 'none'; img-src 'self'; script-src 'unsafe-inline'; style-src 'self'"
+      override                = true
+    }*/
+
+
+  }
+}
diff --git a/data.tf b/data.tf
@@ -0,0 +1,3 @@
+data "aws_route53_zone" "self" {
+  name = var.primary_domain_name
+}
diff --git a/input.tf b/input.tf
@@ -0,0 +1,12 @@
+variable "name" {
+  type = string
+}
+
+variable "primary_domain_name" {
+  type = string
+}
+
+variable "secondary_domain_names" {
+  type = list(string)
+  default = []
+}
diff --git a/locals.tf b/locals.tf
@@ -0,0 +1,3 @@
+locals {
+  s3_origin_id  = "blogs3origin"
+}
diff --git a/provider.tf b/provider.tf
@@ -0,0 +1,14 @@
+provider "aws" {}
+
+provider "aws" {
+  alias  = "us-east-1"
+  region = "us-east-1"
+}
+
+terraform {
+  backend "s3" {
+    bucket = "net-corryh-terraform"
+    key    = "website/core.tf"
+    region = "us-west-2"
+  }
+}
diff --git a/route53.tf b/route53.tf
@@ -0,0 +1,40 @@
+resource "aws_route53_record" "cf" {
+  name    = var.primary_domain_name
+  type    = "A"
+  zone_id = data.aws_route53_zone.self.zone_id
+
+  alias {
+    evaluate_target_health = false
+    name                   = aws_cloudfront_distribution.self.domain_name
+    zone_id                = aws_cloudfront_distribution.self.hosted_zone_id
+  }
+}
+
+resource "aws_route53_record" "cf_aaaa" {
+  name    = var.primary_domain_name
+  type    = "AAAA"
+  zone_id = data.aws_route53_zone.self.zone_id
+
+  alias {
+    evaluate_target_health = false
+    name                   = aws_cloudfront_distribution.self.domain_name
+    zone_id                = aws_cloudfront_distribution.self.hosted_zone_id
+  }
+}
+
+resource "aws_route53_record" "cf_acm" {
+  for_each = {
+    for dvo in aws_acm_certificate.cloudfront.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = data.aws_route53_zone.self.zone_id
+}
diff --git a/s3.tf b/s3.tf
@@ -0,0 +1,58 @@
+resource "aws_s3_bucket" "origin" {
+  bucket = var.name
+}
+
+resource "aws_s3_bucket" "origin_logs" {
+  bucket = "${var.name}-logs"
+}
+
+resource "aws_s3_bucket_acl" "origin" {
+  bucket = aws_s3_bucket.origin.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_acl" "origin_logs" {
+  bucket = aws_s3_bucket.origin_logs.id
+  acl    = "log-delivery-write"
+}
+
+resource "aws_s3_bucket_public_access_block" "origin" {
+  bucket = aws_s3_bucket.origin.id
+
+  block_public_acls   = true
+  block_public_policy = true
+}
+
+resource "aws_s3_bucket_public_access_block" "origin_logs" {
+  bucket = aws_s3_bucket.origin_logs.id
+
+  block_public_acls   = true
+  block_public_policy = true
+}
+
+data "aws_iam_policy_document" "origin" {
+  statement {
+    actions   = ["s3:GetObject"]
+    resources = ["${aws_s3_bucket.origin.arn}/*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${aws_cloudfront_origin_access_identity.self.iam_arn}"]
+    }
+  }
+
+  statement {
+    actions   = ["s3:ListBucket"]
+    resources = ["${aws_s3_bucket.origin.arn}"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${aws_cloudfront_origin_access_identity.self.iam_arn}"]
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "origin" {
+  bucket = aws_s3_bucket.origin.id
+  policy = data.aws_iam_policy_document.origin.json
+}
diff --git a/versions.tf b/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+
+  required_version = ">= 0.15"
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+data "aws_route53_zone" "self" {`
	`2`	`+ name = var.primary_domain_name`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+locals {`
	`2`	`+ s3_origin_id = "blogs3origin"`
	`3`	`+}`