diff --git a/layers/services/00-backend.tf b/layers/services/00-backend.tf deleted file mode 100644 index f625713..0000000 --- a/layers/services/00-backend.tf +++ /dev/null @@ -1,22 +0,0 @@ -# Copyright 2025 Ippon Technologies -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -terraform { - backend "s3" { - key = "infrastructure/eu-west-3/services/terraform.tfstate" - use_lockfile = true - } -} diff --git a/layers/services/00-providers.tf b/layers/services/00-providers.tf deleted file mode 100644 index 60743fb..0000000 --- a/layers/services/00-providers.tf +++ /dev/null 
@@ -1,39 +0,0 @@ -# Copyright 2025 Ippon Technologies -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -provider "aws" { - default_tags { - tags = { - namespace = var.namespace - project_type = var.project_type - project = var.project_name - environment = var.environment - } - } -} - -provider "aws" { - alias = "cloudfront" - region = "us-east-1" - default_tags { - tags = { - namespace = var.namespace - project_type = var.project_type - project = var.project_name - environment = var.environment - } - } -} diff --git a/layers/services/00-versions.tf b/layers/services/00-versions.tf deleted file mode 100644 index 5b025c5..0000000 --- a/layers/services/00-versions.tf +++ /dev/null 
@@ -1,26 +0,0 @@ -# Copyright 2025 Ippon Technologies -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -terraform { - required_version = "~> 1.0" - - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 5.0" - } - } -} diff --git a/layers/services/20-ecs-variables.tf b/layers/services/20-ecs-variables.tf deleted file mode 100644 index 290f663..0000000 --- a/layers/services/20-ecs-variables.tf +++ /dev/null @@ -1,25 +0,0 @@ -# Copyright 2025 Ippon Technologies -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -variable "container_insight_setting_value" { - type = string - description = "Container insight value." -} - -variable "capacity_provider" { - type = string - description = "Capacity of the provider" -} diff --git a/layers/services/30-parameters-variables.tf b/layers/services/30-parameters-variables.tf deleted file mode 100644 index e0f79d4..0000000 
--- a/layers/services/30-parameters-variables.tf +++ /dev/null @@ -1,26 +0,0 @@ -# Copyright 2025 Ippon Technologies -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -variable "parameters_list" { - type = list(string) - description = "List of parameters (name only) used in Iroco" - default = [ - "clerk_audience", - "clerk_issuer", - "clerk_public_key", - "clerk_publishable_key" - ] -} diff --git a/layers/services/40-ses-variables.tf b/layers/services/40-ses-variables.tf deleted file mode 100644 index 4c18f8f..0000000 --- a/layers/services/40-ses-variables.tf +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright 2025 Ippon Technologies -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -variable "email_addresses" { - default = [] - type = list(string) - description = "List of email addresses to be used by SES to send emails to Iroco's responsibles" -} 
diff --git a/layers/services/50-cloudfront-certs.tf b/layers/services/50-cloudfront-certs.tf deleted file mode 100644 index 532f459..0000000 --- a/layers/services/50-cloudfront-certs.tf +++ /dev/null @@ -1,50 +0,0 @@ -# Copyright 2025 Ippon Technologies -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -resource "aws_acm_certificate" "cert" { - provider = aws.cloudfront - domain_name = local.domain_name - validation_method = "DNS" - - lifecycle { - create_before_destroy = true - } -} - -resource "aws_route53_record" "cert_cname" { - provider = aws.cloudfront - for_each = { - for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => { - name = dvo.resource_record_name - record = dvo.resource_record_value - type = dvo.resource_record_type - } - } - - allow_overwrite = true - name = each.value.name - records = [each.value.record] - ttl = 60 - type = each.value.type - zone_id = data.aws_route53_zone.selected.zone_id -} - - -resource "aws_acm_certificate_validation" "acm_cert_validation" { - provider = aws.cloudfront - certificate_arn = aws_acm_certificate.cert.arn - validation_record_fqdns = [for record in aws_route53_record.cert_cname : record.fqdn] -} diff --git a/layers/services/50-cloudfront-datasources.tf b/layers/services/50-cloudfront-datasources.tf deleted file mode 100644 index 68aa876..0000000 --- a/layers/services/50-cloudfront-datasources.tf +++ /dev/null 
@@ -1,19 +0,0 @@ -# Copyright 2025 Ippon Technologies -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -data "aws_route53_zone" "selected" { - name = var.zone_name -} diff --git a/layers/services/50-cloudfront-parameters.tf b/layers/services/50-cloudfront-parameters.tf deleted file mode 100644 index fc84fb6..0000000 --- a/layers/services/50-cloudfront-parameters.tf +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright 2025 Ippon Technologies -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -resource "aws_ssm_parameter" "cloudfront_bucket_id" { - name = upper("/${var.namespace}/${var.environment}/PARAMETERS/FRONTEND/CLOUDFRONT_BUCKET_ID") - type = "SecureString" - value = aws_s3_bucket.bucket.id -} - -resource "aws_ssm_parameter" "cloudfront_distribution_id" { - name = upper("/${var.namespace}/${var.environment}/PARAMETERS/FRONTEND/CLOUDFRONT_DISTRIBUTION_ID") - type = "SecureString" - value = aws_cloudfront_distribution.s3_distribution.id -} \ No newline at end of file diff --git a/layers/services/50-cloudfront.tf b/layers/services/50-cloudfront.tf deleted file mode 100644 index 9504cfc..0000000 --- a/layers/services/50-cloudfront.tf +++ /dev/null 
@@ -1,116 +0,0 @@ -# Copyright 2025 Ippon Technologies -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -resource "aws_cloudfront_origin_access_control" "cloudfront_oac" { - provider = aws.cloudfront - name = "${var.namespace}-${var.environment}-frontend" - description = "cloudfront irocal access policy" - origin_access_control_origin_type = "s3" - signing_behavior = "always" - signing_protocol = "sigv4" -} - -resource "aws_cloudfront_distribution" "s3_distribution" { - provider = aws.cloudfront - origin { - domain_name = aws_s3_bucket.bucket.bucket_regional_domain_name - origin_id = "S3-bucket" - origin_access_control_id = aws_cloudfront_origin_access_control.cloudfront_oac.id - } - - enabled = true - default_root_object = "index.html" - - aliases = [local.domain_name] - - default_cache_behavior { - allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] - cached_methods = ["GET", "HEAD"] - target_origin_id = "S3-bucket" - - forwarded_values { - query_string = false - cookies { - forward = "none" - } - } - - viewer_protocol_policy = "redirect-to-https" - min_ttl = 0 - default_ttl = 3600 - max_ttl = 86400 - } - - custom_error_response { - error_code = 403 - response_code = 200 - response_page_path = "/index.html" - } - - - restrictions { - geo_restriction { - restriction_type = "none" - } - } - - viewer_certificate { - acm_certificate_arn = 
aws_acm_certificate_validation.acm_cert_validation.certificate_arn - ssl_support_method = "sni-only" - } -} - -resource "aws_s3_bucket" "bucket" { - provider = aws.cloudfront - bucket = "${var.namespace}-cloudfront-${var.environment}-bucket" -} - -resource "aws_s3_bucket_cors_configuration" "cors" { - provider = aws.cloudfront - bucket = aws_s3_bucket.bucket.bucket - cors_rule { - allowed_headers = ["*"] - allowed_methods = ["GET", "POST"] - allowed_origins = ["*"] - max_age_seconds = 3000 - } -} - -resource "aws_s3_bucket_policy" "bucket_policy" { - provider = aws.cloudfront - bucket = aws_s3_bucket.bucket.bucket - policy = data.aws_iam_policy_document.s3_policy.json -} - -data "aws_iam_policy_document" "s3_policy" { - provider = aws.cloudfront - statement { - sid = "AllowCloudFrontServicePrincipal" - effect = "Allow" - actions = ["s3:GetObject"] - resources = ["arn:aws:s3:::${aws_s3_bucket.bucket.bucket}/*"] - principals { - type = "Service" - identifiers = ["cloudfront.amazonaws.com"] - } - - condition { - test = "StringEquals" - variable = "AWS:SourceArn" - values = [aws_cloudfront_distribution.s3_distribution.arn] - } - } -} diff --git a/layers/services/tfvars/env.tfvars.example b/layers/services/tfvars/env.tfvars.example deleted file mode 100644 index d853e25..0000000 --- a/layers/services/tfvars/env.tfvars.example +++ /dev/null @@ -1,3 +0,0 @@ -## ---------------------- ECS ---------------------------------- -container_insight_setting_value = "disabled" -capacity_provider = "FARGATE_SPOT" diff --git a/main.tf b/main.tf index fe342fc..0dd4152 100644 --- a/main.tf +++ b/main.tf @@ -1,8 +1,9 @@ module "network" { source = "./modules/network" - environment = var.environment - aws_region = var.aws_region + project_name = "network" + environment = var.environment + aws_region = var.aws_region cidr = var.cidr private_subnets = var.private_subnets 
@@ -11,3 +12,21 @@ module "network" { subdomain_name = var.subdomain_name zone_name = var.zone_name } + +module "services" { + source = "./modules/services" + + project_name = "services" + environment = var.environment + + container_insight_setting_value = var.container_insight_setting_value + capacity_provider = var.capacity_provider + subdomain_name = var.subdomain_name + zone_name = var.zone_name + email_addresses = var.email_addresses + + providers = { + aws = aws + aws.cloudfront = aws.cloudfront + } +} diff --git a/modules/network/00-variables.tf b/modules/network/00-variables.tf index ab2a3fc..8703f0a 100644 --- a/modules/network/00-variables.tf +++ b/modules/network/00-variables.tf @@ -33,7 +33,6 @@ variable "aws_region" { variable "project_name" { type = string description = "Project's name" - default = "network" } variable "zone_name" { diff --git a/modules/services/00-datasources.tf b/modules/services/00-datasources.tf new file mode 100644 index 0000000..cfc0492 --- /dev/null +++ b/modules/services/00-datasources.tf @@ -0,0 +1,3 @@ +data "aws_route53_zone" "selected" { + name = var.zone_name +} diff --git a/layers/services/00-locals.tf b/modules/services/00-locals.tf similarity index 100% rename from layers/services/00-locals.tf rename to modules/services/00-locals.tf diff --git a/layers/services/00-outputs.tf b/modules/services/00-outputs.tf similarity index 100% rename from layers/services/00-outputs.tf rename to modules/services/00-outputs.tf diff --git a/layers/services/00-variables.tf b/modules/services/00-variables.tf similarity index 68% rename from layers/services/00-variables.tf rename to modules/services/00-variables.tf index e9c0ea6..3e16f52 100644 --- a/layers/services/00-variables.tf +++ b/modules/services/00-variables.tf @@ -14,7 +14,6 @@ # # SPDX-License-Identifier: Apache-2.0 -##################### METADATA ##################### variable "namespace" { type = string description = "The namespace in which the project is." 
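Review bot: Converting the `layers/services` layer into `module "services"` changes the state address of every resource it held (for example `aws_ecs_cluster.main` becomes `module.services.aws_ecs_cluster.main`), and the deleted `layers/services/00-backend.tf` shows that this state lived under its own S3 key, so without a migration the first apply will plan to destroy and recreate the ECR repositories, ECS cluster, certificates, buckets and distributions instead of adopting them. Move the old state into the root state first (`terraform state mv` with `-state`/`-state-out`, or `terraform import` of each resource) and cover the in-module renames with `moved` blocks — `example` → `cluster_capacity` in `modules/services/20-ecs.tf` and `example_validation_docs` / `example_domain_a_docs` in `modules/services/50-cloudfront-certs.tf` — rather than letting them be recreated. The module's resources use `provider = aws.cloudfront`, which this block passes in `providers`, but nothing replaces the deleted `layers/services/00-versions.tf`; Terraform requires a child module to declare an alias it receives, so add a `versions.tf` under `modules/services` with `required_providers { aws = { source = "hashicorp/aws", version = "~> 5.0", configuration_aliases = [aws.cloudfront] } }`. The call also passes no `namespace`, although the module interpolates `var.namespace` into bucket names, OAC names and SSM paths; unless that variable has a default outside this hunk, `plan` will fail, and if it does, passing `var.namespace` explicitly keeps both modules on the same value.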
@@ -29,13 +28,6 @@ variable "environment" { variable "project_name" { type = string description = "Project's name" - default = "services" -} - -variable "project_type" { - type = string - description = "The type of project." - default = "infrastructure" } variable "zone_name" { @@ -47,3 +39,30 @@ variable "subdomain_name" { type = string description = "The subdomain that will be prefixed to the zone name to create the final domain name. Example : `iroco2` => iroco2.test.yourdomain.com" } + +variable "container_insight_setting_value" { + type = string + description = "Container insight value." +} + +variable "capacity_provider" { + type = string + description = "Capacity of the provider" +} + +variable "parameters_list" { + type = list(string) + description = "List of parameters (name only) used in Iroco" + default = [ + "clerk_audience", + "clerk_issuer", + "clerk_public_key", + "clerk_publishable_key" + ] +} + +variable "email_addresses" { + default = [] + type = list(string) + description = "List of email addresses to be used by SES to send emails to Iroco's responsibles" +} diff --git a/layers/services/10-ecr.tf b/modules/services/10-ecr.tf similarity index 97% rename from layers/services/10-ecr.tf rename to modules/services/10-ecr.tf index ba03d93..5c8327f 100644 --- a/layers/services/10-ecr.tf +++ b/modules/services/10-ecr.tf @@ -60,7 +60,8 @@ resource "aws_ecr_repository" "repository" { } tags = { - Name = each.value + Name = each.value + project = var.project_name } } diff --git a/layers/services/20-ecs.tf b/modules/services/20-ecs.tf similarity index 89% rename from layers/services/20-ecs.tf rename to modules/services/20-ecs.tf index 21c9d6d..010e1d4 100644 --- a/layers/services/20-ecs.tf +++ b/modules/services/20-ecs.tf 
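Review bot: `container_insight_setting_value` and `capacity_provider` are free-form strings whose descriptions (`"Container insight value."`, `"Capacity of the provider"`) do not tell a caller which values are accepted, yet `20-ecs.tf` feeds them straight into the cluster's `containerInsights` setting and its capacity-provider list. Add `validation` blocks restricting them to the values ECS accepts (the `env.tfvars.example` deleted elsewhere in this diff used `"disabled"` and `"FARGATE_SPOT"`) and rewrite the descriptions to name those values, so a typo fails at plan time rather than at apply; if ASG-backed capacity providers with custom names are intended, widen the second check accordingly. `email_addresses` could likewise validate each entry with a `can(regex(...))` check, since it ends up in SES identities.
```hcl
variable "container_insight_setting_value" {
  type        = string
  description = "Value of the ECS cluster `containerInsights` setting: \"enabled\" or \"disabled\"."

  validation {
    condition     = contains(["enabled", "disabled"], var.container_insight_setting_value)
    error_message = "container_insight_setting_value must be \"enabled\" or \"disabled\"."
  }
}

variable "capacity_provider" {
  type        = string
  description = "ECS capacity provider attached to the cluster: \"FARGATE\" or \"FARGATE_SPOT\"."

  validation {
    condition     = contains(["FARGATE", "FARGATE_SPOT"], var.capacity_provider)
    error_message = "capacity_provider must be \"FARGATE\" or \"FARGATE_SPOT\"."
  }
}

# … unchanged: parameters_list, email_addresses …
```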
@@ -22,9 +22,13 @@ resource "aws_ecs_cluster" "main" { name = "containerInsights" value = var.container_insight_setting_value } + + tags = { + project = var.project_name + } } -resource "aws_ecs_cluster_capacity_providers" "example" { +resource "aws_ecs_cluster_capacity_providers" "cluster_capacity" { cluster_name = aws_ecs_cluster.main.name capacity_providers = [var.capacity_provider] diff --git a/layers/services/30-parameters.tf b/modules/services/30-parameters.tf similarity index 95% rename from layers/services/30-parameters.tf rename to modules/services/30-parameters.tf index 4e6fc7b..326bc9b 100644 --- a/layers/services/30-parameters.tf +++ b/modules/services/30-parameters.tf @@ -24,4 +24,8 @@ resource "aws_ssm_parameter" "parameters_list" { lifecycle { ignore_changes = [value] } + + tags = { + project = var.project_name + } } diff --git a/layers/services/40-ses.tf b/modules/services/40-ses.tf similarity index 100% rename from layers/services/40-ses.tf rename to modules/services/40-ses.tf diff --git a/layers/services/60-cloudfront-certs.tf b/modules/services/50-cloudfront-certs.tf similarity index 61% rename from layers/services/60-cloudfront-certs.tf rename to modules/services/50-cloudfront-certs.tf index ed3bee6..e242f6f 100644 --- a/layers/services/60-cloudfront-certs.tf +++ b/modules/services/50-cloudfront-certs.tf 
@@ -14,6 +14,47 @@ # # SPDX-License-Identifier: Apache-2.0 +# Frontend certificate +resource "aws_acm_certificate" "cert" { + provider = aws.cloudfront + domain_name = local.domain_name + validation_method = "DNS" + + lifecycle { + create_before_destroy = true + } + + tags = { + project = var.project_name + } +} + +resource "aws_route53_record" "cert_cname" { + provider = aws.cloudfront + for_each = { + for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => { + name = dvo.resource_record_name + record = dvo.resource_record_value + type = dvo.resource_record_type + } + } + + allow_overwrite = true + name = each.value.name + records = [each.value.record] + ttl = 60 + type = each.value.type + zone_id = data.aws_route53_zone.selected.zone_id +} + + +resource "aws_acm_certificate_validation" "acm_cert_validation" { + provider = aws.cloudfront + certificate_arn = aws_acm_certificate.cert.arn + validation_record_fqdns = [for record in aws_route53_record.cert_cname : record.fqdn] +} + +# Docs certificate resource "aws_acm_certificate" "cert_docs" { provider = aws.cloudfront domain_name = "docs.${local.domain_name}" @@ -22,6 +63,10 @@ resource "aws_acm_certificate" "cert_docs" { lifecycle { create_before_destroy = true } + + tags = { + project = var.project_name + } } resource "aws_route53_record" "cert_cname_docs" { 
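Review bot: The frontend certificate block creates only the DNS-validation CNAMEs for `local.domain_name`; unlike the docs section, which has `aws_route53_record.domain_a_docs` pointing `docs.${local.domain_name}` at its distribution, no alias record for `local.domain_name` is visible anywhere in this diff, although `aws_cloudfront_distribution.s3_distribution` declares `aliases = [local.domain_name]`. If that record is defined in a file this diff does not touch, a comment here such as `# The apex alias record for local.domain_name lives in <FILE>` saves the next reader the search; if it is not, the distribution is unreachable by its alias and an `aws_route53_record` of type A with an `alias` block mirroring `domain_a_docs` is needed. `allow_overwrite = true` on `cert_cname` follows the documented ACM validation pattern but will silently replace any existing record of the same name in the zone, which deserves a one-line comment stating that this is intended.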
@@ -42,14 +87,13 @@ resource "aws_route53_record" "cert_cname_docs" { zone_id = data.aws_route53_zone.selected.zone_id } - -resource "aws_acm_certificate_validation" "example_validation_docs" { +resource "aws_acm_certificate_validation" "validation_docs" { provider = aws.cloudfront certificate_arn = aws_acm_certificate.cert_docs.arn validation_record_fqdns = [for record in aws_route53_record.cert_cname_docs : record.fqdn] } -resource "aws_route53_record" "example_domain_a_docs" { +resource "aws_route53_record" "domain_a_docs" { provider = aws.cloudfront zone_id = data.aws_route53_zone.selected.zone_id name = "docs.${local.domain_name}" diff --git a/layers/services/60-cloudfront-docs-parameters.tf b/modules/services/50-cloudfront-parameters.tf similarity index 61% rename from layers/services/60-cloudfront-docs-parameters.tf rename to modules/services/50-cloudfront-parameters.tf index c582b2f..2a35b6d 100644 --- a/layers/services/60-cloudfront-docs-parameters.tf +++ b/modules/services/50-cloudfront-parameters.tf 
@@ -14,14 +14,44 @@ # # SPDX-License-Identifier: Apache-2.0 +# Frontend SSM parameters +resource "aws_ssm_parameter" "cloudfront_bucket_id" { + name = upper("/${var.namespace}/${var.environment}/PARAMETERS/FRONTEND/CLOUDFRONT_BUCKET_ID") + type = "SecureString" + value = aws_s3_bucket.bucket.id + + tags = { + project = var.project_name + } +} + +resource "aws_ssm_parameter" "cloudfront_distribution_id" { + name = upper("/${var.namespace}/${var.environment}/PARAMETERS/FRONTEND/CLOUDFRONT_DISTRIBUTION_ID") + type = "SecureString" + value = aws_cloudfront_distribution.s3_distribution.id + + tags = { + project = var.project_name + } +} + +# Docs SSM parameters resource "aws_ssm_parameter" "docs_cloudfront_bucket_id" { name = upper("/${var.namespace}/${var.environment}/PARAMETERS/FRONTEND/DOCUMENTATION_CLOUDFRONT_BUCKET_ID") type = "SecureString" value = aws_s3_bucket.docs_bucket.id + + tags = { + project = var.project_name + } } resource "aws_ssm_parameter" "docs_cloudfront_distribution_id" { name = upper("/${var.namespace}/${var.environment}/PARAMETERS/FRONTEND/DOCUMENTATION_CLOUDFRONT_DISTRIBUTION_ID") type = "SecureString" value = aws_cloudfront_distribution.docs_distribution.id -} \ No newline at end of file + + tags = { + project = var.project_name + } +} diff --git a/layers/services/60-cloudfront-docs.tf b/modules/services/50-cloudfront.tf similarity index 52% rename from layers/services/60-cloudfront-docs.tf rename to modules/services/50-cloudfront.tf index 6b1bbe8..49bcfd7 100644 --- a/layers/services/60-cloudfront-docs.tf +++ b/modules/services/50-cloudfront.tf 
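Review bot: The four `aws_ssm_parameter` resources store bucket and distribution identifiers with `type = "SecureString"` and no `key_id`, so they are encrypted under the account's default `aws/ssm` managed key and every consumer needs `kms:Decrypt` on it, although the values are resource IDs rather than secrets. Either use `type = "String"` for these identifiers, or, if SecureString is deliberate (for example to keep one parameter type across the namespace), set `key_id` to a customer-managed key so read access is governed by the key policy, and add a comment stating the intent. Unlike the bucket and distribution they reference, these parameters are not pinned to `aws.cloudfront` and therefore land in the default provider's region; that looks intentional for eu-west-3 consumers but is worth a comment, since a reader following `value = aws_s3_bucket.bucket.id` will expect them next to the bucket.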
@@ -14,6 +14,119 @@ # # SPDX-License-Identifier: Apache-2.0 +# Frontend CloudFront distribution +resource "aws_cloudfront_origin_access_control" "cloudfront_oac" { + provider = aws.cloudfront + name = "${var.namespace}-${var.environment}-frontend" + description = "cloudfront irocal access policy" + origin_access_control_origin_type = "s3" + signing_behavior = "always" + signing_protocol = "sigv4" +} + +resource "aws_cloudfront_distribution" "s3_distribution" { + provider = aws.cloudfront + origin { + domain_name = aws_s3_bucket.bucket.bucket_regional_domain_name + origin_id = "S3-bucket" + origin_access_control_id = aws_cloudfront_origin_access_control.cloudfront_oac.id + } + + enabled = true + default_root_object = "index.html" + + aliases = [local.domain_name] + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = "S3-bucket" + + forwarded_values { + query_string = false + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "redirect-to-https" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + custom_error_response { + error_code = 403 + response_code = 200 + response_page_path = "/index.html" + } + + + restrictions { + geo_restriction { + restriction_type = "none" + } + } + + viewer_certificate { + acm_certificate_arn = aws_acm_certificate_validation.acm_cert_validation.certificate_arn + ssl_support_method = "sni-only" + } + + tags = { + Environment = var.environment + Name = "${var.namespace}-${var.environment}-s3-cloudfront" + project = var.project_name + } +} + +resource "aws_s3_bucket" "bucket" { + provider = aws.cloudfront + bucket = "${var.namespace}-cloudfront-${var.environment}-bucket" + + tags = { + project = var.project_name + } +} + +resource "aws_s3_bucket_cors_configuration" "cors" { + provider = aws.cloudfront + bucket = aws_s3_bucket.bucket.bucket + cors_rule { + allowed_headers = ["*"] + allowed_methods = ["GET", 
"POST"] + allowed_origins = ["*"] + max_age_seconds = 3000 + } +} + +resource "aws_s3_bucket_policy" "bucket_policy" { + provider = aws.cloudfront + bucket = aws_s3_bucket.bucket.bucket + policy = data.aws_iam_policy_document.s3_policy.json +} + +data "aws_iam_policy_document" "s3_policy" { + provider = aws.cloudfront + statement { + sid = "AllowCloudFrontServicePrincipal" + effect = "Allow" + actions = ["s3:GetObject"] + resources = ["arn:aws:s3:::${aws_s3_bucket.bucket.bucket}/*"] + principals { + type = "Service" + identifiers = ["cloudfront.amazonaws.com"] + } + + condition { + test = "StringEquals" + variable = "AWS:SourceArn" + values = [aws_cloudfront_distribution.s3_distribution.arn] + } + } +} + +# Docs CloudFront distribution resource "aws_cloudfront_origin_access_control" "docs" { provider = aws.cloudfront name = "${var.namespace}-${var.environment}-docs" @@ -74,19 +187,24 @@ resource "aws_cloudfront_distribution" "docs_distribution" { } viewer_certificate { - acm_certificate_arn = aws_acm_certificate_validation.example_validation_docs.certificate_arn + acm_certificate_arn = aws_acm_certificate_validation.validation_docs.certificate_arn ssl_support_method = "sni-only" } tags = { Environment = var.environment Name = "${var.namespace}-${var.environment}-docs" + project = var.project_name } } resource "aws_s3_bucket" "docs_bucket" { provider = aws.cloudfront bucket = "${var.namespace}-cloudfront-docs-${var.environment}-bucket" + + tags = { + project = var.project_name + } } resource "aws_s3_bucket_cors_configuration" "docs" { diff --git a/providers.tf b/providers.tf index bb22ca8..c0ebcf3 100644 --- a/providers.tf +++ b/providers.tf @@ -23,3 +23,16 @@ provider "aws" { } } } + +provider "aws" { + alias = "cloudfront" + region = "us-east-1" + + default_tags { + tags = { + namespace = var.namespace + project_type = var.project_type + environment = var.environment + } + } +} diff --git a/variables.tf b/variables.tf index a84af0e..24565b4 100644 
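Review bot: The frontend distribution's `viewer_certificate` sets `ssl_support_method = "sni-only"` but no `minimum_protocol_version`, which leaves the provider default of TLSv1 in force for viewer connections; add `minimum_protocol_version = "TLSv1.2_2021"`. `default_cache_behavior` allows `DELETE`, `PATCH`, `POST` and `PUT` toward a static S3 origin whose bucket policy grants only `s3:GetObject`, so those methods can never succeed and should be narrowed to `allowed_methods = ["GET", "HEAD", "OPTIONS"]`; the bucket `cors_rule` with `allowed_origins = ["*"]` and `POST` looks wider than a static site needs for the same reason. `aws_s3_bucket.bucket` is created with no `aws_s3_bucket_public_access_block`, server-side-encryption or versioning resource beside it — if they exist in a file this diff does not touch, a comment pointing to them would help, otherwise they belong next to the bucket. `forwarded_values` is the legacy cache configuration; a `cache_policy_id` referencing a managed policy is the current form. The docs section of this file, outside this hunk, likely carries the same settings and should be reviewed together.
```hcl
  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate_validation.acm_cert_validation.certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
  # … unchanged: tags …
}

# … unchanged: aws_s3_bucket.bucket …

resource "aws_s3_bucket_public_access_block" "bucket" {
  provider = aws.cloudfront
  bucket   = aws_s3_bucket.bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```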
--- a/variables.tf
+++ b/variables.tf
@@ -79,3 +79,20 @@ variable "single_nat_gateway" {
 type = bool
 default = false
 }
+
+## ---------------------- SERVICES ------------------------------
+variable "container_insight_setting_value" {
+ type = string
+ description = "Container insight value."
+}
+
+variable "capacity_provider" {
+ type = string
+ description = "Capacity of the provider"
+}
+
+variable "email_addresses" {
+ default = []
+ type = list(string)
+ description = "List of email addresses to be used by SES to send emails to Iroco's responsibles"
+}