Verified Commit e4c0bca6 authored by doshitan's avatar doshitan

Update to Terraform 0.12

parent 31da43fc
variable "app_name" {}
variable "tld" {}
variable "domain" {}
variable "profile" {}
variable "region" {}
variable "src_bucket" {}
variable "app_name" {
}
variable "tld" {
}
variable "domain" {
}
variable "profile" {
}
variable "region" {
}
variable "src_bucket" {
}
provider "aws" {
alias = "us-east-1"
region = "us-east-1"
profile = "${var.profile}"
profile = var.profile
}
provider "aws" {
alias = "main"
region = "${var.region}"
profile = "${var.profile}"
region = var.region
profile = var.profile
}
# Content
resource "aws_s3_bucket" "site" {
provider = "aws.main"
provider = aws.main
bucket = "${var.src_bucket}"
bucket = var.src_bucket
acl = "public-read"
policy = <<POLICY
......@@ -41,6 +52,7 @@ resource "aws_s3_bucket" "site" {
}
POLICY
website {
index_document = "index.html"
}
......@@ -50,27 +62,27 @@ POLICY
allowed_headers = ["*"]
allowed_methods = ["GET"]
allowed_origins = ["https://doshitan.com"]
expose_headers = ["ETag"]
expose_headers = ["ETag"]
max_age_seconds = 3600
}
tags {
"project" = "${var.domain}"
tags = {
"project" = var.domain
}
}
resource "aws_s3_bucket" "www" {
provider = "aws.main"
provider = aws.main
bucket = "www.${var.domain}"
acl = "public-read"
acl = "public-read"
website {
redirect_all_requests_to = "https://${var.domain}"
}
tags {
"project" = "${var.domain}"
tags = {
"project" = var.domain
}
}
......@@ -93,46 +105,46 @@ resource "aws_s3_bucket" "www" {
# })
data "aws_acm_certificate" "domain" {
provider = "aws.us-east-1"
provider = aws.us-east-1
domain = "${var.domain}"
types = ["AMAZON_ISSUED"]
domain = var.domain
types = ["AMAZON_ISSUED"]
most_recent = true
}
# CDN
resource "aws_cloudfront_distribution" "site_distribution" {
provider = "aws.main"
provider = aws.main
origin {
domain_name = "${aws_s3_bucket.site.website_endpoint}"
origin_id = "${aws_s3_bucket.site.id}"
domain_name = aws_s3_bucket.site.website_endpoint
origin_id = aws_s3_bucket.site.id
custom_origin_config {
http_port = 80
https_port = 443
http_port = 80
https_port = 443
origin_protocol_policy = "http-only"
origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"]
origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"]
}
}
enabled = true
is_ipv6_enabled = true
http_version = "http2"
enabled = true
is_ipv6_enabled = true
http_version = "http2"
default_root_object = "index.html"
aliases = ["${var.domain}"]
price_class = "PriceClass_100"
retain_on_delete = true
aliases = [var.domain]
price_class = "PriceClass_100"
retain_on_delete = true
default_cache_behavior {
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
target_origin_id = "${aws_s3_bucket.site.id}"
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
target_origin_id = aws_s3_bucket.site.id
forwarded_values {
query_string = false
headers = ["Origin"]
headers = ["Origin"]
cookies {
forward = "none"
......@@ -140,14 +152,14 @@ resource "aws_cloudfront_distribution" "site_distribution" {
}
viewer_protocol_policy = "redirect-to-https"
min_ttl = 0
default_ttl = 31536000
max_ttl = 31536000
compress = true
min_ttl = 0
default_ttl = 31536000
max_ttl = 31536000
compress = true
lambda_function_association {
event_type = "viewer-response"
lambda_arn = "${aws_lambda_function.cloudfront.qualified_arn}"
lambda_arn = aws_lambda_function.cloudfront.qualified_arn
}
}
......@@ -155,9 +167,9 @@ resource "aws_cloudfront_distribution" "site_distribution" {
# TODO: use resource to generate this
# acm_certificate_arn = "${aws_acm_certificate.cert.arn}"
# acm_certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}"
acm_certificate_arn = "${data.aws_acm_certificate.domain.arn}"
acm_certificate_arn = data.aws_acm_certificate.domain.arn
ssl_support_method = "sni-only"
ssl_support_method = "sni-only"
minimum_protocol_version = "TLSv1.2_2018"
}
......@@ -167,125 +179,125 @@ resource "aws_cloudfront_distribution" "site_distribution" {
}
}
tags {
"project" = "${var.domain}"
tags = {
"project" = var.domain
}
}
# DNS
resource "aws_route53_zone" "tld" {
provider = "aws.main"
provider = aws.main
name = "${var.tld}"
name = var.tld
tags {
"project" = "${var.domain}"
tags = {
"project" = var.domain
}
}
resource "aws_route53_record" "root_v4" {
provider = "aws.main"
provider = aws.main
zone_id = "${aws_route53_zone.tld.zone_id}"
name = "${var.domain}"
type = "A"
zone_id = aws_route53_zone.tld.zone_id
name = var.domain
type = "A"
alias {
name = "${aws_cloudfront_distribution.site_distribution.domain_name}"
zone_id = "${aws_cloudfront_distribution.site_distribution.hosted_zone_id}"
name = aws_cloudfront_distribution.site_distribution.domain_name
zone_id = aws_cloudfront_distribution.site_distribution.hosted_zone_id
evaluate_target_health = false
}
}
resource "aws_route53_record" "root_v6" {
provider = "aws.main"
provider = aws.main
zone_id = "${aws_route53_zone.tld.zone_id}"
name = "${var.domain}"
type = "AAAA"
zone_id = aws_route53_zone.tld.zone_id
name = var.domain
type = "AAAA"
alias {
name = "${aws_cloudfront_distribution.site_distribution.domain_name}"
zone_id = "${aws_cloudfront_distribution.site_distribution.hosted_zone_id}"
name = aws_cloudfront_distribution.site_distribution.domain_name
zone_id = aws_cloudfront_distribution.site_distribution.hosted_zone_id
evaluate_target_health = false
}
}
resource "aws_route53_record" "www_v4" {
provider = "aws.main"
provider = aws.main
zone_id = "${aws_route53_zone.tld.zone_id}"
name = "www.${var.domain}"
type = "A"
zone_id = aws_route53_zone.tld.zone_id
name = "www.${var.domain}"
type = "A"
alias {
name = "${aws_s3_bucket.www.website_domain}"
zone_id = "${aws_s3_bucket.www.hosted_zone_id}"
name = aws_s3_bucket.www.website_domain
zone_id = aws_s3_bucket.www.hosted_zone_id
evaluate_target_health = false
}
}
resource "aws_route53_record" "www_v6" {
provider = "aws.main"
provider = aws.main
zone_id = "${aws_route53_zone.tld.zone_id}"
name = "www.${var.domain}"
type = "AAAA"
zone_id = aws_route53_zone.tld.zone_id
name = "www.${var.domain}"
type = "AAAA"
alias {
name = "${aws_s3_bucket.www.website_domain}"
zone_id = "${aws_s3_bucket.www.hosted_zone_id}"
name = aws_s3_bucket.www.website_domain
zone_id = aws_s3_bucket.www.hosted_zone_id
evaluate_target_health = false
}
}
resource "aws_route53_record" "caa" {
provider = "aws.main"
provider = aws.main
zone_id = "${aws_route53_zone.tld.zone_id}"
name = "${var.domain}"
type = "CAA"
ttl = "300"
zone_id = aws_route53_zone.tld.zone_id
name = var.domain
type = "CAA"
ttl = "300"
# https://sslmate.com/caa/ is helpful
records = [
"0 issue \"amazon.com\""
"0 issue \"amazon.com\"",
]
}
# Lambda
data "archive_file" "cloudfront" {
type = "zip"
type = "zip"
output_path = "${path.module}/.zip/cloudfront.zip"
source {
filename = "lambda.js"
content = "${file("${path.module}/lambda.js")}"
content = file("${path.module}/lambda.js")
}
}
resource "aws_lambda_function" "cloudfront" {
provider = "aws.us-east-1"
function_name = "${var.app_name}-cloudfront"
filename = "${data.archive_file.cloudfront.output_path}"
source_code_hash = "${data.archive_file.cloudfront.output_base64sha256}"
role = "${aws_iam_role.cloudfront_lambda.arn}"
runtime = "nodejs10.x"
handler = "lambda.handler"
memory_size = 128
timeout = 3
publish = true
provider = aws.us-east-1
function_name = "${var.app_name}-cloudfront"
filename = data.archive_file.cloudfront.output_path
source_code_hash = data.archive_file.cloudfront.output_base64sha256
role = aws_iam_role.cloudfront_lambda.arn
runtime = "nodejs10.x"
handler = "lambda.handler"
memory_size = 128
timeout = 3
publish = true
}
data "aws_iam_policy_document" "edge_lambda" {
provider = "aws.main"
provider = aws.main
statement {
actions = ["sts:AssumeRole"]
......@@ -302,15 +314,15 @@ data "aws_iam_policy_document" "edge_lambda" {
}
resource "aws_iam_role" "cloudfront_lambda" {
provider = "aws.main"
provider = aws.main
name_prefix = "${var.app_name}"
assume_role_policy = "${data.aws_iam_policy_document.edge_lambda.json}"
name_prefix = var.app_name
assume_role_policy = data.aws_iam_policy_document.edge_lambda.json
}
resource "aws_iam_role_policy_attachment" "basic" {
provider = "aws.main"
provider = aws.main
role = "${aws_iam_role.cloudfront_lambda.name}"
role = aws_iam_role.cloudfront_lambda.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}
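Review bot: The CORS rule `allowed_origins = ["https://doshitan.com"]` in hunk `@@ -50,27 +62,27 @@` hard-codes the site host while every other reference in this commit was converted to `var.domain`, so a deployment with a different `domain` value would silently stop matching browser Origin headers; the line should read `allowed_origins = ["https://${var.domain}"]` (0.12 still uses interpolation inside a concatenated string). The enclosing `aws_s3_bucket.site` resource starts before that hunk, so the rest of its CORS block is not visible here. Separately, `origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"]` in `custom_origin_config` is inert because `origin_protocol_policy = "http-only"` means CloudFront never negotiates TLS with the S3 website endpoint; reducing it to `["TLSv1.2"]` avoids a reader assuming the origin leg accepts legacy protocols. A comment such as `# origin leg is plaintext HTTP: S3 website endpoints do not serve TLS` on that block would make the trade-off explicit, since the viewer side is already held to `TLSv1.2_2018`.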
terraform {
required_version = ">= 0.12"
}
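Review bot: `required_version = ">= 0.12"` is open-ended and the block pins nothing for the aws provider, so a later `terraform init` can pull a newer major provider whose resource schema differs from what this commit was migrated against. Consider `required_version = "~> 0.12"` plus a `required_providers { aws = "~> <tested-provider-version>" }` entry in the same `terraform` block so that provider upgrades are a deliberate change rather than an implicit one.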
......@@ -23,7 +23,7 @@ in
# for development
cabal-install
# for infra/
pkgs.terraform
pkgs.terraform_0_12
# for font make targets
pkgs.unzip pkgs.curl
# misc. tools