# Cloud items required for the retriever proof of concept.
# https://github.com/redhatcloudx/cloud-image-retriever
locals {
  # Origin identifier shared by the distribution's origin block and its
  # default cache behavior (target_origin_id).
  s3_origin_id = "retriever-poc"
  # Public hostname for the distribution; also the ACM certificate's
  # domain_name and the name of the A and MX records below.
  imagedirectory_domain = "imagedirectory.cloud"
}
# Set up an access identity for CloudFront. We use this in the S3 bucket policy so
# CloudFront can read our private bucket content.
# Legacy origin access identity (OAI). NOTE(review): AWS recommends origin
# access control (aws_cloudfront_origin_access_control) over OAI for new S3
# origins; migrating would also require changing the bucket policy, which is
# not in this file.
resource "aws_cloudfront_origin_access_identity" "retriever_poc" {
  # Informational only; the bucket itself is declared elsewhere.
  comment = "Access identity for CF to access private S3 bucket ${aws_s3_bucket.cloudx_json_bucket.id}"
}
# Provision an automatically renewing certificate for the CloudFront
# distribution.
# Certificate for the apex name only (no subject alternative names), validated
# via the Route 53 records below. NOTE(review): CloudFront only accepts ACM
# certificates issued in us-east-1; this resource sets no provider alias, so
# confirm the default provider targets that region.
resource "aws_acm_certificate" "retriever_poc" {
  domain_name       = local.imagedirectory_domain
  validation_method = "DNS"

  # Issue the replacement before destroying the old certificate so the
  # distribution never points at a deleted ARN during rotation.
  lifecycle {
    create_before_destroy = true
  }
}
# Validate the certificate by creating a DNS record in Route 53.
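# Validate the certificate by creating the CNAME records ACM asks for, one per
# domain_validation_options entry (a single apex name here). Leaving these
# records in place is what allows ACM to renew the certificate automatically.
resource "aws_route53_record" "retriever_poc" {
  for_each = {
    for dvo in aws_acm_certificate.retriever_poc.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  # ACM can hand back a validation name that already exists in the zone;
  # overwrite it instead of failing the apply.
  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.imagedirectory_cloud.zone_id
}

# Wait until ACM has seen the validation records and issued the certificate.
# Referencing aws_acm_certificate.retriever_poc.arn directly does not wait for
# issuance, so a first apply can try to attach a certificate that is still
# pending validation and fail. Resources that need an issued certificate should
# reference aws_acm_certificate_validation.retriever_poc.certificate_arn.
resource "aws_acm_certificate_validation" "retriever_poc" {
  certificate_arn         = aws_acm_certificate.retriever_poc.arn
  validation_record_fqdns = [for record in aws_route53_record.retriever_poc : record.fqdn]
}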
# Look up the AWS SimpleCORS policy.
# Look up the AWS-managed "SimpleCORS" response headers policy. It permits
# simple cross-origin requests from any origin, which is what the TODO in the
# distribution's default cache behavior refers to.
data "aws_cloudfront_response_headers_policy" "simple_cors_policy" {
  name = "Managed-SimpleCORS"
}
# Set up the CloudFront distribution.
# Set up the CloudFront distribution: a single private S3 origin reached
# through the OAI above, served at local.imagedirectory_domain over HTTPS.
resource "aws_cloudfront_distribution" "retriever_poc" {
  origin {
    # Regional endpoint; the bucket is private and readable only via the OAI.
    domain_name = aws_s3_bucket.cloudx_json_bucket.bucket_regional_domain_name
    origin_id   = local.s3_origin_id
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.retriever_poc.cloudfront_access_identity_path
    }
  }

  enabled             = true
  is_ipv6_enabled     = true
  comment             = "Retriever proof of concept"
  default_root_object = "index.html"

  # NOTE(review): access logs are written into the same bucket that serves as
  # the origin, under "logs/". If the bucket policy (not in this file) grants
  # the OAI read access to the whole bucket, viewer IPs and request paths in
  # those logs become fetchable through this distribution at /logs/... — a
  # dedicated logging bucket avoids that. Standard logging also requires ACLs
  # to be enabled on the target bucket; confirm the bucket's object ownership
  # setting allows it.
  logging_config {
    include_cookies = false
    bucket          = aws_s3_bucket.cloudx_json_bucket.bucket_domain_name
    prefix          = "logs"
  }

  aliases = [local.imagedirectory_domain]

  default_cache_behavior {
    # Read-only: no PUT/POST/DELETE reach the origin.
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = local.s3_origin_id

    # Legacy settings block. NOTE(review): AWS recommends cache_policy_id /
    # origin_request_policy_id over forwarded_values for new distributions;
    # behavior here is "cache on path only" (no query string, no cookies).
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    # Use the SimpleCORS policy from AWS that allows all origins to access the data.
    # TODO(mhayden): We might want to adjust this later to something more limited.
    response_headers_policy_id = data.aws_cloudfront_response_headers_policy.simple_cors_policy.id

    # TTLs in seconds: objects without cache headers stay cached for 24h,
    # never longer than one year.
    min_ttl                = 0
    default_ttl            = 86400
    max_ttl                = 31536000
    compress               = true
    viewer_protocol_policy = "redirect-to-https"
  }

  # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PriceClass.html
  price_class = "PriceClass_100"

  restrictions {
    geo_restriction {
      restriction_type = "none"
      locations        = []
    }
  }

  # Custom certificate via SNI; TLSv1.2_2021 is the current strongest
  # CloudFront security policy and refuses TLS 1.0/1.1 and legacy ciphers.
  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate.retriever_poc.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }

  # Rewrite origin 404s to a 200 with /index.html, cached for 5 minutes.
  # NOTE(review): clients fetching JSON at a wrong path will receive HTTP 200
  # with HTML rather than an error, so they cannot detect a missing object.
  # Also, when the OAI lacks s3:ListBucket, S3 returns 403 (not 404) for a
  # missing key, in which case this rule would not match — verify against the
  # bucket policy.
  custom_error_response {
    error_caching_min_ttl = 300
    error_code            = 404
    response_code         = 200
    response_page_path    = "/index.html"
  }
}
# Add a DNS record for the CloudFront distribution.
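# Alias the apex name to the CloudFront distribution. Alias records carry no
# TTL of their own; Route 53 answers with the distribution's addresses.
resource "aws_route53_record" "imagedirectory_frontend" {
  zone_id = data.aws_route53_zone.imagedirectory_cloud.zone_id
  name    = local.imagedirectory_domain
  type    = "A"

  lifecycle {
    create_before_destroy = true
  }

  alias {
    name    = aws_cloudfront_distribution.retriever_poc.domain_name
    zone_id = aws_cloudfront_distribution.retriever_poc.hosted_zone_id
    # Health evaluation is not supported for CloudFront alias targets.
    evaluate_target_health = false
  }
}

# The distribution has is_ipv6_enabled = true, but an A alias alone leaves
# IPv6-only clients unable to resolve the name. Publish the matching AAAA alias
# so the IPv6 path is actually reachable.
resource "aws_route53_record" "imagedirectory_frontend_ipv6" {
  zone_id = data.aws_route53_zone.imagedirectory_cloud.zone_id
  name    = local.imagedirectory_domain
  type    = "AAAA"

  lifecycle {
    create_before_destroy = true
  }

  alias {
    name                   = aws_cloudfront_distribution.retriever_poc.domain_name
    zone_id                = aws_cloudfront_distribution.retriever_poc.hosted_zone_id
    evaluate_target_health = false
  }
}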
# DNS records for email forwarding.
# MX records for inbound mail to the apex name, delivered to the two listed
# forwarding hosts (priority 10 = preferred, 20 = fallback).
resource "aws_route53_record" "imagedirectory_mail" {
  zone_id = data.aws_route53_zone.imagedirectory_cloud.zone_id
  name    = local.imagedirectory_domain
  type    = "MX"
  records = [
    "10 fwd1.porkbun.com",
    "20 fwd2.porkbun.com",
  ]

  lifecycle {
    create_before_destroy = true
  }

  # NOTE(review): no SPF, DKIM or DMARC TXT records for this name appear in
  # this file. If none exist elsewhere, receivers cannot distinguish mail
  # claiming to come from this domain from spoofed mail — verify and add them
  # if missing.
  ttl = "3600"
}