From 981e881d1ae27fac47c380b7a45f5144c8c775cf Mon Sep 17 00:00:00 2001 From: "alexander.miehe" Date: Wed, 7 Aug 2024 10:25:29 +0200 Subject: [PATCH] PLT-909 - Adjust the cdn to allow dns ttl and ipv6 * allow to adjust the dns ttl and create ipv6 alias --- README.md | 3 +++ main.tf | 26 ++++++++++++++++++++++---- variables.tf | 12 ++++++++++++ 3 files changed, 37 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 78f9bd8..0304187 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,7 @@ This module will create cdn endpoint with alias and SSL-certificate and optional | [aws_acm_certificate_validation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource | | [aws_cloudfront_function.functions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_function) | resource | | [aws_route53_record.additional_records](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_record.ipv6](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | | [aws_route53_record.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | | [aws_s3_bucket_policy.s3_origin_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | | [null_resource.either_s3_origin_hostname_or_s3_origin_name_is_required](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | 
@@ -54,6 +55,8 @@ This module will create cdn endpoint with alias and SSL-certificate and optional | [create\_origin\_access\_control](#input\_create\_origin\_access\_control) | Controls if CloudFront origin access control should be created | `bool` | `false` | no | | [create\_origin\_access\_identity](#input\_create\_origin\_access\_identity) | Controls if CloudFront origin access identity should be created | `bool` | `true` | no | | [default\_root\_object](#input\_default\_root\_object) | The object that you want CloudFront to return (for example, index.html) when an end user requests the root URL. | `string` | `null` | no | +| [dns\_ttl](#input\_dns\_ttl) | dns ttl for the cert validation records | `number` | `60` | no | +| [ipv6](#input\_ipv6) | create also alias records for ipv6 | `bool` | `false` | no | | [override\_s3\_origin\_policy](#input\_override\_s3\_origin\_policy) | Overrides the S3-bucket policy to set OAI | `bool` | `false` | no | | [s3\_logging\_hostname](#input\_s3\_logging\_hostname) | Hostname of S3-bucket to be used for logging | `string` | `""` | no | | [s3\_origin\_hostname](#input\_s3\_origin\_hostname) | Hostname of S3-bucket to be used as origin | `string` | `""` | no | diff --git a/main.tf b/main.tf index 054e7f0..b7af7d5 100644 --- a/main.tf +++ b/main.tf @@ -79,7 +79,7 @@ data "aws_s3_bucket" "s3_origin" { module "certificate" { source = "github.com/terraform-aws-modules/terraform-aws-acm?ref=v5.0.1" - tags = var.tags + tags = merge(var.tags, { Region = "us-east-1" }) domain_name = local.r53_map["single"].hostname zone_id = local.r53_map["single"].zone_id @@ -96,7 +96,7 @@ module "certificate" { module "certificate-validations" { source = "github.com/terraform-aws-modules/terraform-aws-acm?ref=v5.0.1" for_each = local.r53_map - tags = var.tags + tags = merge(var.tags, { Region = "us-east-1" }) domain_name = each.value.hostname zone_id = each.value.zone_id 
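Review bot: In `tags = merge(var.tags, { Region = "us-east-1" })`, `merge()` gives the last argument precedence, so a `Region` key that a caller already supplies in `var.tags` is silently overwritten with `us-east-1`; the same applies to the identical line in the `certificate-validations` hunk that follows. If the intent is only to label the cross-region ACM resources (presumably because they go through the `aws.us-east-1` provider alias visible further down), `merge({ Region = "us-east-1" }, var.tags)` lets caller tags win, or the override should be stated in the README. This tag change is also outside the scope given in the commit message (DNS TTL and IPv6), so a sentence there explaining why it rides along would help later readers. Both `module` blocks continue outside their hunks.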
@@ -108,6 +108,8 @@ module "certificate-validations" { providers = { aws = aws.us-east-1 } + + dns_ttl = var.dns_ttl } module "cloudfront" { @@ -151,8 +153,9 @@ module "cloudfront" { } viewer_certificate = { - acm_certificate_arn = module.certificate.acm_certificate_arn - ssl_support_method = "sni-only" + acm_certificate_arn = module.certificate.acm_certificate_arn + ssl_support_method = "sni-only" + minimum_protocol_version = "TLSv1.2_2021" } } @@ -212,6 +215,21 @@ resource "aws_route53_record" "this" { } } +resource "aws_route53_record" "ipv6" { + count = var.create && var.ipv6 ? 1 : 0 + + zone_id = var.r53_zone_id + name = var.r53_hostname + type = "AAAA" + + alias { + zone_id = module.cloudfront.cloudfront_distribution_hosted_zone_id + name = module.cloudfront.cloudfront_distribution_domain_name + + evaluate_target_health = false + } +} + resource "aws_route53_record" "additional_records" { for_each = var.additional_zones diff --git a/variables.tf b/variables.tf index f504ba4..251a7eb 100644 --- a/variables.tf +++ b/variables.tf @@ -118,3 +118,15 @@ variable "validation_timeout" { type = string default = null } + +variable "dns_ttl" { + description = "dns ttl for the cert validation records" + type = number + default = 60 +} + +variable "ipv6" { + description = "create also alias records for ipv6" + type = bool + default = false +}
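Review bot: `dns_ttl = var.dns_ttl` is wired only into `module "certificate-validations"`, while `module "certificate"` (same `terraform-aws-acm` source at `v5.0.1`, seen in the earlier hunk) is left at that module's default, so a variable described as "dns ttl for the cert validation records" may not govern every validation record this file creates. Please confirm whether the `certificate` module also emits Route 53 validation records; if it does, pass `dns_ttl = var.dns_ttl` there as well so one input controls both. The `certificate` module body lies outside this hunk, so this is inferred from the two module headers only.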
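Review bot: `minimum_protocol_version = "TLSv1.2_2021"` is a welcome hardening of the viewer TLS policy, but it is not mentioned in the commit message or README and is hard-coded next to settings that otherwise come from variables, so a short why-comment would stop someone relaxing it by accident, e.g. `# Reject TLS 1.0/1.1 viewers; applies because ssl_support_method is sni-only with a custom ACM cert`. For any existing caller serving older clients this is a behavior change, so the change description should call it out. The `viewer_certificate` map is complete in the hunk, but the enclosing `module "cloudfront"` block starts and ends outside it.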
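Review bot: The new `aws_route53_record.ipv6` AAAA alias only yields a usable address if the distribution itself has IPv6 enabled, and nothing in this diff sets `is_ipv6_enabled` on `module "cloudfront"`; if that module still has it off (its body is outside the hunk), Route 53 will answer AAAA queries for the alias with no records. Consider tying the two together, e.g. `is_ipv6_enabled = var.ipv6` in the cloudfront module call, or at least document the precondition on the `ipv6` variable. Note also that `aws_route53_record.additional_records`, whose definition begins at the end of this hunk, gets no AAAA counterpart in this diff, so hostnames in `var.additional_zones` stay IPv4-only even when `var.ipv6` is true. If an IP-based allow list (for example a WAF IPSet) is attached to this distribution elsewhere, it will need IPv6 CIDRs once this record goes live.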
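Review bot: `variable "dns_ttl"` accepts any number, including negative or fractional values, which Route 53 only rejects at apply time; a `validation` block (shown below) fails at plan instead. The two descriptions are also terser than the full-sentence ones the README rows show for neighbouring inputs; suggested wording is `Time-to-live, in seconds, for the Route 53 records ACM uses for DNS validation` and `Also create AAAA alias records so the CDN hostname resolves over IPv6`. Naming the boolean `create_ipv6_record` would match the `create_*` convention the module's other toggles use, keeping `ipv6` as an alias if callers already depend on it. The `validation_timeout` variable named in the hunk header starts outside the hunk.
```terraform
variable "dns_ttl" {
  description = "Time-to-live, in seconds, for the Route 53 records ACM uses for DNS validation"
  type        = number
  default     = 60

  validation {
    condition     = var.dns_ttl >= 0 && var.dns_ttl == floor(var.dns_ttl)
    error_message = "dns_ttl must be a non-negative whole number of seconds."
  }
}

# … unchanged: ipv6 variable …
```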