Static Site Module update - full release of working module (#162)

* fix acl issue * change regional to cloudfront in WAF * typo * add us-east-1 provider * fix federation * Update iam.tf * Update iam.tf * update iam * add new variable * remove static site hosting config * change bucket name back for testing * remove variable * add acm cert arn * typo * add cloudfront_default_certificate = false * add ssl_support_method * add origin access control id * change vars to work with multiple tenants * update iam file --------- Co-authored-by: Dan Palmer <[email protected]>
UKHomeOffice · Jul 30, 2024 · f2c8851 · f2c8851
1 parent 84fa776
commit f2c8851
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 37 deletions.
diff --git a/modules/products/static-site/WAF.tf b/modules/products/static-site/WAF.tf
@@ -1,7 +1,8 @@
 resource "aws_wafv2_web_acl" "default" {
-  name        = "cc-static-site-${var.tags.product}-${var.tags.component}"
-  description = "Static Site WAF rule for ${var.tags.product} ${var.tags.component}"
-  scope       = "REGIONAL"
+  name        = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}"
+  description = "Static Site WAF rule for ${var.tenant_vars.product} ${var.tenant_vars.component}"
+  scope       = "CLOUDFRONT"
+  provider    = aws.us-east-1
 
   tags = local.common_tags
 
@@ -11,7 +12,7 @@ resource "aws_wafv2_web_acl" "default" {
 
   visibility_config {
     cloudwatch_metrics_enabled = false
-    metric_name                = "static-site-${var.tags.product}-${var.tags.component}"
+    metric_name                = "static-site-${var.tenant_vars.product}-${var.tenant_vars.component}"
     sampled_requests_enabled   = false
   }
 

diff --git a/modules/products/static-site/cloudfront.tf b/modules/products/static-site/cloudfront.tf
@@ -1,20 +1,21 @@
 resource "aws_cloudfront_origin_access_control" "static_site_identity" {
-  name                              = "cc-static-site-${var.tags.product}-${var.tags.component}"
-  description                       = "Origin access control for ${var.tags.product} ${var.tags.component}"
+  name                              = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}"
+  description                       = "Origin access control for ${var.tenant_vars.product} ${var.tenant_vars.component}"
   origin_access_control_origin_type = "s3"
   signing_behavior                  = "always"
   signing_protocol                  = "sigv4"
 }
 
 resource "aws_cloudfront_distribution" "static_site_distribution" {
   origin {
-    domain_name = aws_s3_bucket.static_site.bucket_regional_domain_name
-    origin_id   = aws_s3_bucket.static_site.id
+    domain_name              = aws_s3_bucket.static_site.bucket_regional_domain_name
+    origin_id                = aws_s3_bucket.static_site.id
+    origin_access_control_id = aws_cloudfront_origin_access_control.static_site_identity.id
   }
 
   enabled             = true
   is_ipv6_enabled     = true
-  comment             = "Cloudfront distribution for ${var.tags.product} ${var.tags.component}"
+  comment             = "Cloudfront distribution for ${var.tenant_vars.product} ${var.tenant_vars.component}"
   default_root_object = "index.html"
 
   # logging_config {
@@ -23,7 +24,7 @@ resource "aws_cloudfront_distribution" "static_site_distribution" {
   #   prefix          = "myprefix"
   # }
 
-  aliases = var.cloud_front_vars.cloudfront_aliases
+  aliases = var.tenant_vars.cloudfront_aliases
 
   default_cache_behavior {
     allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
@@ -50,13 +51,15 @@ resource "aws_cloudfront_distribution" "static_site_distribution" {
     }
   }
 
-  price_class = var.cloud_front_vars.cloudfront_price_class
+  price_class = var.cloud_front_default_vars.cloudfront_price_class
 
   tags = local.common_tags
 
   viewer_certificate {
-    cloudfront_default_certificate = true
+    acm_certificate_arn            = var.tenant_vars.cloudfront_cert
     minimum_protocol_version       = "TLSv1.2_2021"
+    cloudfront_default_certificate = "false"
+    ssl_support_method             = "sni-only"
   }
-  web_acl_id = aws_wafv2_web_acl.default.id
+  web_acl_id = aws_wafv2_web_acl.default.arn
 }
diff --git a/modules/products/static-site/iam.tf b/modules/products/static-site/iam.tf
@@ -1,5 +1,11 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  account_id = data.aws_caller_identity.current.account_id
+}
+
 resource "aws_iam_role" "static_site_actions_push" {
-  name = "cc-static-site-${var.tags.product}-${var.tags.component}"
+  name = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}"
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
@@ -8,24 +14,24 @@ resource "aws_iam_role" "static_site_actions_push" {
         Effect = "Allow"
         Sid    = ""
         Principal = {
-          Federated : "*"
+          Federated : "arn:aws:iam::${local.account_id}:oidc-provider/token.actions.githubusercontent.com"
         }
         Condition = {
           StringLike = {
-            "token.actions.githubusercontent.com:sub:" : var.tags.repository
+            "token.actions.githubusercontent.com:sub" : var.tenant_vars.repository
             "sts:RoleSessionName" : "GitHubActions"
           }
           StringEquals = {
-            "token.actions.githubusercontent.com:aud:" : "sts.amazonaws.com"
+            "token.actions.githubusercontent.com:aud" : "sts.amazonaws.com"
           }
         },
       }
     ]
   })
-
   tags = local.common_tags
 }
 
+
 resource "aws_iam_role_policy_attachment" "static_site_policy_attachment" {
   policy_arn = aws_iam_policy.static_site_policy.arn
   role       = aws_iam_role.static_site_actions_push.name

diff --git a/modules/products/static-site/main.tf b/modules/products/static-site/main.tf
@@ -2,8 +2,13 @@
 
 locals {
   common_tags = {
-    COST_CENTRE = var.tags.COST_CENTRE
-    PRODUCT     = var.tags.product
-    COMPONENT   = var.tags.component
+    COST_CENTRE = var.tenant_vars.COST_CENTRE
+    PRODUCT     = var.tenant_vars.product
+    COMPONENT   = var.tenant_vars.component
   }
 }
+
+provider "aws" {
+  region = "us-east-1"
+  alias  = "us-east-1"
+}
diff --git a/modules/products/static-site/storage.tf b/modules/products/static-site/storage.tf
@@ -1,21 +1,9 @@
 resource "aws_s3_bucket" "static_site" {
-  bucket = "cc-static-site-${var.tags.product}-${var.tags.component}"
+  bucket = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}"
 
   tags = local.common_tags
 }
 
-resource "aws_s3_bucket_website_configuration" "static_site_config" {
-  bucket = aws_s3_bucket.static_site.id
-
-  index_document {
-    suffix = "index.html"
-  }
-
-  error_document {
-    key = "error.html"
-  }
-}
-
 resource "aws_s3_bucket_public_access_block" "static_site_acl" {
   bucket = aws_s3_bucket.static_site.id
 

diff --git a/modules/products/static-site/variables.tf b/modules/products/static-site/variables.tf
@@ -1,11 +1,11 @@
-variable "tags" {
+variable "tenant_vars" {
   type = any
 }
 
-variable "cloud_front_vars" {
+variable "cloud_front_default_vars" {
   type = any
 }
 
 variable "aws_region" {
   type = string
-}
+}