Merge pull request #5 from dasmeta/DMVP-5087-frontend-app-improvement

Dmvp-5087 frontend app improvement

.github/workflows/checkov.yaml

@@ -17,7 +17,7 @@ jobs:
       matrix:
         path:
           - /
-     
+
     steps:
     - uses: dasmeta/reusable-actions-workflows/checkov@main
       with:

.github/workflows/terraform-test.yaml

@@ -16,7 +16,7 @@ jobs:
       matrix:
         path:
           - /
-     
+
     steps:
     - uses: dasmeta/reusable-actions-workflows/terraform-test@main
       with:

.github/workflows/tflint.yaml

@@ -18,7 +18,7 @@ jobs:
       matrix:
         path:
           - /
-     
+
     steps:
     - uses: dasmeta/reusable-actions-workflows/tflint@main
       with:

.pre-commit-config.yaml

@@ -15,7 +15,7 @@ repos:
       - id: mixed-line-ending
         args: [--fix=lf]
       - id: detect-aws-credentials
-        args: ['--allow-missing-credentials']
+        args: ["--allow-missing-credentials"]
       - id: detect-private-key
   - repo: https://github.com/antonbabenko/pre-commit-terraform
     rev: v1.64.1
@@ -26,3 +26,11 @@ repos:
           - --hook-config=--path-to-file=README.md
           - --hook-config=--add-to-existing-file=true
           - --hook-config=--create-file-if-not-exist=true
+  - repo: https://github.com/qoomon/git-conventional-commits
+    rev: v2.4.0
+    hooks:
+      - id: conventional-commits
+  - repo: https://github.com/zricethezav/gitleaks
+    rev: v8.12.0
+    hooks:
+      - id: gitleaks

README.md

@@ -1,2 +1,63 @@
 # terraform-aws-frontend-app
-Repo spins up frontend application setup which include CloudFront distribution, S3 bucket and DNS record.
+Repo spins up frontend application setup which include CloudFront distribution, S3 bucket and DNS record, waf.
+
+## Example
+```hcl
+module "this" {
+  source  = "dasmeta/frontend-app/aws"
+  version = "1.1.0"
+
+  domain = "basic-test-front-app.devops.dasmeta.com"
+  zone   = "devops.dasmeta.com"
+
+  providers = { aws : aws, aws.virginia : aws.virginia }
+}
+```
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | > 1.3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.27.0, < 6.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cdn"></a> [cdn](#module\_cdn) | dasmeta/modules/aws//modules/cloudfront-ssl-hsts | 2.16.0 |
+| <a name="module_dns"></a> [dns](#module\_dns) | dasmeta/dns/aws | 1.0.4 |
+| <a name="module_dns_alternative"></a> [dns\_alternative](#module\_dns\_alternative) | dasmeta/dns/aws | 1.0.4 |
+| <a name="module_s3"></a> [s3](#module\_s3) | dasmeta/s3/aws | 1.2.1 |
+| <a name="module_waf"></a> [waf](#module\_waf) | dasmeta/modules/aws//modules/waf | 2.15.6 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_alternative_domains"></a> [alternative\_domains](#input\_alternative\_domains) | n/a | `list(string)` | `[]` | no |
+| <a name="input_alternative_zones"></a> [alternative\_zones](#input\_alternative\_zones) | n/a | `list(string)` | `[]` | no |
+| <a name="input_cdn_configs"></a> [cdn\_configs](#input\_cdn\_configs) | CDN configuration options | <pre>object({<br>    default_root_object = optional(string, "index.html")<br>    additional_origins  = optional(any, [])<br>  })</pre> | <pre>{<br>  "additional_origins": [],<br>  "default_root_object": "index.html"<br>}</pre> | no |
+| <a name="input_domain"></a> [domain](#input\_domain) | domain full name | `string` | n/a | yes |
+| <a name="input_enable_http_security_headers"></a> [enable\_http\_security\_headers](#input\_enable\_http\_security\_headers) | Whether to enable http security headers by creating pass through lambda handler for cdn | `bool` | `false` | no |
+| <a name="input_s3_configs"></a> [s3\_configs](#input\_s3\_configs) | S3 bucket configuration options | <pre>object({<br>    acl                     = optional(string, "private")<br>    create_index_html       = optional(bool, true)<br>    ignore_public_acls      = optional(bool, true)<br>    restrict_public_buckets = optional(bool, true)<br>    block_public_acls       = optional(bool, true)<br>    block_public_policy     = optional(bool, true)<br><br>    versioning      = optional(object({ enabled = bool }), { enabled = false })<br>    website         = optional(object({ index_document = string, error_document = string }), { index_document = "index.html", error_document = "index.html" })<br>    create_iam_user = optional(bool, false)<br>  })</pre> | <pre>{<br>  "acl": "private",<br>  "block_public_acls": true,<br>  "block_public_policy": true,<br>  "create_iam_user": false,<br>  "create_index_html": true,<br>  "ignore_public_acls": true,<br>  "restrict_public_buckets": true,<br>  "versioning": {<br>    "enabled": false<br>  },<br>  "website": {<br>    "error_document": "index.html",<br>    "index_document": "index.html"<br>  }<br>}</pre> | no |
+| <a name="input_waf"></a> [waf](#input\_waf) | waf configs | `any` | `null` | no |
+| <a name="input_zone"></a> [zone](#input\_zone) | R53 zone name | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_distribution_id"></a> [distribution\_id](#output\_distribution\_id) | cloudfront distribution id |
+| <a name="output_s3_bucket_id"></a> [s3\_bucket\_id](#output\_s3\_bucket\_id) | s3 bucket name/id |
+| <a name="output_s3_config"></a> [s3\_config](#output\_s3\_config) | n/a |
+| <a name="output_web_acl_id"></a> [web\_acl\_id](#output\_web\_acl\_id) | waf arm/id |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

cdn.tf

@@ -1,29 +1,28 @@
 
 module "cdn" {
   source  = "dasmeta/modules/aws//modules/cloudfront-ssl-hsts"
-  version = "1.1.2"
+  version = "2.16.0"
 
-  zone       = concat([var.zone], var.alternative_zones)
-  aliases    = concat([var.domain], var.alternative_domains)
-  comment    = "cdn for ${var.domain}"
-  web_acl_id = try(module.waf[0].web_acl_arn, null)
+  zone                = concat([var.zone], var.alternative_zones)
+  aliases             = concat([var.domain], var.alternative_domains)
+  comment             = "cdn for ${var.domain}"
+  web_acl_id          = try(module.waf[0].web_acl_arn, null)
+  create_hsts         = var.enable_http_security_headers
+  default_root_object = var.cdn_configs.default_root_object
 
-  origin = {
-    s3 = {
-      domain_name = module.s3.s3_bucket_website_endpoint
-      custom_origin_config = {
-        origin_protocol_policy = "http-only"
+  origins = concat(
+    var.cdn_configs.additional_origins,
+    [
+      {
+        id          = "s3" # the last one is default origin/behavior, we suppose the front app is default one
+        domain_name = module.s3.s3_bucket_id
+        type        = "bucket"
       }
-    }
-  }
-
-  default_cache_behavior = {
-    target_origin_id     = "s3"
-    use_forwarded_values = true
-    headers              = []
-  }
+    ]
+  )
 
   providers = {
-    aws = aws.virginia
+    aws          = aws
+    aws.virginia = aws.virginia
   }
 }

dns.tf

@@ -1,6 +1,6 @@
 module "dns" {
   source  = "dasmeta/dns/aws"
-  version = "0.1.0"
+  version = "1.0.4"
 
   count = var.zone == null ? 0 : 1
 
@@ -15,3 +15,25 @@ module "dns" {
     }
   ]
 }
+
+module "dns_alternative" {
+  source  = "dasmeta/dns/aws"
+  version = "1.0.4"
+
+  for_each = { for key, domain in var.alternative_domains : domain => {
+    domain : domain
+    key : key
+    zone : try(var.alternative_zones[key], var.zone)
+  } }
+
+  zone        = each.value.zone
+  create_zone = false
+
+  records = [
+    {
+      target_type     = "cdn"
+      name            = replace(each.value.domain, each.value.zone, "")
+      distribution_id = module.cdn.cloudfront_distribution_id
+    }
+  ]
+}

githooks/commit-msg

@@ -1,86 +1,20 @@
-#!/bin/bash
-
-RED='\033[1;31m'
-YELLOW='\033[1;33m'
-GREEN='\033[1;32m'
-NC='\033[0m'
-
-isNvmOk=false
-isYarnOk=false
-isNodeOk=false
-isGccOk=false
-
-source ~/.nvm/nvm.sh > /dev/null 2>&1
-nvm -v > /dev/null 2>&1
-if [ ! $? -eq 0 ]; then
-  mkdir ~/.nvm > /dev/null 2>&1
-  (curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.34.0/install.sh | bash) > /dev/null 2>&1
-
-  source ~/.nvm/nvm.sh
-
-  if [ `command -v nvm` ]; then
-      isNvmOk=true
-      #echo -e "$${GREEN}[ OK ]$${NC} nvm installed successfully"
-  else
-      isNvmOk=false
-      #echo -e "$${RED}[ FAIL ]$${NC} Error during nvm installation"
-  fi
-fi
-
-
-if  [  `command -v node`  ]; then
-    isNodeOk=true
-    #echo -e "$${GREEN}[ OK ]$${NC} npm and node is already installed"
-else
-  #echo -e "$${YELLOW}[ WAIT ]$${NC} npm is not installed.. installing"
-  nvm install node > /dev/null 2>&1
-  if [ `command -v node` ] && [ `command -v npm` ]; then
-      isNodeOk=true
-      #echo -e "$${GREEN}[ OK ]$${NC} npm installed successfully"
-  fi
-
-#  mkdir ~/.npm-global > /dev/null 2>&1
-#  npm config set prefix '~/.npm-global' > /dev/null 2>&1
-#  export PATH=~/.npm-global/bin:$PATH > /dev/null 2>&1
-#  source ~/.profile > /dev/null 2>&1
-
-fi
-
-
-if [ `command -v yarn` ]; then
-  isYarnOk=true
-  #echo -e "$${GREEN}[ OK ]$${NC} Yarn already installed"
-
-else
-  rm -rf ~/.yarn
-  (curl -o- -L https://yarnpkg.com/install.sh | bash) > /dev/null 2>&1
-  export PATH="$HOME/.yarn/bin:$PATH"
-  yarn config set prefix ~/.yarn -g > /dev/null 2>&1
-
-  if [ `command -v yarn` ]; then
-    isYarnOk=true
-     # echo $yarn_result
-    #  echo -e "$${GREEN}[ OK ]$${NC} Yarn installed successfully"
-  fi
-fi
-
-#echo -e "$${GREEN}[ OK ]$${NC}" nvm cache clear --force
-
-PATH="/c/Program Files/nodejs:$HOME/AppData/Roaming/npm/:$PATH"
-
-npm install --global git-conventional-commits > /dev/null 2>&1
-if [ $? -eq 0 ]; then
-    isGccOk=true
-   # echo -e "$${GREEN}[ OK ]$${NC} git-conventional-commit successfully installed"
-  else
-    isGccOk=false
-   # echo -e "$${RED}[ FAIL ]$${NC} Error during installation of git-conventional-commit"
-fi
-
-git-conventional-commits commit-msg-hook "$1"
-
-if [[ $isNodeOk && $isYarnOk && $isNvmOk && $isNodeOk ]]; then
-    echo -e "$${GREEN}[ OK ]$${NC} Dependencies installed successfully"
+#!/usr/bin/env bash
+# File generated by pre-commit: https://pre-commit.com
+# ID: 138fd403232d2ddd5efb44317e38bf03
+
+# start templated
+INSTALL_PYTHON=/usr/bin/python3
+ARGS=(hook-impl --config=.pre-commit-config.yaml --hook-type=commit-msg)
+# end templated
+
+HERE="$(cd "$(dirname "$0")" && pwd)"
+ARGS+=(--hook-dir "$HERE" -- "$@")
+
+if command -v pre-commit > /dev/null; then
+    exec pre-commit "${ARGS[@]}"
+elif [ -x "$INSTALL_PYTHON" ]; then
+    exec "$INSTALL_PYTHON" -mpre_commit "${ARGS[@]}"
 else
-    echo -e "$${RED}[ FAIL ]$${NC} Error during dependency installation"
+    echo '`pre-commit` not found.  Did you forget to activate your virtualenv?' 1>&2
+    exit 1
 fi

outputs.tf

@@ -12,3 +12,7 @@ output "web_acl_id" {
   value       = try(module.waf[0].web_acl_id, null)
   description = "waf arm/id"
 }
+
+output "s3_config" {
+  value = var.s3_configs
+}

s3.tf

@@ -1,21 +1,15 @@
 module "s3" {
-  source  = "dasmeta/modules/aws//modules/s3"
-  version = "0.36.7"
+  source  = "dasmeta/s3/aws"
+  version = "1.2.1"
 
   name                    = var.domain
-  acl                     = "private"
-  create_index_html       = true
-  ignore_public_acls      = false
-  restrict_public_buckets = false
-  block_public_acls       = false
-  block_public_policy     = false
-
-  versioning = {
-    enabled = false
-  }
-  website = {
-    index_document = "index.html"
-    error_document = "index.html"
-  }
-  create_iam_user = false
+  acl                     = var.s3_configs.acl
+  create_index_html       = var.s3_configs.create_index_html
+  ignore_public_acls      = var.s3_configs.ignore_public_acls
+  restrict_public_buckets = var.s3_configs.restrict_public_buckets
+  block_public_acls       = var.s3_configs.block_public_acls
+  block_public_policy     = var.s3_configs.block_public_policy
+  versioning              = var.s3_configs.versioning
+  website                 = var.s3_configs.website
+  create_iam_user         = var.s3_configs.create_iam_user
 }