feat(DMVP-1338): extract out frontend-app setup into own module to re-use from different projects

Author: aramkarapetian

.pre-commit-config.yaml

@@ -0,0 +1,27 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.2.0
+  hooks:
+    - id: check-added-large-files
+    - id: check-merge-conflict
+    - id: check-vcs-permalinks
+    - id: end-of-file-fixer
+    - id: trailing-whitespace
+      args: [--markdown-linebreak-ext=md]
+      exclude: CHANGELOG.md
+    - id: check-yaml
+    - id: check-merge-conflict
+    - id: check-executables-have-shebangs
+    - id: check-case-conflict
+    - id: mixed-line-ending
+      args: [--fix=lf]
+    - id: detect-aws-credentials
+      args: ['--allow-missing-credentials']
+    - id: detect-private-key
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.62.3
+  hooks:
+    - id: terraform_fmt
+    - id: terraform_docs
+  args:
+      - '--args=--lockfile=false'

cdn.tf

@@ -0,0 +1,29 @@
+
+module "cdn" {
+  source  = "dasmeta/modules/aws//modules/cloudfront-ssl-hsts"
+  version = "0.36.7"
+
+  zone       = [var.zone]
+  aliases    = [var.domain]
+  comment    = "cdn for ${var.domain}"
+  web_acl_id = try(module.waf[0].web_acl_arn, null)
+
+  origin = {
+    s3 = {
+      domain_name = module.s3.s3_bucket_website_endpoint
+      custom_origin_config = {
+        origin_protocol_policy = "http-only"
+      }
+    }
+  }
+
+  default_cache_behavior = {
+    target_origin_id     = "s3"
+    use_forwarded_values = true
+    headers              = []
+  }
+
+  providers = {
+    aws = aws.virginia
+  }
+}

dns.tf

@@ -0,0 +1,16 @@
+module "dns" {
+  source = "../dns"
+
+  count = var.zone == null ? 0 : 1
+
+  zone        = var.zone
+  create_zone = false
+
+  records = [
+    {
+      target_type     = "cdn"
+      name            = replace(var.domain, var.zone, "")
+      distribution_id = module.cdn.cloudfront_distribution_id
+    }
+  ]
+}

githooks/pre-commit

@@ -0,0 +1,4 @@
+#!/bin/bash
+echo 'Start git pre-commit hooks and checks... ';
+pre-commit run -a;
+echo 'End git pre-commit hooks and checks... ';

outputs.tf

@@ -0,0 +1,14 @@
+output "s3_bucket_id" {
+  value       = module.s3.s3_bucket_id
+  description = "s3 bucket name/id"
+}
+
+output "distribution_id" {
+  value       = module.cdn.cloudfront_distribution_id
+  description = "cloudfront distribution id"
+}
+
+output "web_acl_id" {
+  value       = try(module.waf[0].web_acl_id, null)
+  description = "waf arm/id"
+}

s3.tf

@@ -0,0 +1,21 @@
+module "s3" {
+  source  = "dasmeta/modules/aws//modules/s3"
+  version = "0.36.7"
+
+  name                    = var.domain
+  acl                     = "private"
+  create_index_html       = true
+  ignore_public_acls      = false
+  restrict_public_buckets = false
+  block_public_acls       = false
+  block_public_policy     = false
+
+  versioning = {
+    enabled = false
+  }
+  website = {
+    index_document = "index.html"
+    error_document = "index.html"
+  }
+  create_iam_user = false
+}

variables.tf

@@ -0,0 +1,18 @@
+
+variable "domain" {
+  type        = string
+  description = "domain full name"
+}
+
+variable "zone" {
+  type        = string
+  default     = null
+  description = "R53 zone name"
+}
+
+variable "waf" {
+  type        = any
+  default     = null
+  description = "waf configs"
+}
+

versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = "> 0.15.0"
+
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}

waf.tf

@@ -0,0 +1,23 @@
+module "waf" {
+  source  = "dasmeta/modules/aws//modules/waf"
+  version = "0.33.4"
+
+  count = try(var.waf.enabled, false) ? 1 : 0
+
+  name = try(var.waf.name, "${replace(var.domain, "/[\\W|_|\\s]+/", "-")}-firewall")
+
+  scope                  = try(var.waf.scope, "CLOUDFRONT")
+  visibility_config      = try(var.waf.visibility_config, { cloudwatch_metrics_enabled = false, sampled_requests_enabled = true })
+  rules                  = try(var.waf.rules, [])
+  create_alb_association = try(var.waf.create_alb_association, false)
+  alb_arn_list           = try(var.waf.alb_arn_list, [])
+  allow_default_action   = try(var.waf.allow_default_action, true)
+  whitelist_ips          = try(var.waf.whitelist_ips, [])
+  enable_whitelist       = try(var.waf.enable_whitelist, true)
+
+  providers = {
+    // TODO: for cloudfront distribution the waf gets created in virginia, but for alb the specific region should be used,
+    // needs to decide how to accomplish this  
+    aws = aws.virginia
+  }
+}