Merge pull request #32 from DELTSV/terraform-update

Added storage S3 bucket with public cloudfront access

packages/infrastructure/project/backend/variables.tf

@@ -18,11 +18,6 @@ variable "domain_name" {
   type        = string
 }
 
-variable "public_cert_backend_arn" {
-  description = "The ARN of the certificate for the backend"
-  type        = string
-}
-
 variable "rds_db_url" {
   description = "The URL of the RDS database"
   type        = string

packages/infrastructure/project/certificates/cert.tf

@@ -1,4 +1,4 @@
-resource "aws_acm_certificate" "public-cert-frontend" {
+resource "aws_acm_certificate" "public_cert_frontend" {
   provider          = aws.virginia
   domain_name       = var.domain_name
   validation_method = "DNS"
@@ -10,20 +10,6 @@ resource "aws_acm_certificate" "public-cert-frontend" {
 
 resource "aws_acm_certificate_validation" "frontend" {
   provider                = aws.virginia
-  certificate_arn         = aws_acm_certificate.public-cert-frontend.arn
+  certificate_arn         = aws_acm_certificate.public_cert_frontend.arn
   validation_record_fqdns = [for record in aws_route53_record.frontend_validation : record.fqdn]
 }
-
-resource "aws_acm_certificate" "public-cert-backend" {
-  domain_name       = "${var.api_subdomain}.${var.domain_name}"
-  validation_method = "DNS"
-
-  tags = {
-    Name = "${var.namespace}_Backend_Certificate_${var.environment}"
-  }
-}
-
-resource "aws_acm_certificate_validation" "api" {
-  certificate_arn         = aws_acm_certificate.public-cert-backend.arn
-  validation_record_fqdns = [for record in aws_route53_record.api_validation : record.fqdn]
-}

packages/infrastructure/project/certificates/outputs.tf

@@ -1,13 +1,4 @@
-output "public-cert-frontend-arn" {
-  value = aws_acm_certificate.public-cert-frontend.arn
+output "public_cert_frontend_arn" {
+  value = aws_acm_certificate.public_cert_frontend.arn
   depends_on = [aws_acm_certificate_validation.frontend]
 }
-
-output "public-cert-backend-arn" {
-  value = aws_acm_certificate.public-cert-backend.arn
-  depends_on = [aws_acm_certificate_validation.api]
-}
-
-output "public-cert-backend-domain-name" {
-  value = aws_acm_certificate.public-cert-backend.domain_name
-}

packages/infrastructure/project/certificates/validation.tf

@@ -1,7 +1,7 @@
 resource "aws_route53_record" "frontend_validation" {
   provider = aws.virginia
   for_each = {
-    for dvo in aws_acm_certificate.public-cert-frontend.domain_validation_options : dvo.domain_name => {
+    for dvo in aws_acm_certificate.public_cert_frontend.domain_validation_options : dvo.domain_name => {
       name   = dvo.resource_record_name
       record = dvo.resource_record_value
       type   = dvo.resource_record_type
@@ -14,21 +14,4 @@ resource "aws_route53_record" "frontend_validation" {
   ttl             = 60
   type            = each.value.type
   zone_id         = var.route53_hosted_zone_id
-}
-
-resource "aws_route53_record" "api_validation" {
-  for_each = {
-    for dvo in aws_acm_certificate.public-cert-backend.domain_validation_options : dvo.domain_name => {
-      name   = dvo.resource_record_name
-      record = dvo.resource_record_value
-      type   = dvo.resource_record_type
-    }
-  }
-
-  allow_overwrite = true
-  name            = each.value.name
-  records         = [each.value.record]
-  ttl             = 60
-  type            = each.value.type
-  zone_id         = var.route53_hosted_zone_id
-}
+}

packages/infrastructure/project/domain/variables.tf

@@ -3,11 +3,6 @@ variable "domain_name" {
   description = "The domain name to use for the Route 53 hosted zone"
 }
 
-variable "backend_domain_name" {
-  type        = string
-  description = "The domain name of the backend service"
-}
-
 variable "cloudfront_domain_name" {
   type        = string
   description = "The domain name of the CloudFront distribution"

packages/infrastructure/project/frontend/cloudfront.tf

@@ -35,6 +35,15 @@ resource "aws_cloudfront_distribution" "cf_dist_frontend" {
     }
   }
 
+  origin {
+    domain_name = var.application_storage_bucket_domain_name
+    origin_id   = var.application_storage_bucket_id
+
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.oai_frontend.cloudfront_access_identity_path
+    }
+  }
+
   origin {
     domain_name = var.alb_domain_name
     origin_id   = var.alb_domain_name
@@ -87,6 +96,24 @@ resource "aws_cloudfront_distribution" "cf_dist_frontend" {
     origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all.id
   }
 
+  ordered_cache_behavior {
+    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
+    cached_methods         = ["GET", "HEAD", "OPTIONS"]
+    target_origin_id       = var.application_storage_bucket_id
+    viewer_protocol_policy = "redirect-to-https"
+
+    path_pattern = "/storage/*"
+
+    forwarded_values {
+      headers      = []
+      query_string = true
+
+      cookies {
+        forward = "all"
+      }
+    }
+  }
+
   http_version = "http2and3"
 
   restrictions {
@@ -97,7 +124,7 @@ resource "aws_cloudfront_distribution" "cf_dist_frontend" {
   }
 
   viewer_certificate {
-    acm_certificate_arn      = var.public-cert-frontend-arn
+    acm_certificate_arn      = var.public_cert_frontend_arn
     ssl_support_method       = "sni-only"
     minimum_protocol_version = "TLSv1.2_2021"
   }

packages/infrastructure/project/frontend/outputs.tf

@@ -9,5 +9,11 @@ output "cloudfront_hosted_zone_id" {
 }
 
 output "alb_header_value" {
-  value = random_password.alb_header_value.result
+  value       = random_password.alb_header_value.result
+  description = "The value of the header to be used for the ALB"
+}
+
+output "cloudfront_oai_iam_arn" {
+  description = "The ARN of the CloudFront OAI"
+  value       = aws_cloudfront_origin_access_identity.oai_frontend.iam_arn
 }

packages/infrastructure/project/frontend/variables.tf

@@ -19,7 +19,17 @@ variable "alb_domain_name" {
 }
 
 
-variable "public-cert-frontend-arn" {
+variable "public_cert_frontend_arn" {
   type        = string
   description = "The ARN of the public certificate for the frontend"
+}
+
+variable "application_storage_bucket_id" {
+  type = string
+  description = "The ID of the S3 bucket used for application storage"
+}
+
+variable "application_storage_bucket_domain_name" {
+  type = string
+  description = "The domain name of the S3 bucket used for application storage"
 }

packages/infrastructure/project/modules.tf

@@ -1,8 +1,11 @@
 module "frontend" {
   source = "./frontend"
 
+  application_storage_bucket_domain_name = module.storage.application_storage_bucket_domain_name
+  application_storage_bucket_id          = module.storage.application_storage_bucket_id
+
   domain_name              = var.domain_name
-  public-cert-frontend-arn = module.certificates.public-cert-frontend-arn
+  public_cert_frontend_arn = module.certificates.public_cert_frontend_arn
   environment              = var.environment
   namespace                = var.namespace
   alb_domain_name          = module.backend.alb_domain_name
@@ -27,25 +30,22 @@ module "backend" {
   ghcr_username   = var.ghcr_username
   ghcr_image_tag  = var.ghcr_image_tag
 
-  public_cert_backend_arn = module.certificates.public-cert-backend-arn
-
   az_count           = var.az_count
   namespace          = var.namespace
   environment        = var.environment
   public_subnet_list = module.network.public_subnet_list
   vpc_id             = module.network.vpc_id
-  rds_db_password    = module.database.rds_db_password
+  rds_db_password    = module.storage.rds_db_password
   rds_db_username    = var.rds_pg_username
-  rds_db_url         = module.database.rds_db_url
+  rds_db_url         = module.storage.rds_db_url
 
   alb_header_value = module.frontend.alb_header_value
 }
 
 module "domain" {
   source = "./domain"
 
-  domain_name         = var.domain_name
-  backend_domain_name = module.certificates.public-cert-backend-domain-name
+  domain_name = var.domain_name
 
   cloudfront_domain_name    = module.frontend.cloudfront_domain_name
   cloudfront_hosted_zone_id = module.frontend.cloudfront_hosted_zone_id
@@ -72,10 +72,11 @@ module "certificates" {
   namespace   = var.namespace
 }
 
-module "database" {
-  source = "./database"
+module "storage" {
+  source = "./storage"
 
-  rds_pg_username = var.rds_pg_username
-  environment     = var.environment
-  namespace       = var.namespace
+  rds_pg_username        = var.rds_pg_username
+  environment            = var.environment
+  namespace              = var.namespace
+  cloudfront_oai_iam_arn = module.frontend.cloudfront_oai_iam_arn
 }

packages/infrastructure/project/storage/bucket.tf

@@ -0,0 +1,49 @@
+data "aws_iam_policy_document" "bucket_policy_document_application_storage" {
+  statement {
+    actions   = ["s3:GetObject"]
+    resources = [
+      aws_s3_bucket.application_storage.arn,
+      "${aws_s3_bucket.application_storage.arn}/*"
+    ]
+    principals {
+      type        = "AWS"
+      identifiers = [var.cloudfront_oai_iam_arn]
+    }
+  }
+}
+
+
+resource "aws_s3_bucket" "application_storage" {
+  bucket_prefix = "hollybike-application-storage"
+  force_destroy = false
+}
+
+resource "aws_s3_bucket_ownership_controls" "application_storage_acl_ownership" {
+  bucket = aws_s3_bucket.application_storage.id
+  rule {
+    object_ownership = "BucketOwnerEnforced"
+  }
+}
+
+
+resource "aws_s3_bucket_public_access_block" "public_block_application_storage" {
+  bucket                  = aws_s3_bucket.application_storage.id
+  block_public_acls       = true
+  block_public_policy     = true
+  restrict_public_buckets = true
+  ignore_public_acls      = true
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "encrypt" {
+  bucket = aws_s3_bucket.application_storage.id
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "bucket_frontend_policy" {
+  bucket = aws_s3_bucket.application_storage.id
+  policy = data.aws_iam_policy_document.bucket_policy_document_application_storage.json
+}

packages/infrastructure/project/storage/outputs.tf

@@ -0,0 +1,19 @@
+output "rds_db_url" {
+  value       = "jdbc:postgresql://${aws_db_instance.backend_db.address}:${aws_db_instance.backend_db.port}/${aws_db_instance.backend_db.db_name}"
+  description = "The URL of the RDS database"
+}
+
+output "rds_db_password" {
+  value       = random_password.master_password.result
+  description = "The password of the RDS database"
+}
+
+output "application_storage_bucket_id" {
+  value       = aws_s3_bucket.application_storage.id
+  description = "The ID of the S3 bucket used for application storage"
+}
+
+output "application_storage_bucket_domain_name" {
+  value       = aws_s3_bucket.application_storage.bucket_regional_domain_name
+  description = "The domain name of the S3 bucket used for application storage"
+}

packages/infrastructure/project/database/variables.tf → packages/infrastructure/project/storage/variables.tf

@@ -12,3 +12,9 @@ variable "rds_pg_username" {
   type        = string
   description = "Username for the RDS Postgres instance"
 }
+
+
+variable "cloudfront_oai_iam_arn" {
+  type        = string
+  description = "The ARN of the CloudFront OAI"
+}