✨ feature: Adds distribution custom domain support

.deepsource.toml

@@ -6,8 +6,8 @@ name = "secrets"
 [[analyzers]]
 name = "terraform"
 
-#[[analyzers]]
-#name = "go"
-#
-#  [analyzers.meta]
-#  import_root = "github.com/bendoerr-terraform-modules/terraform-aws-cloudfront-with-s3-origin/test"
+[[analyzers]]
+name = "go"
+
+  [analyzers.meta]
+  import_root = "github.com/bendoerr-terraform-modules/terraform-aws-cloudfront-and-s3-origin/test"

.github/workflows/test.yml

@@ -29,11 +29,25 @@ jobs:
 
       - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
-          role-to-assume: arn:aws:iam::234656776442:role/brd-sndbx-ue1-core-apply
+          role-to-assume: ${{ vars.CORE_APPLY_ROLE }}
+          aws-region: us-east-1
+
+      - run: |
+          aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile core-profile
+          aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile core-profile
+          aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile core-profile
+
+      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: ${{ vars.SANDBOX_APPLY_ROLE }}
           aws-region: us-east-1
 
       - shell: bash
         working-directory: test
+        env:
+          TF_VAR_route53_profile: core-profile
+          TF_VAR_route53_zone_id: ${{ secrets.CORE_HOSTED_ZONE_ID }}
+          TF_VAR_route53_zone_name: ${{ secrets.CORE_HOSTED_ZONE_NAME }}
         run: |
           go install github.com/jstemmer/go-junit-report@latest
           go test -timeout 20m -v ./... | tee report.txt

aws-acm.tf

@@ -0,0 +1,34 @@
+resource "aws_acm_certificate" "cert" {
+  domain_name               = local.default_alias
+  subject_alternative_names = flatten([[local.default_alias], local.extra_aliases])
+  validation_method         = "DNS"
+  tags                      = module.label_site.tags
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route53_record" "cert" {
+  for_each = {
+    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.domain_zone_id
+
+  provider = aws.route53
+}
+
+resource "aws_acm_certificate_validation" "cert" {
+  certificate_arn         = aws_acm_certificate.cert.arn
+  validation_record_fqdns = [for record in aws_route53_record.cert : record.fqdn]
+}

aws-cloudfront.tf

@@ -6,7 +6,7 @@ resource "aws_cloudfront_distribution" "site" {
   tags    = module.label_site.tags
 
   price_class         = "PriceClass_100"
-  aliases             = var.cname_aliases
+  aliases             = flatten([[local.default_alias], local.extra_aliases])
   http_version        = "http2"
   default_root_object = var.default_root_object
   is_ipv6_enabled     = true
@@ -35,6 +35,8 @@ resource "aws_cloudfront_distribution" "site" {
 
   viewer_certificate {
     cloudfront_default_certificate = true
+    acm_certificate_arn            = aws_acm_certificate_validation.cert.certificate_arn
+    ssl_support_method             = "sni-only"
   }
 }
 

aws-route53.tf

@@ -0,0 +1,14 @@
+resource "aws_route53_record" "alias" {
+  for_each = toset(flatten([[module.label_site.dns_name], var.extra_domain_prefixes]))
+  name     = each.key
+  type     = "A"
+  zone_id  = var.domain_zone_id
+
+  alias {
+    evaluate_target_health = false
+    name                   = aws_cloudfront_distribution.site.domain_name
+    zone_id                = aws_cloudfront_distribution.site.hosted_zone_id
+  }
+
+  provider = aws.route53
+}

examples/simple/ctx.tf

@@ -1,8 +1,9 @@
 module "context" {
   source    = "bendoerr-terraform-modules/context/null"
-  version   = "0.4.1"
+  version   = "0.5.0"
   namespace = var.namespace
   role      = "cloudfront-s3-example"
   region    = "us-east-1"
   project   = "simple"
+  long_dns  = true
 }

examples/simple/infracost-usage.yml

@@ -4,71 +4,83 @@
 # See https://infracost.io/usage-file/ for docs
 version: 0.1
 resource_usage:
+  #
+  # The following usage values apply to individual resources and override any value defined in the resource_type_default_usage section.
+  # All values are commented-out, you can uncomment resources and customize as needed.
+  #
+  module.cloudfront_with_s3_origin.aws_route53_record.alias["status.simple.ue1.cldfrnt-s3-xmpl.namespace-mock"]:
+    monthly_latency_based_queries: 0
+    monthly_geo_queries: 0
+    monthly_standard_queries: 2678400
+  module.cloudfront_with_s3_origin.aws_route53_record.alias["status.test.namespace-mock"]:
+    monthly_latency_based_queries: 0
+    monthly_geo_queries: 0
+    monthly_standard_queries: 2678400
   module.cloudfront_with_s3_origin.module.s3_site.aws_s3_bucket.this[0]:
     object_tags: 0 # Total object tags. Only for AWS provider V3.
     standard:
-      storage_gb: 0.1 # Total storage in GB.
+      storage_gb: 0.01 # Total storage in GB.
       monthly_tier_1_requests: 0 # Monthly PUT, COPY, POST, LIST requests (Tier 1).
-      monthly_tier_2_requests: 1000 # Monthly GET, SELECT, and all other requests (Tier 2).
+      monthly_tier_2_requests: 2678400 # Monthly GET, SELECT, and all other requests (Tier 2).
       monthly_select_data_scanned_gb: 0.0 # Monthly data scanned by S3 Select in GB.
       monthly_select_data_returned_gb: 0.0 # Monthly data returned by S3 Select in GB.
-    # intelligent_tiering:
-    # frequent_access_storage_gb: 0.0 # Total storage for Frequent Access Tier in GB.
-    # infrequent_access_storage_gb: 0.0 # Total storage for Infrequent Access Tier in GB.
-    # monitored_objects: 0 # Total objects monitored by the Intelligent Tiering.
-    # monthly_tier_1_requests: 0 # Monthly PUT, COPY, POST, LIST requests (Tier 1).
-    # monthly_tier_2_requests: 0 # Monthly GET, SELECT, and all other requests (Tier 2).
-    # monthly_lifecycle_transition_requests: 0 # Monthly Lifecycle Transition requests.
-    # monthly_select_data_scanned_gb: 0.0 # Monthly data scanned by S3 Select in GB.
-    # monthly_select_data_returned_gb: 0.0 # Monthly data returned by S3 Select in GB.
-    # early_delete_gb: 0.0 # If an archive is deleted within 1 months of being uploaded, you will be charged an early deletion fee per GB.
-    # archive_access_storage_gb: 0.0
-    # deep_archive_access_storage_gb: 0.0
-    # standard_infrequent_access:
-    # storage_gb: 0.0 # Total storage in GB.
-    # monthly_tier_1_requests: 0 # Monthly PUT, COPY, POST, LIST requests (Tier 1).
-    # monthly_tier_2_requests: 0 # Monthly GET, SELECT, and all other requests (Tier 2).
-    # monthly_lifecycle_transition_requests: 0 # Monthly Lifecycle Transition requests.
-    # monthly_data_retrieval_gb: 0.0 # Monthly data retrievals in GB
-    # monthly_select_data_scanned_gb: 0.0 # Monthly data scanned by S3 Select in GB.
-    # monthly_select_data_returned_gb: 0.0 # Monthly data returned by S3 Select in GB.
-    # one_zone_infrequent_access:
-    # storage_gb: 0.0 # Total storage in GB.
-    # monthly_tier_1_requests: 0 # Monthly PUT, COPY, POST, LIST requests (Tier 1).
-    # monthly_tier_2_requests: 0 # Monthly GET, SELECT, and all other requests (Tier 2).
-    # monthly_lifecycle_transition_requests: 0 # Monthly Lifecycle Transition requests.
-    # monthly_data_retrieval_gb: 0.0 # Monthly data retrievals in GB
-    # monthly_select_data_scanned_gb: 0.0 # Monthly data scanned by S3 Select in GB.
-    # monthly_select_data_returned_gb: 0.0 # Monthly data returned by S3 Select in GB.
-    # glacier_flexible_retrieval:
-    # storage_gb: 0 # Total storage in GB.
-    # monthly_tier_1_requests: 0 # Monthly PUT, COPY, POST, LIST requests (Tier 1).
-    # monthly_tier_2_requests: 0 # Monthly GET, SELECT, and all other requests (Tier 2).
-    # monthly_lifecycle_transition_requests: 0 # Monthly Lifecycle Transition requests.
-    # monthly_standard_select_data_scanned_gb: 0.0 # Monthly data scanned by S3 Select in GB (for standard level of S3 Glacier).
-    # monthly_standard_select_data_returned_gb: 0.0 # Monthly data returned by S3 Select in GB (for standard level of S3 Glacier).
-    # monthly_bulk_select_data_scanned_gb: 0.0 # Monthly data scanned by S3 Select in GB (for bulk level of S3 Glacier)
-    # monthly_bulk_select_data_returned_gb: 0.0 # Monthly data returned by S3 Select in GB (for bulk level of S3 Glacier)
-    # monthly_expedited_select_data_scanned_gb: 0.0 # Monthly data scanned by S3 Select in GB (for expedited level of S3 Glacier)
-    # monthly_expedited_select_data_returned_gb: 0.0 # Monthly data returned by S3 Select in GB (for expedited level of S3 Glacier)
-    # monthly_standard_data_retrieval_requests: 0 # Monthly data Retrieval requests (for standard level of S3 Glacier).
-    # monthly_expedited_data_retrieval_requests: 0 # Monthly data Retrieval requests (for expedited level of S3 Glacier).
-    # monthly_standard_data_retrieval_gb: 0.0 # Monthly data retrievals in GB (for standard level of S3 Glacier).
-    # monthly_expedited_data_retrieval_gb: 0.0 # Monthly data retrievals in GB (for expedited level of S3 Glacier).
-    # early_delete_gb: 0.0 # If an archive is deleted within 3 months of being uploaded, you will be charged an early deletion fee per GB.
-    # glacier_deep_archive:
-    # storage_gb: 0.0 # Total storage in GB.
-    # monthly_tier_1_requests: 0 # Monthly PUT, COPY, POST, LIST requests (Tier 1).
-    # monthly_tier_2_requests: 0 # Monthly GET, SELECT, and all other requests (Tier 2).
-    # monthly_lifecycle_transition_requests: 0 # Monthly Lifecycle Transition requests.
-    # monthly_standard_data_retrieval_requests: 0 # Monthly data Retrieval requests (for standard level of S3 Glacier).
-    # monthly_bulk_data_retrieval_requests: 0 # Monthly data Retrieval requests (for bulk level of S3 Glacier).
-    # monthly_standard_data_retrieval_gb: 0.0 # Monthly data retrievals in GB (for standard level of S3 Glacier).
-    # monthly_bulk_data_retrieval_gb: 0.0 # Monthly data retrievals in GB (for bulk level of S3 Glacier).
-    # early_delete_gb: 0.0 # If an archive is deleted within 6 months of being uploaded, you will be charged an early deletion fee per GB.
+    intelligent_tiering:
+      frequent_access_storage_gb: 0.0 # Total storage for Frequent Access Tier in GB.
+      infrequent_access_storage_gb: 0.0 # Total storage for Infrequent Access Tier in GB.
+      monitored_objects: 0 # Total objects monitored by the Intelligent Tiering.
+      monthly_tier_1_requests: 0 # Monthly PUT, COPY, POST, LIST requests (Tier 1).
+      monthly_tier_2_requests: 0 # Monthly GET, SELECT, and all other requests (Tier 2).
+      monthly_lifecycle_transition_requests: 0 # Monthly Lifecycle Transition requests.
+      monthly_select_data_scanned_gb: 0.0 # Monthly data scanned by S3 Select in GB.
+      monthly_select_data_returned_gb: 0.0 # Monthly data returned by S3 Select in GB.
+      early_delete_gb: 0.0 # If an archive is deleted within 1 months of being uploaded, you will be charged an early deletion fee per GB.
+      archive_access_storage_gb: 0.0
+      deep_archive_access_storage_gb: 0.0
+    standard_infrequent_access:
+      storage_gb: 0.0 # Total storage in GB.
+      monthly_tier_1_requests: 0 # Monthly PUT, COPY, POST, LIST requests (Tier 1).
+      monthly_tier_2_requests: 0 # Monthly GET, SELECT, and all other requests (Tier 2).
+      monthly_lifecycle_transition_requests: 0 # Monthly Lifecycle Transition requests.
+      monthly_data_retrieval_gb: 0.0 # Monthly data retrievals in GB
+      monthly_select_data_scanned_gb: 0.0 # Monthly data scanned by S3 Select in GB.
+      monthly_select_data_returned_gb: 0.0 # Monthly data returned by S3 Select in GB.
+    one_zone_infrequent_access:
+      storage_gb: 0.0 # Total storage in GB.
+      monthly_tier_1_requests: 0 # Monthly PUT, COPY, POST, LIST requests (Tier 1).
+      monthly_tier_2_requests: 0 # Monthly GET, SELECT, and all other requests (Tier 2).
+      monthly_lifecycle_transition_requests: 0 # Monthly Lifecycle Transition requests.
+      monthly_data_retrieval_gb: 0.0 # Monthly data retrievals in GB
+      monthly_select_data_scanned_gb: 0.0 # Monthly data scanned by S3 Select in GB.
+      monthly_select_data_returned_gb: 0.0 # Monthly data returned by S3 Select in GB.
+    glacier_flexible_retrieval:
+      storage_gb: 0 # Total storage in GB.
+      monthly_tier_1_requests: 0 # Monthly PUT, COPY, POST, LIST requests (Tier 1).
+      monthly_tier_2_requests: 0 # Monthly GET, SELECT, and all other requests (Tier 2).
+      monthly_lifecycle_transition_requests: 0 # Monthly Lifecycle Transition requests.
+      monthly_standard_select_data_scanned_gb: 0.0 # Monthly data scanned by S3 Select in GB (for standard level of S3 Glacier).
+      monthly_standard_select_data_returned_gb: 0.0 # Monthly data returned by S3 Select in GB (for standard level of S3 Glacier).
+      monthly_bulk_select_data_scanned_gb: 0.0 # Monthly data scanned by S3 Select in GB (for bulk level of S3 Glacier)
+      monthly_bulk_select_data_returned_gb: 0.0 # Monthly data returned by S3 Select in GB (for bulk level of S3 Glacier)
+      monthly_expedited_select_data_scanned_gb: 0.0 # Monthly data scanned by S3 Select in GB (for expedited level of S3 Glacier)
+      monthly_expedited_select_data_returned_gb: 0.0 # Monthly data returned by S3 Select in GB (for expedited level of S3 Glacier)
+      monthly_standard_data_retrieval_requests: 0 # Monthly data Retrieval requests (for standard level of S3 Glacier).
+      monthly_expedited_data_retrieval_requests: 0 # Monthly data Retrieval requests (for expedited level of S3 Glacier).
+      monthly_standard_data_retrieval_gb: 0.0 # Monthly data retrievals in GB (for standard level of S3 Glacier).
+      monthly_expedited_data_retrieval_gb: 0.0 # Monthly data retrievals in GB (for expedited level of S3 Glacier).
+      early_delete_gb: 0.0 # If an archive is deleted within 3 months of being uploaded, you will be charged an early deletion fee per GB.
+    glacier_deep_archive:
+      storage_gb: 0.0 # Total storage in GB.
+      monthly_tier_1_requests: 0 # Monthly PUT, COPY, POST, LIST requests (Tier 1).
+      monthly_tier_2_requests: 0 # Monthly GET, SELECT, and all other requests (Tier 2).
+      monthly_lifecycle_transition_requests: 0 # Monthly Lifecycle Transition requests.
+      monthly_standard_data_retrieval_requests: 0 # Monthly data Retrieval requests (for standard level of S3 Glacier).
+      monthly_bulk_data_retrieval_requests: 0 # Monthly data Retrieval requests (for bulk level of S3 Glacier).
+      monthly_standard_data_retrieval_gb: 0.0 # Monthly data retrievals in GB (for standard level of S3 Glacier).
+      monthly_bulk_data_retrieval_gb: 0.0 # Monthly data retrievals in GB (for bulk level of S3 Glacier).
+      early_delete_gb: 0.0 # If an archive is deleted within 6 months of being uploaded, you will be charged an early deletion fee per GB.
   module.cloudfront_with_s3_origin.aws_cloudfront_distribution.site:
     monthly_data_transfer_to_internet_gb:
-      us: 0.1 # United States, Mexico, Canada
+      us: 3.4 # United States, Mexico, Canada
       europe: 0 # Europe, Israel
       south_africa: 0 # South Africa, Kenya, Middle East
       south_america: 0 # South America
@@ -77,7 +89,7 @@ resource_usage:
       asia_pacific: 0 # Hong Kong, Philippines, Singapore, South Korea, Taiwan, Thailand
       india: 0 # India
     monthly_data_transfer_to_origin_gb:
-      us: 0.1 # United States, Mexico, Canada
+      us: 0 # United States, Mexico, Canada
       europe: 0 # Europe, Israel
       south_africa: 0 # South Africa, Kenya, Middle East
       south_america: 0 # South America
@@ -95,7 +107,7 @@ resource_usage:
       asia_pacific: 0 # Hong Kong, Philippines, Singapore, South Korea, Taiwan, Thailand
       india: 0 # India
     monthly_https_requests:
-      us: 1000 # United States, Mexico, Canada
+      us: 2678400 # United States, Mexico, Canada
       europe: 0 # Europe, Israel
       south_africa: 0 # South Africa, Kenya, Middle East
       south_america: 0 # South America
@@ -116,3 +128,7 @@ resource_usage:
     monthly_encryption_requests: 0 # Monthly number of field level encryption requests.
     monthly_log_lines: 0 # Monthly number of real-time log lines.
     custom_ssl_certificates: 0 # Number of dedicated IP custom SSL certificates.
+  module.cloudfront_with_s3_origin.aws_route53_record.cert:
+    monthly_standard_queries: 0 # Monthly number of Standard queries.
+    monthly_latency_based_queries: 0 # Monthly number of Latency Based Routing queries.
+    monthly_geo_queries: 0 # Monthly number of Geo DNS and Geoproximity queries.

examples/simple/main.tf

@@ -12,7 +12,26 @@ provider "aws" {
   region = "us-east-1"
 }
 
+# Route53 zones can often be in a different account. They cost $0.50 to exist
+# so if we are trying to keep costs down we may want to only have the minimum
+# needed to function.
+provider "aws" {
+  region  = "us-east-1"
+  alias   = "route53"
+  profile = var.route53_profile
+}
+
 module "cloudfront_with_s3_origin" {
-  source  = "../.."
+  source = "../.."
+
   context = module.context.shared
+  name    = "status"
+
+  domain_zone_name      = var.route53_zone_name
+  domain_zone_id        = var.route53_zone_id
+  extra_domain_prefixes = [format("status.test.%s", var.namespace)]
+
+  providers = {
+    aws.route53 = aws.route53
+  }
 }

examples/simple/outputs.tf

@@ -22,3 +22,13 @@ output "cloudfront_distribution_domain_name" {
   value       = module.cloudfront_with_s3_origin.cloudfront_distribution_domain_name
   description = "The domain name of the CloudFront distribution."
 }
+
+output "cloudfront_distribution_alias_domain_name" {
+  value       = module.cloudfront_with_s3_origin.cloudfront_distribution_alias_domain_name
+  description = "The custom domain name generated by bendoerr-terraform-modules/terraform-null-label."
+}
+
+output "cloudfront_distribution_extra_domain_names" {
+  value       = module.cloudfront_with_s3_origin.cloudfront_distribution_extra_domain_names
+  description = "Any extra domain names provided."
+}

examples/simple/variables.tf

@@ -2,3 +2,21 @@ variable "namespace" {
   type        = string
   description = "The context namespace"
 }
+
+variable "route53_profile" {
+  type        = string
+  description = "Dedicated AWS profile for accessing Route53"
+  nullable    = false
+}
+
+variable "route53_zone_id" {
+  type        = string
+  description = "The ZoneID for the Route53 Zone"
+  nullable    = false
+}
+
+variable "route53_zone_name" {
+  type        = string
+  description = "The Name of the Route53 Zone"
+  nullable    = false
+}

main.tf

@@ -2,5 +2,10 @@ module "label_site" {
   source  = "bendoerr-terraform-modules/label/null"
   version = "0.4.2"
   context = var.context
-  name    = "site"
+  name    = var.name
+}
+
+locals {
+  default_alias = format("%s.%s", module.label_site.dns_name, var.domain_zone_name)
+  extra_aliases = formatlist("%s.%s", var.extra_domain_prefixes, var.domain_zone_name)
 }

outputs.tf

@@ -22,3 +22,13 @@ output "cloudfront_distribution_domain_name" {
   value       = aws_cloudfront_distribution.site.domain_name
   description = "The domain name of the CloudFront distribution."
 }
+
+output "cloudfront_distribution_alias_domain_name" {
+  value       = local.default_alias
+  description = "The custom domain name generated by bendoerr-terraform-modules/terraform-null-label."
+}
+
+output "cloudfront_distribution_extra_domain_names" {
+  value       = local.extra_aliases
+  description = "Any extra domain names provided."
+}

test/.golangci.yml

@@ -72,7 +72,7 @@ linters-settings:
   gocognit:
     # Minimal code complexity to report.
     # Default: 30 (but we recommend 10-20)
-    min-complexity: 20
+    min-complexity: 30
 
   gocritic:
     # Settings passed to gocritic.
@@ -314,3 +314,5 @@ issues:
         - gosec
         - noctx
         - wrapcheck
+    - text: 'shadow: declaration of "(err|ctx)" shadows declaration at'
+      linters: [govet]