mirror of
https://github.com/Hestia-Homes/Model.git
synced 2026-06-08 11:17:27 +00:00
add certificate for cdn
This commit is contained in:
Daniel Roth
parent
0540d4bab5
commit
e9f37e7959
12 changed files with 172 additions and 5 deletions
47
.github/workflows/deploy_terraform.yml
vendored
47
.github/workflows/deploy_terraform.yml
vendored
|
|
@ -346,11 +346,56 @@ jobs:
|
|||
TF_VAR_epc_auth_token: ${{ secrets.DEV_EPC_AUTH_TOKEN }}
|
||||
TF_VAR_google_solar_api_key: ${{ secrets.DEV_GOOGLE_SOLAR_API_KEY }}
|
||||
|
||||
# ============================================================
|
||||
# Deploy ACM Certificate for Cloudfront
|
||||
# ============================================================
|
||||
cloudfront_acm:
|
||||
needs: [determine_stage, fast_api_lambda]
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
env:
|
||||
STAGE: ${{ needs.determine_stage.outputs.stage }}
|
||||
TERRAFORM_APPLY: ${{ needs.determine_stage.outputs.terraform_apply }}
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- uses: aws-actions/configure-aws-credentials@v4
|
||||
with:
|
||||
aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
|
||||
aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
|
||||
aws-region: ${{ secrets.DEV_AWS_REGION }}
|
||||
|
||||
- uses: hashicorp/setup-terraform@v3
|
||||
|
||||
- name: Terraform Init
|
||||
working-directory: infrastructure/terraform/cdn_certificate
|
||||
run: terraform init -reconfigure
|
||||
|
||||
- name: Terraform Workspace
|
||||
working-directory: infrastructure/terraform/cdn_certificate
|
||||
run: |
|
||||
terraform workspace select $STAGE \
|
||||
|| terraform workspace new $STAGE
|
||||
|
||||
- name: Terraform Plan
|
||||
working-directory: infrastructure/terraform/cdn_certificate
|
||||
run: |
|
||||
terraform plan \
|
||||
-var="stage=${STAGE}" \
|
||||
-out=tfplan
|
||||
|
||||
- name: Terraform Apply
|
||||
if: env.TERRAFORM_APPLY == 'true'
|
||||
working-directory: infrastructure/terraform/cdn_certificate
|
||||
run: terraform apply -auto-approve tfplan
|
||||
|
||||
|
||||
# ============================================================
|
||||
# Deploy Cloudfront CDN
|
||||
# ============================================================
|
||||
cloudfront_cdn:
|
||||
needs: [determine_stage, shared_terraform, fast_api_lambda]
|
||||
needs: [determine_stage, shared_terraform, cloudfront_acm]
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
env:
|
||||
|
|
|
|||
|
|
@ -16,7 +16,19 @@ data "terraform_remote_state" "shared" {
|
|||
data "terraform_remote_state" "fast_api" {
|
||||
backend = "s3"
|
||||
config = {
|
||||
bucket = "ara-fast-api-terraform-state"
|
||||
bucket = data.terraform_remote_state.shared.ara_fast_api_state_bucket
|
||||
key = "env:/${var.stage}/terraform.tfstate"
|
||||
region = "eu-west-2"
|
||||
}
|
||||
}
|
||||
|
||||
############################################
|
||||
# Load CDN Certificate Terraform State
|
||||
############################################
|
||||
data "terraform_remote_state" "cdn_certificate" {
|
||||
backend = "s3"
|
||||
config = {
|
||||
bucket = data.terraform_remote_state.shared.cdn_certificate_state_bucket
|
||||
key = "env:/${var.stage}/terraform.tfstate"
|
||||
region = "eu-west-2"
|
||||
}
|
||||
|
|
@ -28,8 +40,9 @@ data "terraform_remote_state" "fast_api" {
|
|||
module "cdn" {
|
||||
source = "../modules/cloudfront"
|
||||
|
||||
aliases = []
|
||||
# aliases = [data.terraform_remote_state.fast_api.outputs.domain_name]
|
||||
aliases = [data.terraform_remote_state.fast_api.outputs.domain_name]
|
||||
|
||||
acm_certificate_arn = data.terraform_remote_state.cdn_certificate.outputs.certificate_arn
|
||||
|
||||
origins = [
|
||||
# ---- S3 ----
|
||||
|
|
|
|||
28
infrastructure/terraform/cdn_certificate/main.tf
Normal file
28
infrastructure/terraform/cdn_certificate/main.tf
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
############################################
|
||||
# Load FastAPI Terraform State
|
||||
############################################
|
||||
data "terraform_remote_state" "fast_api" {
|
||||
backend = "s3"
|
||||
config = {
|
||||
bucket = "ara-fast-api-terraform-state"
|
||||
key = "env:/${var.stage}/terraform.tfstate"
|
||||
region = "eu-west-2"
|
||||
}
|
||||
}
|
||||
|
||||
############################################
|
||||
# Define Certificate
|
||||
############################################
|
||||
module "cdn_certificate" {
|
||||
source = "../modules/acm_certificate"
|
||||
|
||||
providers = {
|
||||
aws = aws.us_east_1
|
||||
}
|
||||
|
||||
domain_name = data.terraform_remote_state.fast_api.outputs.domain_name
|
||||
|
||||
tags = {
|
||||
Environment = var.stage
|
||||
}
|
||||
}
|
||||
3
infrastructure/terraform/cdn_certificate/outputs.tf
Normal file
3
infrastructure/terraform/cdn_certificate/outputs.tf
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
output "certificate_arn" {
|
||||
value = module.cdn_certificate.certificate_arn
|
||||
}
|
||||
17
infrastructure/terraform/cdn_certificate/provider.tf
Normal file
17
infrastructure/terraform/cdn_certificate/provider.tf
Normal file
|
|
@ -0,0 +1,17 @@
|
|||
terraform {
|
||||
required_providers {
|
||||
aws = {
|
||||
source = "hashicorp/aws"
|
||||
version = ">= 5.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
provider "aws" {
|
||||
region = var.region
|
||||
}
|
||||
|
||||
provider "aws" {
|
||||
alias = "us_east_1"
|
||||
region = "us-east-1"
|
||||
}
|
||||
3
infrastructure/terraform/cdn_certificate/variables.tf
Normal file
3
infrastructure/terraform/cdn_certificate/variables.tf
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
variable "stage" {
|
||||
type = string
|
||||
}
|
||||
11
infrastructure/terraform/modules/acm_certificate/main.tf
Normal file
11
infrastructure/terraform/modules/acm_certificate/main.tf
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
resource "aws_acm_certificate" "this" {
|
||||
domain_name = var.domain_name
|
||||
subject_alternative_names = var.subject_alternative_names
|
||||
validation_method = "DNS"
|
||||
|
||||
lifecycle {
|
||||
create_before_destroy = true
|
||||
}
|
||||
|
||||
tags = var.tags
|
||||
}
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
output "certificate_arn" {
|
||||
value = aws_acm_certificate.this.arn
|
||||
}
|
||||
|
||||
output "domain_validation_options" {
|
||||
value = aws_acm_certificate.this.domain_validation_options
|
||||
}
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
variable "domain_name" {
|
||||
description = "Primary domain name for the certificate"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "subject_alternative_names" {
|
||||
description = "Additional domains for the certificate"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "tags" {
|
||||
description = "Tags to apply to the certificate"
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
|
@ -1,3 +1,6 @@
|
|||
#############################################
|
||||
# Use Managed Caching and Forwarding Policies
|
||||
#############################################
|
||||
data "aws_cloudfront_cache_policy" "caching_disabled" {
|
||||
name = "Managed-CachingDisabled"
|
||||
}
|
||||
|
|
@ -113,7 +116,11 @@ resource "aws_cloudfront_distribution" "this" {
|
|||
##########################################
|
||||
|
||||
viewer_certificate {
|
||||
cloudfront_default_certificate = true
|
||||
acm_certificate_arn = var.acm_certificate_arn
|
||||
ssl_support_method = var.acm_certificate_arn != null ? "sni-only" : null
|
||||
minimum_protocol_version = var.acm_certificate_arn != null ? "TLSv1.2_2021" : null
|
||||
|
||||
cloudfront_default_certificate = var.acm_certificate_arn == null
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -11,4 +11,10 @@ variable "origins" {
|
|||
|
||||
variable "aliases" {
|
||||
type = list(string)
|
||||
}
|
||||
|
||||
variable "acm_certificate_arn" {
|
||||
description = "ACM certificate ARN for custom aliases"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
|
@ -562,4 +562,15 @@ output "fast_api_s3_read_and_write_arn" {
|
|||
value = module.fast_api_s3_read_and_write.policy_arn
|
||||
}
|
||||
|
||||
################################################
|
||||
# CDN Certificate
|
||||
################################################
|
||||
module "cdn_certificate_state_bucket" {
|
||||
source = "../modules/tf_state_bucket"
|
||||
bucket_name = "cdn-certificate-terraform-state"
|
||||
}
|
||||
|
||||
output "cdn_certificate_state_bucket" {
|
||||
value = module.cdn_certificate_state_bucket.bucket_name
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue