-
Notifications
You must be signed in to change notification settings - Fork 8
/
cloudfront.tf
146 lines (121 loc) · 3.95 KB
/
cloudfront.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
locals {
cf_origin_id = "api_gateway_saml"
}
data "aws_route53_zone" "this" {
provider = aws.Perimeter-account
name = var.domain_name
}
resource "aws_route53_record" "login_app" {
provider = aws.Perimeter-account
zone_id = data.aws_route53_zone.this.zone_id
name = "login.${var.domain_name}"
type = "A"
alias {
name = aws_cloudfront_distribution.geofencing.domain_name
zone_id = aws_cloudfront_distribution.geofencing.hosted_zone_id
evaluate_target_health = false
}
}
resource "aws_acm_certificate" "this" {
provider = aws.iam-security-account-us-east-1
domain_name = "login.${var.domain_name}"
validation_method = "DNS"
lifecycle {
create_before_destroy = true
}
}
resource "aws_route53_record" "this_acm" {
provider = aws.Perimeter-account
for_each = {
for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
}
}
allow_overwrite = true
name = each.value.name
records = [each.value.record]
ttl = 60
type = each.value.type
zone_id = data.aws_route53_zone.this.zone_id
}
resource "aws_acm_certificate_validation" "this" {
provider = aws.iam-security-account-us-east-1
certificate_arn = aws_acm_certificate.this.arn
validation_record_fqdns = [for record in aws_route53_record.this_acm : record.fqdn]
}
resource "aws_cloudfront_distribution" "geofencing" {
provider = aws.iam-security-account
depends_on = [
aws_api_gateway_deployment.samlpost]
origin {
custom_origin_config {
http_port = 80
https_port = 443
origin_protocol_policy = "https-only"
origin_ssl_protocols = [
"TLSv1.2"]
}
domain_name = trimsuffix(trimprefix(aws_api_gateway_deployment.samlpost.invoke_url, "https://"), "/${aws_api_gateway_deployment.samlpost.stage_name}")
origin_id = local.cf_origin_id
}
enabled = true
is_ipv6_enabled = true
comment = "geofencing"
// - logging should probably be in a central location (centralized-logging account?) - in an aggregated/shared bucket and perhaps also synced into a bucket within the account where the aws-login app is deployed
// - prefix should follow SEA convention like <account>/<region>/<service name> eg. 12345678/ca-central-1/cloudfront
//
// logging_config {
// include_cookies = false
// bucket = "<mylogs>.s3.amazonaws.com"
// prefix = "geofencing"
// }
default_cache_behavior {
allowed_methods = [
"DELETE",
"GET",
"HEAD",
"OPTIONS",
"PATCH",
"POST",
"PUT"]
cached_methods = [
"GET",
"HEAD"]
target_origin_id = local.cf_origin_id
forwarded_values {
query_string = true
cookies {
forward = "all"
}
}
viewer_protocol_policy = "redirect-to-https"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}
aliases = ["login.${var.domain_name}"]
default_root_object = "${aws_api_gateway_deployment.samlpost.stage_name}/redirect"
price_class = "PriceClass_100"
restrictions {
geo_restriction {
restriction_type = "whitelist"
locations = [
"CA"]
}
}
tags = local.common_tags
viewer_certificate {
cloudfront_default_certificate = false
acm_certificate_arn = aws_acm_certificate_validation.this.certificate_arn
minimum_protocol_version = "TLSv1.2_2021"
ssl_support_method = "sni-only"
}
}
output "cloudfront_url" {
value = "https://${aws_cloudfront_distribution.geofencing.domain_name}/${aws_api_gateway_deployment.samlpost.stage_name}"
}
output "login_domain_name" {
value = "https://login.${var.domain_name}/${aws_api_gateway_deployment.samlpost.stage_name}"
}