diff --git a/WAF.tf b/WAF.tf
index 1f3c686..f3b3e2e 100644
--- a/WAF.tf
+++ b/WAF.tf
@@ -1,4 +1,5 @@
 resource "aws_wafv2_web_acl" "default" {
+ for_each = toset(var.tenant_vars)
 name = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}"
 description = "Static Site WAF rule for ${var.tenant_vars.product} ${var.tenant_vars.component}"
 scope = "CLOUDFRONT"
diff --git a/cloudfront.tf b/cloudfront.tf
index 60dfb95..27e2581 100644
--- a/cloudfront.tf
+++ b/cloudfront.tf
@@ -1,21 +1,23 @@
 resource "aws_cloudfront_origin_access_control" "static_site_identity" {
- name = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}"
- description = "Origin access control for ${var.tenant_vars.product} ${var.tenant_vars.component}"
+ for_each = toset(var.tenant_vars)
+ name = "cc-static-site-${each.value.product}-${each.value.component}"
+ description = "Origin access control for ${each.value.product} ${each.value.component}"
 origin_access_control_origin_type = "s3"
 signing_behavior = "always"
 signing_protocol = "sigv4"
 }
 resource "aws_cloudfront_distribution" "static_site_distribution" {
+ for_each = toset(var.tenant_vars)
 origin {
- domain_name = aws_s3_bucket.static_site.bucket_regional_domain_name
- origin_id = aws_s3_bucket.static_site.id
- origin_access_control_id = aws_cloudfront_origin_access_control.static_site_identity.id
+ domain_name = aws_s3_bucket.static_site[each.key].bucket_regional_domain_name
+ origin_id = aws_s3_bucket.static_site[each.key].id
+ origin_access_control_id = aws_cloudfront_origin_access_control.static_site_identity[each.key].id
 }
 enabled = true
 is_ipv6_enabled = true
- comment = "Cloudfront distribution for ${var.tenant_vars.product} ${var.tenant_vars.component}"
+ comment = "Cloudfront distribution for ${each.value.product} ${each.value.component}"
 default_root_object = "index.html"
 # logging_config {
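Review bot: `name` and `description` in the WAF resource still read `var.tenant_vars.product` and `var.tenant_vars.component` after `for_each = toset(var.tenant_vars)` is added, while every other file in this commit switched to `each.value.*`; once `tenant_vars` is a collection those attribute lookups fail at plan time, so they should become `name = "cc-static-site-${each.value.product}-${each.value.component}"` and `description = "Static Site WAF rule for ${each.value.product} ${each.value.component}"`. Separately, `for_each` accepts a map or a set of strings, and the `each.value.product` references elsewhere imply the elements are objects, so `toset(var.tenant_vars)` is likely to be rejected as an unsuitable for_each value. A map keyed by a stable tenant id, e.g. `for_each = { for t in var.tenant_vars : "${t.product}-${t.component}" => t }`, defined once in a local and reused, keeps the keys identical across WAF.tf, cloudfront.tf, iam.tf, kms.tf and storage.tf (which the `[each.key]` cross-references require) and avoids recreating every tenant's resources when the list order changes. The resource body continues past the hunk.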
@@ -24,12 +26,12 @@ resource "aws_cloudfront_distribution" "static_site_distribution" {
 # prefix = "myprefix"
 # }
- aliases = var.tenant_vars.cloudfront_aliases
+ aliases = each.value.cloudfront_aliases
 default_cache_behavior {
 allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
 cached_methods = ["GET", "HEAD"]
- target_origin_id = aws_s3_bucket.static_site.id
+ target_origin_id = aws_s3_bucket.static_site[each.key].id
 forwarded_values {
 query_string = false
@@ -46,7 +48,7 @@ resource "aws_cloudfront_distribution" "static_site_distribution" {
 function_association {
 event_type = "viewer-request"
- function_arn = var.tenant_vars.cloudfront_function_rewrite_arn
+ function_arn = each.value.cloudfront_function_rewrite_arn
 }
 }
@@ -70,10 +72,10 @@ resource "aws_cloudfront_distribution" "static_site_distribution" {
 tags = local.common_tags
 viewer_certificate {
- acm_certificate_arn = var.tenant_vars.cloudfront_cert
+ acm_certificate_arn = each.value.cloudfront_cert
 minimum_protocol_version = "TLSv1.2_2021"
 cloudfront_default_certificate = "false"
 ssl_support_method = "sni-only"
 }
- web_acl_id = aws_wafv2_web_acl.default.arn
+ web_acl_id = aws_wafv2_web_acl.default[each.key].arn
 }
diff --git a/iam.tf b/iam.tf
index be0e1d2..d89f209 100644
--- a/iam.tf
+++ b/iam.tf
@@ -5,7 +5,8 @@ locals {
 }
 resource "aws_iam_role" "static_site_actions_push" {
- name = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}"
+ for_each = toset(var.tenant_vars)
+ name = "cc-static-site-${each.value.product}-${each.value.component}"
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
 Statement = [
@@ -18,7 +19,7 @@ resource "aws_iam_role" "static_site_actions_push" {
 }
 Condition = {
 StringLike = {
- "token.actions.githubusercontent.com:sub" : "repo:${var.tenant_vars.repository}:environment:${var.tenant_vars.github_environment_name}"
+ "token.actions.githubusercontent.com:sub" : "repo:${each.value.repository}:environment:${each.value.github_environment_name}"
 "sts:RoleSessionName" : "GitHubActions"
 }
 StringEquals = {
@@ -33,16 +34,19 @@ resource "aws_iam_role" "static_site_actions_push" {
 resource "aws_iam_role_policy_attachment" "static_site_policy_attachment" {
- policy_arn = aws_iam_policy.static_site_policy.arn
- role = aws_iam_role.static_site_actions_push.name
+ for_each = toset(var.tenant_vars)
+ policy_arn = aws_iam_policy.static_site_policy[each.key].arn
+ role = aws_iam_role.static_site_actions_push[each.key].name
 }
 resource "aws_iam_policy" "static_site_policy" {
- name = "static-site-iam-policy"
- policy = data.aws_iam_policy_document.static_site_policy_document.json
+ for_each = toset(var.tenant_vars)
+ name = "static-site-iam-policy"
+ policy = data.aws_iam_policy_document.static_site_policy_document[each.key].json
 }
 data "aws_iam_policy_document" "static_site_policy_document" {
+ for_each = toset(var.tenant_vars)
 statement {
 sid = "WriteToBucket"
@@ -73,8 +77,8 @@ data "aws_iam_policy_document" "static_site_policy_document" {
 ]
 resources = [
- "arn:aws:s3:::${aws_s3_bucket.static_site.id}",
- "arn:aws:s3:::${aws_s3_bucket.static_site.id}/*"
+ "arn:aws:s3:::${aws_s3_bucket.static_site[each.key].id}",
+ "arn:aws:s3:::${aws_s3_bucket.static_site[each.key].id}/*"
 ]
 }
 statement {
@@ -93,7 +97,7 @@ data "aws_iam_policy_document" "static_site_policy_document" {
 ]
 resources = [
- aws_kms_key.static_site_kms.arn,
+ aws_kms_key.static_site_kms[each.key].arn,
 ]
 }
 statement {
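Review bot: The `StringLike` condition on the new `token.actions.githubusercontent.com:sub` line now interpolates tenant-supplied `repository` and `github_environment_name`; because `StringLike` treats `*` and `?` as wildcards, a tenant value containing either would widen which GitHub repositories or environments may assume this role. Unless wildcard matching is intended, move the `sub` match into the `StringEquals` block that already follows it, or add a `validation` block on `var.tenant_vars` that rejects `*` and `?` in those two fields. The role's trust policy starts and ends outside this hunk.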
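Review bot: `aws_iam_policy.static_site_policy` gains `for_each` but keeps the fixed `name = "static-site-iam-policy"`, so the second tenant instance collides with the first (IAM policy names are unique within an account) and the apply fails with an already-exists error. Give it a per-tenant name consistent with the role in the same file, `name = "cc-static-site-${each.value.product}-${each.value.component}"`. The attachment and policy document below it key on `[each.key]` correctly.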
@@ -104,7 +108,7 @@ data "aws_iam_policy_document" "static_site_policy_document" {
 ]
 resources = [
- aws_cloudfront_distribution.static_site_distribution.arn,
+ aws_cloudfront_distribution.static_site_distribution[each.key].arn,
 ]
 }
 }
diff --git a/kms.tf b/kms.tf
index 587ae0f..4c909fe 100644
--- a/kms.tf
+++ b/kms.tf
@@ -1,12 +1,14 @@
 resource "aws_kms_key" "static_site_kms" {
+ for_each = toset(var.tenant_vars)
 enable_key_rotation = true
 tags = local.common_tags
 }
 resource "aws_kms_key_policy" "static_site_kms_policy" {
- key_id = aws_kms_key.static_site_kms.id
- policy = jsonencode({
+ for_each = toset(var.tenant_vars)
+ key_id = aws_kms_key.static_site_kms[each.key].id
+ policy = jsonencode({
 "Version" : "2012-10-17",
 "Id" : "static_site_kms_policy",
 "Statement" : [
@@ -33,7 +35,7 @@ resource "aws_kms_key_policy" "static_site_kms_policy" {
 "Resource" : "*",
 "Condition" : {
 "StringEquals" : {
- "aws:SourceArn" : aws_cloudfront_distribution.static_site_distribution.arn
+ "aws:SourceArn" : aws_cloudfront_distribution.static_site_distribution[each.key].arn
 }
 }
 }
@@ -42,7 +44,7 @@ resource "aws_kms_key_policy" "static_site_kms_policy" {
 }
 resource "aws_kms_alias" "static_site_kms_alias" {
- name = "alias/static_site/${aws_s3_bucket.static_site.id}"
- target_key_id = aws_kms_key.static_site_kms.key_id
+ for_each = toset(var.tenant_vars)
+ name = "alias/static_site/${aws_s3_bucket.static_site[each.key].id}"
+ target_key_id = aws_kms_key.static_site_kms[each.key].key_id
 }
-
diff --git a/outputs.tf b/outputs.tf
index 5ad071b..f663857 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,9 +1,9 @@
 output "s3_bucket_name" {
 description = "Output the name of the bucket to use in deployment"
- value = aws_s3_bucket.static_site.id
+ value = values(aws_s3_bucket.static_site)[*].id
 }
 output "cloudfront_distribution_domain_name" {
 description = "The domain name corresponding to the distribution."
- value = aws_cloudfront_distribution.static_site_distribution.domain_name
+ value = values(aws_cloudfront_distribution.static_site_distribution)[*].domain_name
 }
diff --git a/storage.tf b/storage.tf
index 4e9407f..380a981 100644
--- a/storage.tf
+++ b/storage.tf
@@ -1,11 +1,13 @@
 resource "aws_s3_bucket" "static_site" {
- bucket = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}"
+ for_each = toset(var.tenant_vars)
+ bucket = "cc-static-site-${each.value.product}-${each.value.component}"
 tags = local.common_tags
 }
 resource "aws_s3_bucket_public_access_block" "static_site_acl" {
- bucket = aws_s3_bucket.static_site.id
+ for_each = toset(var.tenant_vars)
+ bucket = aws_s3_bucket.static_site[each.key].id
 block_public_acls = true
 block_public_policy = true
@@ -14,17 +16,19 @@ resource "aws_s3_bucket_public_access_block" "static_site_acl" {
 }
 resource "aws_s3_bucket_versioning" "static_site_versioning" {
- bucket = aws_s3_bucket.static_site.id
+ for_each = toset(var.tenant_vars)
+ bucket = aws_s3_bucket.static_site[each.key].id
 versioning_configuration {
 status = "Enabled"
 }
 }
 resource "aws_s3_bucket_server_side_encryption_configuration" "static_site_encryption" {
- bucket = aws_s3_bucket.static_site.id
+ for_each = toset(var.tenant_vars)
+ bucket = aws_s3_bucket.static_site[each.key].id
 rule {
 apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.static_site_kms.arn
+ kms_master_key_id = aws_kms_key.static_site_kms[each.key].arn
 sse_algorithm = "aws:kms"
 }
 bucket_key_enabled = true
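Review bot: `values(aws_s3_bucket.static_site)[*].id` and the matching `domain_name` output turn both outputs into lists ordered by map key, so a consumer can no longer tell which bucket or distribution belongs to which tenant, and any caller that expected a single string now breaks. A map keyed by the same `each.key` the resources use, e.g. `value = { for k, b in aws_s3_bucket.static_site : k => b.id }` (and the same shape for the distribution domain names), keeps the tenant association explicit. If the list form must stay for compatibility, the `description` should state that the element order follows the for_each keys.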
@@ -33,6 +37,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "static_site_encry
 data "aws_iam_policy_document" "static_site_iam_storage_policy_document" {
+ for_each = toset(var.tenant_vars)
 statement {
 sid = "AllowCloudFrontServicePrincipalReadOnly"
 effect = "Allow"
@@ -44,12 +49,12 @@ data "aws_iam_policy_document" "static_site_iam_storage_policy_document" {
 "s3:GetObject"
 ]
 resources = [
- "arn:aws:s3:::${aws_s3_bucket.static_site.id}/*"
+ "arn:aws:s3:::${aws_s3_bucket.static_site[each.key].id}/*"
 ]
 condition {
 test = "StringEquals"
 variable = "aws:SourceArn"
- values = [aws_cloudfront_distribution.static_site_distribution.arn]
+ values = [aws_cloudfront_distribution.static_site_distribution[each.key].arn]
 }
 }
 statement {
@@ -63,18 +68,19 @@ data "aws_iam_policy_document" "static_site_iam_storage_policy_document" {
 "s3:ListBucket"
 ]
 resources = [
- "arn:aws:s3:::${aws_s3_bucket.static_site.id}"
+ "arn:aws:s3:::${aws_s3_bucket.static_site[each.key].id}"
 ]
 condition {
 test = "StringEquals"
 variable = "aws:SourceArn"
- values = [aws_cloudfront_distribution.static_site_distribution.arn]
+ values = [aws_cloudfront_distribution.static_site_distribution[each.key].arn]
 }
 }
 }
 resource "aws_s3_bucket_policy" "static_site_policy" {
- bucket = aws_s3_bucket.static_site.id
- policy = data.aws_iam_policy_document.static_site_iam_storage_policy_document.json
+ for_each = toset(var.tenant_vars)
+ bucket = aws_s3_bucket.static_site[each.key].id
+ policy = data.aws_iam_policy_document.static_site_iam_storage_policy_document[each.key].json
 depends_on = [aws_s3_bucket_public_access_block.static_site_acl]
 }