From 0c0c60c8f9d3d2267b2c674e2d756a4347283ea1 Mon Sep 17 00:00:00 2001 From: Rebecca Whitehurst-Martin Date: Fri, 18 Oct 2024 11:48:33 +0100 Subject: [PATCH 1/9] updates module to create resources for each static-sites sub-directory --- WAF.tf | 1 + cloudfront.tf | 2 ++ iam.tf | 10 +++++++--- kms.tf | 8 +++++--- storage.tf | 13 +++++++++---- 5 files changed, 24 insertions(+), 10 deletions(-) diff --git a/WAF.tf b/WAF.tf index 1f3c686..ee2b7df 100644 --- a/WAF.tf +++ b/WAF.tf @@ -1,4 +1,5 @@ resource "aws_wafv2_web_acl" "default" { + for_each = toset(local.ss_dirs) name = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}" description = "Static Site WAF rule for ${var.tenant_vars.product} ${var.tenant_vars.component}" scope = "CLOUDFRONT" diff --git a/cloudfront.tf b/cloudfront.tf index 60dfb95..2edefb3 100644 --- a/cloudfront.tf +++ b/cloudfront.tf @@ -1,4 +1,5 @@ resource "aws_cloudfront_origin_access_control" "static_site_identity" { + for_each = toset(local.ss_dirs) name = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}" description = "Origin access control for ${var.tenant_vars.product} ${var.tenant_vars.component}" origin_access_control_origin_type = "s3" @@ -7,6 +8,7 @@ resource "aws_cloudfront_origin_access_control" "static_site_identity" { } resource "aws_cloudfront_distribution" "static_site_distribution" { + for_each = toset(local.ss_dirs) origin { domain_name = aws_s3_bucket.static_site.bucket_regional_domain_name origin_id = aws_s3_bucket.static_site.id diff --git a/iam.tf b/iam.tf index be0e1d2..d335c2a 100644 --- a/iam.tf +++ b/iam.tf @@ -5,7 +5,8 @@ locals { } resource "aws_iam_role" "static_site_actions_push" { - name = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}" + for_each = toset(local.ss_dirs) + name = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [ 
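Review bot: Every instance created by the new `for_each` on `aws_wafv2_web_acl.default` still receives the same `name`, `cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}`, because the name and description lines are not keyed on the iteration value, and the OAC name, the IAM role name and the bucket name in the following hunks have the same shape. Web ACL (per scope), origin access control, IAM role and S3 bucket names must be unique, so the second instance fails at apply. Patch 2/9 moves the other resources to `each.value.product`, but WAF.tf is never updated (patch 3/9 only changes its `for_each`), and `name = "static-site-iam-policy"` in iam.tf stays a fixed literal through the whole series, which collides the same way. `local.ss_dirs` is referenced but not defined in any hunk of this series; presumably it lives in an untouched file, but that is not visible here.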
@@ -33,16 +34,19 @@ resource "aws_iam_role" "static_site_actions_push" { resource "aws_iam_role_policy_attachment" "static_site_policy_attachment" { +for_each = toset(local.ss_dirs) policy_arn = aws_iam_policy.static_site_policy.arn role = aws_iam_role.static_site_actions_push.name } resource "aws_iam_policy" "static_site_policy" { - name = "static-site-iam-policy" - policy = data.aws_iam_policy_document.static_site_policy_document.json + for_each = toset(local.ss_dirs) + name = "static-site-iam-policy" + policy = data.aws_iam_policy_document.static_site_policy_document.json } data "aws_iam_policy_document" "static_site_policy_document" { + for_each = toset(local.ss_dirs) statement { sid = "WriteToBucket" diff --git a/kms.tf b/kms.tf index 587ae0f..770584d 100644 --- a/kms.tf +++ b/kms.tf @@ -1,12 +1,14 @@ resource "aws_kms_key" "static_site_kms" { + for_each = toset(local.ss_dirs) enable_key_rotation = true tags = local.common_tags } resource "aws_kms_key_policy" "static_site_kms_policy" { - key_id = aws_kms_key.static_site_kms.id - policy = jsonencode({ + for_each = toset(local.ss_dirs) + key_id = aws_kms_key.static_site_kms.id + policy = jsonencode({ "Version" : "2012-10-17", "Id" : "static_site_kms_policy", "Statement" : [ @@ -42,7 +44,7 @@ resource "aws_kms_key_policy" "static_site_kms_policy" { } resource "aws_kms_alias" "static_site_kms_alias" { + for_each = toset(local.ss_dirs) name = "alias/static_site/${aws_s3_bucket.static_site.id}" target_key_id = aws_kms_key.static_site_kms.key_id } - diff --git a/storage.tf b/storage.tf index 4e9407f..70f60fa 100644 --- a/storage.tf +++ b/storage.tf 
@@ -1,11 +1,13 @@ resource "aws_s3_bucket" "static_site" { - bucket = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}" + for_each = toset(local.ss_dirs) + bucket = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}" tags = local.common_tags } resource "aws_s3_bucket_public_access_block" "static_site_acl" { - bucket = aws_s3_bucket.static_site.id + for_each = toset(local.ss_dirs) + bucket = aws_s3_bucket.static_site.id block_public_acls = true block_public_policy = true @@ -14,14 +16,16 @@ resource "aws_s3_bucket_public_access_block" "static_site_acl" { } resource "aws_s3_bucket_versioning" "static_site_versioning" { - bucket = aws_s3_bucket.static_site.id + for_each = toset(local.ss_dirs) + bucket = aws_s3_bucket.static_site.id versioning_configuration { status = "Enabled" } } resource "aws_s3_bucket_server_side_encryption_configuration" "static_site_encryption" { - bucket = aws_s3_bucket.static_site.id + for_each = toset(local.ss_dirs) + bucket = aws_s3_bucket.static_site.id rule { apply_server_side_encryption_by_default { kms_master_key_id = aws_kms_key.static_site_kms.arn @@ -74,6 +78,7 @@ data "aws_iam_policy_document" "static_site_iam_storage_policy_document" { } resource "aws_s3_bucket_policy" "static_site_policy" { + for_each = toset(local.ss_dirs) bucket = aws_s3_bucket.static_site.id policy = data.aws_iam_policy_document.static_site_iam_storage_policy_document.json depends_on = [aws_s3_bucket_public_access_block.static_site_acl] From 0f0234dace69d4064aafbb3f7ae149a67bfce66d Mon Sep 17 00:00:00 2001 From: Rebecca Whitehurst-Martin Date: Fri, 18 Oct 2024 17:04:51 +0100 Subject: [PATCH 2/9] do an each.value lookup for varibales from the combined tenant list --- cloudfront.tf | 14 +++++++------- iam.tf | 12 ++++++------ kms.tf | 6 +++--- storage.tf | 12 ++++++------ 4 files changed, 22 insertions(+), 22 deletions(-) diff --git a/cloudfront.tf b/cloudfront.tf index 2edefb3..4112f85 100644 --- a/cloudfront.tf 
+++ b/cloudfront.tf @@ -1,7 +1,7 @@ resource "aws_cloudfront_origin_access_control" "static_site_identity" { - for_each = toset(local.ss_dirs) - name = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}" - description = "Origin access control for ${var.tenant_vars.product} ${var.tenant_vars.component}" + for_each = toset(var.tenant_vars) + name = "cc-static-site-${each.value.product}-${each.value.component}" + description = "Origin access control for ${each.value.product} ${each.value.component}" origin_access_control_origin_type = "s3" signing_behavior = "always" signing_protocol = "sigv4" @@ -17,7 +17,7 @@ resource "aws_cloudfront_distribution" "static_site_distribution" { enabled = true is_ipv6_enabled = true - comment = "Cloudfront distribution for ${var.tenant_vars.product} ${var.tenant_vars.component}" + comment = "Cloudfront distribution for ${each.value.product} ${each.value.component}" default_root_object = "index.html" # logging_config { @@ -26,7 +26,7 @@ resource "aws_cloudfront_distribution" "static_site_distribution" { # prefix = "myprefix" # } - aliases = var.tenant_vars.cloudfront_aliases + aliases = each.value.cloudfront_aliases default_cache_behavior { allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] @@ -48,7 +48,7 @@ resource "aws_cloudfront_distribution" "static_site_distribution" { function_association { event_type = "viewer-request" - function_arn = var.tenant_vars.cloudfront_function_rewrite_arn + function_arn = each.value.cloudfront_function_rewrite_arn } } @@ -72,7 +72,7 @@ resource "aws_cloudfront_distribution" "static_site_distribution" { tags = local.common_tags viewer_certificate { - acm_certificate_arn = var.tenant_vars.cloudfront_cert + acm_certificate_arn = each.value.cloudfront_cert minimum_protocol_version = "TLSv1.2_2021" cloudfront_default_certificate = "false" ssl_support_method = "sni-only" diff --git a/iam.tf b/iam.tf index d335c2a..3aaccbb 100644 --- a/iam.tf +++ b/iam.tf 
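Review bot: `for_each = toset(var.tenant_vars)` cannot work together with `each.value.product` on the next line: `for_each` accepts only a map or a set of strings, so if `var.tenant_vars` holds objects (which the `.product` lookup requires) `toset()` yields a set of objects and Terraform rejects it at plan time, and if it holds strings the `.product` lookups fail instead. The same expression is repeated in every resource of this patch and of patches 3/9 through 8/9. A map with a stable string key satisfies both sides and also gives the `[each.key]` indexes added in 4/9 a meaningful key: `for_each = { for t in var.tenant_vars : "${t.product}-${t.component}" => t }`. Changing the key later forces replacement of every instance, including the buckets and KMS keys, so it is worth choosing the final key now.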
@@ -5,8 +5,8 @@ locals { } resource "aws_iam_role" "static_site_actions_push" { - for_each = toset(local.ss_dirs) - name = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}" + for_each = toset(var.tenant_vars) + name = "cc-static-site-${each.value.product}-${each.value.component}" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [ @@ -19,7 +19,7 @@ resource "aws_iam_role" "static_site_actions_push" { } Condition = { StringLike = { - "token.actions.githubusercontent.com:sub" : "repo:${var.tenant_vars.repository}:environment:${var.tenant_vars.github_environment_name}" + "token.actions.githubusercontent.com:sub" : "repo:${each.value.repository}:environment:${each.value.github_environment_name}" "sts:RoleSessionName" : "GitHubActions" } StringEquals = { @@ -34,19 +34,19 @@ resource "aws_iam_role" "static_site_actions_push" { resource "aws_iam_role_policy_attachment" "static_site_policy_attachment" { -for_each = toset(local.ss_dirs) + for_each = toset(var.tenant_vars) policy_arn = aws_iam_policy.static_site_policy.arn role = aws_iam_role.static_site_actions_push.name } resource "aws_iam_policy" "static_site_policy" { - for_each = toset(local.ss_dirs) + for_each = toset(var.tenant_vars) name = "static-site-iam-policy" policy = data.aws_iam_policy_document.static_site_policy_document.json } data "aws_iam_policy_document" "static_site_policy_document" { - for_each = toset(local.ss_dirs) + for_each = toset(var.tenant_vars) statement { sid = "WriteToBucket" diff --git a/kms.tf b/kms.tf index 770584d..c8d0243 100644 --- a/kms.tf +++ b/kms.tf @@ -1,12 +1,12 @@ resource "aws_kms_key" "static_site_kms" { - for_each = toset(local.ss_dirs) + for_each = toset(var.tenant_vars) enable_key_rotation = true tags = local.common_tags } resource "aws_kms_key_policy" "static_site_kms_policy" { - for_each = toset(local.ss_dirs) + for_each = toset(var.tenant_vars) key_id = aws_kms_key.static_site_kms.id policy = jsonencode({ "Version" : "2012-10-17", 
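Review bot: The `token.actions.githubusercontent.com:sub` match in the trust policy is now built from tenant-supplied `each.value.repository` and `each.value.github_environment_name` but sits under `StringLike`, so a `*` or `?` in either value widens which GitHub workflows may assume the role; the pattern needs no wildcards, so it belongs under the `StringEquals` block that follows, or the variable needs a `validation` that rejects wildcard characters. The line `"token.actions.githubusercontent.com:sub" : "repo:${each.value.repository}:environment:${each.value.github_environment_name}"` can move into the `StringEquals` map unchanged. The enclosing `Condition` block starts outside this hunk, so whether `StringLike` is relied on elsewhere in it is not visible here.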
@@ -44,7 +44,7 @@ resource "aws_kms_key_policy" "static_site_kms_policy" { } resource "aws_kms_alias" "static_site_kms_alias" { - for_each = toset(local.ss_dirs) + for_each = toset(var.tenant_vars) name = "alias/static_site/${aws_s3_bucket.static_site.id}" target_key_id = aws_kms_key.static_site_kms.key_id } diff --git a/storage.tf b/storage.tf index 70f60fa..ff18380 100644 --- a/storage.tf +++ b/storage.tf @@ -1,12 +1,12 @@ resource "aws_s3_bucket" "static_site" { - for_each = toset(local.ss_dirs) - bucket = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}" + for_each = toset(var.tenant_vars) + bucket = "cc-static-site-${each.value.product}-${each.value.component}" tags = local.common_tags } resource "aws_s3_bucket_public_access_block" "static_site_acl" { - for_each = toset(local.ss_dirs) + for_each = toset(var.tenant_vars) bucket = aws_s3_bucket.static_site.id block_public_acls = true @@ -16,7 +16,7 @@ resource "aws_s3_bucket_public_access_block" "static_site_acl" { } resource "aws_s3_bucket_versioning" "static_site_versioning" { - for_each = toset(local.ss_dirs) + for_each = toset(var.tenant_vars) bucket = aws_s3_bucket.static_site.id versioning_configuration { status = "Enabled" @@ -24,7 +24,7 @@ resource "aws_s3_bucket_versioning" "static_site_versioning" { } resource "aws_s3_bucket_server_side_encryption_configuration" "static_site_encryption" { - for_each = toset(local.ss_dirs) + for_each = toset(var.tenant_vars) bucket = aws_s3_bucket.static_site.id rule { apply_server_side_encryption_by_default { @@ -78,7 +78,7 @@ data "aws_iam_policy_document" "static_site_iam_storage_policy_document" { } resource "aws_s3_bucket_policy" "static_site_policy" { - for_each = toset(local.ss_dirs) + for_each = toset(var.tenant_vars) bucket = aws_s3_bucket.static_site.id policy = data.aws_iam_policy_document.static_site_iam_storage_policy_document.json depends_on = [aws_s3_bucket_public_access_block.static_site_acl] 
From 40464d3dc5a50c9198de7a7dde0c3703f21f8a32 Mon Sep 17 00:00:00 2001 From: Rebecca Whitehurst-Martin Date: Fri, 18 Oct 2024 17:07:21 +0100 Subject: [PATCH 3/9] do an each.value lookup for varibales from the combined tenant list --- WAF.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WAF.tf b/WAF.tf index ee2b7df..f3b3e2e 100644 --- a/WAF.tf +++ b/WAF.tf @@ -1,5 +1,5 @@ resource "aws_wafv2_web_acl" "default" { - for_each = toset(local.ss_dirs) + for_each = toset(var.tenant_vars) name = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}" description = "Static Site WAF rule for ${var.tenant_vars.product} ${var.tenant_vars.component}" scope = "CLOUDFRONT" From 04190e96347ffc8f95e7c2b75a8e83c842643e29 Mon Sep 17 00:00:00 2001 From: Rebecca Whitehurst-Martin Date: Mon, 21 Oct 2024 13:34:09 +0100 Subject: [PATCH 4/9] refactor module to further support for_each loop --- cloudfront.tf | 12 ++++++------ kms.tf | 4 ++-- outputs.tf | 2 +- storage.tf | 8 ++++---- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/cloudfront.tf b/cloudfront.tf index 4112f85..1026e61 100644 --- a/cloudfront.tf +++ b/cloudfront.tf @@ -8,11 +8,11 @@ resource "aws_cloudfront_origin_access_control" "static_site_identity" { } resource "aws_cloudfront_distribution" "static_site_distribution" { - for_each = toset(local.ss_dirs) + for_each = toset(var.tenant_vars) origin { - domain_name = aws_s3_bucket.static_site.bucket_regional_domain_name - origin_id = aws_s3_bucket.static_site.id - origin_access_control_id = aws_cloudfront_origin_access_control.static_site_identity.id + domain_name = aws_s3_bucket.static_site[each.key].bucket_regional_domain_name + origin_id = aws_s3_bucket.static_site[each.key].id + origin_access_control_id = aws_cloudfront_origin_access_control[each.key].static_site_identity.id } enabled = true 
@@ -31,7 +31,7 @@ resource "aws_cloudfront_distribution" "static_site_distribution" { default_cache_behavior { allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] cached_methods = ["GET", "HEAD"] - target_origin_id = aws_s3_bucket.static_site.id + target_origin_id = aws_s3_bucket.static_site[each.key].id forwarded_values { query_string = false @@ -77,5 +77,5 @@ resource "aws_cloudfront_distribution" "static_site_distribution" { cloudfront_default_certificate = "false" ssl_support_method = "sni-only" } - web_acl_id = aws_wafv2_web_acl.default.arn + web_acl_id = aws_wafv2_web_acl.default[each.key].arn } diff --git a/kms.tf b/kms.tf index c8d0243..3db083d 100644 --- a/kms.tf +++ b/kms.tf @@ -45,6 +45,6 @@ resource "aws_kms_key_policy" "static_site_kms_policy" { resource "aws_kms_alias" "static_site_kms_alias" { for_each = toset(var.tenant_vars) - name = "alias/static_site/${aws_s3_bucket.static_site.id}" - target_key_id = aws_kms_key.static_site_kms.key_id + name = "alias/static_site/${aws_s3_bucket.static_site[each.key].id}" + target_key_id = aws_kms_key.static_site_kms[each.key].key_id } diff --git a/outputs.tf b/outputs.tf index 5ad071b..5cd5be7 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,6 +1,6 @@ output "s3_bucket_name" { description = "Output the name of the bucket to use in deployment" - value = aws_s3_bucket.static_site.id + value = aws_s3_bucket.static_site[each.key].id } output "cloudfront_distribution_domain_name" { diff --git a/storage.tf b/storage.tf index ff18380..5d32df8 100644 --- a/storage.tf +++ b/storage.tf @@ -7,7 +7,7 @@ resource "aws_s3_bucket" "static_site" { resource "aws_s3_bucket_public_access_block" "static_site_acl" { for_each = toset(var.tenant_vars) - bucket = aws_s3_bucket.static_site.id + bucket = aws_s3_bucket.static_site[each.key].id block_public_acls = true block_public_policy = true 
@@ -17,7 +17,7 @@ resource "aws_s3_bucket_public_access_block" "static_site_acl" { resource "aws_s3_bucket_versioning" "static_site_versioning" { for_each = toset(var.tenant_vars) - bucket = aws_s3_bucket.static_site.id + bucket = aws_s3_bucket.static_site[each.key].id versioning_configuration { status = "Enabled" } @@ -25,10 +25,10 @@ resource "aws_s3_bucket_versioning" "static_site_versioning" { resource "aws_s3_bucket_server_side_encryption_configuration" "static_site_encryption" { for_each = toset(var.tenant_vars) - bucket = aws_s3_bucket.static_site.id + bucket = aws_s3_bucket.static_site[each.key].id rule { apply_server_side_encryption_by_default { - kms_master_key_id = aws_kms_key.static_site_kms.arn + kms_master_key_id = aws_kms_key.static_site_kms[each.key].arn sse_algorithm = "aws:kms" } bucket_key_enabled = true From d896b3fdeaba27a1567ec04a104d31de7e56596a Mon Sep 17 00:00:00 2001 From: Rebecca Whitehurst-Martin Date: Mon, 21 Oct 2024 13:39:18 +0100 Subject: [PATCH 5/9] refactor module to further support for_each loop --- cloudfront.tf | 2 +- outputs.tf | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/cloudfront.tf b/cloudfront.tf index 1026e61..27e2581 100644 --- a/cloudfront.tf +++ b/cloudfront.tf @@ -12,7 +12,7 @@ resource "aws_cloudfront_distribution" "static_site_distribution" { origin { domain_name = aws_s3_bucket.static_site[each.key].bucket_regional_domain_name origin_id = aws_s3_bucket.static_site[each.key].id - origin_access_control_id = aws_cloudfront_origin_access_control[each.key].static_site_identity.id + origin_access_control_id = aws_cloudfront_origin_access_control.static_site_identity[each.key].id } enabled = true diff --git a/outputs.tf b/outputs.tf index 5cd5be7..12ecbe9 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,4 +1,5 @@ output "s3_bucket_name" { + for_each = toset(var.tenant_vars) description = "Output the name of the bucket to use in deployment" value = aws_s3_bucket.static_site[each.key].id } 
From 5db94ae517c406d5c76a1e294ecbca1cba68b23b Mon Sep 17 00:00:00 2001 From: Rebecca Whitehurst-Martin Date: Mon, 21 Oct 2024 13:48:55 +0100 Subject: [PATCH 6/9] modify outputs to list all s3 bucket ids --- outputs.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/outputs.tf b/outputs.tf index 12ecbe9..76bdc22 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,7 +1,6 @@ output "s3_bucket_name" { - for_each = toset(var.tenant_vars) description = "Output the name of the bucket to use in deployment" - value = aws_s3_bucket.static_site[each.key].id + value = values(aws_s3_bucket.static_site)[*].id } output "cloudfront_distribution_domain_name" { From fcb3afdf02ca46286ebe74dd6ea66b6ab3313191 Mon Sep 17 00:00:00 2001 From: Rebecca Whitehurst-Martin Date: Mon, 21 Oct 2024 13:56:57 +0100 Subject: [PATCH 7/9] modify later values in plan to support per-iteration loop --- iam.tf | 8 ++++---- kms.tf | 4 ++-- outputs.tf | 2 +- storage.tf | 8 ++++---- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/iam.tf b/iam.tf index 3aaccbb..fd80cbd 100644 --- a/iam.tf +++ b/iam.tf @@ -77,8 +77,8 @@ data "aws_iam_policy_document" "static_site_policy_document" { ] resources = [ - "arn:aws:s3:::${aws_s3_bucket.static_site.id}", - "arn:aws:s3:::${aws_s3_bucket.static_site.id}/*" + "arn:aws:s3:::${aws_s3_bucket.static_site[each.key].id}", + "arn:aws:s3:::${aws_s3_bucket.static_site[each.key].id}/*" ] } statement { @@ -97,7 +97,7 @@ data "aws_iam_policy_document" "static_site_policy_document" { ] resources = [ - aws_kms_key.static_site_kms.arn, + aws_kms_key.static_site_kms[each.key].arn, ] } statement { @@ -108,7 +108,7 @@ data "aws_iam_policy_document" "static_site_policy_document" { ] resources = [ - aws_cloudfront_distribution.static_site_distribution.arn, + aws_cloudfront_distribution.static_site_distribution[each.key].arn, ] } } diff --git a/kms.tf b/kms.tf index 3db083d..4c909fe 100644 --- a/kms.tf +++ b/kms.tf 
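Review bot: `value = values(aws_s3_bucket.static_site)[*].id` turns `s3_bucket_name` from one string into a list ordered by Terraform's sorted instance key, so a consumer can no longer tell which entry belongs to which tenant without reproducing the `for_each` key order, and adding a tenant shifts the later positions. Exposing the map keeps the per-tenant lookup: `value = { for k, b in aws_s3_bucket.static_site : k => b.id }`. The same applies to `cloudfront_distribution_domain_name` in 7/9, and the description `Output the name of the bucket to use in deployment` should say the output is now a collection keyed by tenant.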
@@ -7,7 +7,7 @@ resource "aws_kms_key" "static_site_kms" { resource "aws_kms_key_policy" "static_site_kms_policy" { for_each = toset(var.tenant_vars) - key_id = aws_kms_key.static_site_kms.id + key_id = aws_kms_key.static_site_kms[each.key].id policy = jsonencode({ "Version" : "2012-10-17", "Id" : "static_site_kms_policy", @@ -35,7 +35,7 @@ resource "aws_kms_key_policy" "static_site_kms_policy" { "Resource" : "*", "Condition" : { "StringEquals" : { - "aws:SourceArn" : aws_cloudfront_distribution.static_site_distribution.arn + "aws:SourceArn" : aws_cloudfront_distribution.static_site_distribution[each.key].arn } } } diff --git a/outputs.tf b/outputs.tf index 76bdc22..f663857 100644 --- a/outputs.tf +++ b/outputs.tf @@ -5,5 +5,5 @@ output "s3_bucket_name" { output "cloudfront_distribution_domain_name" { description = "The domain name corresponding to the distribution." - value = aws_cloudfront_distribution.static_site_distribution.domain_name + value = values(aws_cloudfront_distribution.static_site_distribution)[*].domain_name } diff --git a/storage.tf b/storage.tf index 5d32df8..47b98e3 100644 --- a/storage.tf +++ b/storage.tf @@ -48,12 +48,12 @@ data "aws_iam_policy_document" "static_site_iam_storage_policy_document" { "s3:GetObject" ] resources = [ - "arn:aws:s3:::${aws_s3_bucket.static_site.id}/*" + "arn:aws:s3:::${aws_s3_bucket.static_site[each.key].id}/*" ] condition { test = "StringEquals" variable = "aws:SourceArn" - values = [aws_cloudfront_distribution.static_site_distribution.arn] + values = [aws_cloudfront_distribution.static_site_distribution[each.key].arn] } } statement { 
@@ -67,12 +67,12 @@ data "aws_iam_policy_document" "static_site_iam_storage_policy_document" { "s3:ListBucket" ] resources = [ - "arn:aws:s3:::${aws_s3_bucket.static_site.id}" + "arn:aws:s3:::${aws_s3_bucket.static_site[each.key].id}" ] condition { test = "StringEquals" variable = "aws:SourceArn" - values = [aws_cloudfront_distribution.static_site_distribution.arn] + values = [aws_cloudfront_distribution.static_site_distribution[each.key].arn] } } } From e00f8baea250c35c40bf541c8b0c9666f10e628e Mon Sep 17 00:00:00 2001 From: Rebecca Whitehurst-Martin Date: Mon, 21 Oct 2024 14:02:48 +0100 Subject: [PATCH 8/9] modify later values in plan to support per-iteration loop --- iam.tf | 2 +- storage.tf | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/iam.tf b/iam.tf index fd80cbd..65b253d 100644 --- a/iam.tf +++ b/iam.tf @@ -42,7 +42,7 @@ resource "aws_iam_role_policy_attachment" "static_site_policy_attachment" { resource "aws_iam_policy" "static_site_policy" { for_each = toset(var.tenant_vars) name = "static-site-iam-policy" - policy = data.aws_iam_policy_document.static_site_policy_document.json + policy = data.aws_iam_policy_document.static_site_policy_document[each.key].json } data "aws_iam_policy_document" "static_site_policy_document" { diff --git a/storage.tf b/storage.tf index 47b98e3..84bd886 100644 --- a/storage.tf +++ b/storage.tf @@ -37,6 +37,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "static_site_encry data "aws_iam_policy_document" "static_site_iam_storage_policy_document" { + for_each = toset(var.tenant_vars) statement { sid = "AllowCloudFrontServicePrincipalReadOnly" effect = "Allow" From 807e3c217f4cfc098439dccebc52e753ef704988 Mon Sep 17 00:00:00 2001 From: Rebecca Whitehurst-Martin Date: Mon, 21 Oct 2024 14:08:23 +0100 Subject: [PATCH 9/9] modify later values in plan to support per-iteration loop --- iam.tf | 4 ++-- storage.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/iam.tf b/iam.tf index 65b253d..d89f209 100644 --- a/iam.tf +++ b/iam.tf @@ -35,8 +35,8 @@ resource "aws_iam_role" "static_site_actions_push" { resource "aws_iam_role_policy_attachment" "static_site_policy_attachment" { for_each = toset(var.tenant_vars) - policy_arn = aws_iam_policy.static_site_policy.arn - role = aws_iam_role.static_site_actions_push.name + policy_arn = aws_iam_policy.static_site_policy[each.key].arn + role = aws_iam_role.static_site_actions_push[each.key].name } resource "aws_iam_policy" "static_site_policy" { diff --git a/storage.tf b/storage.tf index 84bd886..380a981 100644 --- a/storage.tf +++ b/storage.tf @@ -80,7 +80,7 @@ data "aws_iam_policy_document" "static_site_iam_storage_policy_document" { resource "aws_s3_bucket_policy" "static_site_policy" { for_each = toset(var.tenant_vars) - bucket = aws_s3_bucket.static_site.id - policy = data.aws_iam_policy_document.static_site_iam_storage_policy_document.json + bucket = aws_s3_bucket.static_site[each.key].id + policy = data.aws_iam_policy_document.static_site_iam_storage_policy_document[each.key].json depends_on = [aws_s3_bucket_public_access_block.static_site_acl] }