UKHomeOffice · beckywhitemartin · Oct 18, 2024 · Oct 18, 2024 · Oct 18, 2024 · Oct 21, 2024
diff --git a/WAF.tf b/WAF.tf
@@ -1,4 +1,5 @@
 resource "aws_wafv2_web_acl" "default" {
+  for_each    = toset(var.tenant_vars)
   name        = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}"
   description = "Static Site WAF rule for ${var.tenant_vars.product} ${var.tenant_vars.component}"
   scope       = "CLOUDFRONT"

diff --git a/cloudfront.tf b/cloudfront.tf
@@ -1,21 +1,23 @@
 resource "aws_cloudfront_origin_access_control" "static_site_identity" {
-  name                              = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}"
-  description                       = "Origin access control for ${var.tenant_vars.product} ${var.tenant_vars.component}"
+  for_each                          = toset(var.tenant_vars)
+  name                              = "cc-static-site-${each.value.product}-${each.value.component}"
+  description                       = "Origin access control for ${each.value.product} ${each.value.component}"
   origin_access_control_origin_type = "s3"
   signing_behavior                  = "always"
   signing_protocol                  = "sigv4"
 }
 
 resource "aws_cloudfront_distribution" "static_site_distribution" {
+  for_each                   = toset(var.tenant_vars)
   origin {
-    domain_name              = aws_s3_bucket.static_site.bucket_regional_domain_name
-    origin_id                = aws_s3_bucket.static_site.id
-    origin_access_control_id = aws_cloudfront_origin_access_control.static_site_identity.id
+    domain_name              = aws_s3_bucket.static_site[each.key].bucket_regional_domain_name
+    origin_id                = aws_s3_bucket.static_site[each.key].id
+    origin_access_control_id = aws_cloudfront_origin_access_control.static_site_identity[each.key].id
   }
 
   enabled             = true
   is_ipv6_enabled     = true
-  comment             = "Cloudfront distribution for ${var.tenant_vars.product} ${var.tenant_vars.component}"
+  comment             = "Cloudfront distribution for ${each.value.product} ${each.value.component}"
   default_root_object = "index.html"
 
   # logging_config {
@@ -24,12 +26,12 @@ resource "aws_cloudfront_distribution" "static_site_distribution" {
   #   prefix          = "myprefix"
   # }
 
-  aliases = var.tenant_vars.cloudfront_aliases
+  aliases = each.value.cloudfront_aliases
 
   default_cache_behavior {
     allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
     cached_methods   = ["GET", "HEAD"]
-    target_origin_id = aws_s3_bucket.static_site.id
+    target_origin_id = aws_s3_bucket.static_site[each.key].id
 
     forwarded_values {
       query_string = false
@@ -46,7 +48,7 @@ resource "aws_cloudfront_distribution" "static_site_distribution" {
 
     function_association {
       event_type   = "viewer-request"
-      function_arn = var.tenant_vars.cloudfront_function_rewrite_arn
+      function_arn = each.value.cloudfront_function_rewrite_arn
     }
 
   }
@@ -70,10 +72,10 @@ resource "aws_cloudfront_distribution" "static_site_distribution" {
   tags = local.common_tags
 
   viewer_certificate {
-    acm_certificate_arn            = var.tenant_vars.cloudfront_cert
+    acm_certificate_arn            = each.value.cloudfront_cert
     minimum_protocol_version       = "TLSv1.2_2021"
     cloudfront_default_certificate = "false"
     ssl_support_method             = "sni-only"
   }
-  web_acl_id = aws_wafv2_web_acl.default.arn
+  web_acl_id = aws_wafv2_web_acl.default[each.key].arn
 }
diff --git a/iam.tf b/iam.tf
@@ -5,7 +5,8 @@ locals {
 }
 
 resource "aws_iam_role" "static_site_actions_push" {
-  name = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}"
+  for_each           = toset(var.tenant_vars)
+  name               = "cc-static-site-${each.value.product}-${each.value.component}"
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
@@ -18,7 +19,7 @@ resource "aws_iam_role" "static_site_actions_push" {
         }
         Condition = {
           StringLike = {
-            "token.actions.githubusercontent.com:sub" : "repo:${var.tenant_vars.repository}:environment:${var.tenant_vars.github_environment_name}"
+            "token.actions.githubusercontent.com:sub" : "repo:${each.value.repository}:environment:${each.value.github_environment_name}"
             "sts:RoleSessionName" : "GitHubActions"
           }
           StringEquals = {
@@ -33,16 +34,19 @@ resource "aws_iam_role" "static_site_actions_push" {
 
 
 resource "aws_iam_role_policy_attachment" "static_site_policy_attachment" {
-  policy_arn = aws_iam_policy.static_site_policy.arn
-  role       = aws_iam_role.static_site_actions_push.name
+  for_each   = toset(var.tenant_vars)
+  policy_arn = aws_iam_policy.static_site_policy[each.key].arn
+  role       = aws_iam_role.static_site_actions_push[each.key].name
 }
 
 resource "aws_iam_policy" "static_site_policy" {
-  name   = "static-site-iam-policy"
-  policy = data.aws_iam_policy_document.static_site_policy_document.json
+  for_each = toset(var.tenant_vars)
+  name     = "static-site-iam-policy"
+  policy   = data.aws_iam_policy_document.static_site_policy_document[each.key].json
 }
 
 data "aws_iam_policy_document" "static_site_policy_document" {
+  for_each = toset(var.tenant_vars)
   statement {
     sid = "WriteToBucket"
 
@@ -73,8 +77,8 @@ data "aws_iam_policy_document" "static_site_policy_document" {
     ]
 
     resources = [
-      "arn:aws:s3:::${aws_s3_bucket.static_site.id}",
-      "arn:aws:s3:::${aws_s3_bucket.static_site.id}/*"
+      "arn:aws:s3:::${aws_s3_bucket.static_site[each.key].id}",
+      "arn:aws:s3:::${aws_s3_bucket.static_site[each.key].id}/*"
     ]
   }
   statement {
@@ -93,7 +97,7 @@ data "aws_iam_policy_document" "static_site_policy_document" {
     ]
 
     resources = [
-      aws_kms_key.static_site_kms.arn,
+      aws_kms_key.static_site_kms[each.key].arn,
     ]
   }
   statement {
@@ -104,7 +108,7 @@ data "aws_iam_policy_document" "static_site_policy_document" {
     ]
 
     resources = [
-      aws_cloudfront_distribution.static_site_distribution.arn,
+      aws_cloudfront_distribution.static_site_distribution[each.key].arn,
     ]
   }
 }
diff --git a/kms.tf b/kms.tf
@@ -1,12 +1,14 @@
 resource "aws_kms_key" "static_site_kms" {
+  for_each            = toset(var.tenant_vars)
   enable_key_rotation = true
   tags                = local.common_tags
 }
 
 
 resource "aws_kms_key_policy" "static_site_kms_policy" {
-  key_id = aws_kms_key.static_site_kms.id
-  policy = jsonencode({
+  for_each = toset(var.tenant_vars)
+  key_id   = aws_kms_key.static_site_kms[each.key].id
+  policy   = jsonencode({
     "Version" : "2012-10-17",
     "Id" : "static_site_kms_policy",
     "Statement" : [
@@ -33,7 +35,7 @@ resource "aws_kms_key_policy" "static_site_kms_policy" {
         "Resource" : "*",
         "Condition" : {
           "StringEquals" : {
-            "aws:SourceArn" : aws_cloudfront_distribution.static_site_distribution.arn
+            "aws:SourceArn" : aws_cloudfront_distribution.static_site_distribution[each.key].arn
           }
         }
       }
@@ -42,7 +44,7 @@ resource "aws_kms_key_policy" "static_site_kms_policy" {
 }
 
 resource "aws_kms_alias" "static_site_kms_alias" {
-  name          = "alias/static_site/${aws_s3_bucket.static_site.id}"
-  target_key_id = aws_kms_key.static_site_kms.key_id
+  for_each      = toset(var.tenant_vars)
+  name          = "alias/static_site/${aws_s3_bucket.static_site[each.key].id}"
+  target_key_id = aws_kms_key.static_site_kms[each.key].key_id
 }
-
diff --git a/outputs.tf b/outputs.tf
@@ -1,9 +1,9 @@
 output "s3_bucket_name" {
   description = "Output the name of the bucket to use in deployment"
-  value       = aws_s3_bucket.static_site.id
+  value       = values(aws_s3_bucket.static_site)[*].id
 }
 
 output "cloudfront_distribution_domain_name" {
   description = "The domain name corresponding to the distribution."
-  value       = aws_cloudfront_distribution.static_site_distribution.domain_name
+  value       = values(aws_cloudfront_distribution.static_site_distribution)[*].domain_name
 }
diff --git a/storage.tf b/storage.tf
@@ -1,11 +1,13 @@
 resource "aws_s3_bucket" "static_site" {
-  bucket = "cc-static-site-${var.tenant_vars.product}-${var.tenant_vars.component}"
+  for_each = toset(var.tenant_vars)
+  bucket   = "cc-static-site-${each.value.product}-${each.value.component}"
 
   tags = local.common_tags
 }
 
 resource "aws_s3_bucket_public_access_block" "static_site_acl" {
-  bucket = aws_s3_bucket.static_site.id
+  for_each = toset(var.tenant_vars)
+  bucket   = aws_s3_bucket.static_site[each.key].id
 
   block_public_acls       = true
   block_public_policy     = true
@@ -14,17 +16,19 @@ resource "aws_s3_bucket_public_access_block" "static_site_acl" {
 }
 
 resource "aws_s3_bucket_versioning" "static_site_versioning" {
-  bucket = aws_s3_bucket.static_site.id
+  for_each = toset(var.tenant_vars)
+  bucket   = aws_s3_bucket.static_site[each.key].id
   versioning_configuration {
     status = "Enabled"
   }
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "static_site_encryption" {
-  bucket = aws_s3_bucket.static_site.id
+  for_each = toset(var.tenant_vars)
+  bucket   = aws_s3_bucket.static_site[each.key].id
   rule {
     apply_server_side_encryption_by_default {
-      kms_master_key_id = aws_kms_key.static_site_kms.arn
+      kms_master_key_id = aws_kms_key.static_site_kms[each.key].arn
       sse_algorithm     = "aws:kms"
     }
     bucket_key_enabled = true
@@ -33,6 +37,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "static_site_encry
 
 
 data "aws_iam_policy_document" "static_site_iam_storage_policy_document" {
+  for_each = toset(var.tenant_vars)
   statement {
     sid    = "AllowCloudFrontServicePrincipalReadOnly"
     effect = "Allow"
@@ -44,12 +49,12 @@ data "aws_iam_policy_document" "static_site_iam_storage_policy_document" {
       "s3:GetObject"
     ]
     resources = [
-      "arn:aws:s3:::${aws_s3_bucket.static_site.id}/*"
+      "arn:aws:s3:::${aws_s3_bucket.static_site[each.key].id}/*"
     ]
     condition {
       test     = "StringEquals"
       variable = "aws:SourceArn"
-      values   = [aws_cloudfront_distribution.static_site_distribution.arn]
+      values   = [aws_cloudfront_distribution.static_site_distribution[each.key].arn]
     }
   }
   statement {
@@ -63,18 +68,19 @@ data "aws_iam_policy_document" "static_site_iam_storage_policy_document" {
       "s3:ListBucket"
     ]
     resources = [
-      "arn:aws:s3:::${aws_s3_bucket.static_site.id}"
+      "arn:aws:s3:::${aws_s3_bucket.static_site[each.key].id}"
     ]
     condition {
       test     = "StringEquals"
       variable = "aws:SourceArn"
-      values   = [aws_cloudfront_distribution.static_site_distribution.arn]
+      values   = [aws_cloudfront_distribution.static_site_distribution[each.key].arn]
     }
   }
 }
 
 resource "aws_s3_bucket_policy" "static_site_policy" {
-  bucket     = aws_s3_bucket.static_site.id
-  policy     = data.aws_iam_policy_document.static_site_iam_storage_policy_document.json
+  for_each   = toset(var.tenant_vars)
+  bucket     = aws_s3_bucket.static_site[each.key].id
+  policy     = data.aws_iam_policy_document.static_site_iam_storage_policy_document[each.key].json
   depends_on = [aws_s3_bucket_public_access_block.static_site_acl]
 }