eyulf
diff --git a/Diff for: ‎.gitignore
+16-4 b/Diff for: ‎.gitignore
+16-4
diff --git a/Diff for: ‎.pre-commit-config.yaml
+9-4 b/Diff for: ‎.pre-commit-config.yaml
+9-4
diff --git a/Diff for: ‎README.md
+175-70 b/Diff for: ‎README.md
+175-70
diff --git a/Diff for: ‎cloudfront.tf
+95 b/Diff for: ‎cloudfront.tf
+95
diff --git a/Diff for: ‎functions/main.tftpl
+31 b/Diff for: ‎functions/main.tftpl
+31
diff --git a/Diff for: ‎iam-bitbucket.tf
+51 b/Diff for: ‎iam-bitbucket.tf
+51
diff --git a/Diff for: ‎iam-github.tf
+51 b/Diff for: ‎iam-github.tf
+51
diff --git a/Diff for: ‎iam.tf
+26 b/Diff for: ‎iam.tf
+26
diff --git a/Diff for: ‎locals.tf
+18-2 b/Diff for: ‎locals.tf
+18-2
@@ -2,8 +2,20 @@
 **/.terraform/*
 
 # .tfstate files
-*.tfstate
-*.tfstate.*
+**.tfstate
+**.tfstate.*
 
-# .tfvars files
-*.tfvars
+# .plan files
+**.plan
+**.plan.*
+
+# .swp files
+**.swp
+
+# .hcl files
+**.hcl
+!.tflint.hcl
+
+# Checkov
+.external_modules/
+.external_modules/**
@@ -1,8 +1,13 @@
+---
 repos:
-- repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.48.0
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.77.1
   hooks:
     - id: terraform_fmt
-    - id: terraform_tflint
-    - id: terraform_validate
     - id: terraform_docs
+    - id: terraform_tflint
+    - id: terraform_checkov
+      args:
+        - --args=--quiet
+        - --args=--compact
+        - --args=--download-external-modules=True
@@ -0,0 +1,95 @@
+### Cloudfront
+
+data "aws_cloudfront_cache_policy" "this" {
+  name = "Managed-CachingOptimized"
+}
+
+data "aws_cloudfront_origin_request_policy" "this" {
+  name = "Managed-CORS-S3Origin"
+}
+
+data "aws_cloudfront_response_headers_policy" "this" {
+  name = var.cloudfront_response_headers_policy_name
+}
+
+resource "aws_cloudfront_distribution" "this" {
+  aliases             = local.cloudfront_alias
+  comment             = "Static Website for ${var.website_domain}"
+  price_class         = var.cloudfront_price_class
+  enabled             = true
+  is_ipv6_enabled     = true
+  default_root_object = "index.html"
+  http_version        = "http2and3"
+  web_acl_id          = local.cloudfront_web_acl_arn
+
+  origin {
+    domain_name              = aws_s3_bucket.this.bucket_regional_domain_name
+    origin_access_control_id = aws_cloudfront_origin_access_control.this.id
+    origin_id                = "S3-${var.website_domain}"
+  }
+
+  default_cache_behavior {
+    allowed_methods  = var.cloudfront_default_cache_allowed_methods
+    cached_methods   = var.cloudfront_default_cache_cached_methods
+    target_origin_id = "S3-${var.website_domain}"
+
+    viewer_protocol_policy = "redirect-to-https"
+    cache_policy_id            = data.aws_cloudfront_cache_policy.this.id
+    origin_request_policy_id   = data.aws_cloudfront_origin_request_policy.this.id
+    response_headers_policy_id = data.aws_cloudfront_response_headers_policy.this.id
+    compress                   = true
+
+    function_association {
+      event_type   = "viewer-request"
+      function_arn = aws_cloudfront_function.this.arn
+    }
+  }
+
+  viewer_certificate {
+    acm_certificate_arn            = local.cloudfront_certificate_arn
+    cloudfront_default_certificate = local.cloudfront_default_certificate
+    ssl_support_method             = "sni-only"
+    minimum_protocol_version       = var.cloudfront_ssl_minimum_protocol
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  tags = local.tags
+
+  depends_on = [aws_acm_certificate.this]
+
+  #checkov:skip=CKV_AWS_68:WAF is enabled if ARN supplied via var.cloudfront_web_acl_arn
+  #checkov:skip=CKV_AWS_86:FIXME Add logging support
+  #checkov:skip=CKV2_AWS_32:Response header policy used is set via var.cloudfront_response_headers_policy_name
+  #checkov:skip=CKV2_AWS_47:WAF is enabled if ARN supplied via var.cloudfront_web_acl_arn
+}
+
+### Cloudfront Access
+
+resource "aws_cloudfront_origin_access_control" "this" {
+  name                              = var.website_domain
+  description                       = "Static Website for ${var.website_domain}"
+  origin_access_control_origin_type = "s3"
+  signing_behavior                  = "always"
+  signing_protocol                  = "sigv4"
+}
+
+### Cloudfront Function
+
+resource "aws_cloudfront_function" "this" {
+  name    = replace(var.website_domain, ".", "-")
+  runtime = "cloudfront-js-1.0"
+  comment = "Viewer Request function for ${var.website_domain}"
+  publish = true
+  code    = templatefile(
+    "${path.module}/functions/main.tftpl",
+    {
+      domain = var.website_domain,
+      redirect_www = var.website_redirect_www,
+    }
+  )
+}
@@ -0,0 +1,31 @@
+function handler(event) {
+    var request = event.request;
+    var headers = request.headers;
+    var host = request.headers.host.value;
+
+    var uri = request.uri;
+
+    // Check whether the URI is missing a file name.
+    if (uri.endsWith('/')) {
+        request.uri += 'index.html';
+    }
+    // Check whether the URI is missing a file extension.
+    else if (!uri.includes('.')) {
+        request.uri += '/index.html';
+    }
+
+    %{~ if redirect_www ~}
+    // Redirect www to non-www
+    if (host === 'www.${domain}') {
+        var response = {
+            statusCode: 302,
+            statusDescription: 'Found',
+            headers:
+                { "location": { "value": "https://${domain}".concat(request.uri) } }
+            }
+        return response;
+    }
+    %{~ endif ~}
+
+    return request;
+}
@@ -0,0 +1,51 @@
+### OpenID
+
+resource "aws_iam_openid_connect_provider" "bitbucket" {
+  count = var.openid_provider_create && var.bitbucket_repo_uuid != "" ? 1 : 0
+
+  url            = "https://api.bitbucket.org/2.0/workspaces/${var.bitbucket_workspace_name}/pipelines-config/identity/oidc"
+  client_id_list = ["ari:cloud:bitbucket::workspace/${var.bitbucket_workspace_uuid}"]
+
+  # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
+  thumbprint_list = [
+    "a031c46782e6e6c662c2c87c76da9aa62ccabd8e", # api.bitbucket.org (04/02/2023)
+  ]
+}
+
+### IAM Role
+
+resource "aws_iam_role" "bitbucket" {
+  count = var.bitbucket_repo_uuid != "" ? 1 : 0
+
+  name               = "OpenIdBitBucket-${replace(var.website_domain, ".", "-")}"
+  assume_role_policy = data.aws_iam_policy_document.bitbucket_assume.json
+}
+
+data "aws_iam_policy_document" "bitbucket_assume" {
+  statement {
+    sid     = "AllowRoleAssumptionWithWebIdentity"
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [var.openid_provider_create && var.bitbucket_openid_arn == "" ? aws_iam_openid_connect_provider.bitbucket[0].arn : var.bitbucket_openid_arn]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "api.bitbucket.org/2.0/workspaces/${var.bitbucket_workspace_name}/pipelines-config/identity/oidc:sub"
+      values   = ["${var.bitbucket_repo_uuid}:*"]
+    }
+  }
+}
+
+### IAM Policy
+
+resource "aws_iam_role_policy" "bitbucket" {
+  count = var.bitbucket_repo_uuid != "" ? 1 : 0
+
+  name   = "OpenIdBitBucket"
+  role   = aws_iam_role.bitbucket[0].id
+  policy = data.aws_iam_policy_document.pipeline.json
+}
@@ -0,0 +1,51 @@
+### OpenID
+
+resource "aws_iam_openid_connect_provider" "github" {
+  count = var.openid_provider_create && var.github_repo != "" ? 1 : 0
+
+  url            = "https://token.actions.githubusercontent.com"
+  client_id_list = ["sts.amazonaws.com"]
+
+  # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
+  thumbprint_list = [
+    "f879abce0008e4eb126e0097e46620f5aaae26ad", # token.actions.githubusercontent.com (04/02/2023)
+  ]
+}
+
+### IAM Role
+
+resource "aws_iam_role" "github" {
+  count = var.github_repo != "" ? 1 : 0
+
+  name               = "OpenIdGitHub-${replace(var.website_domain, ".", "-")}"
+  assume_role_policy = data.aws_iam_policy_document.github_assume.json
+}
+
+data "aws_iam_policy_document" "github_assume" {
+  statement {
+    sid     = "AllowRoleAssumptionWithWebIdentity"
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [var.openid_provider_create && var.github_openid_arn == "" ? aws_iam_openid_connect_provider.github[0].arn : var.github_openid_arn]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:${var.github_repo}:*"]
+    }
+  }
+}
+
+### IAM Policy
+
+resource "aws_iam_role_policy" "github" {
+  count = var.github_repo != "" ? 1 : 0
+
+  name   = "OpenIdGitHub"
+  role   = aws_iam_role.github[0].id
+  policy = data.aws_iam_policy_document.pipeline.json
+}
@@ -0,0 +1,26 @@
+data "aws_iam_policy_document" "pipeline" {
+  statement {
+    sid    = "AllowUploadToS3${local.domain_titled}"
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket",
+      "s3:GetBucketLocation",
+      "s3:GetObject",
+      "s3:GetObjectAcl",
+      "s3:PutObject",
+      "s3:PutObjectAcl",
+      "s3:DeleteObject",
+    ]
+    resources = [
+      aws_s3_bucket.this.arn,
+      "${aws_s3_bucket.this.arn}/*",
+    ]
+  }
+
+  statement {
+    sid    = "AllowCloudFrontInvalidate${local.domain_titled}"
+    effect = "Allow"
+    actions = ["cloudfront:CreateInvalidation"]
+    resources = [aws_cloudfront_distribution.this.arn]
+  }
+}
@@ -1,9 +1,25 @@
 locals {
-  origin_id = "S3-${var.website_domain}"
-
   tags = {
     role    = "website"
     domain  = var.website_domain
     managed = "terraform"
   }
+
+  domain_redirect = var.website_redirect_www ? ["www.${var.website_domain}"] : []
+  domains_all = concat(
+    [var.website_domain],
+    local.domain_redirect,
+    var.website_aliases,
+  )
+  domains_alias = concat(
+    local.domain_redirect,
+    var.website_aliases,
+  )
+
+  domain_titled = replace(replace(title(var.website_domain), ".", ""), "-", "")
+
+  cloudfront_certificate_arn = data.aws_acm_certificate.this.status == "ISSUED" ? aws_acm_certificate.this.arn : null
+  cloudfront_default_certificate = data.aws_acm_certificate.this.status != "ISSUED" ? true : null
+  cloudfront_alias = data.aws_acm_certificate.this.status == "ISSUED" ? local.domains_all : []
+  cloudfront_web_acl_arn = var.cloudfront_web_acl_arn != "" ? var.cloudfront_web_acl_arn : null
 }