| author | Owen Jacobson <owen@grimoire.ca> | 2018-03-12 21:04:19 -0400 |
|---|---|---|
| committer | Owen Jacobson <owen@grimoire.ca> | 2018-03-12 21:04:19 -0400 |
| commit | a69deb0e26b4c16d2b43877762b6bd515716331b (patch) | |
| tree | b10df107a4431140f2dc51db0deb847b9668f44a /bliki.tf | |
| parent | 3c5335434c6c0b0c18e37714ea873dcf55c34627 (diff) | |
Configure DNS and TLS for grimoire.ca on AWS/CloudFront
Diffstat (limited to 'bliki.tf')
| -rw-r--r-- | bliki.tf | 59 |
1 files changed, 58 insertions, 1 deletions
@@ -12,6 +12,24 @@ provider "aws" { region = "ca-central-1" } +# CloudFront needs certificates in us-east-1. +provider "aws" { + version = "~> 1.11" + + alias = "cloudfront" + region = "us-east-1" +} + +data "terraform_remote_state" "dns" { + backend = "s3" + + config { + bucket = "terraform.grimoire" + key = "dns.tfstate" + region = "ca-central-1" + } +} + resource "aws_s3_bucket" "bliki" { bucket = "grimoire.ca" @@ -37,7 +55,30 @@ resource "aws_s3_bucket_policy" "bliki" { POLICY } +resource "aws_acm_certificate" "bliki" { + provider = "aws.cloudfront" + + # There's a circular dependency between the zone, the distribution, and the + # cert here. Rather than trying to figure out how to make Terraform solve it, + # hard-code the domain name. + domain_name = "grimoire.ca" + + validation_method = "DNS" +} + +resource "aws_route53_record" "bliki_validation" { + zone_id = "${data.terraform_remote_state.dns.zone_id}" + ttl = 60 + name = "${aws_acm_certificate.bliki.domain_validation_options.0.resource_record_name}" + type = "${aws_acm_certificate.bliki.domain_validation_options.0.resource_record_type}" + records = [ + "${aws_acm_certificate.bliki.domain_validation_options.0.resource_record_value}" + ] +} + resource "aws_cloudfront_distribution" "bliki" { + provider = "aws.cloudfront" + enabled = true is_ipv6_enabled = true @@ -93,6 +134,22 @@ resource "aws_cloudfront_distribution" "bliki" { } viewer_certificate { - cloudfront_default_certificate = true + acm_certificate_arn = "${aws_acm_certificate.bliki.arn}" + ssl_support_method = "sni-only" + minimum_protocol_version = "TLSv1" } } + +resource "aws_route53_record" "bliki" { + zone_id = "${data.terraform_remote_state.dns.zone_id}" + name = "" + type = "A" + + alias { + name = "${aws_cloudfront_distribution.bliki.domain_name}" + zone_id = "${aws_cloudfront_distribution.bliki.hosted_zone_id}" + + evaluate_target_health = false + } +} + |
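Review bot: The new `viewer_certificate` block in the third hunk sets `minimum_protocol_version = "TLSv1"`, which lets viewers negotiate TLS 1.0 and 1.1 with the distribution even though the certificate is served via `sni-only`, where a stricter policy is available; raise it to the newest policy this provider version accepts, at least `minimum_protocol_version = "TLSv1.1_2016"` (and `TLSv1.2_2018` if `~> 1.11` supports it, which I cannot confirm from here), and add a comment naming the policy chosen and why so the next bump is deliberate. In the second hunk the distribution references `aws_acm_certificate.bliki.arn` directly while only the DNS validation record is created, so the first apply may hand CloudFront a certificate that is still pending validation; an `aws_acm_certificate_validation` resource keyed on the `bliki_validation` record, with the distribution taking its `certificate_arn`, would make the ordering explicit. The `aws_cloudfront_distribution` body continues outside the hunks.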
