diff --git a/.github/workflows/testsuite-master.yaml b/.github/workflows/testsuite-master.yaml
index dbdb345..ba53cea 100644
--- a/.github/workflows/testsuite-master.yaml
+++ b/.github/workflows/testsuite-master.yaml
@@ -9,11 +9,11 @@ jobs:
tflint:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v3.0.2
- name: setup Terraform
- uses: hashicorp/setup-terraform@v1.3.2
+ uses: hashicorp/setup-terraform@v2.0.0
with:
- terraform_version: 0.15.5
+ terraform_version: 1.1.7
- name: Terraform init
run: terraform init --backend=false
- name: tflint
@@ -27,11 +27,11 @@ jobs:
tfsec:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v3.0.2
- name: setup Terraform
- uses: hashicorp/setup-terraform@v1.3.2
+ uses: hashicorp/setup-terraform@v2.0.0
with:
- terraform_version: 0.15.5
+ terraform_version: 1.1.7
- name: Terraform init
run: terraform init --backend=false
- name: tfsec
@@ -44,21 +44,21 @@ jobs:
misspell:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v3.0.2
- name: misspell
- uses: reviewdog/action-misspell@v1
+ uses: reviewdog/action-misspell@v1.12.0
with:
github_token: ${{ secrets.ACTIONS_TOKEN }}
- locale: "US"
+ locale: "UK"
reporter: github-check
filter_mode: added
level: error
yamllint:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v3.0.2
- name: yamllint
- uses: reviewdog/action-yamllint@v1.2.0
+ uses: reviewdog/action-yamllint@v1.6.0
with:
github_token: ${{ secrets.ACTIONS_TOKEN }}
reporter: github-check
diff --git a/.github/workflows/testsuite.yaml b/.github/workflows/testsuite.yaml
index dd1a909..7a42940 100644
--- a/.github/workflows/testsuite.yaml
+++ b/.github/workflows/testsuite.yaml
@@ -7,7 +7,7 @@ jobs:
pre-commit:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v3.0.2
- name: Set up Python
uses: actions/setup-python@v2.2.2
- name: Install prerequisites
@@ -24,7 +24,7 @@ jobs:
no-commit-to-branch,
terraform_tflint_nocreds,
terraform_tfsec
- - uses: stefanzweifel/git-auto-commit-action@v4.11.0
+ - uses: stefanzweifel/git-auto-commit-action@v4.14.1
if: ${{ failure() }}
with:
commit_message: Apply automatic changes
@@ -36,11 +36,11 @@ jobs:
tflint:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v3.0.2
- name: setup Terraform
- uses: hashicorp/setup-terraform@v1.3.2
+ uses: hashicorp/setup-terraform@v2.0.0
with:
- terraform_version: 0.15.5
+ terraform_version: 1.1.7
- name: Terraform init
run: terraform init --backend=false
- name: tflint
@@ -54,11 +54,11 @@ jobs:
tfsec:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v3.0.2
- name: setup Terraform
- uses: hashicorp/setup-terraform@v1.3.2
+ uses: hashicorp/setup-terraform@v2.0.0
with:
- terraform_version: 0.15.5
+ terraform_version: 1.1.7
- name: Terraform init
run: terraform init --backend=false
- name: tfsec
@@ -71,21 +71,21 @@ jobs:
misspell:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v3.0.2
- name: misspell
- uses: reviewdog/action-misspell@v1
+ uses: reviewdog/action-misspell@v1.12.0
with:
github_token: ${{ secrets.ACTIONS_TOKEN }}
- locale: "US"
+ locale: "UK"
reporter: github-pr-check
filter_mode: added
level: error
yamllint:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v3.0.2
- name: yamllint
- uses: reviewdog/action-yamllint@v1.2.0
+ uses: reviewdog/action-yamllint@v1.6.0
with:
github_token: ${{ secrets.ACTIONS_TOKEN }}
reporter: github-pr-check
diff --git a/.gitignore b/.gitignore
index fa0ed18..c240c4e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@ modules/codebuild/codebuild_files/php.ini
# *.tfstate
# *.tfstate.*
.terraform.lock.hcl
+
plan.plan
# Crash log files
crash.log
@@ -35,3 +36,4 @@ override.tf.json
# example: *tfplan*
.idea
+.vscode
diff --git a/.header.md b/.header.md
index f3f5bb2..a8de632 100644
--- a/.header.md
+++ b/.header.md
@@ -47,11 +47,11 @@ As such you should include the following in your provider configuration:
```
terraform {
- required_version = "> 0.15.1"
+ required_version = "> 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 3.0"
+ version = "~> 4.0"
configuration_aliases = [aws.ue1]
}
}
@@ -66,6 +66,9 @@ provider "aws" {
The `ue1` alias is essential for this module to work correctly.
+## Severless Static Wordpress V2 Upgrade Guide
+See [UPGRADING](docs/UPGRADING.md) for Version 2 upgrade guidance, including for Version 4 of the AWS Terraform Provider.
+
## Module instantiation example
```
@@ -206,6 +209,28 @@ in your module definition.
Gentle reminder that no backup options are currently bundled with this module - the most effective means would be to
generate and retain a backup from within Wordpress for maximum flexibility. We recommend the UpdraftPlus plugin.
+## Permanent Redirects
+
+Basic url path based permanent redirects are supported via the CloudFront function. The variable `cloudfront_function_301_redirects` can be set with a custom map of match to destination mappings.
+
+Some aspects that need to be taken into consideration for the match:
+
+* It's a regular expression
+* Group replacements are supported
+* Runs in a Javascript function, escaping needs to be taken into consideration
+* Passed through a TF var, so escaping that needs to be taking into account as well
+
+An example to match a path like `/category-name`, a suitable match would be `"^\\/(category-name)$"`. Breaking down the `\\/` part, the first `\` tells TF to escape the second `\`, which is the Regex escape for the `/` character.
+
+An example:
+
+```
+cloudfront_function_301_redirects = {
+ # Redirects /travel to /category/travel/
+ "^\\/(travel)$": "/category/$1/",
+}
+```
+
## Troubleshooting
If you experience issues with the publish element of WP2Static, you can retry. It can be more reliable to proceed to
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index affc785..4b84e9d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -33,7 +33,7 @@ repos:
args: ["--output-file", "README.md", "markdown", "modules/waf"]
pass_filenames: false
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.31.0
+ rev: v1.64.0
hooks:
- id: terraform_fmt
- id: terraform_tflint
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 69d0c09..ba97e98 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,16 +1,35 @@
# Changelog
+## 0.2.0 - UNRELEASED
+
+! BREAKING CHANGES ! - See [UPGRADING.md](docs/UPGRADING.md) for guidance on upgrading from v0.1.x
+
+ ### **Maintenance**:
+
+ - Module upgraded to AWS Terraform v4. Existing installations will need Terraform state moved for forwards
+compatibility.
+
+### **New Features**
+- Added support for Graviton-based CodeBuild if supported in deployment region. Will gracefully fallback to
+non-Graviton if not supported.
+- Added support for Graviton-based ECS Fargate if supported in deployment region. Will fallback to non-Graviton
+if not supported, however source docker image used for ECS container MUST be AMD64/ARM64 architecture respectively.
+Note FARGATE_SPOT is not supported for Graviton-based ECS at this time.
+- Added healthCheeck block to ECS Task Definition.
+- Added EventBridge monitoring for ECS Service Action events (which captures placement failures when using FARGATE_SPOT
+ capacity provider)
+
## 0.1.2 - 23rd June 2021
-Bugfix: Changed special characters used in RDS password generation to ensure compatibility.
-Docs: Updated to fix typos in helper commands, and detailed supported RDS Aurora v1 regions.
+- **Bugfix**: Changed special characters used in RDS password generation to ensure compatibility.
+- **Docs**: Updated to fix typos in helper commands, and detailed supported RDS Aurora v1 regions.
## 0.1.1 - 19th June 2021
-Bugfix: Refactor md5 calculation on archive_file in codebuild child module.
-Bugfix: Re-typed AWS account number as string to avoid rounding on account numbers prepended with zeros.
-Bugfix: Fix passed WAF variable values if set to inactive.
+- **Bugfix**: Refactor md5 calculation on archive_file in codebuild child module.
+- **Bugfix**: Re-typed AWS account number as string to avoid rounding on account numbers prepended with zeros.
+-- **Bugfix**: Fix passed WAF variable values if set to inactive.
## 0.1.0 - 19th June 2021
-Initial release of Serverless Static Wordpress Terraform module.
+- Initial release of Serverless Static Wordpress Terraform module.
diff --git a/README.md b/README.md
index b60f4c5..bd0419c 100644
--- a/README.md
+++ b/README.md
@@ -48,11 +48,11 @@ As such you should include the following in your provider configuration:
```
terraform {
- required_version = "> 0.15.1"
+ required_version = "> 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 3.0"
+ version = "~> 4.0"
configuration_aliases = [aws.ue1]
}
}
@@ -67,6 +67,9 @@ provider "aws" {
The `ue1` alias is essential for this module to work correctly.
+## Severless Static Wordpress V2 Upgrade Guide
+See [UPGRADING](docs/UPGRADING.md) for Version 2 upgrade guidance, including for Version 4 of the AWS Terraform Provider.
+
## Module instantiation example
```
@@ -207,6 +210,28 @@ in your module definition.
Gentle reminder that no backup options are currently bundled with this module - the most effective means would be to
generate and retain a backup from within Wordpress for maximum flexibility. We recommend the UpdraftPlus plugin.
+## Permanent Redirects
+
+Basic url path based permanent redirects are supported via the CloudFront function. The variable `cloudfront_function_301_redirects` can be set with a custom map of match to destination mappings.
+
+Some aspects that need to be taken into consideration for the match:
+
+* It's a regular expression
+* Group replacements are supported
+* Runs in a Javascript function, escaping needs to be taken into consideration
+* Passed through a TF var, so escaping that needs to be taking into account as well
+
+An example to match a path like `/category-name`, a suitable match would be `"^\\/(category-name)$"`. Breaking down the `\\/` part, the first `\` tells TF to escape the second `\`, which is the Regex escape for the `/` character.
+
+An example:
+
+```
+cloudfront_function_301_redirects = {
+ # Redirects /travel to /category/travel/
+ "^\\/(travel)$": "/category/$1/",
+}
+```
+
## Troubleshooting
If you experience issues with the publish element of WP2Static, you can retry. It can be more reliable to proceed to
@@ -227,8 +252,12 @@ For any issues relating to this module, [raise an issue against this repo.](http
| <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS account ID into which resources will be launched. | `string` | n/a | yes |
| <a name="input_cloudfront_aliases"></a> [cloudfront\_aliases](#input\_cloudfront\_aliases) | The domain and sub-domain aliases to use for the cloudfront distribution. | `list(any)` | `[]` | no |
| <a name="input_cloudfront_class"></a> [cloudfront\_class](#input\_cloudfront\_class) | The [price class](https://aws.amazon.com/cloudfront/pricing/) for the distribution. One of: PriceClass\_All, PriceClass\_200, PriceClass\_100 | `string` | `"PriceClass_All"` | no |
+| <a name="input_cloudfront_function_301_redirects"></a> [cloudfront\_function\_301\_redirects](#input\_cloudfront\_function\_301\_redirects) | A list of key value pairs of Regex match and destination for 301 redirects at CloudFront. | `map(any)` | <pre>{<br> "^(.*)index\\.php$": "$1"<br>}</pre> | no |
| <a name="input_ecs_cpu"></a> [ecs\_cpu](#input\_ecs\_cpu) | The CPU limit password to the Wordpress container definition. | `number` | `256` | no |
+| <a name="input_ecs_healthcheck_enabled"></a> [ecs\_healthcheck\_enabled](#input\_ecs\_healthcheck\_enabled) | Runs an healtchcheck against the container. | `bool` | `true` | no |
| <a name="input_ecs_memory"></a> [ecs\_memory](#input\_ecs\_memory) | The memory limit password to the Wordpress container definition. | `number` | `512` | no |
+| <a name="input_graviton_codebuild_enabled"></a> [graviton\_codebuild\_enabled](#input\_graviton\_codebuild\_enabled) | Flag that controls whether CodeBuild should use Graviton-based build agents in [supported regions](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html). | `bool` | `false` | no |
+| <a name="input_graviton_fargate_enabled"></a> [graviton\_fargate\_enabled](#input\_graviton\_fargate\_enabled) | Flag that controls whether ECS Fargate should use Graviton-based containers in [supported regions]https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate-Regions.html). | `bool` | `false` | no |
| <a name="input_hosted_zone_id"></a> [hosted\_zone\_id](#input\_hosted\_zone\_id) | The Route53 HostedZone ID to use to create records in. | `string` | n/a | yes |
| <a name="input_launch"></a> [launch](#input\_launch) | The number of tasks to launch of the Wordpress container. Used as a toggle to start/stop your Wordpress management session. | `number` | `"0"` | no |
| <a name="input_main_vpc_id"></a> [main\_vpc\_id](#input\_main\_vpc\_id) | The VPC ID into which to launch resources. | `string` | n/a | yes |
@@ -244,7 +273,10 @@ For any issues relating to this module, [raise an issue against this repo.](http
| <a name="input_wordpress_admin_email"></a> [wordpress\_admin\_email](#input\_wordpress\_admin\_email) | The email address of the default wordpress admin user. | `string` | `"admin@example.com"` | no |
| <a name="input_wordpress_admin_password"></a> [wordpress\_admin\_password](#input\_wordpress\_admin\_password) | The password of the default wordpress admin user. | `string` | `"techtospeech.com"` | no |
| <a name="input_wordpress_admin_user"></a> [wordpress\_admin\_user](#input\_wordpress\_admin\_user) | The username of the default wordpress admin user. | `string` | `"supervisor"` | no |
+| <a name="input_wordpress_memory_limit"></a> [wordpress\_memory\_limit](#input\_wordpress\_memory\_limit) | The memory to allow the Wordpress process to use (in M) | `string` | `"256M"` | no |
| <a name="input_wordpress_subdomain"></a> [wordpress\_subdomain](#input\_wordpress\_subdomain) | The subdomain used for the Wordpress container. | `string` | `"wordpress"` | no |
+| <a name="input_wp2static_s3_addon_version"></a> [wp2static\_s3\_addon\_version](#input\_wp2static\_s3\_addon\_version) | Version of the WP2Static S3 Add-on to use from https://github.com/leonstafford/wp2static-addon-s3/releases/ | `string` | `"1.0"` | no |
+| <a name="input_wp2static_version"></a> [wp2static\_version](#input\_wp2static\_version) | Version of WP2Static to use from https://github.com/WP2Static/wp2static/releases | `string` | `"7.1.7"` | no |
## Modules
| Name | Source | Version |
@@ -265,8 +297,8 @@ For any issues relating to this module, [raise an issue against this repo.](http
| Name | Version |
|------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 3.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.1.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.1.0 |
## Resources
@@ -279,14 +311,17 @@ For any issues relating to this module, [raise an issue against this repo.](http
| [aws_db_subnet_group.main_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
| [aws_ecr_repository.serverless_wordpress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
| [aws_ecs_cluster.wordpress_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster) | resource |
+| [aws_ecs_cluster_capacity_providers.wordpress_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster_capacity_providers) | resource |
| [aws_ecs_service.wordpress_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) | resource |
| [aws_ecs_task_definition.wordpress_container](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) | resource |
| [aws_efs_access_point.wordpress_efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_access_point) | resource |
| [aws_efs_file_system.wordpress_persistent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system) | resource |
| [aws_efs_mount_target.wordpress_efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target) | resource |
| [aws_iam_policy.wordpress_bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.wordpress_ecs_exec](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.wordpress_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.wordpress_bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.wordpress_ecs_exec](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.wordpress_role_attachment_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.wordpress_role_attachment_ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_rds_cluster.serverless_wordpress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster) | resource |
@@ -307,4 +342,6 @@ For any issues relating to this module, [raise an issue against this repo.](http
| [random_password.serverless_wordpress_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [aws_iam_policy_document.ecs_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.wordpress_bucket_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.wordpress_ecs_exec](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
<!-- END_TF_DOCS -->
diff --git a/docs/UPGRADING.md b/docs/UPGRADING.md
new file mode 100644
index 0000000..70d5e2f
--- /dev/null
+++ b/docs/UPGRADING.md
@@ -0,0 +1,36 @@
+## Upgrading from 0.1.x to 0.2.x
+
+Version 0.2 of Serverless Static Wordpress makes numerous updates to the resources used to deploy the solution, as well
+as expanding functionality with additional options.
+
+Where possible, this has been done in a way to be as backwards compatible as reasonably possible - however there are a
+variety of quirks of Terraform behaviour that can mean that this is imperfect, and may require a manual tweak either to
+the configuration in AWS, or to the Terraform state backing the resources.
+
+### Upgrading to Version 4 of the Terraform AWS Provider
+Version 4 of the AWS Provider introduced a few breaking changes to the way ECS and S3 resources are defined. Attributes
+that would normally be specified as part of the single resource definition have now been split out into their own
+resources. To cope with this, we have created these resources, and _existing_ resources can be handled with some
+terraform state operations. To date, these are documented as follows.
+
+NOTE, in these examples, the example `site_name` is `peterdotcloud` and the resources are named accordingly. You will
+need to substitute these values with the value used for your own deployment
+
+```
+terraform import module.peterdotcloud_website.aws_ecs_cluster_capacity_providers.wordpress_cluster peterdotcloud_wordpress
+terraform state rm module.peterdotcloud_website.module.codebuild.aws_s3_bucket_object.wordpress_dockerbuild
+terraform import module.peterdotcloud_website.module.codebuild.aws_s3_object.wordpress_dockerbuild peterdotcloud-build/wordpress_docker.zip
+terraform import module.peterdotcloud_website.module.cloudfront.aws_s3_bucket_server_side_encryption_configuration.wordpress_bucket www.peter.cloud
+terraform import module.peterdotcloud_website.module.codebuild.aws_s3_bucket_acl.code_source peterdotcloud-build
+terraform import module.peterdotcloud_website.module.codebuild.aws_s3_bucket_server_side_encryption_configuration.code_source peterdotcloud-build
+```
+### Graviton
+
+With support for ARM in CodeBuild, and in ECS in regions where it is supported (strictly better for cost/performance),
+the module will need to recreate your task definition and ECS service. This is nothing to be concerned with however you
+ **must** ensure your base image of Wordpress is an arm64 platform version (and preferably linux/arm64/v8) otherwise
+ your Wordpress container will error out with `exec user process caused: exec format error` which indicates your image
+ is of the mismatched architecture.
+
+ Note that when using Graviton-based containers for ECS, FARGATE_SPOT is not currently available (bear this in mind for
+ cost).
diff --git a/ecs.tf b/ecs.tf
index 21dd3f1..75c217d 100644
--- a/ecs.tf
+++ b/ecs.tf
@@ -1,3 +1,5 @@
+data "aws_region" "current" {}
+
resource "aws_efs_file_system" "wordpress_persistent" {
encrypted = true
lifecycle_policy {
@@ -42,6 +44,19 @@ data "aws_iam_policy_document" "wordpress_bucket_access" {
}
}
+data "aws_iam_policy_document" "wordpress_ecs_exec" {
+ statement {
+ actions = [
+ "ssmmessages:CreateControlChannel",
+ "ssmmessages:CreateDataChannel",
+ "ssmmessages:OpenControlChannel",
+ "ssmmessages:OpenDataChannel"
+ ]
+ effect = "Allow"
+ resources = ["*"]
+ }
+}
+
resource "aws_iam_policy" "wordpress_bucket_access" {
name = "${var.site_name}_WordpressBucketAccess"
description = "The role that allows Wordpress task to do necessary operations"
@@ -53,6 +68,17 @@ resource "aws_iam_role_policy_attachment" "wordpress_bucket_access" {
policy_arn = aws_iam_policy.wordpress_bucket_access.arn
}
+resource "aws_iam_policy" "wordpress_ecs_exec" {
+ name = "${var.site_name}_WordpressECSExec"
+ description = "Allows ECS Exec to the Wordpress container"
+ policy = data.aws_iam_policy_document.wordpress_ecs_exec.json
+}
+
+resource "aws_iam_role_policy_attachment" "wordpress_ecs_exec" {
+ role = aws_iam_role.wordpress_task.name
+ policy_arn = aws_iam_policy.wordpress_ecs_exec.arn
+}
+
resource "aws_iam_role" "wordpress_task" {
name = "${var.site_name}_WordpressTaskRole"
assume_role_policy = data.aws_iam_policy_document.ecs_assume_role_policy.json
@@ -104,25 +130,32 @@ resource "aws_cloudwatch_log_group" "wordpress_container" {
resource "aws_ecs_task_definition" "wordpress_container" {
family = "${var.site_name}_wordpress"
container_definitions = templatefile("${path.module}/task-definitions/wordpress.json", {
- db_host = aws_rds_cluster.serverless_wordpress.endpoint,
- db_user = aws_rds_cluster.serverless_wordpress.master_username,
- db_password = random_password.serverless_wordpress_password.result,
- db_name = aws_rds_cluster.serverless_wordpress.database_name,
- wordpress_image = "${aws_ecr_repository.serverless_wordpress.repository_url}:latest",
- wp_dest = "https://${var.site_prefix}.${var.site_domain}",
- wp_region = var.s3_region,
- wp_bucket = module.cloudfront.wordpress_bucket_id,
- container_dns = "${var.wordpress_subdomain}.${var.site_domain}",
- container_dns_zone = var.hosted_zone_id,
- container_cpu = var.ecs_cpu,
- container_memory = var.ecs_memory
- efs_source_volume = "${var.site_name}_wordpress_persistent"
- wordpress_admin_user = var.wordpress_admin_user
- wordpress_admin_password = var.wordpress_admin_password
- wordpress_admin_email = var.wordpress_admin_email
- site_name = var.site_name
+ db_host = aws_rds_cluster.serverless_wordpress.endpoint
+ db_user = aws_rds_cluster.serverless_wordpress.master_username
+ db_password = random_password.serverless_wordpress_password.result
+ db_name = aws_rds_cluster.serverless_wordpress.database_name
+ wordpress_image = "${aws_ecr_repository.serverless_wordpress.repository_url}:latest"
+ wp_dest = "https://${var.site_prefix}.${var.site_domain}"
+ wp_region = var.s3_region
+ wp_bucket = module.cloudfront.wordpress_bucket_id
+ container_dns = "${var.wordpress_subdomain}.${var.site_domain}"
+ container_dns_zone = var.hosted_zone_id
+ container_cpu = var.ecs_cpu
+ container_memory = var.ecs_memory
+ container_healthcheck_enabled = var.ecs_healthcheck_enabled
+ efs_source_volume = "${var.site_name}_wordpress_persistent"
+ wordpress_admin_user = var.wordpress_admin_user
+ wordpress_admin_password = var.wordpress_admin_password
+ wordpress_admin_email = var.wordpress_admin_email
+ site_name = var.site_name
+ wordpress_memory_limit = var.wordpress_memory_limit
})
+ runtime_platform {
+ operating_system_family = "LINUX"
+ cpu_architecture = var.graviton_fargate_enabled ? (contains(local.graviton_fargate_regions_unsupported, data.aws_region.current) ? "X86_64" : "ARM64") : "X86_64"
+ }
+
cpu = var.ecs_cpu
memory = var.ecs_memory
requires_compatibilities = ["FARGATE"]
@@ -212,13 +245,15 @@ resource "aws_security_group_rule" "wordpress_sg_egress_3306" {
resource "aws_ecs_service" "wordpress_service" {
- name = "${var.site_name}_wordpress"
- task_definition = "${aws_ecs_task_definition.wordpress_container.family}:${aws_ecs_task_definition.wordpress_container.revision}"
- cluster = aws_ecs_cluster.wordpress_cluster.arn
- desired_count = var.launch
+ name = "${var.site_name}_wordpress"
+ task_definition = "${aws_ecs_task_definition.wordpress_container.family}:${aws_ecs_task_definition.wordpress_container.revision}"
+ cluster = aws_ecs_cluster.wordpress_cluster.arn
+ desired_count = var.launch
+ enable_execute_command = true
+
# iam_role =
capacity_provider_strategy {
- capacity_provider = "FARGATE_SPOT"
+ capacity_provider = var.graviton_fargate_enabled ? (contains(local.graviton_fargate_regions_unsupported, data.aws_region.current) ? "FARGATE_SPOT" : "FARGATE") : "FARGATE_SPOT"
weight = "100"
base = "1"
}
@@ -236,10 +271,14 @@ resource "aws_ecs_service" "wordpress_service" {
# TODO: Add option to enable container insights
#tfsec:ignore:AWS090
resource "aws_ecs_cluster" "wordpress_cluster" {
- name = "${var.site_name}_wordpress"
- capacity_providers = ["FARGATE_SPOT"]
+ name = "${var.site_name}_wordpress"
+}
+
+resource "aws_ecs_cluster_capacity_providers" "wordpress_cluster" {
+ cluster_name = aws_ecs_cluster.wordpress_cluster.name
+ capacity_providers = [var.graviton_fargate_enabled ? (contains(local.graviton_fargate_regions_unsupported, data.aws_region.current) ? "FARGATE_SPOT" : "FARGATE") : "FARGATE_SPOT"]
default_capacity_provider_strategy {
- capacity_provider = "FARGATE_SPOT"
+ capacity_provider = var.graviton_fargate_enabled ? (contains(local.graviton_fargate_regions_unsupported, data.aws_region.current) ? "FARGATE_SPOT" : "FARGATE") : "FARGATE_SPOT"
weight = "100"
base = "1"
}
diff --git a/main.tf b/main.tf
index 7fd9575..572f1b5 100644
--- a/main.tf
+++ b/main.tf
@@ -7,14 +7,17 @@ module "lambda_slack" {
}
module "codebuild" {
- source = "./modules/codebuild"
- site_name = var.site_name
- site_domain = var.site_domain
- codebuild_bucket = "${var.site_name}-build"
- main_vpc_id = var.main_vpc_id
- wordpress_ecr_repository = aws_ecr_repository.serverless_wordpress.name
- aws_account_id = var.aws_account_id
- container_memory = var.ecs_memory
+ source = "./modules/codebuild"
+ graviton_codebuild_enabled = var.graviton_codebuild_enabled
+ site_name = var.site_name
+ site_domain = var.site_domain
+ codebuild_bucket = "${var.site_name}-build"
+ main_vpc_id = var.main_vpc_id
+ wordpress_ecr_repository = aws_ecr_repository.serverless_wordpress.name
+ aws_account_id = var.aws_account_id
+ container_memory = var.ecs_memory
+ wp2static_version = var.wp2static_version
+ wp2static_s3_addon_version = var.wp2static_s3_addon_version
}
module "cloudfront" {
@@ -28,8 +31,10 @@ module "cloudfront" {
}
depends_on = [aws_acm_certificate_validation.wordpress_site,
module.waf]
- cloudfront_class = var.cloudfront_class
- waf_acl_arn = var.waf_enabled ? module.waf[0].waf_acl_arn : null
+
+ cloudfront_class = var.cloudfront_class
+ waf_acl_arn = var.waf_enabled ? module.waf[0].waf_acl_arn : null
+ cloudfront_function_301_redirects = var.cloudfront_function_301_redirects
}
module "waf" {
diff --git a/modules/cloudfront/README.md b/modules/cloudfront/README.md
index f28b636..0b8ae16 100644
--- a/modules/cloudfront/README.md
+++ b/modules/cloudfront/README.md
@@ -9,6 +9,7 @@ This module sets up the CloudFront distribution that fronts the static wordpress
|------|-------------|------|---------|:--------:|
| <a name="input_cloudfront_aliases"></a> [cloudfront\_aliases](#input\_cloudfront\_aliases) | The domain and sub-domain aliases to use for the cloudfront distribution. | `list(any)` | `[]` | no |
| <a name="input_cloudfront_class"></a> [cloudfront\_class](#input\_cloudfront\_class) | The [price class](https://aws.amazon.com/cloudfront/pricing/) for the distribution. One of: PriceClass\_All, PriceClass\_200, PriceClass\_100 | `string` | `"PriceClass_All"` | no |
+| <a name="input_cloudfront_function_301_redirects"></a> [cloudfront\_function\_301\_redirects](#input\_cloudfront\_function\_301\_redirects) | A list of key value pairs of Regex match and destination for 301 redirects at CloudFront. | `map(any)` | <pre>{<br> "^(.*)index\\.php$": "$1"<br>}</pre> | no |
| <a name="input_cloudfront_ssl"></a> [cloudfront\_ssl](#input\_cloudfront\_ssl) | The ARN of the ACM certificate used for the CloudFront domain. | `string` | n/a | yes |
| <a name="input_site_domain"></a> [site\_domain](#input\_site\_domain) | The site domain name to configure (without any subdomains such as 'www') | `string` | n/a | yes |
| <a name="input_site_name"></a> [site\_name](#input\_site\_name) | The unique name for this instance of the module. Required to deploy multiple wordpress instances to the same AWS account (if desired). | `string` | n/a | yes |
@@ -33,18 +34,11 @@ No requirements.
| Name | Type |
|------|------|
| [aws_cloudfront_distribution.wordpress_distribution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
+| [aws_cloudfront_function.object_rewrite](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_function) | resource |
| [aws_cloudfront_origin_access_identity.wordpress_distribution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource |
-| [aws_cloudwatch_log_group.object_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_cloudwatch_log_group.object_redirect_ue1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_cloudwatch_log_group.object_redirect_ue1_local](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_iam_role.lambda-edge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy.lambda-edge-cloudwatch-logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
-| [aws_iam_role_policy_attachment.basic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_lambda_function.object_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_cloudwatch_log_group.object_rewrite](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_s3_bucket.wordpress_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket_policy.wordpress_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.wordpress_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
-| [archive_file.index_html](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
-| [aws_iam_policy_document.lambda-edge-cloudwatch-logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.lambda-edge-service-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_s3_bucket_server_side_encryption_configuration.wordpress_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
<!-- END_TF_DOCS -->
diff --git a/modules/cloudfront/distribution.tf b/modules/cloudfront/distribution.tf
index 9e79890..4296f26 100644
--- a/modules/cloudfront/distribution.tf
+++ b/modules/cloudfront/distribution.tf
@@ -1,14 +1,16 @@
# TODO: Add optional logging for S3 bucket
# TODO: Add optional versioning for S3 bucket
-#tfsec:ignore:AWS002 #tfsec:ignore:AWS077
+#tfsec:ignore:AWS002 #tfsec:ignore:AWS017 #tfsec:ignore:AWS077
resource "aws_s3_bucket" "wordpress_bucket" {
bucket = "${var.site_prefix}.${var.site_domain}"
force_destroy = true
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256"
- }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "wordpress_bucket" {
+ bucket = aws_s3_bucket.wordpress_bucket.bucket
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
}
}
}
@@ -59,9 +61,9 @@ resource "aws_cloudfront_distribution" "wordpress_distribution" {
}
}
- lambda_function_association {
- event_type = "origin-request"
- lambda_arn = "${aws_lambda_function.object_redirect.arn}:${aws_lambda_function.object_redirect.version}"
+ function_association {
+ event_type = "viewer-request"
+ function_arn = aws_cloudfront_function.object_rewrite.arn
}
viewer_protocol_policy = "redirect-to-https"
diff --git a/modules/cloudfront/function_rewrite/index.js.tftpl b/modules/cloudfront/function_rewrite/index.js.tftpl
new file mode 100644
index 0000000..a379415
--- /dev/null
+++ b/modules/cloudfront/function_rewrite/index.js.tftpl
@@ -0,0 +1,34 @@
+function handler(event) {
+ var request = event.request;
+ var uri = request.uri;
+
+ try {
+ %{ for match, target in REDIRECTS }
+ if (/${match}/.test(uri)) {
+ return permanentRedirect(uri, /${match}/, '${target}');
+ }
+ %{ endfor ~}
+
+ // Check whether the URI is missing a file name.
+ if (uri.endsWith('/')) {
+ request.uri += 'index.html';
+ return request;
+ }
+ }
+ catch (e) {
+ // console.error is not supported
+ console.log(e);
+ }
+
+ return request;
+}
+
+function permanentRedirect(uri, match, target) {
+ return {
+ statusCode: 301,
+ statusDescription: 'Moved Permanently',
+ headers: {
+ 'location': { value: uri.replace(match, target) }
+ }
+ };
+}
diff --git a/modules/cloudfront/lambda_redirect/index_html/index.js b/modules/cloudfront/lambda_redirect/index_html/index.js
deleted file mode 100644
index 44b6d6a..0000000
--- a/modules/cloudfront/lambda_redirect/index_html/index.js
+++ /dev/null
@@ -1,30 +0,0 @@
-// Add index.html to any request URLs that end in /
-// This allows "friendly" URLs in static websites, e.g.
-// /about-us/ is converted to /about-us/index.html
-
-// https://aws.amazon.com/blogs/compute/implementing-default-directory-indexes-in-amazon-s3-backed-amazon-cloudfront-origins-using-lambdaedge/
-
-'use strict';
-exports.handler = (event, context, callback) => {
- // Extract the request from the CloudFront event that is sent to Lambda@Edge
- var request = event.Records[0].cf.request;
-
- // Extract the URI from the request
- var olduri = request.uri;
-
- // Match any '/' that occurs at the end of a URI. Replace it with a default index
- // Match also any calls to 'index.php' which Wordpress would ordinarily look for
-
- var newuri = olduri.replace(/\/$/, '\/index.html');
- newuri = newuri.replace(/\/index.php$/, '\/index.html');
-
- // For debugging: Log the URI as received by CloudFront and the new URI to be used to fetch from origin
- // console.log("Old URI: " + olduri);
- // console.log("New URI: " + newuri);
-
- // Replace the received URI with the URI that includes the index page
- request.uri = newuri;
-
- // Return to CloudFront
- return callback(null, request);
-};
diff --git a/modules/cloudfront/main.tf b/modules/cloudfront/main.tf
index 7659151..35a401a 100644
--- a/modules/cloudfront/main.tf
+++ b/modules/cloudfront/main.tf
@@ -1,76 +1,24 @@
-data "archive_file" "index_html" {
- type = "zip"
- source_dir = "${path.module}/lambda_redirect/index_html"
- output_path = "${path.module}/lambda_redirect/dst/index_html.zip"
-}
-
-#tfsec:ignore:AWS089
-resource "aws_cloudwatch_log_group" "object_redirect" {
- name = "/aws/lambda/${var.site_name}_redirect_index_html"
- retention_in_days = 7
-}
-
-#tfsec:ignore:AWS089
-resource "aws_cloudwatch_log_group" "object_redirect_ue1_local" {
- name = "/aws/lambda/us-east-1.${var.site_name}_redirect_index_html"
- retention_in_days = 7
-}
-
-# TODO: A solution to create/manage default log groups in all Edge Cache Regions
#tfsec:ignore:AWS089
-resource "aws_cloudwatch_log_group" "object_redirect_ue1" {
- name = "/aws/lambda/us-east-1.${var.site_name}_redirect_index_html"
+resource "aws_cloudwatch_log_group" "object_rewrite" {
+ name = "/aws/cloudfront/function/${var.site_name}_rewrite"
retention_in_days = 7
- provider = aws.ue1
+ # CloudFront Functions always creates log streams in us-east-1, no matter which edge location ran the function.
+ # The purpose of this resource is to set the retention days.
+ provider = aws.ue1
}
-resource "aws_lambda_function" "object_redirect" {
- provider = aws.ue1
- filename = data.archive_file.index_html.output_path
- function_name = "${var.site_name}_redirect_index_html"
- role = aws_iam_role.lambda-edge.arn
- handler = "index.handler"
- source_code_hash = data.archive_file.index_html.output_base64sha256
- runtime = "nodejs12.x"
- publish = true
- memory_size = 128
- timeout = 3
+resource "aws_cloudfront_function" "object_rewrite" {
depends_on = [
- aws_cloudwatch_log_group.object_redirect,
- aws_cloudwatch_log_group.object_redirect_ue1,
- aws_cloudwatch_log_group.object_redirect_ue1_local
+ aws_cloudwatch_log_group.object_rewrite
]
-}
-data "aws_iam_policy_document" "lambda-edge-service-role" {
- statement {
- actions = ["sts:AssumeRole"]
- principals {
- type = "Service"
- identifiers = ["edgelambda.amazonaws.com", "lambda.amazonaws.com"]
+ name = "${var.site_name}_rewrite"
+ runtime = "cloudfront-js-1.0"
+ publish = true
+ code = templatefile(
+ "${path.module}/function_rewrite/index.js.tftpl",
+ {
+ REDIRECTS = var.cloudfront_function_301_redirects
}
- }
-}
-
-resource "aws_iam_role" "lambda-edge" {
- name = "${var.site_name}-lambda-edge-service-role"
- assume_role_policy = data.aws_iam_policy_document.lambda-edge-service-role.json
-}
-
-resource "aws_iam_role_policy_attachment" "basic" {
- role = aws_iam_role.lambda-edge.name
- policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-}
-
-data "aws_iam_policy_document" "lambda-edge-cloudwatch-logs" {
- statement {
- actions = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
- resources = ["arn:aws:logs:*:*:*"]
- }
-}
-
-resource "aws_iam_role_policy" "lambda-edge-cloudwatch-logs" {
- name = "${var.site_name}-lambda-edge-cloudwatch-logs"
- role = aws_iam_role.lambda-edge.name
- policy = data.aws_iam_policy_document.lambda-edge-cloudwatch-logs.json
+ )
}
diff --git a/modules/cloudfront/variables.tf b/modules/cloudfront/variables.tf
index ad773fa..b2a8ee8 100644
--- a/modules/cloudfront/variables.tf
+++ b/modules/cloudfront/variables.tf
@@ -36,3 +36,11 @@ variable "waf_acl_arn" {
default = null
description = "The ARN of the WAF ACL applied to the CloudFront distribution."
}
+
+variable "cloudfront_function_301_redirects" {
+ type = map(any)
+ default = {
+ "^(.*)index\\.php$" : "$1"
+ }
+ description = "A list of key value pairs of Regex match and destination for 301 redirects at CloudFront."
+}
diff --git a/modules/codebuild/README.md b/modules/codebuild/README.md
index b0fe45b..4ff068e 100644
--- a/modules/codebuild/README.md
+++ b/modules/codebuild/README.md
@@ -10,10 +10,13 @@ This module sets up the build to take a vanilla Wordpress image and bake customi
| <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS account ID into which resources will be launched. | `string` | n/a | yes |
| <a name="input_codebuild_bucket"></a> [codebuild\_bucket](#input\_codebuild\_bucket) | The name of the bucket used for codebuild of the image. | `string` | n/a | yes |
| <a name="input_container_memory"></a> [container\_memory](#input\_container\_memory) | The memory allocated to the container (in MB) | `number` | n/a | yes |
+| <a name="input_graviton_codebuild_enabled"></a> [graviton\_codebuild\_enabled](#input\_graviton\_codebuild\_enabled) | Flag that controls whether CodeBuild should use Graviton-based build agents in [supported regions](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html). | `bool` | `false` | no |
| <a name="input_main_vpc_id"></a> [main\_vpc\_id](#input\_main\_vpc\_id) | The VPC ID into which to launch resources. | `string` | n/a | yes |
| <a name="input_site_domain"></a> [site\_domain](#input\_site\_domain) | The site domain name to configure (without any subdomains such as 'www') | `string` | n/a | yes |
| <a name="input_site_name"></a> [site\_name](#input\_site\_name) | The unique name for this instance of the module. Required to deploy multiple wordpress instances to the same AWS account (if desired). | `string` | n/a | yes |
| <a name="input_wordpress_ecr_repository"></a> [wordpress\_ecr\_repository](#input\_wordpress\_ecr\_repository) | The ECR repository where the Wordpress image is stored. | `string` | n/a | yes |
+| <a name="input_wp2static_s3_addon_version"></a> [wp2static\_s3\_addon\_version](#input\_wp2static\_s3\_addon\_version) | Version of the WP2Static S3 Add-on to use from https://github.com/leonstafford/wp2static-addon-s3/releases/ | `string` | `"1.0"` | no |
+| <a name="input_wp2static_version"></a> [wp2static\_version](#input\_wp2static\_version) | Version of WP2Static to use from https://github.com/WP2Static/wp2static/releases | `string` | `"7.1.7"` | no |
## Modules
No modules.
@@ -35,8 +38,10 @@ No requirements.
| [aws_iam_role.codebuild_service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.codebuild_role_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_s3_bucket.code_source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_object.wordpress_dockerbuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object) | resource |
+| [aws_s3_bucket_acl.code_source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
| [aws_s3_bucket_public_access_block.code_source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.code_source](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_object.wordpress_dockerbuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
| [aws_security_group.codebuild_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [local_file.php_ini](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
| [archive_file.code_build_package](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
diff --git a/modules/codebuild/codebuild_files/Dockerfile_serverless_wordpress b/modules/codebuild/codebuild_files/Dockerfile_serverless_wordpress
index 8b09544..9bb4669 100644
--- a/modules/codebuild/codebuild_files/Dockerfile_serverless_wordpress
+++ b/modules/codebuild/codebuild_files/Dockerfile_serverless_wordpress
@@ -1,12 +1,17 @@
ARG aws_account_id
ARG aws_region
ARG ecr_repo_name
+ARG wp2static_version
+ARG wp2static_s3_addon_version
FROM ${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com/${ecr_repo_name}:base
-COPY ["wp-cli.phar", "serverless-wordpress-wp2static.zip","serverless-wordpress-s3-addon.zip","/tmp/"]
+COPY ["wp-cli.phar", "/tmp/"]
COPY docker-entrypoint.sh /usr/local/bin/
RUN apt-get update && apt-get install -y sudo jq awscli mariadb-client && chmod +x /usr/local/bin/docker-entrypoint.sh && chmod +x /tmp/wp-cli.phar && mv /tmp/wp-cli.phar /usr/local/bin/wp \
&& rm -rf /var/lib/apt/lists/*
+RUN curl https://github.com/WP2Static/wp2static/archive/refs/tags/${wp2static_version}.zip -o /tmp/serverless-wordpress-wp2static.zip
+RUN curl https://github.com/leonstafford/wp2static-addon-s3/archive/refs/tags/${wp2static_s3_addon_version}.zip -o /tmp/serverless-wordpress-s3-addon.zip
+
RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
COPY ["php.ini", "$PHP_INI_DIR/conf.d/"]
diff --git a/modules/codebuild/codebuild_files/buildspec.yml b/modules/codebuild/codebuild_files/buildspec.yml
index 5a181c7..dcdd872 100644
--- a/modules/codebuild/codebuild_files/buildspec.yml
+++ b/modules/codebuild/codebuild_files/buildspec.yml
@@ -21,7 +21,9 @@ phases:
docker build -t $IMAGE_REPO_NAME:$IMAGE_TAG --build-arg
aws_account_id=$AWS_ACCOUNT_ID --build-arg
aws_region=$AWS_DEFAULT_REGION --build-arg
- ecr_repo_name=$IMAGE_REPO_NAME -f Dockerfile_serverless_wordpress .
+ ecr_repo_name=$IMAGE_REPO_NAME --build-arg
+ wp2static_version=$WP2STATIC_VERSION --build-arg
+ wp2static_s3_addon_version=$WP2STATIC_S3_ADDON_VERSION -f Dockerfile_serverless_wordpress .
# yamllint disable-line rule:line-length
- docker tag $IMAGE_REPO_NAME:$IMAGE_TAG $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$IMAGE_TAG
post_build:
diff --git a/modules/codebuild/codebuild_files/docker-entrypoint.sh b/modules/codebuild/codebuild_files/docker-entrypoint.sh
index d7ee68e..1e97c5c 100644
--- a/modules/codebuild/codebuild_files/docker-entrypoint.sh
+++ b/modules/codebuild/codebuild_files/docker-entrypoint.sh
@@ -318,6 +318,8 @@ fi
if ! sudo -u www-data wp plugin is-installed wp2static-addon-s3; then
sudo -u www-data wp plugin install /tmp/serverless-wordpress-s3-addon.zip --activate --path=/var/www/html || true
fi
+# Update WP_MEMORY_LIMIT
+sudo -u www-data wp config set WP_MEMORY_LIMIT ${WP_MEMORY_LIMIT}
# # Update Wordpress options with IP of running container
sudo -u www-data wp option update siteurl "http://${CONTAINER_DNS}" || true
sudo -u www-data wp option update home "http://${CONTAINER_DNS}" || true
diff --git a/modules/codebuild/codebuild_files/serverless-wordpress-s3-addon.zip b/modules/codebuild/codebuild_files/serverless-wordpress-s3-addon.zip
deleted file mode 100644
index a31de89..0000000
Binary files a/modules/codebuild/codebuild_files/serverless-wordpress-s3-addon.zip and /dev/null differ
diff --git a/modules/codebuild/codebuild_files/serverless-wordpress-wp2static.zip b/modules/codebuild/codebuild_files/serverless-wordpress-wp2static.zip
deleted file mode 100644
index cb76453..0000000
Binary files a/modules/codebuild/codebuild_files/serverless-wordpress-wp2static.zip and /dev/null differ
diff --git a/modules/codebuild/main.tf b/modules/codebuild/main.tf
index 70fbe2e..d04ef20 100644
--- a/modules/codebuild/main.tf
+++ b/modules/codebuild/main.tf
@@ -2,16 +2,22 @@ data "aws_region" "current" {}
# TODO: Add optional logging for S3 bucket
# TODO: Add optional versioning for S3 bucket
-#tfsec:ignore:AWS002 #tfsec:ignore:AWS077
+#tfsec:ignore:AWS002 #tfsec:ignore:AWS017 #tfsec:ignore:AWS077
resource "aws_s3_bucket" "code_source" {
bucket = var.codebuild_bucket
- acl = "private"
force_destroy = true
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256"
- }
+}
+
+resource "aws_s3_bucket_acl" "code_source" {
+ bucket = aws_s3_bucket.code_source.bucket
+ acl = "private"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "code_source" {
+ bucket = aws_s3_bucket.code_source.bucket
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
}
}
}
@@ -55,7 +61,7 @@ resource "aws_iam_role_policy_attachment" "codebuild_role_attachment" {
policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}
-resource "aws_s3_bucket_object" "wordpress_dockerbuild" {
+resource "aws_s3_object" "wordpress_dockerbuild" {
bucket = aws_s3_bucket.code_source.id
key = "wordpress_docker.zip"
source = "${path.module}/codebuild_files/wordpress_docker.zip"
@@ -100,9 +106,10 @@ resource "aws_codebuild_project" "wordpress_docker_build" {
}
environment {
- compute_type = "BUILD_GENERAL1_SMALL"
- image = "aws/codebuild/standard:4.0"
- type = "LINUX_CONTAINER"
+ compute_type = "BUILD_GENERAL1_SMALL"
+ image = var.graviton_codebuild_enabled ? "aws/codebuild/amazonlinux2-aarch64-standard:2.0" : "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
+ # Use ARM for codebuild if in supporting region
+ type = var.graviton_codebuild_enabled ? (contains(local.arm_container_regions, data.aws_region.current.name) ? "ARM_CONTAINER" : "LINUX_CONTAINER") : "LINUX_CONTAINER"
image_pull_credentials_type = "CODEBUILD"
privileged_mode = true
@@ -122,6 +129,14 @@ resource "aws_codebuild_project" "wordpress_docker_build" {
name = "IMAGE_TAG"
value = "latest"
}
+ environment_variable {
+ name = "WP2STATIC_VERSION"
+ value = var.wp2static_version
+ }
+ environment_variable {
+ name = "WP2STATIC_S3_ADDON_VERSION"
+ value = var.wp2static_s3_addon_version
+ }
}
logs_config {
@@ -133,7 +148,7 @@ resource "aws_codebuild_project" "wordpress_docker_build" {
source {
type = "S3"
- location = "${aws_s3_bucket.code_source.id}/${aws_s3_bucket_object.wordpress_dockerbuild.id}"
+ location = "${aws_s3_bucket.code_source.id}/${aws_s3_object.wordpress_dockerbuild.id}"
}
}
diff --git a/modules/codebuild/variables.tf b/modules/codebuild/variables.tf
index 304200b..96273ad 100644
--- a/modules/codebuild/variables.tf
+++ b/modules/codebuild/variables.tf
@@ -1,3 +1,24 @@
+locals {
+ # https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html
+ # Regions supporting Graviton for CodeBuild
+ arm_container_regions = [
+ "us-east-2",
+ "us-east-1",
+ "us-west-1",
+ "us-west-2",
+ "ap-south-1",
+ "ap-southeast-1",
+ "ap-southeast-2",
+ "ap-northeast-1",
+ "ap-northeast-2",
+ "ca-central-1",
+ "eu-west-1",
+ "eu-west-2",
+ "eu-west-3",
+ "eu-central-1"
+ ]
+}
+
variable "codebuild_bucket" {
type = string
description = "The name of the bucket used for codebuild of the image. "
@@ -36,3 +57,21 @@ variable "container_memory" {
type = number
description = "The memory allocated to the container (in MB)"
}
+
+variable "graviton_codebuild_enabled" {
+ type = bool
+ default = false
+ description = "Flag that controls whether CodeBuild should use Graviton-based build agents in [supported regions](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html)."
+}
+
+variable "wp2static_version" {
+ type = string
+ description = "Version of WP2Static to use from https://github.com/WP2Static/wp2static/releases"
+ default = "7.1.7"
+}
+
+variable "wp2static_s3_addon_version" {
+ type = string
+ description = "Version of the WP2Static S3 Add-on to use from https://github.com/leonstafford/wp2static-addon-s3/releases/"
+ default = "1.0"
+}
diff --git a/modules/lambda_slack/README.md b/modules/lambda_slack/README.md
index 6383c21..55101c6 100644
--- a/modules/lambda_slack/README.md
+++ b/modules/lambda_slack/README.md
@@ -24,12 +24,14 @@ No requirements.
| Name | Type |
|------|------|
| [aws_cloudwatch_event_rule.ecs_wordpress_instance_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_rule.ecs_wordpress_service_action](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
| [aws_cloudwatch_event_rule.ecs_wordpress_service_deployment_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
| [aws_cloudwatch_event_rule.ecs_wordpress_task_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
| [aws_cloudwatch_event_rule.rds_wordpress_cluster_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
| [aws_cloudwatch_event_target.lambda_slack_cluster_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_cloudwatch_event_target.lambda_slack_deployment_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_cloudwatch_event_target.lambda_slack_instance_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+| [aws_cloudwatch_event_target.lambda_slack_service_action](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_cloudwatch_event_target.lambda_slack_task_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_cloudwatch_log_group.lambda_slack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_iam_role.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -39,6 +41,7 @@ No requirements.
| [aws_lambda_permission.allow_rule_cluster_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [aws_lambda_permission.allow_rule_deployment_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [aws_lambda_permission.allow_rule_instance_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lambda_permission.allow_rule_service_action](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [aws_lambda_permission.allow_rule_task_state](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [archive_file.lambda_slack](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
| [aws_iam_policy_document.lambda-cloudwatch-logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
diff --git a/modules/lambda_slack/main.tf b/modules/lambda_slack/main.tf
index 0879609..37aef3f 100644
--- a/modules/lambda_slack/main.tf
+++ b/modules/lambda_slack/main.tf
@@ -120,26 +120,26 @@ resource "aws_cloudwatch_event_rule" "ecs_wordpress_instance_state" {
)
}
-# resource "aws_cloudwatch_event_rule" "ecs_wordpress_service_action" {
-# name = "ecs-wordpress-service-action"
-# description = "Event on Wordpress ECS Service Action"
-
-# event_pattern = jsonencode(
-# {
-# "source": [
-# "aws.ecs"
-# ],
-# "detail-type": [
-# "ECS Service Action"
-# ],
-# "detail": {
-# "clusterArn": [
-# aws_ecs_cluster.wordpress_cluster.arn
-# ]
-# }
-# }
-# )
-# }
+resource "aws_cloudwatch_event_rule" "ecs_wordpress_service_action" {
+ name = "${var.site_name}-ecs-wordpress-service-action"
+ description = "Event on Wordpress ECS Service Action"
+
+ event_pattern = jsonencode(
+ {
+ "source" : [
+ "aws.ecs"
+ ],
+ "detail-type" : [
+ "ECS Service Action"
+ ],
+ "detail" : {
+ "clusterArn" : [
+ var.ecs_cluster_arn
+ ]
+ }
+ }
+ )
+}
resource "aws_cloudwatch_event_rule" "ecs_wordpress_service_deployment_state" {
name = "${var.site_name}-ecs-wordpress-deployment-state"
@@ -178,10 +178,10 @@ resource "aws_cloudwatch_event_target" "lambda_slack_task_state" {
rule = aws_cloudwatch_event_rule.ecs_wordpress_task_state.id
}
-# resource "aws_cloudwatch_event_target" "lambda_slack_service_action" {
-# arn = aws_lambda_function.lambda_slack.arn
-# rule = aws_cloudwatch_event_rule.ecs_wordpress_service_action.id
-# }
+resource "aws_cloudwatch_event_target" "lambda_slack_service_action" {
+ arn = aws_lambda_function.lambda_slack.arn
+ rule = aws_cloudwatch_event_rule.ecs_wordpress_service_action.id
+}
resource "aws_cloudwatch_event_target" "lambda_slack_instance_state" {
arn = aws_lambda_function.lambda_slack.arn
@@ -206,13 +206,13 @@ resource "aws_lambda_permission" "allow_rule_task_state" {
source_arn = aws_cloudwatch_event_rule.ecs_wordpress_task_state.arn
}
-# resource "aws_lambda_permission" "allow_rule_service_action" {
-# statement_id = "AllowExecutionFromECSServiceAction"
-# action = "lambda:InvokeFunction"
-# function_name = aws_lambda_function.lambda_slack.function_name
-# principal = "events.amazonaws.com"
-# source_arn = aws_cloudwatch_event_rule.ecs_wordpress_service_action.arn
-# }
+resource "aws_lambda_permission" "allow_rule_service_action" {
+ statement_id = "AllowExecutionFromECSServiceAction"
+ action = "lambda:InvokeFunction"
+ function_name = aws_lambda_function.lambda_slack.function_name
+ principal = "events.amazonaws.com"
+ source_arn = aws_cloudwatch_event_rule.ecs_wordpress_service_action.arn
+}
resource "aws_lambda_permission" "allow_rule_instance_state" {
statement_id = "AllowExecutionFromECSInstanceState"
diff --git a/provider.tf b/provider.tf
index 4766ad4..1ab964a 100644
--- a/provider.tf
+++ b/provider.tf
@@ -1,10 +1,10 @@
terraform {
- required_version = ">= 0.15.1"
+ required_version = ">= 1.1.7"
required_providers {
aws = {
source = "hashicorp/aws"
# https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md
- version = "~> 3.0"
+ version = "~> 4.0"
configuration_aliases = [aws.ue1]
}
random = {
diff --git a/task-definitions/wordpress.json b/task-definitions/wordpress.json
index 86f8533..64aa2d6 100644
--- a/task-definitions/wordpress.json
+++ b/task-definitions/wordpress.json
@@ -1,48 +1,60 @@
[
- ${jsonencode({
- "cpu": tonumber(container_cpu),
- "environment": [
- {"name": "ECS_ENABLE_CONTAINER_METADATA", "value": "true"},
- {"name": "WORDPRESS_DB_HOST", "value": "${db_host}"},
- {"name": "WORDPRESS_DB_USER", "value": "${db_user}"},
- {"name": "WORDPRESS_DB_PASSWORD", "value": "${db_password}"},
- {"name": "WORDPRESS_DB_NAME", "value": "${db_name}"},
- {"name": "WPSTATIC_DEST", "value": "${wp_dest}"},
- {"name": "WPSTATIC_REGION", "value": "${wp_region}"},
- {"name": "WPSTATIC_BUCKET", "value": "${wp_bucket}"},
- {"name": "CONTAINER_DNS", "value": "${container_dns}"},
- {"name": "CONTAINER_DNS_ZONE", "value": "${container_dns_zone}"},
- {"name": "WORDPRESS_ADMIN_USER", "value": "${wordpress_admin_user}"},
- {"name": "WORDPRESS_ADMIN_PASSWORD", "value": "${wordpress_admin_password}"},
- {"name": "WORDPRESS_ADMIN_EMAIL", "value": "${wordpress_admin_email}"}
- ],
- "essential": true,
- "image": "${wordpress_image}",
- "memory": tonumber(container_memory),
- "name": "wordpress",
- "portMappings": [
- {
- "containerPort": 80,
- "hostPort": 80,
- "protocol": "tcp"
+ {
+ "cpu": ${tonumber(container_cpu)},
+ "environment": [
+ {"name": "ECS_ENABLE_CONTAINER_METADATA", "value": "true"},
+ {"name": "WORDPRESS_DB_HOST", "value": "${db_host}"},
+ {"name": "WORDPRESS_DB_USER", "value": "${db_user}"},
+ {"name": "WORDPRESS_DB_PASSWORD", "value": "${db_password}"},
+ {"name": "WORDPRESS_DB_NAME", "value": "${db_name}"},
+ {"name": "WPSTATIC_DEST", "value": "${wp_dest}"},
+ {"name": "WPSTATIC_REGION", "value": "${wp_region}"},
+ {"name": "WPSTATIC_BUCKET", "value": "${wp_bucket}"},
+ {"name": "CONTAINER_DNS", "value": "${container_dns}"},
+ {"name": "CONTAINER_DNS_ZONE", "value": "${container_dns_zone}"},
+ {"name": "WORDPRESS_ADMIN_USER", "value": "${wordpress_admin_user}"},
+ {"name": "WORDPRESS_ADMIN_PASSWORD", "value": "${wordpress_admin_password}"},
+ {"name": "WORDPRESS_ADMIN_EMAIL", "value": "${wordpress_admin_email}"},
+ {"name": "WP_MEMORY_LIMIT", "value": "${wordpress_memory_limit}"}
+ ],
+ "essential": true,
+ "image": "${wordpress_image}",
+ "memory": ${tonumber(container_memory)},
+ "name": "wordpress",
+ "portMappings": [
+ {
+ "containerPort": 80,
+ "hostPort": 80,
+ "protocol": "tcp"
+ }
+ ],
+ "mountPoints" : [
+ {
+ "sourceVolume": "${efs_source_volume}",
+ "containerPath": "/var/www/html",
+ "readOnly": false
+ }
+ ],
+ %{if container_healthcheck_enabled }
+ "healthCheck": {
+ "retries": 10,
+ "command": [ "CMD-SHELL", "curl -f http://localhost:80/ || exit 1" ],
+ "timeout": 5,
+ "interval": 10,
+ "startPeriod": 60
+ },
+ %{ endif }
+ "volumesFrom" : [],
+ "logConfiguration": {
+ "logDriver": "awslogs",
+ "options": {
+ "awslogs-group": "/aws/ecs/${site_name}-serverless-wordpress-container",
+ "awslogs-region": "${wp_region}",
+ "awslogs-stream-prefix": "ecs"
+ }
+ },
+ "linuxParameters": {
+ "initProcessEnabled": true
}
- ],
- "mountPoints" : [
- {
- "sourceVolume": "${efs_source_volume}",
- "containerPath": "/var/www/html",
- "readOnly": false
- }
- ],
- "volumesFrom" : [],
- "logConfiguration": {
- "logDriver": "awslogs",
- "options": {
- "awslogs-group": "/aws/ecs/${site_name}-serverless-wordpress-container",
- "awslogs-region": "${wp_region}",
- "awslogs-stream-prefix": "ecs"
- }
- }
- })}
-
+ }
]
diff --git a/variables.tf b/variables.tf
index 34a5a15..b8dc880 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,3 +1,10 @@
+locals {
+ graviton_fargate_regions_unsupported = [
+ "af-south-1",
+ "me-south-1"
+ ]
+}
+
variable "main_vpc_id" {
type = string
description = "The VPC ID into which to launch resources."
@@ -72,6 +79,12 @@ variable "ecs_memory" {
description = "The memory limit password to the Wordpress container definition."
}
+variable "ecs_healthcheck_enabled" {
+ default = true
+ description = "Runs an healtchcheck against the container."
+ type = bool
+}
+
variable "snapshot_identifier" {
description = "To create the RDS cluster from a previous snapshot in the same region, specify it by name."
type = string
@@ -97,6 +110,14 @@ variable "cloudfront_class" {
default = "PriceClass_All"
}
+variable "cloudfront_function_301_redirects" {
+ type = map(any)
+ default = {
+ "^(.*)index\\.php$" : "$1"
+ }
+ description = "A list of key value pairs of Regex match and destination for 301 redirects at CloudFront."
+}
+
variable "hosted_zone_id" {
type = string
description = "The Route53 HostedZone ID to use to create records in."
@@ -133,6 +154,24 @@ variable "wordpress_admin_email" {
default = "admin@example.com"
}
+variable "wordpress_memory_limit" {
+ type = string
+ description = "The memory to allow the Wordpress process to use (in M)"
+ default = "256M"
+}
+
+variable "wp2static_version" {
+ type = string
+ description = "Version of WP2Static to use from https://github.com/WP2Static/wp2static/releases"
+ default = "7.1.7"
+}
+
+variable "wp2static_s3_addon_version" {
+ type = string
+ description = "Version of the WP2Static S3 Add-on to use from https://github.com/leonstafford/wp2static-addon-s3/releases/"
+ default = "1.0"
+}
+
variable "waf_acl_rules" {
type = list(any)
description = "List of WAF rules to apply. Can be customized to apply others created outside of module."
@@ -166,3 +205,15 @@ variable "waf_acl_rules" {
}
]
}
+
+variable "graviton_codebuild_enabled" {
+ type = bool
+ default = false
+ description = "Flag that controls whether CodeBuild should use Graviton-based build agents in [supported regions](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html)."
+}
+
+variable "graviton_fargate_enabled" {
+ type = bool
+ default = false
+ description = "Flag that controls whether ECS Fargate should use Graviton-based containers in [supported regions]https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate-Regions.html)."
+}