Conditionally create new cert and route53

acm.tf

@@ -0,0 +1,15 @@
+module "acm" {
+  count = local.should_create_cert ? 1 : 0
+
+  source  = "terraform-aws-modules/acm/aws"
+  version = "~> 5"
+
+  domain_name = var.route53.record_name
+  zone_id     = data.aws_route53_zone.root_zone.zone_id
+
+  wait_for_validation = false
+
+  tags = {
+    Name = var.route53.record_name
+  }
+}

cf.tf

@@ -2,6 +2,11 @@ resource "aws_cloudfront_origin_access_identity" "access_id" {
   comment = "Created to facilitate CF access to ${var.primary_fqdn} and the corresponding bucket."
 }
 
+locals {
+  should_create_cert = var.route53 != null && var.route53.create_cert
+  cert_arn           = local.should_create_cert ? module.acm[0].acm_certificate_arn : var.cert_arn
+}
+
 resource "aws_cloudfront_distribution" "web_distro" {
   enabled         = true
   is_ipv6_enabled = true
@@ -19,7 +24,7 @@ resource "aws_cloudfront_distribution" "web_distro" {
   }
 
   viewer_certificate {
-    acm_certificate_arn = var.cert_arn
+    acm_certificate_arn = local.cert_arn
     ssl_support_method  = "sni-only"
   }
 

main.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3"
+      version = ">= 4.4"
     }
   }
 }

outputs.tf

@@ -17,3 +17,8 @@ output "s3_bucket_name" {
   description = "The name of the bucket. Probably the same as the FQDN, but this so you're 100% sure to get the name."
   value       = aws_s3_bucket.web.bucket
 }
+
+output "fqdn" {
+  description = "The fqdn of the route53 record created. Only defined if you requested the creation of a route53 record."
+  value       = aws_route53_record.a_record[0].name
+}

route53.tf

@@ -0,0 +1,16 @@
+data "aws_route53_zone" "root_zone" {
+  name = var.route53.zone_name
+}
+
+resource "aws_route53_record" "a_record" {
+  count   = var.route53 ? 1 : 0
+  type    = "A"
+  name    = var.route53.record_name
+  zone_id = data.aws_route53_zone.root_zone.zone_id
+
+  alias {
+    name                   = aws_cloudfront_distribution.web_distro.domain_name
+    zone_id                = aws_cloudfront_distribution.web_distro.hosted_zone_id
+    evaluate_target_health = false
+  }
+}

s3.tf

@@ -12,15 +12,15 @@ resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
 }
 
 resource "aws_s3_bucket_acl" "web_acl" {
-  count = var.bucket_object_ownership == "BucketOwnerEnforced" ? 0 : 1
+  count  = var.bucket_object_ownership == "BucketOwnerEnforced" ? 0 : 1
   bucket = aws_s3_bucket.web.id
   acl    = "public-read"
 
   depends_on = [aws_s3_bucket_public_access_block.allow_public_acl, aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]
 }
 
 resource "aws_s3_bucket_public_access_block" "allow_public_acl" {
-  count = var.bucket_object_ownership == "BucketOwnerEnforced" ? 0 : 1
+  count             = var.bucket_object_ownership == "BucketOwnerEnforced" ? 0 : 1
   bucket            = aws_s3_bucket.web.id
   block_public_acls = false
 }

variables.tf

@@ -16,6 +16,22 @@ variable "cert_arn" {
   description = "The ARN for a cert that will be fronting this distro. Make sure it exists."
 }
 
+variable "route53" {
+  description = "If the module should create a new cert for the distribution. Fill out the below information."
+  default     = null
+  type = object({
+    record_name = string
+    zone_name   = string
+    create_cert = bool
+  })
+}
+
+variable "create_cert" {
+  description = "If the module should create a new cert for the distribution. Fill out the below information."
+  default     = false
+  type        = bool
+}
+
 # Optional variables
 variable "routing_rules" {
   description = "A string containing a compatible policy document with routing rules to assign to the S3 bucket. Defaults to empty."