DTPK-210 feature: add a capability to have option to create dns recor…

…ds and fix some vars confusion (#9)

* feature: add is_automatic_create_dns_record to add option to choose whether to auto create or not

* fix: index route53 hosted zone data

* feature: remove vars:acm_cert_domain_name and add vars: domain_alias,domain_aliases_extra

* feature: add capable of to create dns records for all cloudfront aliases

* fix: changelog date

* feature: add readme for example and combine domain_alias and domain_aliases_extra to domain_aliases

* fix: vars domain_aliases type and update readme

* feature: update changelog

CHANGELOG.md

@@ -2,6 +2,19 @@
 
 All notable changes to this module will be documented in this file.
 
+## [1.0.4] - 2022-08-03
+
+### Added
+
+- add vars `is_automatic_create_dns_record` for enable an option to choose whether to automatically create dns records or not
+- dns records is now capable to create record for all cloudfront aliases
+- support using cloudfront certificate viewer instead of custom one
+
+### Changed
+
+- remove vars `acm_cert_domain_name`
+- vars `domain_aliases` is now only vars that use as cloudfront aliases
+
 ## [1.0.3] - 2022-07-22
 
 ### Changed
@@ -30,7 +43,6 @@ All notable changes to this module will be documented in this file.
 - variables
   - `is_create_log_access_role`
 
-
 ## [1.0.0] - 2022-04-28
 
 ### Added

SECURITY.md

@@ -20,4 +20,4 @@ Your can also report the vulnerabilities by emailing to Oozou DevOps team at:
 devops@oozou.com
 ```
 
-We will acknowledge your email within 72 hours on workday, and will send a more details response within 5 days. After the initial email start, we will investigate the security issue snd fix it as soon as possible.
+We will acknowledge your email within 72 hours on workday, and will send a more details response within 5 days. After the initial email start, we will investigate the security issue snd fix it as soon as possible.

dns.tf

@@ -1,8 +1,9 @@
 # DNS Mapping
 resource "aws_route53_record" "application" {
-  zone_id = data.aws_route53_zone.hosted_zone.id
-  name    = var.acm_cert_domain_name
-  type    = "A"
+  for_each = var.is_automatic_create_dns_record ? local.aliases_records : {}
+  zone_id  = data.aws_route53_zone.hosted_zone[0].id
+  name     = each.value.name
+  type     = "A"
 
   alias {
     name                   = lower(aws_cloudfront_distribution.distribution.domain_name)

examples/complete/README.md

@@ -0,0 +1,33 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_acm_virginia"></a> [acm\_virginia](#module\_acm\_virginia) | git::ssh://git@github.com/oozou/terraform-aws-acm.git | v1.0.1 |
+| <a name="module_cloudfront_distribution"></a> [cloudfront\_distribution](#module\_cloudfront\_distribution) | ../../ | n/a |
+| <a name="module_s3_for_cloudfront_logs"></a> [s3\_for\_cloudfront\_logs](#module\_s3\_for\_cloudfront\_logs) | git@github.com:oozou/terraform-aws-s3.git | v1.0.4 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_custom_tags"></a> [custom\_tags](#input\_custom\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys. | `map(string)` | `{}` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | [Required] Name prefix used for resource naming in this component | `string` | n/a | yes |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | [Required] Name prefix used for resource naming in this component | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

examples/complete/main.tf

@@ -16,7 +16,7 @@ module "cloudfront_distribution" {
   }
 
   # By-default, fqdn for the CDN should be added, it should be the one for which certificate is issued
-  domain_aliases      = ["example.example.com"]
+  domain_aliases      = ["example.example.com", "example1.example.com"]
   default_root_object = ""
 
   # Default behavior
@@ -34,14 +34,14 @@ module "cloudfront_distribution" {
 
 
   # DNS Mapping variables
-  cdn_certificate_arn        = module.acm_virginia.certificate_arn[0]
-  acm_cert_domain_name       = "example.example.com"
-  route53_domain_name        = "example.com"
-  is_enable_waf              = true
-  is_enable_waf_default_rule = false
-  waf_default_action         = "allow"
-  tags                       = var.custom_tags
+  is_automatic_create_dns_record = true
+  cdn_certificate_arn            = module.acm_virginia.certificate_arn[0]
+  route53_domain_name            = "example.com"
+  is_enable_waf                  = true
+  is_enable_waf_default_rule     = false
+  waf_default_action             = "allow"
+  tags                           = var.custom_tags
   providers = {
     aws = aws.virginia
-   }
+  }
 }

locals.tf

@@ -5,6 +5,8 @@ locals {
   enable_s3_origin                   = var.s3_origin != null ? true : false
   enable_lambda_function_association = var.lambda_function_association != null ? true : false
   resource_name                      = "${var.prefix}-${var.environment}-${var.name}-cf"
+  aliases_records                    = { for name in var.domain_aliases : name => { "name" = name } }
+  is_use_cloudfront_cert_viewer      = var.cdn_certificate_arn == null && var.is_automatic_create_dns_record == false && length(var.domain_aliases) == 0 ? true : false
 
   tags = merge(
     {

main.tf

@@ -1,4 +1,5 @@
 data "aws_route53_zone" "hosted_zone" {
+  count        = var.is_automatic_create_dns_record ? 1 : 0
   name         = var.route53_domain_name
   private_zone = false
 }
@@ -101,7 +102,7 @@ resource "aws_cloudfront_distribution" "distribution" {
   default_root_object = var.default_root_object
 
   # By-default, fqdn for the CDN should be added, it should be the one for which certificate is issued
-  aliases = concat([var.acm_cert_domain_name], var.domain_aliases)
+  aliases = var.domain_aliases
 
   default_cache_behavior {
     allowed_methods  = lookup(var.default_cache_behavior, "allowed_methods", ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"])
@@ -280,10 +281,10 @@ resource "aws_cloudfront_distribution" "distribution" {
   }
 
   viewer_certificate {
-    acm_certificate_arn            = var.cdn_certificate_arn
-    cloudfront_default_certificate = false
-    minimum_protocol_version       = "TLSv1.2_2018"
-    ssl_support_method             = "sni-only"
+    acm_certificate_arn            = local.is_use_cloudfront_cert_viewer ? null : var.cdn_certificate_arn
+    cloudfront_default_certificate = local.is_use_cloudfront_cert_viewer ? true : false
+    minimum_protocol_version       = local.is_use_cloudfront_cert_viewer ? "TLSv1" : "TLSv1.2_2018"
+    ssl_support_method             = local.is_use_cloudfront_cert_viewer ? null : "sni-only"
   }
 
   logging_config {

variables.tf

@@ -43,7 +43,7 @@ variable "log_aggregation_s3_bucket_name" {
 }
 
 variable "domain_aliases" {
-  description = "Extra CNAMEs (alternate domain names) for the distribution (apart from FQDN for which SSL certificate is issued, it will be added by-default)"
+  description = "CNAMEs (domain names) for the distribution"
   type        = list(string)
   default     = []
 }
@@ -111,20 +111,23 @@ variable "origin_read_timeout" {
 
 #  ACM variables
 # domain name for the created CDN
-variable "acm_cert_domain_name" {
-  description = "[Required] The FQDN of the certificate to issue (i.e.: 'prime.spike.abc.cloud'). The Route53 zone must already exist."
-  type        = string
+variable "is_automatic_create_dns_record" {
+  description = "Whether to automatically create cloudfront A record."
+  type        = bool
+  default     = true
 }
 
 # name of the hosted zone for the route 53 record for CDN
 variable "route53_domain_name" {
   description = "[Required] The Name of the already existing Route53 Hosted Zone (i.e.: 'spike.abc.cloud')"
   type        = string
+  default     = null
 }
 
 variable "cdn_certificate_arn" {
   description = "Specify ARN for CDN certificate"
   type        = string
+  default     = null
 }
 
 variable "default_root_object" {