feat: Rebuild infra to host multiple website versions

kitten-science · Oct 4, 2024 · f242e4e · f242e4e
1 parent 237ad2b
commit f242e4e
Show file tree

Hide file tree

Showing 13 changed files with 143 additions and 181 deletions.
diff --git a/terraform/README.md b/terraform/README.md
@@ -6,28 +6,42 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.8.2 |
-| <a name="requirement_archive"></a> [archive](#requirement\_archive) | 2.5.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | 5.64.0 |
+| <a name="requirement_archive"></a> [archive](#requirement\_archive) | 2.6.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | 5.69.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.64.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.69.0 |
+| <a name="provider_aws.global"></a> [aws.global](#provider\_aws.global) | 5.69.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_kitten_science_website"></a> [kitten\_science\_website](#module\_kitten\_science\_website) | ./modules/kitten-science-website | n/a |
+| <a name="module_kitten_science_website_beta8"></a> [kitten\_science\_website\_beta8](#module\_kitten\_science\_website\_beta8) | ./modules/kitten-science-website | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [aws_route53_record.github_validation](https://registry.terraform.io/providers/hashicorp/aws/5.64.0/docs/resources/route53_record) | resource |
-| [aws_route53_record.google_validation](https://registry.terraform.io/providers/hashicorp/aws/5.64.0/docs/resources/route53_record) | resource |
-| [aws_route53_zone.kitten_science](https://registry.terraform.io/providers/hashicorp/aws/5.64.0/docs/data-sources/route53_zone) | data source |
+| [aws_cloudfront_response_headers_policy.this](https://registry.terraform.io/providers/hashicorp/aws/5.69.0/docs/resources/cloudfront_response_headers_policy) | resource |
+| [aws_iam_policy.maintainer](https://registry.terraform.io/providers/hashicorp/aws/5.69.0/docs/resources/iam_policy) | resource |
+| [aws_iam_role.maintainer](https://registry.terraform.io/providers/hashicorp/aws/5.69.0/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.maintainer](https://registry.terraform.io/providers/hashicorp/aws/5.69.0/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_route53_record.github_validation](https://registry.terraform.io/providers/hashicorp/aws/5.69.0/docs/resources/route53_record) | resource |
+| [aws_route53_record.google_validation](https://registry.terraform.io/providers/hashicorp/aws/5.69.0/docs/resources/route53_record) | resource |
+| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/5.69.0/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/5.69.0/docs/resources/s3_bucket_ownership_controls) | resource |
+| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/5.69.0/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/5.69.0/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_website_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/5.69.0/docs/resources/s3_bucket_website_configuration) | resource |
+| [aws_iam_policy_document.maintainer](https://registry.terraform.io/providers/hashicorp/aws/5.69.0/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.maintainer_assume_role](https://registry.terraform.io/providers/hashicorp/aws/5.69.0/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.s3_public_read](https://registry.terraform.io/providers/hashicorp/aws/5.69.0/docs/data-sources/iam_policy_document) | data source |
+| [aws_route53_zone.kitten_science](https://registry.terraform.io/providers/hashicorp/aws/5.69.0/docs/data-sources/route53_zone) | data source |
 
 ## Inputs
 

diff --git a/...orm/modules/kitten-science-website/iam.tf → terraform/iam.tf b/...orm/modules/kitten-science-website/iam.tf → terraform/iam.tf
@@ -30,7 +30,7 @@ data "aws_iam_policy_document" "maintainer_assume_role" {
   }
 }
 resource "aws_iam_role" "maintainer" {
-  name               = "${var.bucket_name}-maintainer"
+  name               = "${local.bucket_name}-maintainer"
   assume_role_policy = data.aws_iam_policy_document.maintainer_assume_role.json
 }
 
@@ -47,13 +47,13 @@ data "aws_iam_policy_document" "maintainer" {
     effect  = "Allow"
     actions = ["cloudfront:*"]
     resources = [
-      aws_cloudfront_distribution.schema.arn,
-      aws_cloudfront_distribution.this.arn
+      module.kitten_science_website.cloudfront_distribution_arn,
+      module.kitten_science_website_beta8.cloudfront_distribution_arn,
     ]
   }
 }
 resource "aws_iam_policy" "maintainer" {
-  name        = "${var.bucket_name}-maintainer"
+  name        = "${local.bucket_name}-maintainer"
   description = "Allows changing the Kitten Science website."
   policy      = data.aws_iam_policy_document.maintainer.json
 }

diff --git a/terraform/locals.tf b/terraform/locals.tf
@@ -1,4 +1,5 @@
 locals {
+  bucket_name = "kitten-science-us0"
   domain_name = "kitten-science.com"
   tags = {
     "ks:group"     = "base"

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -1,8 +1,31 @@
 module "kitten_science_website" {
   source      = "./modules/kitten-science-website"
   bucket_name = "kitten-science-us0"
+  comment     = "Kitten Science Main"
   domain_name = local.domain_name
 
+  origin_domain_name         = aws_s3_bucket_website_configuration.this.website_endpoint
+  origin_id                  = aws_s3_bucket.this.bucket
+  response_headers_policy_id = aws_cloudfront_response_headers_policy.this.id
+
+  providers = {
+    aws        = aws
+    aws.global = aws.global
+  }
+}
+module "kitten_science_website_beta8" {
+  source               = "./modules/kitten-science-website"
+  bucket_name          = "kitten-science-us0"
+  comment              = "Kitten Science v2.0.0-beta.8"
+  domain_name          = local.domain_name
+  lambda_function_name = "redirect-releases-beta8"
+  site_name            = "beta8"
+
+  origin_domain_name         = aws_s3_bucket_website_configuration.this.website_endpoint
+  origin_id                  = aws_s3_bucket.this.bucket
+  origin_path                = "/v2.0.0-beta.8"
+  response_headers_policy_id = aws_cloudfront_response_headers_policy.this.id
+
   providers = {
     aws        = aws
     aws.global = aws.global

diff --git a/terraform/modules/kitten-science-website/README.md b/terraform/modules/kitten-science-website/README.md
@@ -27,48 +27,40 @@ No modules.
 |------|------|
 | [aws_acm_certificate.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
 | [aws_acm_certificate_validation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource |
-| [aws_cloudfront_distribution.schema](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
 | [aws_cloudfront_distribution.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
-| [aws_cloudfront_response_headers_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_response_headers_policy) | resource |
 | [aws_iam_policy.lambda_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.maintainer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_role.maintainer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.aws_xray_write_only_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.lambda_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.maintainer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_lambda_function.redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
 | [aws_lambda_permission.edgelambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
-| [aws_route53_record.schema](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
-| [aws_route53_record.validation_kitten_science](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
-| [aws_route53_record.validation_rm_rf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
-| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
-| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
-| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
-| [aws_s3_bucket_website_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
+| [aws_route53_record.validation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [archive_file.redirect](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
 | [aws_cloudfront_cache_policy.uncached](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_cache_policy) | data source |
 | [aws_cloudfront_origin_request_policy.cors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_origin_request_policy) | data source |
 | [aws_iam_policy.aws_xray_write_only_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy_document.lambda_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.maintainer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.maintainer_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.redirect_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.s3_public_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_route53_zone.kitten_science](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
-| [aws_route53_zone.rm_rf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
+| [aws_route53_zone.domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The name of the S3 bucket to create for the website. | `string` | n/a | yes |
+| <a name="input_comment"></a> [comment](#input\_comment) | The comment for the CloudFront distribution | `string` | n/a | yes |
 | <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | The name of the Route53 domain to use. | `string` | n/a | yes |
 | <a name="input_lambda_function_name"></a> [lambda\_function\_name](#input\_lambda\_function\_name) | n/a | `string` | `"redirect-releases"` | no |
+| <a name="input_origin_domain_name"></a> [origin\_domain\_name](#input\_origin\_domain\_name) | n/a | `string` | n/a | yes |
+| <a name="input_origin_id"></a> [origin\_id](#input\_origin\_id) | n/a | `string` | n/a | yes |
+| <a name="input_origin_path"></a> [origin\_path](#input\_origin\_path) | The path in the S3 bucket that should be served on the website. | `string` | `"/main"` | no |
+| <a name="input_response_headers_policy_id"></a> [response\_headers\_policy\_id](#input\_response\_headers\_policy\_id) | n/a | `string` | n/a | yes |
+| <a name="input_site_name"></a> [site\_name](#input\_site\_name) | n/a | `string` | `null` | no |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_cloudfront_distribution_arn"></a> [cloudfront\_distribution\_arn](#output\_cloudfront\_distribution\_arn) | n/a |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/terraform/modules/kitten-science-website/cloudfront.tf b/terraform/modules/kitten-science-website/cloudfront.tf
@@ -1,62 +1,36 @@
 # Certificate
 resource "aws_acm_certificate" "this" {
-  domain_name       = var.domain_name
+  domain_name       = local.fqdn
   key_algorithm     = "EC_prime256v1"
   validation_method = "DNS"
 
-  subject_alternative_names = [
-    "schema.${var.domain_name}",
-    "ks.rm-rf.link"
-  ]
-
   lifecycle {
     create_before_destroy = true
   }
 
   provider = aws.global
 }
-resource "aws_route53_record" "validation_kitten_science" {
-  for_each = {
-    for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
-      name   = dvo.resource_record_name
-      record = dvo.resource_record_value
-      type   = dvo.resource_record_type
-    } if endswith(dvo.domain_name, data.aws_route53_zone.kitten_science.name)
-  }
-
-  allow_overwrite = true
-  name            = each.value.name
-  records         = [each.value.record]
-  ttl             = 60
-  type            = each.value.type
-  zone_id         = data.aws_route53_zone.kitten_science.zone_id
-
-  provider = aws.global
-}
-resource "aws_route53_record" "validation_rm_rf" {
+resource "aws_route53_record" "validation" {
   for_each = {
     for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
       name   = dvo.resource_record_name
       record = dvo.resource_record_value
       type   = dvo.resource_record_type
-    } if endswith(dvo.domain_name, "rm-rf.link")
+    } if endswith(dvo.domain_name, data.aws_route53_zone.domain.name)
   }
 
   allow_overwrite = true
   name            = each.value.name
   records         = [each.value.record]
   ttl             = 60
   type            = each.value.type
-  zone_id         = data.aws_route53_zone.rm_rf.id
+  zone_id         = data.aws_route53_zone.domain.zone_id
 
   provider = aws.global
 }
 resource "aws_acm_certificate_validation" "this" {
-  certificate_arn = aws_acm_certificate.this.arn
-  validation_record_fqdns = concat(
-    [for record in aws_route53_record.validation_kitten_science : record.fqdn],
-    [for record in aws_route53_record.validation_rm_rf : record.fqdn]
-  )
+  certificate_arn         = aws_acm_certificate.this.arn
+  validation_record_fqdns = [for record in aws_route53_record.validation : record.fqdn]
 
   provider = aws.global
 }
@@ -73,17 +47,22 @@ resource "aws_cloudfront_distribution" "this" {
   depends_on = [aws_acm_certificate_validation.this]
 
   aliases = [
-    var.domain_name,
-    "ks.rm-rf.link"
+    local.fqdn
   ]
-  comment = "Kitten Science"
+  comment = var.comment
 
   enabled         = true
+  http_version    = "http2and3"
   is_ipv6_enabled = true
+  web_acl_id      = "arn:aws:wafv2:us-east-1:022327457572:global/webacl/CreatedByCloudFront-04e49c94-b220-44e4-9240-3da00e9602aa/d0878d05-aca4-4611-820d-26bbf1fd3ede"
+
+  retain_on_delete    = true
+  wait_for_deployment = false
 
   origin {
-    domain_name = aws_s3_bucket_website_configuration.this.website_endpoint
-    origin_id   = aws_s3_bucket.this.bucket
+    domain_name = var.origin_domain_name
+    origin_id   = var.origin_id
+    origin_path = var.origin_path
     custom_origin_config {
       http_port              = 80
       https_port             = 443
@@ -97,8 +76,8 @@ resource "aws_cloudfront_distribution" "this" {
     cached_methods             = ["GET", "HEAD", "OPTIONS"]
     cache_policy_id            = data.aws_cloudfront_cache_policy.uncached.id
     origin_request_policy_id   = data.aws_cloudfront_origin_request_policy.cors.id
-    response_headers_policy_id = aws_cloudfront_response_headers_policy.this.id
-    target_origin_id           = aws_s3_bucket.this.bucket
+    response_headers_policy_id = var.response_headers_policy_id
+    target_origin_id           = var.origin_id
 
     lambda_function_association {
       event_type = "origin-request"
@@ -113,68 +92,6 @@ resource "aws_cloudfront_distribution" "this" {
     max_ttl                = 0
   }
 
-  #logging_config {
-  #  bucket = aws_s3_bucket.this.bucket_domain_name
-  #  prefix = "cloudfront-logs/"
-  #}
-
-  restrictions {
-    geo_restriction {
-      restriction_type = "none"
-    }
-  }
-
-  viewer_certificate {
-    acm_certificate_arn      = aws_acm_certificate.this.arn
-    minimum_protocol_version = "TLSv1.2_2021"
-    ssl_support_method       = "sni-only"
-  }
-
-  provider = aws.global
-}
-resource "aws_cloudfront_distribution" "schema" {
-  depends_on = [aws_acm_certificate_validation.this]
-
-  aliases = ["schema.${var.domain_name}"]
-  comment = "Kitten Science Schemas"
-
-  enabled         = true
-  is_ipv6_enabled = true
-
-  origin {
-    domain_name = aws_s3_bucket_website_configuration.this.website_endpoint
-    origin_id   = aws_s3_bucket.this.bucket
-    origin_path = "/schemas"
-    custom_origin_config {
-      http_port              = 80
-      https_port             = 443
-      origin_protocol_policy = "http-only"
-      origin_ssl_protocols   = ["TLSv1.2"]
-    }
-  }
-
-  default_cache_behavior {
-    allowed_methods            = ["GET", "HEAD", "OPTIONS"]
-    cached_methods             = ["GET", "HEAD", "OPTIONS"]
-    response_headers_policy_id = aws_cloudfront_response_headers_policy.this.id
-    target_origin_id           = aws_s3_bucket.this.bucket
-
-    compress = true
-
-    forwarded_values {
-      query_string = false
-
-      cookies {
-        forward = "none"
-      }
-    }
-
-    viewer_protocol_policy = "redirect-to-https"
-    min_ttl                = 0
-    default_ttl            = 86400
-    max_ttl                = 31536000
-  }
-
   restrictions {
     geo_restriction {
       restriction_type = "none"
@@ -189,31 +106,3 @@ resource "aws_cloudfront_distribution" "schema" {
 
   provider = aws.global
 }
-
-resource "aws_cloudfront_response_headers_policy" "this" {
-  name = var.bucket_name
-
-  cors_config {
-    access_control_allow_credentials = false
-
-    access_control_allow_headers {
-      items = [
-        "Accept",
-        "Accept-Language",
-        "Content-Language",
-        "Content-Type",
-        "Range"
-      ]
-    }
-
-    access_control_allow_methods {
-      items = ["GET", "HEAD"]
-    }
-
-    access_control_allow_origins {
-      items = ["*"]
-    }
-
-    origin_override = true
-  }
-}
diff --git a/terraform/modules/kitten-science-website/data.tf b/terraform/modules/kitten-science-website/data.tf
@@ -1,6 +1,3 @@
-data "aws_route53_zone" "kitten_science" {
+data "aws_route53_zone" "domain" {
   name = var.domain_name
 }
-data "aws_route53_zone" "rm_rf" {
-  name = "rm-rf.link"
-}