resource "aws_waf_ipset" "whitelisted_ips" {
count = length(var.whitelisted_ips) > 0 ? 1 : 0
name = "WhitelistedIps"
dynamic "ip_set_descriptors" {
for_each = var.whitelisted_ips
content {
type = ip_set_descriptors.value.type
value = ip_set_descriptors.value.value
}
}
}
resource "aws_waf_rule" "whitelisted_ips_rule" {
count = length(var.whitelisted_ips) > 0 ? 1 : 0
depends_on = [aws_waf_ipset.whitelisted_ips]
name = "${var.env}WhitelistedIPsRule"
metric_name = "${var.env}WhitelistedIPsRule"
predicates {
data_id = aws_waf_ipset.whitelisted_ips[0].id
negated = false
type = "IPMatch"
}
}
resource "aws_waf_web_acl" "whitelisted_ips_acl" {
count = length(var.whitelisted_ips) > 0 ? 1 : 0
depends_on = [aws_waf_rule.whitelisted_ips_rule]
name = "${var.env}WhitelistedIPsACL"
metric_name = "${var.env}WhitelistedIPsACL"
default_action {
type = "BLOCK"
}
rules {
action {
type = "ALLOW"
}
priority = 10
rule_id = aws_waf_rule.whitelisted_ips_rule[0].id
type = "REGULAR"
}
}
resource "aws_cloudformation_stack" "website_bucket_and_cf" {
name = "${var.env}-website-bucket-and-cf-stack"
capabilities = ["CAPABILITY_IAM"]
depends_on = [aws_waf_web_acl.whitelisted_ips_acl]
on_failure = "DELETE"
parameters = {
CertificateArn = var.cert_arn
CustomErrorResponsePagePath = var.custom_error_response_page_path
Debug = var.debug
Domain = var.domain
WebACLId = length(var.whitelisted_ips) > 0 ? "${join("", aws_waf_web_acl.whitelisted_ips_acl.*.id)}" : "none"
}
template_body = file("${path.module}/website_bucket_and_cf.yaml")
# CloudFront distributions can take a long time to create...
timeouts {
create = "2h"
delete = "2h"
update = "4h"
}
}
resource "aws_cloudformation_stack" "pipeline_bucket" {
name = "${var.env}-website-pipeline-bucket-stack"
on_failure = "DELETE"
template_body = file("${path.module}/pipeline_bucket.yaml")
}
resource "aws_cloudformation_stack" "website_cicd" {
capabilities = ["CAPABILITY_IAM"]
depends_on = [aws_cloudformation_stack.website_bucket_and_cf]
name = "${var.env}-website-cicd-stack"
on_failure = "DELETE"
parameters = {
BuildCommand = var.build_command
CodeBuildDockerImageIdentifier = var.code_build_docker_image_identifier
CodeStarSourceConnectionArn = var.code_star_connection_arn
CloudFrontDistributionId = aws_cloudformation_stack.website_bucket_and_cf.outputs["CloudFrontDistributionId"]
NotificationEmail = var.notification_email
PipelineBucket = aws_cloudformation_stack.pipeline_bucket.outputs["PipelineBucket"]
SourceRepoBranch = var.repo_branch
SourceRepoName = var.repo_name
WebsiteBucket = aws_cloudformation_stack.website_bucket_and_cf.outputs["WebsiteBucket"]
}
template_body = file("${path.module}/website_cicd.yaml")
}