Minor updates to simplify cloudfront usage (#892)

* Minor updates to simplify cloudfront usage * terraform fmt
run-x · May 23, 2022 · 213ba4d · 213ba4d
1 parent 34e7be6
commit 213ba4d
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 32 deletions.
diff --git a/modules/cloudfront_distribution/cloudfront-distribution.md b/modules/cloudfront_distribution/cloudfront-distribution.md
@@ -52,11 +52,7 @@ modules:
   - type: k8s-cluster
   - type: k8s-base
     name: testbase
-    cert_arn: "${{module.dns.cert_arn}}"
   - type: cloudfront-distribution
-    # Uncomment the following line if you want added security and are using a valid, non-self-signed ssl cert on the 
-    # load balancer (SSL certs created by opta when setting dns delegated true work fine). 
-    # forward_https: true
     links:
       - testbase
 ```

diff --git a/modules/cloudfront_distribution/cloudfront-distribution.yaml b/modules/cloudfront_distribution/cloudfront-distribution.yaml
@@ -16,15 +16,15 @@ inputs:
   - name: s3_log_bucket_name
     user_facing: false
     description: Name of the access log bucket
-    default: null
+    default: ""
   - name: s3_load_balancer_enabled
     user_facing: false
     description: Create S3 Cloudfront if set to true
     default: false
-  - name: load_balancer
+  - name: load_balancer_arn
     user_facing: false
-    description: Load Balancer URL
-    default: null
+    description: Arn of the loadbalancer to attach to Load Balancer
+    default: ""
   - name: eks_load_balancer_enabled
     user_facing: false
     description: Create LB Cloudfront if set to true
@@ -94,11 +94,6 @@ inputs:
     validator: str(required=False)
     description: ID of Route53 hosted zone to add a record for. By default uses the one created by the DNS module if the module is found.
     default: ""
-  - name: forward_https
-    user_facing: true
-    validator: bool(required=False)
-    description: Should cloudformation forward to https port 443 instead of http port 80?
-    default: false
 extra_validators: { }
 outputs:
   - name: cloudfront_domain

diff --git a/modules/cloudfront_distribution/cloudfront_distribution.py b/modules/cloudfront_distribution/cloudfront_distribution.py
@@ -94,6 +94,6 @@ def handle_s3_link(self, linked_module: "Module") -> None:
     def handle_k8s_base_link(self, linked_module: "Module") -> None:
         module_source = f"module.{linked_module.name}"
         self.module.data[
-            "load_balancer"
-        ] = f"${{{{{module_source}.load_balancer_raw_dns}}}}"
+            "load_balancer_arn"
+        ] = f"${{{{{module_source}.load_balancer_arn}}}}"
         self.module.data["eks_load_balancer_enabled"] = True
diff --git a/modules/cloudfront_distribution/tf_module/main.tf b/modules/cloudfront_distribution/tf_module/main.tf
@@ -1,18 +1,19 @@
 data "aws_s3_bucket" "current_bucket" {
-  count  = local.s3_distribution_count
+  count  = var.s3_load_balancer_enabled ? 1 : 0
   bucket = var.bucket_name
 }
 
 data "aws_s3_bucket" "logging_bucket" {
-  count  = var.s3_log_bucket_name == null ? 0 : 1
+  count  = var.s3_log_bucket_name == "" ? 0 : 1
   bucket = var.s3_log_bucket_name
 }
 
-locals {
-  lb_distribution_count = var.eks_load_balancer_enabled == true ? 1 : 0
-  s3_distribution_count = var.s3_load_balancer_enabled == true ? 1 : 0
+data "aws_lb" "ingress-nginx" {
+  count = var.eks_load_balancer_enabled ? 1 : 0
+  arn   = var.load_balancer_arn
 }
 
+
 # This is optional, see Opta docs for this here: https://docs.opta.dev/reference/aws/modules/cloudfront-distribution/
 #tfsec:ignore:aws-cloudfront-enable-waf
 resource "aws_cloudfront_distribution" "distribution" {
@@ -50,12 +51,12 @@ resource "aws_cloudfront_distribution" "distribution" {
   dynamic "origin" {
     for_each = var.eks_load_balancer_enabled == true ? [1] : []
     content {
-      domain_name = var.load_balancer
+      domain_name = data.aws_lb.ingress-nginx[0].dns_name
       origin_id   = local.lb_origin_id
       custom_origin_config {
         http_port              = 80
         https_port             = 443
-        origin_protocol_policy = var.forward_https ? "https-only" : "http-only"
+        origin_protocol_policy = "http-only"
         origin_ssl_protocols   = ["TLSv1.2", "TLSv1.1", "TLSv1"]
       }
     }
@@ -76,7 +77,7 @@ resource "aws_cloudfront_distribution" "distribution" {
   default_cache_behavior {
     allowed_methods        = var.allowed_methods
     cached_methods         = var.cached_methods
-    target_origin_id       = var.eks_load_balancer_enabled == true ? local.lb_origin_id : local.s3_origin_id
+    target_origin_id       = var.load_balancer_arn == "" ? local.s3_origin_id : local.lb_origin_id
     viewer_protocol_policy = "redirect-to-https"
 
     forwarded_values {

diff --git a/modules/cloudfront_distribution/tf_module/variables.tf b/modules/cloudfront_distribution/tf_module/variables.tf
@@ -55,18 +55,16 @@ variable "links" {
   default = []
 }
 
-variable "load_balancer" {
+variable "load_balancer_arn" {
   type = string
 }
 
 variable "eks_load_balancer_enabled" {
-  type    = bool
-  default = false
+  type = bool
 }
 
 variable "s3_load_balancer_enabled" {
-  type    = bool
-  default = false
+  type = bool
 }
 
 variable "allowed_methods" {
@@ -83,10 +81,6 @@ variable "enable_auto_dns" {
   type = bool
 }
 
-variable "forward_https" {
-  type = bool
-}
-
 variable "zone_id" {
   type = string
 }