
fix: DBTP-1398 Correct prod domain name for static content S3 buckets…
… (2nd pass)
WillGibson committed Oct 4, 2024
1 parent 33c6e57 commit 97006b5
Showing 2 changed files with 54 additions and 24 deletions.
15 changes: 10 additions & 5 deletions s3/main.tf
@@ -1,9 +1,14 @@
data "aws_caller_identity" "current" {}

locals {
serve_static_domain = var.environment == "prod" ? "${var.config.bucket_name}.${var.application}.prod.uktrade.digital" : "${var.config.bucket_name}.${var.environment}.${var.application}.uktrade.digital"
}

resource "aws_s3_bucket" "this" {
# checkov:skip=CKV_AWS_144: Cross Region Replication not Required
# checkov:skip=CKV2_AWS_62: Requires wider discussion around log/event ingestion before implementing. To be picked up on conclusion of DBTP-974
# checkov:skip=CKV_AWS_18: Requires wider discussion around log/event ingestion before implementing. To be picked up on conclusion of DBTP-974
bucket = var.config.serve_static_content ? "${var.config.bucket_name}.${var.environment}.${var.application}.uktrade.digital" : var.config.bucket_name
bucket = var.config.serve_static_content ? local.serve_static_domain : var.config.bucket_name

tags = local.tags
}
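Review bot: Routing the prod case through `local.serve_static_domain` also changes `bucket` for any prod environment that has `serve_static_content` set, and a bucket name change forces replacement of `aws_s3_bucket.this`; the tests expect `force_destroy` to stay at its default of false, so a non-empty prod bucket would make that apply fail and an empty one would be destroyed and recreated under the new name, which deserves a sentence in the commit description or a migration step. The new local has no comment although the later hunks make it feed the bucket name, the ACM `domain_name`, the CloudFront `aliases` and the SSM parameter value; a line such as `# Public hostname of the static-content bucket: prod is <bucket>.<app>.prod.uktrade.digital, other environments <bucket>.<env>.<app>.uktrade.digital. Also used as the S3 bucket name, so bucket, certificate, alias and SSM value must stay in sync.` would record that contract. `data "aws_caller_identity" "current" {}` sits at the top of this hunk but nothing in the visible hunks references it; if it is not used further down the file it should be dropped. The OAC `name` in the next hunk still uses the `<bucket>.<env>.<app>` pattern, which is acceptable for a resource name but is worth a short comment so it is not later changed to match the domain.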
@@ -172,7 +177,7 @@ resource "aws_cloudfront_origin_access_control" "oac" {

name = "${var.config.bucket_name}.${var.environment}.${var.application}-oac"
provider = aws.domain-cdn
description = "Origin access control for Cloudfront distribution and ${var.config.bucket_name}.${var.environment}.${var.application}.uktrade.digital static s3 bucket."
description = "Origin access control for Cloudfront distribution and ${local.serve_static_domain} static s3 bucket."
origin_access_control_origin_type = "s3"
signing_behavior = "always"
signing_protocol = "sigv4"
@@ -208,7 +213,7 @@ resource "aws_acm_certificate" "certificate" {
count = var.config.serve_static_content ? 1 : 0

provider = aws.domain-cdn
domain_name = "${var.config.bucket_name}.${var.environment}.${var.application}.uktrade.digital"
domain_name = local.serve_static_domain
validation_method = "DNS"

lifecycle {
@@ -283,7 +288,7 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
count = var.config.serve_static_content ? 1 : 0

provider = aws.domain-cdn
aliases = ["${var.config.bucket_name}.${var.environment}.${var.application}.uktrade.digital"]
aliases = [local.serve_static_domain]

origin {
domain_name = aws_s3_bucket.this.bucket_regional_domain_name
@@ -368,7 +373,7 @@ resource "aws_ssm_parameter" "cloudfront_alias" {

name = "/copilot/${var.application}/${var.environment}/secrets/STATIC_S3_ENDPOINT"
type = "SecureString"
value = var.environment == "prod" ? "${var.config.bucket_name}.${var.application}.prod.uktrade.digital" : "${var.config.bucket_name}.${var.environment}.${var.application}.uktrade.digital"
value = local.serve_static_domain
key_id = aws_kms_key.s3-ssm-kms-key[0].arn

tags = local.tags
63 changes: 44 additions & 19 deletions s3/tests/unit.tftest.hcl
@@ -1,7 +1,7 @@
variables {
vpc_name = "s3-test-vpc-name"
application = "s3-test-application"
environment = "non-prod-environmnent"
environment = "dev"
name = "s3-test-name"
config = {
"bucket_name" = "dbt-terraform-test-s3-module",
@@ -37,7 +37,7 @@ run "aws_s3_bucket_unit_test" {
# Expecting default value for aws_s3_bucket.this.force_destroy == false, which we cannon test on a plan

assert {
condition = aws_s3_bucket.this.tags["environment"] == "non-prod-environmnent"
condition = aws_s3_bucket.this.tags["environment"] == "dev"
error_message = "Invalid value for aws_s3_bucket tags parameter."
}

@@ -52,7 +52,7 @@ run "aws_s3_bucket_unit_test" {
}

assert {
condition = aws_s3_bucket.this.tags["copilot-environment"] == "non-prod-environmnent"
condition = aws_s3_bucket.this.tags["copilot-environment"] == "dev"
error_message = "Invalid value for aws_s3_bucket tags parameter."
}

@@ -115,7 +115,7 @@ run "aws_kms_key_unit_test" {
}

assert {
condition = aws_kms_key.kms-key[0].tags["environment"] == "non-prod-environmnent"
condition = aws_kms_key.kms-key[0].tags["environment"] == "dev"
error_message = "Invalid value for aws_kms_key tags parameter."
}
}
@@ -124,8 +124,8 @@ run "aws_kms_alias_unit_test" {
command = plan

assert {
condition = aws_kms_alias.s3-bucket[0].name == "alias/s3-test-application-non-prod-environmnent-dbt-terraform-test-s3-module-key"
error_message = "Should be: alias/s3-test-application-non-prod-environmnent-dbt-terraform-test-s3-module-key"
condition = aws_kms_alias.s3-bucket[0].name == "alias/s3-test-application-dev-dbt-terraform-test-s3-module-key"
error_message = "Should be: alias/s3-test-application-dev-dbt-terraform-test-s3-module-key"
}
}

@@ -334,12 +334,12 @@ run "aws_cloudfront_origin_access_control_unit_test" {
}

assert {
condition = aws_cloudfront_origin_access_control.oac[0].name == "test.non-prod-environmnent.s3-test-application-oac"
condition = aws_cloudfront_origin_access_control.oac[0].name == "test.dev.s3-test-application-oac"
error_message = "Invalid value for aws_cloudfront_origin_access_control name."
}

assert {
condition = aws_cloudfront_origin_access_control.oac[0].description == "Origin access control for Cloudfront distribution and test.non-prod-environmnent.s3-test-application.uktrade.digital static s3 bucket."
condition = aws_cloudfront_origin_access_control.oac[0].description == "Origin access control for Cloudfront distribution and test.dev.s3-test-application.uktrade.digital static s3 bucket."
error_message = "Invalid value for aws_cloudfront_origin_access_control name."
}

@@ -372,7 +372,7 @@ run "aws_acm_certificate_unit_test" {
}

assert {
condition = aws_acm_certificate.certificate[0].domain_name == "test.non-prod-environmnent.s3-test-application.uktrade.digital"
condition = aws_acm_certificate.certificate[0].domain_name == "test.dev.s3-test-application.uktrade.digital"
error_message = "Invalid value for aws_acm_certificate domain name."
}

@@ -387,7 +387,7 @@ run "aws_acm_certificate_unit_test" {
}

assert {
condition = aws_acm_certificate.certificate[0].tags["environment"] == "non-prod-environmnent"
condition = aws_acm_certificate.certificate[0].tags["environment"] == "dev"
error_message = "Invalid value for aws_acm_certificate tags parameter."
}

@@ -402,7 +402,7 @@ run "aws_acm_certificate_unit_test" {
}

assert {
condition = aws_acm_certificate.certificate[0].tags["copilot-environment"] == "non-prod-environmnent"
condition = aws_acm_certificate.certificate[0].tags["copilot-environment"] == "dev"
error_message = "Invalid value for aws_acm_certificate tags parameter."
}

@@ -500,7 +500,7 @@ run "aws_cloudfront_distribution_unit_test" {
}

assert {
condition = contains(aws_cloudfront_distribution.s3_distribution[0].aliases, "test.non-prod-environmnent.s3-test-application.uktrade.digital")
condition = contains(aws_cloudfront_distribution.s3_distribution[0].aliases, "test.dev.s3-test-application.uktrade.digital")
error_message = "CloudFront distribution should include the correct alias."
}

@@ -535,7 +535,7 @@ run "aws_cloudfront_distribution_unit_test" {
}

assert {
condition = aws_ssm_parameter.cloudfront_alias[0].tags["environment"] == "non-prod-environmnent"
condition = aws_ssm_parameter.cloudfront_alias[0].tags["environment"] == "dev"
error_message = "Invalid value for aws_s3_bucket tags parameter."
}

@@ -550,7 +550,7 @@ run "aws_cloudfront_distribution_unit_test" {
}

assert {
condition = aws_ssm_parameter.cloudfront_alias[0].tags["copilot-environment"] == "non-prod-environmnent"
condition = aws_ssm_parameter.cloudfront_alias[0].tags["copilot-environment"] == "dev"
error_message = "Invalid value for aws_s3_bucket tags parameter."
}

@@ -612,7 +612,7 @@ run "aws_cloudfront_distribution_unit_test" {
# }

# assert {
# condition = contains(aws_kms_key_policy.s3-ssm-kms-key-policy[0].policy, "/copilot/s3-test-application/non-prod-environmnent/secrets/STATIC_S3_ENDPOINT")
# condition = contains(aws_kms_key_policy.s3-ssm-kms-key-policy[0].policy, "/copilot/s3-test-application/dev/secrets/STATIC_S3_ENDPOINT")
# error_message = "KMS key policy should include the correct SSM parameter name for encryption context."
# }

@@ -636,7 +636,7 @@ run "aws_ssm_parameter_cloudfront_alias_unit_test" {
}

assert {
condition = aws_ssm_parameter.cloudfront_alias[0].name == "/copilot/s3-test-application/non-prod-environmnent/secrets/STATIC_S3_ENDPOINT"
condition = aws_ssm_parameter.cloudfront_alias[0].name == "/copilot/s3-test-application/dev/secrets/STATIC_S3_ENDPOINT"
error_message = "Invalid name for aws_ssm_parameter cloudfront alias."
}

@@ -646,12 +646,12 @@ run "aws_ssm_parameter_cloudfront_alias_unit_test" {
}

assert {
condition = aws_ssm_parameter.cloudfront_alias[0].value == "test.non-prod-environmnent.s3-test-application.uktrade.digital"
condition = aws_ssm_parameter.cloudfront_alias[0].value == "test.dev.s3-test-application.uktrade.digital"
error_message = "Invalid value for aws_ssm_parameter cloudfront alias."
}

assert {
condition = aws_ssm_parameter.cloudfront_alias[0].tags["environment"] == "non-prod-environmnent"
condition = aws_ssm_parameter.cloudfront_alias[0].tags["environment"] == "dev"
error_message = "Invalid value for aws_s3_bucket tags parameter."
}

@@ -666,7 +666,7 @@ run "aws_ssm_parameter_cloudfront_alias_unit_test" {
}

assert {
condition = aws_ssm_parameter.cloudfront_alias[0].tags["copilot-environment"] == "non-prod-environmnent"
condition = aws_ssm_parameter.cloudfront_alias[0].tags["copilot-environment"] == "dev"
error_message = "Invalid value for aws_s3_bucket tags parameter."
}

@@ -693,4 +693,29 @@ run "aws_ssm_parameter_cloudfront_alias_prod_domain_name_unit_test" {
condition = aws_ssm_parameter.cloudfront_alias[0].value == "test.s3-test-application.prod.uktrade.digital"
error_message = "Invalid value for aws_ssm_parameter cloudfront alias."
}

assert {
condition = aws_cloudfront_origin_access_control.oac[0].description == "Origin access control for Cloudfront distribution and test.s3-test-application.prod.uktrade.digital static s3 bucket."
error_message = "Invalid value for aws_cloudfront_origin_access_control name."
}

assert {
condition = aws_acm_certificate.certificate[0].domain_name == "test.s3-test-application.prod.uktrade.digital"
error_message = "Invalid value for aws_acm_certificate domain name."
}

assert {
condition = contains(aws_cloudfront_distribution.s3_distribution[0].aliases, "test.s3-test-application.prod.uktrade.digital")
error_message = "CloudFront distribution should include the correct alias."
}

assert {
condition = aws_ssm_parameter.cloudfront_alias[0].value == "test.s3-test-application.prod.uktrade.digital"
error_message = "Invalid value for aws_ssm_parameter cloudfront alias."
}

assert {
condition = aws_ssm_parameter.cloudfront_alias[0].value == "test.s3-test-application.prod.uktrade.digital"
error_message = "Invalid value for aws_ssm_parameter cloudfront alias."
}
}
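Review bot: The last two assert blocks of this hunk, and the context assert just above the new ones, all check `aws_ssm_parameter.cloudfront_alias[0].value` against the same string, while nothing in this prod run asserts the bucket name the commit title says it corrects. Replace one duplicate with `condition = aws_s3_bucket.this.bucket == "test.s3-test-application.prod.uktrade.digital"` and `error_message = "Invalid bucket name for prod static content bucket."`, and drop the other. The `error_message` on the new OAC description assert says `name`, copied from the earlier test; it should read `"Invalid value for aws_cloudfront_origin_access_control description."`. The `run` block this hunk extends starts outside the hunk, so the `environment = "prod"` override these asserts depend on is not visible here.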
