douglasnaphas / terraform-aws-s3-cf-site

A static website hosted in S3 served via CloudFront
Apache License 2.0

Take in resources as variables instead of strings about the resources #2

Open douglasnaphas opened 4 years ago

douglasnaphas commented 4 years ago

This is so I can get dependencies working like in the docs on Conditional Creation of Objects.

This is to eliminate errors like:

Error: No certificate for domain "anagrampoems.com" found in this region

  on .terraform/modules/s3-cf-site/terraform-aws-s3-cf-site-0.1.0/cloudfront.tf line 1, in data "aws_acm_certificate" "tls_cert":
   1: data "aws_acm_certificate" "tls_cert" {

TODO

douglasnaphas commented 4 years ago

Finally got a good plan output:

~/repos/anagrampoems/infra/prod $ AWS_PROFILE=douglas tf12 plan
Running plan in the remote backend. Output will stream here. Pressing Ctrl-C
will stop streaming the logs, but will not stop the plan running remotely.

Preparing the remote plan...

The remote workspace is configured to work with configuration at
infra/prod relative to the target repository.

Terraform will upload the contents of the following directory,
excluding files or directories as defined by a .terraformignore file
at /Users/dougnaphas/repos/anagrampoems/.terraformignore (if it is present),
in order to capture the filesystem context the remote workspace expects:
    /Users/dougnaphas/repos/anagrampoems

To view this run in a browser, visit:
https://app.terraform.io/app/anagrampoems/anagrampoems-prod/runs/run-NXawfuWpwDoBCCNH

Waiting for the plan to start...

Terraform v0.12.25
Configuring remote state backend...
Initializing Terraform configuration...
2020/05/18 00:39:37 [DEBUG] Using modified User-Agent: Terraform/0.12.25 TFC/4cc9979d34
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.aws_route53_zone.this[0]: Refreshing state...
module.s3-cf-site.data.aws_route53_zone.zone: Refreshing state...

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.acm.aws_acm_certificate.this[0] will be created
  + resource "aws_acm_certificate" "this" {
      + arn                       = (known after apply)
      + domain_name               = "anagrampoems.com"
      + domain_validation_options = (known after apply)
      + id                        = (known after apply)
      + subject_alternative_names = [
          + "*.anagrampoems.com",
        ]
      + tags                      = {
          + "Name" = "anagrampoems.com"
        }
      + validation_emails         = (known after apply)
      + validation_method         = "DNS"
    }

  # module.acm.aws_acm_certificate_validation.this[0] will be created
  + resource "aws_acm_certificate_validation" "this" {
      + certificate_arn         = (known after apply)
      + id                      = (known after apply)
      + validation_record_fqdns = (known after apply)
    }

  # module.acm.aws_route53_record.validation[0] will be created
  + resource "aws_route53_record" "validation" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = (known after apply)
      + records         = (known after apply)
      + ttl             = 60
      + type            = (known after apply)
      + zone_id         = "Z01833392QU154S7GFL7Y"
    }

  # module.acm.aws_route53_record.validation[1] will be created
  + resource "aws_route53_record" "validation" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = (known after apply)
      + records         = (known after apply)
      + ttl             = 60
      + type            = (known after apply)
      + zone_id         = "Z01833392QU154S7GFL7Y"
    }

  # module.s3-cf-site.aws_cloudfront_distribution.cf_distro will be created
  + resource "aws_cloudfront_distribution" "cf_distro" {
      + active_trusted_signers         = (known after apply)
      + aliases                        = [
          + "anagrampoems.com",
        ]
      + arn                            = (known after apply)
      + caller_reference               = (known after apply)
      + comment                        = "anagrampoems.com, using OAI"
      + domain_name                    = (known after apply)
      + enabled                        = true
      + etag                           = (known after apply)
      + hosted_zone_id                 = (known after apply)
      + http_version                   = "http2"
      + id                             = (known after apply)
      + in_progress_validation_batches = (known after apply)
      + is_ipv6_enabled                = true
      + last_modified_time             = (known after apply)
      + price_class                    = "PriceClass_All"
      + retain_on_delete               = false
      + status                         = (known after apply)
      + wait_for_deployment            = true

      + default_cache_behavior {
          + allowed_methods        = [
              + "GET",
              + "HEAD",
            ]
          + cached_methods         = [
              + "GET",
              + "HEAD",
            ]
          + compress               = false
          + default_ttl            = 300
          + max_ttl                = 86400
          + min_ttl                = 0
          + smooth_streaming       = false
          + target_origin_id       = "S3-anagrampoems-origin.com"
          + viewer_protocol_policy = "redirect-to-https"

          + forwarded_values {
              + query_string = true

              + cookies {
                  + forward = "none"
                }
            }
        }

      + origin {
          + domain_name = "anagrampoems-origin.com.s3.amazonaws.com"
          + origin_id   = "S3-anagrampoems-origin.com"

          + s3_origin_config {
              + origin_access_identity = (known after apply)
            }
        }

      + restrictions {
          + geo_restriction {
              + restriction_type = "none"
            }
        }

      + viewer_certificate {
          + acm_certificate_arn            = (known after apply)
          + cloudfront_default_certificate = false
          + minimum_protocol_version       = "TLSv1.1_2016"
          + ssl_support_method             = "sni-only"
        }
    }

  # module.s3-cf-site.aws_cloudfront_origin_access_identity.cf_oai will be created
  + resource "aws_cloudfront_origin_access_identity" "cf_oai" {
      + caller_reference                = (known after apply)
      + cloudfront_access_identity_path = (known after apply)
      + comment                         = "anagrampoems.com cloudfront origin access identity, static content"
      + etag                            = (known after apply)
      + iam_arn                         = (known after apply)
      + id                              = (known after apply)
      + s3_canonical_user_id            = (known after apply)
    }

  # module.s3-cf-site.aws_route53_record.cf_alias will be created
  + resource "aws_route53_record" "cf_alias" {
      + allow_overwrite = (known after apply)
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "anagrampoems.com"
      + type            = "A"
      + zone_id         = "Z01833392QU154S7GFL7Y"

      + alias {
          + evaluate_target_health = false
          + name                   = (known after apply)
          + zone_id                = (known after apply)
        }
    }

  # module.s3-cf-site.aws_s3_bucket.bucket will be created
  + resource "aws_s3_bucket" "bucket" {
      + acceleration_status         = (known after apply)
      + acl                         = "private"
      + arn                         = (known after apply)
      + bucket                      = "anagrampoems-origin.com"
      + bucket_domain_name          = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)

      + versioning {
          + enabled    = true
          + mfa_delete = false
        }
    }

  # module.s3-cf-site.aws_s3_bucket_policy.bucket_policy will be created
  + resource "aws_s3_bucket_policy" "bucket_policy" {
      + bucket = "anagrampoems-origin.com"
      + id     = (known after apply)
      + policy = (known after apply)
    }

Plan: 9 to add, 0 to change, 0 to destroy.

This correlates to my commits just now on feature branches here, in anagrampoems, and in terraform-aws-acm.

douglasnaphas commented 4 years ago

The way I currently have it set up, with

# Looks up an already-issued certificate by domain name; it creates nothing
# and fails if no certificate for that domain exists in the provider's region.
data "aws_acm_certificate" "tls_cert" {
  domain = var.cert_domain
}

in cloudfront.tf, if there is a cert there already, it will use it, and that cert will not be managed as part of the Terraform stack. This is not what I want.

I want the cert to be created, always, and for the CloudFront distro to wait until the cert is created, and use it as the viewer certificate.
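
One way to wire the certificate in as a module input, as an added example rather than code from this repository or from terraform-aws-acm: the ACM resources are shown inline instead of through the acm module, the module source path is a placeholder, and the `tls_certificate_arn` input is an assumption. Inside the module it replaces the `data "aws_acm_certificate"` lookup with `variable "tls_certificate_arn"`, which the distribution then uses as `viewer_certificate.acm_certificate_arn`.

```hcl
# Root configuration (e.g. infra/prod/main.tf). Added example; the s3-cf-site
# module is assumed to expose a "tls_certificate_arn" input.
data "aws_route53_zone" "zone" {
  name = "anagrampoems.com."
}

# Always create the certificate instead of looking one up by domain, so it is
# managed by this stack and "No certificate for domain ... found" cannot occur.
# The provider must be configured for us-east-1: CloudFront accepts only ACM
# certificates issued in that region.
resource "aws_acm_certificate" "site" {
  domain_name               = "anagrampoems.com"
  subject_alternative_names = ["*.anagrampoems.com"]
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# One DNS validation record per domain_validation_options entry.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.site.domain_validation_options :
    dvo.domain_name => dvo
  }

  zone_id         = data.aws_route53_zone.zone.zone_id
  name            = each.value.resource_record_name
  type            = each.value.resource_record_type
  records         = [each.value.resource_record_value]
  ttl             = 60
  allow_overwrite = true # apex and wildcard share one validation CNAME
}

# Completes only once ACM reports the certificate ISSUED.
resource "aws_acm_certificate_validation" "site" {
  certificate_arn         = aws_acm_certificate.site.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}

module "s3-cf-site" {
  source      = "./modules/s3-cf-site" # placeholder path
  cert_domain = "anagrampoems.com"
  # Pass the ARN from the validation resource, not the certificate: that makes
  # the distribution depend on validation, so CloudFront waits for an ISSUED
  # certificate rather than failing on one still PENDING_VALIDATION.
  tls_certificate_arn = aws_acm_certificate_validation.site.certificate_arn
}
```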

douglasnaphas commented 4 years ago

I can't really test this further now because I'm getting

Error requesting certificate: LimitExceededException: Cannot request more certificates in this account. Contact Customer Service for details.

whenever I run anything that would create certs.

douglasnaphas commented 4 years ago

This also applies to the ci_user_arn. I should take in a user or a role.

douglasnaphas commented 4 years ago

I'm trying to put a CF-S3 site at tf13.douglasnaphas.com to test this out and make sure the modules are working smoothly together. There's an additional complication related to the fact that I'm trying to put a site at a subdomain of a domain I own.

Ways to address this in my test setup could be:

  1. Create a record (type NS) in the douglasnaphas.com hosted zone delegating authority over tf13.douglasnaphas.com to the tf13.douglasnaphas.com hosted zone; flip the use existing hosted zone flag to true for the acm module instance; include the tf13.douglasnaphas.com hosted zone in the Terraform configuration (might need/want to destroy the one that already exists first); have the acm module instance depend on the tf13.douglasnaphas.com hosted zone and the aforementioned NS record in the douglasnaphas.com hosted zone.
  2. Use a cert for douglasnaphas.com in the CloudFront distribution.
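
Option 1 written out in Terraform, as an added example and not the project's code: the parent zone is assumed to already exist in Route 53, the acm module's source path and its `zone_id` and `use_existing_hosted_zone` inputs are assumptions, and `depends_on` on a module block needs Terraform 0.13 or later.

```hcl
# Parent zone, assumed to exist already (douglasnaphas.com).
data "aws_route53_zone" "parent" {
  name = "douglasnaphas.com."
}

# Child zone for the subdomain, managed in this configuration. If a zone for
# tf13.douglasnaphas.com already exists outside Terraform, destroy or import
# it first; two zones for the same name would have different name servers.
resource "aws_route53_zone" "tf13" {
  name = "tf13.douglasnaphas.com"
}

# Delegation: an NS record in the parent pointing at the child zone's own
# name servers, so resolvers (and ACM's validation lookup) reach the child zone.
resource "aws_route53_record" "tf13_delegation" {
  zone_id = data.aws_route53_zone.parent.zone_id
  name    = "tf13.douglasnaphas.com"
  type    = "NS"
  ttl     = 300
  records = aws_route53_zone.tf13.name_servers
}

# DNS validation records land in the child zone, so the acm module must not
# run before the delegation exists (module depends_on requires Terraform 0.13+).
module "acm" {
  source                   = "./modules/acm" # placeholder path; inputs assumed
  domain_name              = "tf13.douglasnaphas.com"
  zone_id                  = aws_route53_zone.tf13.zone_id
  use_existing_hosted_zone = true

  depends_on = [aws_route53_record.tf13_delegation]
}
```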

douglasnaphas commented 4 years ago

I had to do this for this problem.