Support creation of CloudFront TLS certificates and Route53 records

README.md

@@ -24,6 +24,7 @@ Terraform module to host a static site generated by Publii
 
 | Name | Type |
 |------|------|
+| [aws_acm_certificate.cloudfront_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
 | [aws_cloudfront_distribution.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
 | [aws_cloudfront_distribution.frontend_www_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
 | [aws_cloudfront_function.frontend_viewer_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_function) | resource |
@@ -36,6 +37,9 @@ Terraform module to host a static site generated by Publii
 | [aws_kms_key.s3_bucket_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.s3_bucket_frontend_www_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_lambda_permission.cloudfront_invalidation_frontend_alllow_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_route53_record.cloudfront_frontend_tls_certificate_dns_validation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.frontend_www_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_s3_bucket.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.frontend_www_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
@@ -61,6 +65,7 @@ Terraform module to host a static site generated by Publii
 | [aws_s3_bucket_website_configuration.frontend_www_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
 | [aws_wafv2_web_acl.cloudfront_waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl) | resource |
 | [random_id.project](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_route53_zone.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 | [template_file.cloudfront_frontend_viewer_request_function](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.frontend_bucket_cloudfront_read](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.frontend_bucket_enforce_tls_statement](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
@@ -80,8 +85,9 @@ Terraform module to host a static site generated by Publii
 | <a name="input_cloudfront_enable_apex_to_www_redirect"></a> [cloudfront\_enable\_apex\_to\_www\_redirect](#input\_cloudfront\_enable\_apex\_to\_www\_redirect) | Enable CloudFront apex to www redirect | `bool` | `true` | no |
 | <a name="input_cloudfront_enable_ipv6"></a> [cloudfront\_enable\_ipv6](#input\_cloudfront\_enable\_ipv6) | Enable IPv6 on CloudFront | `bool` | `true` | no |
 | <a name="input_cloudfront_enable_waf"></a> [cloudfront\_enable\_waf](#input\_cloudfront\_enable\_waf) | Enable CloudFront WAF | `bool` | `true` | no |
-| <a name="input_cloudfront_tls_certificate_arn"></a> [cloudfront\_tls\_certificate\_arn](#input\_cloudfront\_tls\_certificate\_arn) | CloudFront TLS certificate ARN (must be created in us-east-1 region) | `string` | n/a | yes |
+| <a name="input_cloudfront_tls_certificate_arn"></a> [cloudfront\_tls\_certificate\_arn](#input\_cloudfront\_tls\_certificate\_arn) | CloudFront TLS certificate ARN (must be created in us-east-1 region) | `string` | `""` | no |
 | <a name="input_enable_publii_pretty_urls"></a> [enable\_publii\_pretty\_urls](#input\_enable\_publii\_pretty\_urls) | If you hae enabled 'Pretty URLs' in Publii, set this to true | `bool` | `false` | no |
+| <a name="input_route53_hosted_zone_options"></a> [route53\_hosted\_zone\_options](#input\_route53\_hosted\_zone\_options) | If you have a Route53 zone, the required DNS records can be created automatically. | <pre>object({<br>    id                                        = string<br>    create_certificate_dns_validation_records = bool<br>    create_site_url_dns_records               = bool<br>  })</pre> | <pre>{<br>  "create_certificate_dns_validation_records": false,<br>  "create_site_url_dns_records": false,<br>  "id": ""<br>}</pre> | no |
 | <a name="input_s3_bucket_acl"></a> [s3\_bucket\_acl](#input\_s3\_bucket\_acl) | S3 bucket ACL | `string` | `"private"` | no |
 | <a name="input_site_url"></a> [site\_url](#input\_site\_url) | The desired site URL | `string` | n/a | yes |
 

certificates.tf

@@ -0,0 +1,17 @@
+resource "aws_acm_certificate" "cloudfront_frontend" {
+  provider = aws.useast1
+
+  count = local.cloudfront_tls_certificate_arn == "" ? 1 : 0
+
+  domain_name = local.site_url
+  subject_alternative_names = local.cloudfront_enable_apex_to_www_redirect ? [
+    "www.${local.site_url}"
+  ] : []
+
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+

cloudfront-frontend.tf

@@ -68,7 +68,7 @@ resource "aws_cloudfront_distribution" "frontend" {
   }
 
   viewer_certificate {
-    acm_certificate_arn      = local.cloudfront_tls_certificate_arn
+    acm_certificate_arn      = local.cloudfront_tls_certificate_arn == "" ? aws_acm_certificate.cloudfront_frontend.0.arn : local.cloudfront_tls_certificate_arn
     minimum_protocol_version = "TLSv1.2_2021"
     ssl_support_method       = "sni-only"
   }
@@ -82,4 +82,8 @@ resource "aws_cloudfront_distribution" "frontend" {
     bucket          = aws_s3_bucket.logs.bucket_domain_name
     prefix          = "cloudfront/frontend/"
   }
+
+  depends_on = [
+    aws_route53_record.cloudfront_frontend_tls_certificate_dns_validation
+  ]
 }

data.tf

@@ -0,0 +1,5 @@
+data "aws_route53_zone" "default" {
+  count = local.route53_hosted_zone_options.id != "" ? 1 : 0
+
+  zone_id = local.route53_hosted_zone_options.id
+}

locals.tf

@@ -7,4 +7,5 @@ locals {
   cloudfront_enable_waf                  = var.cloudfront_enable_waf
   cloudfront_enable_apex_to_www_redirect = var.cloudfront_enable_apex_to_www_redirect
   enable_publii_pretty_urls              = var.enable_publii_pretty_urls
+  route53_hosted_zone_options            = var.route53_hosted_zone_options
 }

route53.tf

@@ -0,0 +1,44 @@
+resource "aws_route53_record" "cloudfront_frontend_tls_certificate_dns_validation" {
+  count = local.cloudfront_tls_certificate_arn == "" ? (
+    local.route53_hosted_zone_options.create_certificate_dns_validation_records ? 1 : 0
+  ) : 0
+
+  zone_id = data.aws_route53_zone.default.0.zone_id
+  name    = tolist(aws_acm_certificate.cloudfront_frontend.0.domain_validation_options)[0].resource_record_name
+  type    = tolist(aws_acm_certificate.cloudfront_frontend.0.domain_validation_options)[0].resource_record_type
+  ttl     = "86400"
+
+  records = [
+    tolist(aws_acm_certificate.cloudfront_frontend.0.domain_validation_options)[0].resource_record_value,
+  ]
+}
+
+resource "aws_route53_record" "frontend" {
+  count = local.route53_hosted_zone_options.create_site_url_dns_records ? 1 : 0
+
+  zone_id = data.aws_route53_zone.default.0.zone_id
+  name    = local.cloudfront_enable_apex_to_www_redirect ? "www.${local.site_url}" : local.site_url
+  type    = "A"
+
+  alias {
+    name                   = aws_cloudfront_distribution.frontend.domain_name
+    zone_id                = aws_cloudfront_distribution.frontend.hosted_zone_id
+    evaluate_target_health = true
+  }
+}
+
+resource "aws_route53_record" "frontend_www_redirect" {
+  count = local.route53_hosted_zone_options.create_site_url_dns_records ? (
+    local.cloudfront_enable_apex_to_www_redirect ? 1 : 0
+  ) : 0
+
+  zone_id = data.aws_route53_zone.default.0.zone_id
+  name    = local.site_url
+  type    = "A"
+
+  alias {
+    name                   = aws_cloudfront_distribution.frontend_www_redirect.0.domain_name
+    zone_id                = aws_cloudfront_distribution.frontend_www_redirect.0.hosted_zone_id
+    evaluate_target_health = true
+  }
+}

variables.tf

@@ -12,6 +12,7 @@ variable "s3_bucket_acl" {
 variable "cloudfront_tls_certificate_arn" {
   description = "CloudFront TLS certificate ARN (must be created in us-east-1 region)"
   type        = string
+  default     = ""
 }
 
 variable "cloudfront_enable_ipv6" {
@@ -37,3 +38,17 @@ variable "enable_publii_pretty_urls" {
   type        = bool
   default     = false
 }
+
+variable "route53_hosted_zone_options" {
+  description = "If you have a Route53 zone, the required DNS records can be created automatically."
+  type = object({
+    id                                        = string
+    create_certificate_dns_validation_records = bool
+    create_site_url_dns_records               = bool
+  })
+  default = {
+    id                                        = ""
+    create_certificate_dns_validation_records = false
+    create_site_url_dns_records               = false
+  }
+}