fix(static-site): fix missing instance keys

- Fix instance key issues
- Ensure the certificate is created before being destroyed
- Perform certificate validation only if the domains match those in Route 53
- Standardise and clean up naming conventions for consistency

Author: Script47

static-site/acm.tf

@@ -4,10 +4,17 @@ resource "aws_acm_certificate" "cloudfront_cert" {
   validation_method         = "DNS"
   tags                      = var.tags
   provider                  = aws.acm
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 resource "aws_acm_certificate_validation" "cloudfront_cert_validation" {
-  certificate_arn         = aws_acm_certificate.cloudfront_cert.arn
-  validation_record_fqdns = [for record in aws_route53_record.acm_records : record.fqdn]
-  provider                = aws.acm
-}
+  certificate_arn = aws_acm_certificate.cloudfront_cert.arn
+  validation_record_fqdns = [
+    for record in aws_route53_record.acm_records : record.fqdn
+    if contains(local.internal_domains, record.fqdn)
+  ]
+  provider = aws.acm
+}

static-site/cloudfront.tf

@@ -1,5 +1,9 @@
 locals {
-  origin_id = "S3-${aws_s3_bucket.static_site.bucket}"
+  origin_id                   = "S3-${local.bucket_name}"
+  origin_path                 = var.origin_path == "" ? "" : var.origin_path
+  bucket_regional_domain_name = var.create_bucket ? aws_s3_bucket.static_site[0].bucket_regional_domain_name : data.aws_s3_bucket.user_created[0].bucket_regional_domain_name
+  oac_name                    = replace("${local.bucket_name}-${replace(local.origin_path, "/", "-")}", "/[^a-zA-Z0-9-]/", "")
+  rhp_name                    = local.primary_domain_normalised
 }
 
 resource "aws_cloudfront_distribution" "static_site" {
@@ -26,8 +30,8 @@ resource "aws_cloudfront_distribution" "static_site" {
   origin {
     origin_id                = local.origin_id
     origin_access_control_id = aws_cloudfront_origin_access_control.oac.id
-    domain_name              = aws_s3_bucket.static_site.bucket_regional_domain_name
-    origin_path              = var.origin_path != "" ? "/${var.origin_path}" : ""
+    domain_name              = local.bucket_regional_domain_name
+    origin_path              = local.origin_path
   }
 
   default_cache_behavior {
@@ -68,16 +72,16 @@ resource "aws_cloudfront_distribution" "static_site" {
 }
 
 resource "aws_cloudfront_origin_access_control" "oac" {
-  name                              = "oac-for-${aws_s3_bucket.static_site.bucket}"
-  description                       = "OAC for ${aws_s3_bucket.static_site.bucket}"
+  name                              = local.oac_name
+  description                       = "OAC for ${local.bucket_name}"
   origin_access_control_origin_type = "s3"
   signing_behavior                  = "always"
   signing_protocol                  = "sigv4"
   provider                          = aws.default
 }
 
 resource "aws_cloudfront_response_headers_policy" "cloudfront" {
-  name    = "cf-resp-hdrs-${local.primary_domain_normalised}"
+  name    = local.rhp_name
   comment = "Response headers policy for ${local.primary_domain}"
 
   cors_config {

static-site/data.tf

@@ -1,3 +1,7 @@
+locals {
+  custom_prefix = startswith(local.origin_path, "/") ? substr(local.origin_path, 1, length(local.origin_path)) : local.origin_path
+  bucket_prefix = local.origin_path == "" ? "*" : "${local.custom_prefix}/*"
+}
 data "aws_caller_identity" "current" {}
 
 data "aws_route53_zone" "hosted_zone" {
@@ -6,11 +10,16 @@ data "aws_route53_zone" "hosted_zone" {
   private_zone = false
 }
 
+data "aws_s3_bucket" "user_created" {
+  count  = !var.create_bucket ? 1 : 0
+  bucket = var.bucket_name
+}
+
 data "aws_iam_policy_document" "cloudfront_to_s3" {
   statement {
     sid       = "AllowCloudFrontToAccessBucket"
     actions   = ["s3:GetObject"]
-    resources = ["${aws_s3_bucket.static_site.arn}/*"]
+    resources = ["${local.bucket_arn}/${local.bucket_prefix}"]
 
     principals {
       type        = "Service"
@@ -29,4 +38,4 @@ data "aws_iam_policy_document" "cloudfront_to_s3" {
       values   = [data.aws_caller_identity.current.account_id]
     }
   }
-}
+}

static-site/locals.tf

@@ -1,10 +1,14 @@
 locals {
+  create_hosted_zone = var.hosted_zone == ""
+  hosted_zone_domain = local.create_hosted_zone ? local.primary_domain : data.aws_route53_zone.hosted_zone[0].name
   domains        = distinct(var.domains)
   primary_domain = local.domains[0]
-
-  primary_domain_normalised = replace(local.primary_domain, ".", "-")
-
-  create_hosted_zone = var.hosted_zone == ""
+  primary_domain_normalised = replace(replace(local.primary_domain, ".", "-"), "/[^a-zA-Z0-9-]/", "")
+  internal_domains = [
+    for d in local.domains : d
+    if endswith(d, local.hosted_zone_domain)
+  ]
 
   bucket_name = var.bucket_name == "" ? local.primary_domain : var.bucket_name
+  bucket_arn  = var.create_bucket ? aws_s3_bucket.static_site[0].arn : data.aws_s3_bucket.user_created[0].arn
 }

static-site/outputs.tf

@@ -1,7 +1,7 @@
 output "bucket" {
   value = {
-    arn = aws_s3_bucket.static_site.arn
-    id  = aws_s3_bucket.static_site.id
+    arn = var.create_bucket ? aws_s3_bucket.static_site[0].arn : data.aws_s3_bucket.user_created[0].arn
+    id  = local.bucket_name
   }
 }
 
@@ -13,3 +13,15 @@ output "cloudfront" {
     aliases     = aws_cloudfront_distribution.static_site.aliases
   }
 }
+
+output "external_validation_records" {
+  value = {
+    for dvo in aws_acm_certificate.cloudfront_cert.domain_validation_options :
+    dvo.domain_name => {
+      name   = dvo.resource_record_name
+      value  = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+    if !contains(local.internal_domains, dvo.domain_name)
+  }
+}

static-site/route53.tf

@@ -9,20 +9,21 @@ resource "aws_route53_zone" "hosted_zone" {
 #############################################
 resource "aws_route53_record" "acm_records" {
   for_each = {
-    for dvo in aws_acm_certificate.cloudfront_cert.domain_validation_options : dvo.domain_name => {
+    for dvo in aws_acm_certificate.cloudfront_cert.domain_validation_options :
+    dvo.domain_name => {
       name   = dvo.resource_record_name
       record = dvo.resource_record_value
       type   = dvo.resource_record_type
     }
   }
 
-  zone_id         = local.create_hosted_zone ? aws_route53_zone.hosted_zone[0].zone_id : data.aws_route53_zone.hosted_zone[0].zone_id
-  type            = each.value.type
-  name            = each.value.name
-  records         = [each.value.record]
-  ttl             = 60
+  zone_id = try(aws_route53_zone.hosted_zone[0].zone_id, data.aws_route53_zone.hosted_zone[0].zone_id)
+  type    = each.value.type
+  name    = each.value.name
+  records = [each.value.record]
+  ttl     = 60
+
   allow_overwrite = true
-  provider        = aws.default
 }
 
 #############################################
@@ -31,7 +32,7 @@ resource "aws_route53_record" "acm_records" {
 resource "aws_route53_record" "static_site_a_record" {
   count = length(local.domains)
 
-  zone_id = local.create_hosted_zone ? aws_route53_zone.hosted_zone[0].zone_id : data.aws_route53_zone.hosted_zone[0].zone_id
+  zone_id = try(aws_route53_zone.hosted_zone[0].zone_id, data.aws_route53_zone.hosted_zone[0].zone_id)
   type    = "A"
   name    = local.domains[count.index]
 
@@ -41,5 +42,7 @@ resource "aws_route53_record" "static_site_a_record" {
     evaluate_target_health = false
   }
 
+  allow_overwrite = true
+
   provider = aws.default
 }