# -----------------------------------
# Terraform Configuration
# -----------------------------------
terraform {
  # Remote state lives in S3; the DynamoDB table provides the lock so two
  # concurrent applies cannot write the same state object.
  backend "s3" {
    bucket         = "pillarbox-monitoring-tfstate"
    key            = "terraform/10-pillarbox-monitoring-route-53/terraform.tfstate"
    dynamodb_table = "pillarbox-monitoring-terraform-statelock"

    # Server-side encryption of the state object. No kms_key_id is given, so
    # this is S3-managed encryption (SSE-S3) rather than a customer KMS key.
    encrypt = true

    # Local AWS CLI/SDK profile used for backend access only. Backend and
    # provider authentication are configured separately in Terraform; the
    # provider block below does not inherit this profile.
    profile = "prod"
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~>5.4.0" # any 5.4.x patch release
    }
  }
}
# -----------------------------------
# AWS Provider Setup
# -----------------------------------
provider "aws" {
  # No region or credentials are set here, so both come from the environment
  # (AWS_REGION / AWS_PROFILE / shared config files). The backend's
  # profile = "prod" above does NOT apply to this provider.
  default_tags {
    # local.default_tags is declared elsewhere in this module.
    tags = local.default_tags
  }
}
# -----------------------------------
# AWS Route 53 Configuration
# -----------------------------------
## Create Route 53 Hosted Zone
resource "aws_route53_zone" "main_zone" {
  # Hosted zone for the caller-supplied domain. No vpc block is given, so this
  # is a public zone. DNSSEC signing is not configured in this file.
  name = var.domain_name

  tags = {
    Name = format("%s-main-zone", var.domain_name)
  }
}
# -----------------------------------
# IAM Configuration for Route 53 Access
# -----------------------------------
## Define IAM Policy Document for Route 53 Access
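data "aws_iam_policy_document" "route53_access_policy" {
  # Actions that Route 53 only evaluates against "*": enumerating the zones in
  # the account and polling a change batch (change IDs are not predictable, so
  # they cannot be pinned to a specific ARN ahead of time).
  statement {
    sid    = "AllowRoute53AccountRead"
    effect = "Allow"
    actions = [
      "route53:ListHostedZones",
      "route53:GetChange",
    ]
    resources = ["*"]
  }

  # Zone-scoped actions, including record mutation, are restricted to the zone
  # this module creates. Previously these were granted on "*", which let any
  # assumer of the role rewrite records in every hosted zone in the account.
  statement {
    sid    = "AllowRoute53Management"
    effect = "Allow"
    actions = [
      "route53:GetHostedZone",
      "route53:ListTagsForResource",
      "route53:ListResourceRecordSets",
      "route53:ChangeResourceRecordSets",
    ]
    resources = [aws_route53_zone.main_zone.arn]
  }
}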
## Define IAM Policy Document for Assume Role
data "aws_iam_policy_document" "route53_assume_role_policy" {
  # Trust policy: every entry in var.allowed_account_ids may call
  # sts:AssumeRole on the role below. Bare account IDs (or account root ARNs)
  # delegate to the whole trusted account - any principal there that is
  # allowed sts:AssumeRole can use this role. No ExternalId or other
  # condition is applied; narrow the identifiers to specific role ARNs if
  # account-wide trust is not intended.
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = var.allowed_account_ids
    }
  }
}
## Create IAM Role for Route 53 Access
resource "aws_iam_role" "route53_access_role" {
  # Role assumed by the accounts listed in the trust policy above; the
  # permissions it carries are the inline Route 53 policy below.
  name               = "route53-access-role"
  assume_role_policy = data.aws_iam_policy_document.route53_assume_role_policy.json

  tags = {
    Name = "Route53AccessRole"
  }

  # Declaring inline_policy here makes Terraform the exclusive manager of the
  # role's inline policies; anything added out of band will be removed on the
  # next apply.
  inline_policy {
    name   = "Route53AccessPolicy"
    policy = data.aws_iam_policy_document.route53_access_policy.json
  }
}
# -----------------------------------
# Route 53 GitHub Pages Configuration
# -----------------------------------
# Define a new Route 53 CNAME Record for GitHub Pages
resource "aws_route53_record" "github_pages_cname" {
  # One CNAME per entry in var.github_sub_domains. Only each.key is used, so
  # the variable is expected to be a set (or map) of subdomain labels.
  for_each = var.github_sub_domains

  zone_id = aws_route53_zone.main_zone.zone_id
  name    = join(".", [each.key, var.domain_name])
  type    = "CNAME"
  ttl     = 300

  # Every subdomain points at the organisation's GitHub Pages host. A CNAME
  # that outlives its Pages site is a classic subdomain-takeover target; keep
  # the custom domain verified on the GitHub side and remove entries here when
  # the corresponding site is deleted.
  records = ["srgssr.github.io"]
}