feat: add additional variables and outputs for spa-s3-cloudfront (#1080)

Author: korenyoni

modules/spa-s3-cloudfront/README.md

@@ -240,6 +240,7 @@ components:
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_ordered_cache"></a> [ordered\_cache](#input\_ordered\_cache) | An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.<br>List in order of precedence (first match wins). This is in addition to the default cache policy.<br>Set `target_origin_id` to `""` to specify the S3 bucket origin created by this module.<br>Set `cache_policy_id` to `""` to use `cache_policy_name` for creating a new policy. At least one of the two must be set.<br>Set `origin_request_policy_id` to `""` to use `origin_request_policy_name` for creating a new policy. At least one of the two must be set. | <pre>list(object({<br>    target_origin_id = string<br>    path_pattern     = string<br><br>    allowed_methods    = list(string)<br>    cached_methods     = list(string)<br>    compress           = bool<br>    trusted_signers    = list(string)<br>    trusted_key_groups = list(string)<br><br>    cache_policy_name          = optional(string)<br>    cache_policy_id            = optional(string)<br>    origin_request_policy_name = optional(string)<br>    origin_request_policy_id   = optional(string)<br><br>    viewer_protocol_policy     = string<br>    min_ttl                    = number<br>    default_ttl                = number<br>    max_ttl                    = number<br>    response_headers_policy_id = string<br><br>    forward_query_string              = bool<br>    forward_header_values             = list(string)<br>    forward_cookies                   = string<br>    forward_cookies_whitelisted_names = list(string)<br><br>    lambda_function_association = list(object({<br>      event_type   = string<br>      include_body = bool<br>      lambda_arn   = string<br>    }))<br><br>    function_association = list(object({<br>      event_type   = string<br>      function_arn = string<br>    }))<br>  }))</pre> | `[]` | no |
 | <a name="input_origin_allow_ssl_requests_only"></a> [origin\_allow\_ssl\_requests\_only](#input\_origin\_allow\_ssl\_requests\_only) | Set to `true` in order to have the origin bucket require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `true` | no |
+| <a name="input_origin_bucket"></a> [origin\_bucket](#input\_origin\_bucket) | Name of an existing S3 bucket to use as the origin. If this is not provided, this component will create a new s3 bucket using `var.name` and other context related inputs | `string` | `null` | no |
 | <a name="input_origin_deployment_actions"></a> [origin\_deployment\_actions](#input\_origin\_deployment\_actions) | List of actions to permit `origin_deployment_principal_arns` to perform on bucket and bucket prefixes (see `origin_deployment_principal_arns`) | `list(string)` | <pre>[<br>  "s3:PutObject",<br>  "s3:PutObjectAcl",<br>  "s3:GetObject",<br>  "s3:DeleteObject",<br>  "s3:ListBucket",<br>  "s3:ListBucketMultipartUploads",<br>  "s3:GetBucketLocation",<br>  "s3:AbortMultipartUpload"<br>]</pre> | no |
 | <a name="input_origin_deployment_principal_arns"></a> [origin\_deployment\_principal\_arns](#input\_origin\_deployment\_principal\_arns) | List of role ARNs to grant deployment permissions to the origin Bucket. | `list(string)` | `[]` | no |
 | <a name="input_origin_encryption_enabled"></a> [origin\_encryption\_enabled](#input\_origin\_encryption\_enabled) | When set to 'true' the origin Bucket will have aes256 encryption enabled by default. | `bool` | `true` | no |
@@ -255,6 +256,7 @@ components:
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | AWS Region. | `string` | n/a | yes |
 | <a name="input_s3_object_ownership"></a> [s3\_object\_ownership](#input\_s3\_object\_ownership) | Specifies the S3 object ownership control on the origin bucket. Valid values are `ObjectWriter`, `BucketOwnerPreferred`, and 'BucketOwnerEnforced'. | `string` | `"ObjectWriter"` | no |
+| <a name="input_s3_origins"></a> [s3\_origins](#input\_s3\_origins) | A list of S3 [origins](https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#origin-arguments) (in addition to the one created by this component) for this distribution.<br>S3 buckets configured as websites are `custom_origins`, not `s3_origins`.<br>Specifying `s3_origin_config.origin_access_identity` as `null` or `""` will have it translated to the `origin_access_identity` used by the origin created by this component. | <pre>list(object({<br>    domain_name = string<br>    origin_id   = string<br>    origin_path = string<br>    s3_origin_config = object({<br>      origin_access_identity = string<br>    })<br>  }))</pre> | `[]` | no |
 | <a name="input_s3_website_enabled"></a> [s3\_website\_enabled](#input\_s3\_website\_enabled) | Set to true to enable the created S3 bucket to serve as a website independently of CloudFront,<br>and to use that website as the origin.<br><br>Setting `preview_environment_enabled` will implicitly set this to `true`. | `bool` | `false` | no |
 | <a name="input_s3_website_password_enabled"></a> [s3\_website\_password\_enabled](#input\_s3\_website\_password\_enabled) | If set to true, and `s3_website_enabled` is also true, a password will be required in the `Referrer` field of the<br>HTTP request in order to access the website, and CloudFront will be configured to pass this password in its requests.<br>This will make it much harder for people to bypass CloudFront and access the S3 website directly via its website endpoint. | `bool` | `false` | no |
 | <a name="input_site_fqdn"></a> [site\_fqdn](#input\_site\_fqdn) | Fully qualified domain name of site to publish. Overrides site\_subdomain and parent\_zone\_name. | `string` | `""` | no |
@@ -269,6 +271,7 @@ components:
 |------|-------------|
 | <a name="output_cloudfront_distribution_alias"></a> [cloudfront\_distribution\_alias](#output\_cloudfront\_distribution\_alias) | Cloudfront Distribution Alias Record. |
 | <a name="output_cloudfront_distribution_domain_name"></a> [cloudfront\_distribution\_domain\_name](#output\_cloudfront\_distribution\_domain\_name) | Cloudfront Distribution Domain Name. |
+| <a name="output_cloudfront_distribution_identity_arn"></a> [cloudfront\_distribution\_identity\_arn](#output\_cloudfront\_distribution\_identity\_arn) | CloudFront Distribution Origin Access Identity IAM ARN. |
 | <a name="output_failover_s3_bucket_name"></a> [failover\_s3\_bucket\_name](#output\_failover\_s3\_bucket\_name) | Failover Origin bucket name, if enabled. |
 | <a name="output_github_actions_iam_role_arn"></a> [github\_actions\_iam\_role\_arn](#output\_github\_actions\_iam\_role\_arn) | ARN of IAM role for GitHub Actions |
 | <a name="output_github_actions_iam_role_name"></a> [github\_actions\_iam\_role\_name](#output\_github\_actions\_iam\_role\_name) | Name of IAM role for GitHub Actions |

modules/spa-s3-cloudfront/main.tf

@@ -32,7 +32,16 @@ locals {
   s3_website_enabled                  = var.s3_website_enabled || local.preview_environment_enabled
   s3_website_password_enabled         = var.s3_website_password_enabled || local.preview_environment_enabled
   s3_object_ownership                 = local.preview_environment_enabled ? "BucketOwnerEnforced" : var.s3_object_ownership
-  block_origin_public_access_enabled  = var.block_origin_public_access_enabled && !local.preview_environment_enabled
+  s3_failover_origin = local.failover_enabled ? [{
+    domain_name = data.aws_s3_bucket.failover_bucket[0].bucket_domain_name
+    origin_id   = data.aws_s3_bucket.failover_bucket[0].bucket
+    origin_path = null
+    s3_origin_config = {
+      origin_access_identity = null # will get translated to the origin_access_identity used by the origin created by this module.
+    }
+  }] : []
+  s3_origins                         = local.enabled ? concat(local.s3_failover_origin, var.s3_origins) : []
+  block_origin_public_access_enabled = var.block_origin_public_access_enabled && !local.preview_environment_enabled
 
   # SSL Requirements by s3 bucket configuration
   # | s3 website enabled | preview enabled | SSL Enabled |
@@ -120,22 +129,15 @@ module "spa_web" {
   lambda_function_association = local.cloudfront_lambda_function_association
 
   custom_origins = var.custom_origins
-
-  s3_origins = local.failover_enabled ? [{
-    domain_name = data.aws_s3_bucket.failover_bucket[0].bucket_domain_name
-    origin_id   = data.aws_s3_bucket.failover_bucket[0].bucket
-    origin_path = null
-    s3_origin_config = {
-      origin_access_identity = null # will get translated to the origin_access_identity used by the origin created by this module.
-    }
-  }] : []
+  origin_bucket  = var.origin_bucket
   origin_groups = local.failover_enabled ? [{
     primary_origin_id  = null # will get translated to the origin id of the origin created by this module.
     failover_origin_id = data.aws_s3_bucket.failover_bucket[0].bucket
     failover_criteria  = var.failover_criteria_status_codes
   }] : []
 
   s3_object_ownership = local.s3_object_ownership
+  s3_origins          = local.s3_origins
 
   context = module.this.context
 }

modules/spa-s3-cloudfront/outputs.tf

@@ -18,6 +18,11 @@ output "cloudfront_distribution_alias" {
   description = "Cloudfront Distribution Alias Record."
 }
 
+output "cloudfront_distribution_identity_arn" {
+  value       = module.spa_web.cf_identity_iam_arn
+  description = "CloudFront Distribution Origin Access Identity IAM ARN."
+}
+
 output "failover_s3_bucket_name" {
   value       = try(data.aws_s3_bucket.failover_bucket[0].bucket, null)
   description = "Failover Origin bucket name, if enabled."

modules/spa-s3-cloudfront/variables.tf

@@ -66,6 +66,29 @@ variable "s3_object_ownership" {
   description = "Specifies the S3 object ownership control on the origin bucket. Valid values are `ObjectWriter`, `BucketOwnerPreferred`, and 'BucketOwnerEnforced'."
 }
 
+variable "s3_origins" {
+  type = list(object({
+    domain_name = string
+    origin_id   = string
+    origin_path = string
+    s3_origin_config = object({
+      origin_access_identity = string
+    })
+  }))
+  default     = []
+  description = <<-EOT
+    A list of S3 [origins](https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#origin-arguments) (in addition to the one created by this component) for this distribution.
+    S3 buckets configured as websites are `custom_origins`, not `s3_origins`.
+    Specifying `s3_origin_config.origin_access_identity` as `null` or `""` will have it translated to the `origin_access_identity` used by the origin created by this component.
+    EOT
+}
+
+variable "origin_bucket" {
+  type        = string
+  default     = null
+  description = "Name of an existing S3 bucket to use as the origin. If this is not provided, this component will create a new s3 bucket using `var.name` and other context related inputs"
+}
+
 variable "origin_s3_access_logging_enabled" {
   type        = bool
   default     = null