From 837c949c418d318459cd78bbe4d8d68c6cc8de95 Mon Sep 17 00:00:00 2001
From: Mohamed El Mouctar HAIDARA
Date: Sun, 18 Feb 2024 18:01:44 +0100
Subject: [PATCH] feat: Add support for custom domain on OVH remove comment
---
 frontend.tf | 7 +++++--
 main.tf | 13 +++++++++++++
 r53-acm.tf | 39 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 r53-acm.tf
diff --git a/frontend.tf b/frontend.tf
index ec470fe..2d00494 100644
--- a/frontend.tf
+++ b/frontend.tf
@@ -109,6 +109,7 @@ resource "aws_cloudfront_distribution" "website" {
   comment = "cloudfront distribution for devops challenge"
   price_class = var.cloudfront_price_class
   default_root_object = "index.html"
+  aliases = [local.frontend_fqdn]
   # As it's an SPA, we let the SPA handle access to files not found in the bucket
   custom_error_response {
@@ -142,8 +143,10 @@ resource "aws_cloudfront_distribution" "website" {
   }
   viewer_certificate {
-    # Because we don't use a custom domain with certificate
-    cloudfront_default_certificate = true
+    cloudfront_default_certificate = false
+    acm_certificate_arn = aws_acm_certificate.cf_certificate.arn
+    minimum_protocol_version = "TLSv1.2_2021"
+    ssl_support_method = "sni-only"
   }
   logging_config {
diff --git a/main.tf b/main.tf
index b750e89..534d73e 100644
--- a/main.tf
+++ b/main.tf
@@ -6,6 +6,12 @@ terraform {
     source = "hashicorp/aws"
     version = "~> 5"
   }
+
+  ovh = {
+    source = "ovh/ovh"
+    version = "~> 0.37"
+  }
+
   archive = {
     source = "hashicorp/archive"
     version = "~> 2"
@@ -21,4 +27,11 @@ provider "aws" {
   }
 }
+provider "aws" {
+  alias = "cloudfront-us-east-1"
+  region = "us-east-1"
+}
+provider "ovh" {
+  endpoint = "ovh-eu"
+}
diff --git a/r53-acm.tf b/r53-acm.tf
new file mode 100644
index 0000000..96f08a3
--- /dev/null
+++ b/r53-acm.tf
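Review bot: `acm_certificate_arn = aws_acm_certificate.cf_certificate.arn` in the new viewer_certificate block hands CloudFront the certificate before anything guarantees it has been issued; on a fresh apply Terraform can create the distribution while the ACM certificate is still PENDING_VALIDATION, and CloudFront rejects certificates that are not yet issued. Reference the validation resource instead so the DNS validation is ordered before the distribution: `acm_certificate_arn = aws_acm_certificate_validation.validation.certificate_arn`. The `TLSv1.2_2021` policy and `sni-only` are the right choices and need no change. The enclosing aws_cloudfront_distribution resource starts and ends outside the hunk.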
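Review bot: The new `provider "ovh"` block sets only `endpoint`, so the application key, secret and consumer key presumably come from the provider's OVH_* environment variables or an ovh.conf file — nothing in the hunk says so, and the aliased `aws` provider is equally silent about why a second, us-east-1 provider exists. A one-line comment on each would save the next reader a lookup: `# CloudFront only accepts ACM certificates issued in us-east-1` above the alias, and above the ovh provider `# Credentials come from OVH_APPLICATION_KEY/OVH_APPLICATION_SECRET/OVH_CONSUMER_KEY; scope the consumer key to the record endpoints of the managed zone, not the whole account`. The primary `provider "aws"` block whose closing braces appear as context here starts outside the hunk.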
@@ -0,0 +1,39 @@
+locals {
+  ovh_domain_name = "haidara.io"
+  frontend_sub_domain = "demo-cloud-facile-${var.env}"
+  frontend_fqdn = "${local.frontend_sub_domain}.${local.ovh_domain_name}"
+}
+
+
+resource "aws_acm_certificate" "cf_certificate" {
+  provider = aws.cloudfront-us-east-1
+  domain_name = local.frontend_fqdn
+  validation_method = "DNS"
+  tags = merge({ Name = local.frontend_fqdn })
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "ovh_domain_zone_record" "cf_record" {
+  fieldtype = "CNAME"
+  subdomain = local.frontend_sub_domain
+  target = "${aws_cloudfront_distribution.website.domain_name}."
+  zone = local.ovh_domain_name
+  ttl = 60
+}
+
+resource "ovh_domain_zone_record" "cert_validation_record" {
+  fieldtype = "CNAME"
+  subdomain = replace(tolist(aws_acm_certificate.cf_certificate.domain_validation_options)[0].resource_record_name, ".${local.ovh_domain_name}.", "")
+  target = tolist(aws_acm_certificate.cf_certificate.domain_validation_options)[0].resource_record_value
+  zone = local.ovh_domain_name
+  ttl = 60
+}
+
+resource "aws_acm_certificate_validation" "validation" {
+  provider = aws.cloudfront-us-east-1
+  certificate_arn = aws_acm_certificate.cf_certificate.arn
+  validation_record_fqdns = ["${ovh_domain_zone_record.cert_validation_record.subdomain}.${ovh_domain_zone_record.cert_validation_record.zone}"]
+}
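Review bot: `cert_validation_record` and `validation` hard-wire `tolist(...domain_validation_options)[0]`, so only the first name on the certificate ever gets a validation CNAME; if a SAN such as the apex or a `www` alias is later added to `aws_acm_certificate.cf_certificate`, the extra name silently gets no record and the certificate stays PENDING_VALIDATION. The idiomatic shape is a `for_each` over `domain_validation_options`, using `trimsuffix` rather than `replace` (which also matches the zone name anywhere inside the label, not only at the end), and a `for` expression to collect the FQDNs. The file is also named r53-acm.tf but creates OVH records, not Route 53 ones; renaming it to ovh-acm.tf or adding a header comment like `# ACM certificate for CloudFront, DNS-validated through OVH zone records` would avoid misleading the next reader.
```hcl
# … unchanged: locals, aws_acm_certificate.cf_certificate, ovh_domain_zone_record.cf_record …

resource "ovh_domain_zone_record" "cert_validation_record" {
  # One CNAME per name on the certificate, keyed by domain so a new SAN adds a record.
  for_each = {
    for dvo in aws_acm_certificate.cf_certificate.domain_validation_options :
    dvo.domain_name => {
      name   = trimsuffix(dvo.resource_record_name, ".${local.ovh_domain_name}.")
      record = dvo.resource_record_value
    }
  }

  fieldtype = "CNAME"
  subdomain = each.value.name
  target    = each.value.record
  zone      = local.ovh_domain_name
  ttl       = 60
}

resource "aws_acm_certificate_validation" "validation" {
  provider                = aws.cloudfront-us-east-1
  certificate_arn         = aws_acm_certificate.cf_certificate.arn
  validation_record_fqdns = [for r in ovh_domain_zone_record.cert_validation_record : "${r.subdomain}.${r.zone}"]
}
```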