From 60072fe6bcd41d59d1e8e9874da661e95ca37b47 Mon Sep 17 00:00:00 2001 
From: Lawrence McDaniel Date: Fri, 22 Apr 2022 16:19:59 -0500 Subject: [PATCH] Revert to MongoDB. Upgrade Kubernetes to 1.22. Bump Terraform module and Helm versions (#6) * revert from DynamoDB to MongoDB * default eks to a1.large instances * bump terraform aws module versions * revert ec2 instance type to t3.large * bump kubernetes cluster version to 1.22.6 * bump tutor_contrib_s3_version to v0.2.1 * switch cluster version from numerical literal to string * kubernetes cluster version = 1.22 * parameterize helm release ingress-nginx and bump version from 3 to 4.1 * testing * rename parameter * switch version to stable * add back creation of region ssl certs for ELB * add back dns data declarations * revert to explicit version number * refactor kubernetes clb ingress code * smooth of version syntax * more version smoothing --- cookiecutter.json | 29 +++++---- hooks/post_gen_project.py | 13 ++++ tests/test.sh | 2 +- ...ploy_{{cookiecutter.environment_name}}.yml | 13 ++-- .../k8s/cluster-issuer.yml | 1 + .../k8s/ingress.yml | 1 + .../{{cookiecutter.environment_name}}/env.hcl | 2 +- .../terraform/modules/kubernetes/main.tf | 42 ++++++++++++ .../modules/kubernetes_ingress_clb/acm.tf | 15 ----- .../cert-manager-values.yaml.tpl | 4 +- .../kubernetes_ingress_clb/cert-manager.tf | 5 +- .../modules/kubernetes_ingress_clb/ingress.tf | 44 ------------- .../modules/kubernetes_ingress_clb/main.tf | 65 ++++++++----------- .../{admin.tf => admin_openedx.tf} | 0 .../modules/kubernetes_secrets/oauth.tf | 37 ----------- .../modules/vpc/certificate_manager.tf | 62 ++++++++++++++++++ 16 files changed, 179 insertions(+), 156 deletions(-) delete mode 100644 {{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/acm.tf delete mode 100644 {{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/ingress.tf rename {{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_secrets/{admin.tf => admin_openedx.tf} (100%) delete mode 100644 
{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_secrets/oauth.tf
 create mode 100644 {{cookiecutter.github_repo_name}}/terraform/modules/vpc/certificate_manager.tf
diff --git a/cookiecutter.json b/cookiecutter.json
index 1556ae66..229bb5f2 100644
--- a/cookiecutter.json
+++ b/cookiecutter.json
@@ -4,6 +4,7 @@
 "environment_name": "prod",
 "environment_subdomain": "courses",
 "environment_add_bastion": ["N", "Y"],
+ "environment_add_documentdb": ["N", "Y"],
 "global_platform_name": "yourschool",
 "global_platform_description": "Your School",
 "global_platform_region": "usa_east",
@@ -22,11 +23,11 @@
 "ci_build_xblock_repository": "edx-ora2",
 "ci_build_xblock_ref": "master",
 "ci_deploy_OPENEDX_COMMON_VERSION": "open-release/{{ cookiecutter.ci_build_open_edx_version }}",
- "ci_deploy_hastexo_tutor_contrib_s3_version": "v0.2.0",
+ "ci_deploy_hastexo_tutor_contrib_s3_version": "v0.2.1",
 "ci_deploy_EMAIL_HOST": "email-smtp.{{ cookiecutter.global_aws_region|lower|replace(' ', '-') }}.amazonaws.com",
 "ci_deploy_EMAIL_PORT": 587,
 "ci_deploy_EMAIL_USE_TLS": "true",
- "kubernetes_cluster_version": "1.21",
+ "kubernetes_cluster_version": "1.22",
 "kubernetes_cluster_compute_type": ["EC2", "Fargate"],
 "kubernetes_cluster_load_balancer_type": ["ALB", "CLB"],
 "kubernetes_cluster_ingress_controller_version": "v2.4.1",
@@ -60,19 +61,21 @@
 "terraform_required_version": "~> 1.1",
 "terraform_aws_modules_acm": "~> 3.4",
 "terraform_aws_modules_cloudfront": "~> 2.9",
- "terraform_aws_modules_eks": "~> 18.15",
- "terraform_aws_modules_iam": "~> 4.14",
+ "terraform_aws_modules_eks": "~> 18.20",
+ "terraform_aws_modules_iam": "~> 4.21",
+ "terraform_aws_modules_iam_assumable_role_with_oidc": "~> 4.21",
 "terraform_aws_modules_rds": "~> 4.2.0",
- "terraform_aws_modules_s3": "~> 3.0",
+ "terraform_aws_modules_s3": "~> 3.1",
 "terraform_aws_modules_sg": "~> 4.9",
- "terraform_aws_modules_vpc": "~> 3.13",
- "terraform_helm_ingress_nginx": "~> 4",
- "terraform_helm_cert_manager": "v1.7.1",
- "terraform_helm_alb_controller_chart_version": "1.4.1",
- "terraform_helm_aws_efs_csi_driver_version": "1.3.6",
- "terraform_provider_kubernetes_version": "~> 2.9",
- "terraform_provider_hashicorp_aws_version": "~> 4.6",
- "terraform_provider_hashicorp_helm_version": "~> 2.4",
+ "terraform_aws_modules_vpc": "~> 3.14",
+ "terraform_helm_ingress_nginx": "~> 4.1",
+ "terraform_helm_cert_manager": "~> 1.8",
+ "terraform_helm_cert_manager_image_tag": "v1.8.0",
+ "terraform_helm_alb_controller_chart_version": "~> 1.4",
+ "terraform_helm_aws_efs_csi_driver_version": "~> 1.3",
+ "terraform_provider_kubernetes_version": "~> 2.10",
+ "terraform_provider_hashicorp_aws_version": "~> 4.11",
+ "terraform_provider_hashicorp_helm_version": "~> 2.5",
 "terraform_provider_hashicorp_local_version": "~> 2.2",
 "terraform_provider_hashicorp_random_version": "~> 3.1"
 }
diff --git a/hooks/post_gen_project.py b/hooks/post_gen_project.py
index 9fec33a3..00f6ea50 100644
--- a/hooks/post_gen_project.py
+++ b/hooks/post_gen_project.py
@@ -20,10 +20,23 @@ def remove_bastion():
 if os.path.exists(terragrunt_dir_path):
 shutil.rmtree(terragrunt_dir_path)
+def remove_dynamodb():
+ module_dir_path = os.path.join("terraform", "modules", "mongodb")
+ if os.path.exists(module_dir_path):
+ shutil.rmtree(module_dir_path)
+
+ terragrunt_dir_path = os.path.join("terraform", "environments", "{{ cookiecutter.environment_name }}", "mongodb")
+ if os.path.exists(terragrunt_dir_path):
+ shutil.rmtree(terragrunt_dir_path)
+
+
 def main():
 if "{{ cookiecutter.environment_add_bastion }}".upper() != "Y":
 remove_bastion()
+ if "{{ cookiecutter.environment_add_documentdb }}".upper() != "Y":
+ remove_dynamodb()
+
 print(SUCCESS + "Your Open edX devops repo has been initialized." + TERMINATOR)
diff --git a/tests/test.sh b/tests/test.sh
index bb2951e3..18a7a8fc 100755
--- a/tests/test.sh
+++ b/tests/test.sh
@@ -10,7 +10,7 @@
 #------------------------------------------------------------------------------
 GITHUB_REPO="gh:lpm0073/cookiecutter-openedx-devops"
-GITHUB_BRANCH="main"
+GITHUB_BRANCH="mcdanie_20220422_mongodb"
 OUTPUT_FOLDER="/Users/mcdaniel/github/stepwisemath.ai/"
 cookiecutter --checkout $GITHUB_BRANCH \
diff --git a/{{cookiecutter.github_repo_name}}/.github/workflows/tutor_deploy_{{cookiecutter.environment_name}}.yml b/{{cookiecutter.github_repo_name}}/.github/workflows/tutor_deploy_{{cookiecutter.environment_name}}.yml
index 51b3b6e6..d312a830 100644
--- a/{{cookiecutter.github_repo_name}}/.github/workflows/tutor_deploy_{{cookiecutter.environment_name}}.yml
+++ b/{{cookiecutter.github_repo_name}}/.github/workflows/tutor_deploy_{{cookiecutter.environment_name}}.yml
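Review bot: `remove_dynamodb` deletes the `terraform/modules/mongodb` directory and the environment's `mongodb` Terragrunt directory, yet it is gated in `main()` on `environment_add_documentdb` and named after DynamoDB, so one switch carries three names and a reader cannot tell that answering "N" to DocumentDB removes the MongoDB module. Renaming it `remove_mongodb()` and giving it a docstring such as `"""Remove the MongoDB Terraform module and its Terragrunt environment when the user opted out of DocumentDB."""` would make the hook match the option it reads. `remove_bastion` and the new function repeat the same two-step "exists, then rmtree" pattern; a small `_remove_tree(*parts)` helper would remove the duplication and keep the two in step. `remove_bastion` begins before the hunk, and `SUCCESS`/`TERMINATOR` are defined outside it.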
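Review bot: `GITHUB_BRANCH` now points at the personal feature branch `mcdanie_20220422_mongodb`, so the committed test script exercises a branch that will disappear once this change merges and breaks for anyone else who runs it. Restoring `GITHUB_BRANCH="main"`, or letting the environment override it with `GITHUB_BRANCH="${GITHUB_BRANCH:-main}"`, keeps the script reproducible without forcing a local edit. The user-specific `OUTPUT_FOLDER` in the context lines has the same problem, though it predates this change.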
@@ -120,10 +120,15 @@ jobs:
 # Also note that we are using jq to add a prefix of "TUTOR_" to each of the parameter names
 #
 # see: https://github.com/{{ cookiecutter.github_account_name }}/{{ cookiecutter.github_repo_name }}/blob/main/terraform/modules/mongodb/main.tf
- - name: MongoDB
- run: |-
- echo "TUTOR_RUN_MONGODB=false" >> $GITHUB_ENV
- kubectl get secret mongodb-admin -n $NAMESPACE -o json | jq '.data | map_values(@base64d)' | jq -r 'keys[] as $k | "TUTOR_\($k|ascii_upcase)=\(.[$k])"' >> $GITHUB_ENV
+
+ #--------------------------------------------------------------------
+ # UN-COMMENT THIS BLOCK TO USE DYNAMODB INSTEAD OF MONGODB
+ #--------------------------------------------------------------------
+ #- name: MongoDB
+ # run: |-
+ # echo "TUTOR_RUN_MONGODB=false" >> $GITHUB_ENV
+ # kubectl get secret mongodb-admin -n $NAMESPACE -o json | jq '.data | map_values(@base64d)' | jq -r 'keys[] as $k | "TUTOR_\($k|ascii_upcase)=\(.[$k])"' >> $GITHUB_ENV
+ #--------------------------------------------------------------------
 # retrieve the Redis connection parameter that we created in Terraform:
 # REDIS_HOST: redis.{{ cookiecutter.environment_subdomain }}.{{ cookiecutter.global_root_domain }}
diff --git a/{{cookiecutter.github_repo_name}}/ci/tutor-deploy/environments/{{cookiecutter.environment_name}}/k8s/cluster-issuer.yml b/{{cookiecutter.github_repo_name}}/ci/tutor-deploy/environments/{{cookiecutter.environment_name}}/k8s/cluster-issuer.yml
index b2082fe1..0cf56f9d 100644
--- a/{{cookiecutter.github_repo_name}}/ci/tutor-deploy/environments/{{cookiecutter.environment_name}}/k8s/cluster-issuer.yml
+++ b/{{cookiecutter.github_repo_name}}/ci/tutor-deploy/environments/{{cookiecutter.environment_name}}/k8s/cluster-issuer.yml
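Review bot: The banner `UN-COMMENT THIS BLOCK TO USE DYNAMODB INSTEAD OF MONGODB` misdescribes the step it wraps: that step sets `TUTOR_RUN_MONGODB=false` and reads the `mongodb-admin` secret, which is the external-database (DocumentDB) path that the new `environment_add_documentdb` option in cookiecutter.json controls, not DynamoDB. Because the generator already knows the user's answer, the step could be emitted conditionally instead of shipped as dead YAML that has to be hand-edited in every generated repo — this workflow is already a Jinja2 template, so a `{% if cookiecutter.environment_add_documentdb == "Y" %}` / `{% endif %}` guard around the original step would do it and would stay consistent with the directory removal done in hooks/post_gen_project.py. If the commented block is kept, renaming DYNAMODB to DOCUMENTDB in the banner at least makes it match the option and the secret it reads.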
@@ -5,6 +5,7 @@
 # date: Aug-2021
 #
 # usage: setup SSL certs for EKS load balancer worker node instances.
+# see https://cert-manager.io/docs/
 #------------------------------------------------------------------------------
 ---
 apiVersion: cert-manager.io/v1
diff --git a/{{cookiecutter.github_repo_name}}/ci/tutor-deploy/environments/{{cookiecutter.environment_name}}/k8s/ingress.yml b/{{cookiecutter.github_repo_name}}/ci/tutor-deploy/environments/{{cookiecutter.environment_name}}/k8s/ingress.yml
index 6422bb58..324efa23 100644
--- a/{{cookiecutter.github_repo_name}}/ci/tutor-deploy/environments/{{cookiecutter.environment_name}}/k8s/ingress.yml
+++ b/{{cookiecutter.github_repo_name}}/ci/tutor-deploy/environments/{{cookiecutter.environment_name}}/k8s/ingress.yml
@@ -5,6 +5,7 @@
 # date: Aug-2021
 #
 # usage: setup nginx for EKS load balancer.
+# see https://cert-manager.io/docs/
 #------------------------------------------------------------------------------
 apiVersion: networking.k8s.io/v1
 kind: Ingress
diff --git a/{{cookiecutter.github_repo_name}}/terraform/environments/{{cookiecutter.environment_name}}/env.hcl b/{{cookiecutter.github_repo_name}}/terraform/environments/{{cookiecutter.environment_name}}/env.hcl
index 5ea99e6f..5443878a 100644
--- a/{{cookiecutter.github_repo_name}}/terraform/environments/{{cookiecutter.environment_name}}/env.hcl
+++ b/{{cookiecutter.github_repo_name}}/terraform/environments/{{cookiecutter.environment_name}}/env.hcl
@@ -48,7 +48,7 @@ locals {
 #
 # see: https://aws.amazon.com/ec2/instance-types/
 #----------------------------------------------------------------------------
- kubernetes_version = {{ cookiecutter.kubernetes_cluster_version }}
+ kubernetes_version = "{{ cookiecutter.kubernetes_cluster_version }}"
 eks_worker_group_instance_type = "t3.large"
 eks_worker_group_min_size = 1
 eks_worker_group_max_size = 2
diff --git a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes/main.tf b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes/main.tf
index 1591fca1..13cf9433 100644
--- a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes/main.tf
+++ b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes/main.tf
@@ -31,6 +31,48 @@ locals {
 }
 }
+resource "aws_security_group" "worker_group_mgmt" {
+ name_prefix = "${var.environment_namespace}-eks_worker_group_mgmt"
+ description = "openedx_devops: Ingress CLB worker group management"
+ vpc_id = var.vpc_id
+
+ ingress {
+ description = "openedx_devops: Ingress CLB"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+
+ cidr_blocks = [
+ "10.0.0.0/8",
+ ]
+ }
+
+ tags = var.tags
+
+}
+
+resource "aws_security_group" "all_worker_mgmt" {
+ name_prefix = "${var.environment_namespace}-eks_all_worker_management"
+ description = "openedx_devops: Ingress CLB worker management"
+ vpc_id = var.vpc_id
+
+ ingress {
+ description = "openedx_devops: Ingress CLB"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+
+ cidr_blocks = [
+ "10.0.0.0/8",
+ "172.16.0.0/12",
+ "192.168.0.0/16",
+ ]
+ }
+
+ tags = var.tags
+
+}
+
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
 version = "{{ cookiecutter.terraform_aws_modules_eks }}"
diff --git a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/acm.tf b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/acm.tf
deleted file mode 100644
index 6d12c41b..00000000
--- a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/acm.tf
+++ /dev/null
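Review bot: Both security groups admit TCP/22 from whole RFC 1918 ranges (`10.0.0.0/8` in `worker_group_mgmt`, plus `172.16.0.0/12` and `192.168.0.0/16` in `all_worker_mgmt`), which means SSH to the worker nodes is reachable from any peered VPC, VPN or on-premises network rather than only from the bastion this template can provision; scoping `cidr_blocks` to the VPC's own CIDR, or replacing the CIDR rule with a `source_security_group_id` pointing at the bastion's group, matches the least-privilege intent far better. Neither group declares an `egress` block, and the AWS provider documents that it strips the default allow-all egress rule from an `aws_security_group` that declares none, so if these groups are attached to the nodes (the attachment is not visible in this hunk) outbound traffic depends on some other group providing it. The `description` strings still say `Ingress CLB ...`, a leftover from the module these blocks were moved out of; something like `"openedx_devops: EKS worker node SSH management"` would describe them in their new home. Whether `module "eks"` consumes either group is outside the hunk, so if it does not they are unused resources.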
@@ -1,15 +0,0 @@
-#------------------------------------------------------------------------------
-# written by: Lawrence McDaniel
-# https://lawrencemcdaniel.com/
-#
-# date: Feb-2022
-#
-# usage: Add tls certs to us-east-1 for Cloudfront distributions.
-#------------------------------------------------------------------------------
-
-# FIX NOTE: do we even need this for anything?
-
-provider "aws" {
- alias = "us-east-1"
- region = "us-east-1"
-}
diff --git a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/cert-manager-values.yaml.tpl b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/cert-manager-values.yaml.tpl
index 1a4009ea..a9fbc176 100644
--- a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/cert-manager-values.yaml.tpl
+++ b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/cert-manager-values.yaml.tpl
@@ -3,10 +3,10 @@ global:
 enabled: true
 useAppArmor: true
 image:
- tag: v1.4.0
+ tag: {{ cookiecutter.terraform_helm_cert_manager_image_tag }}
 webhook:
 image:
- tag: v1.4.0
+ tag: {{ cookiecutter.terraform_helm_cert_manager_image_tag }}
 prometheus:
 enabled: false
 installCRDs: true
diff --git a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/cert-manager.tf b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/cert-manager.tf
index 2c473cc4..36eebca3 100644
--- a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/cert-manager.tf
+++ b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/cert-manager.tf
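Review bot: `image.tag` and `webhook.image.tag` are now pinned to `terraform_helm_cert_manager_image_tag` (`v1.8.0` in cookiecutter.json) while the chart itself floats on `terraform_helm_cert_manager` (`~> 1.8`) in cert-manager.tf, so a later 1.8.x chart can be rendered against images from an older release, and any other component image the chart deploys (cainjector, for example) keeps the chart's default and may end up at a different version from the controller. Either drop both `tag:` overrides and let the chart default to its own matching `appVersion`, or pin the chart to one exact version and keep every tag equal to it; keeping two independent version knobs for one component is how version skew creeps into a TLS-issuing controller. The substituted `tag:` values are also emitted unquoted; a `v`-prefixed tag reads as a string, but `tag: "{{ cookiecutter.terraform_helm_cert_manager_image_tag }}"` guards against a numeric-looking value being parsed as a float.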
@@ -5,10 +5,11 @@
 # date: Aug-2021
 #
 # usage: Add tls certs for EKS cluster load balancer
+# see https://cert-manager.io/docs/
 #------------------------------------------------------------------------------
 module "cert_manager_irsa" {
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
- version = "~> 4.1"
+ version = "{{ cookiecutter.terraform_aws_modules_iam_assumable_role_with_oidc }}"
 create_role = true
 role_name = "${var.environment_namespace}-cert_manager-irsa"
 provider_url = replace(data.aws_eks_cluster.eks.identity[0].oidc[0].issuer, "https://", "")
@@ -30,7 +31,7 @@ resource "helm_release" "cert-manager" {
 chart = "cert-manager"
 repository = "https://charts.jetstack.io"
- version = "v1.4.0"
+ version = "{{ cookiecutter.terraform_helm_cert_manager }}"
 values = [data.template_file.cert-manager-values.rendered ]
 }
diff --git a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/ingress.tf b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/ingress.tf
deleted file mode 100644
index 5c4bc141..00000000
--- a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/ingress.tf
+++ /dev/null
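Review bot: `version = "{{ cookiecutter.terraform_helm_cert_manager }}"` on the `helm_release` in the second hunk now carries a range (`~> 1.8` in cookiecutter.json) instead of the exact `v1.4.0` it replaces, so the chart that gets installed is whatever the Jetstack repository serves at apply time and two applies of the same commit can deploy different cert-manager versions; `helm_release.nginx` in kubernetes_ingress_clb/main.tf has the same issue with `terraform_helm_ingress_nginx` (`~> 4.1`). A range on the registry module in `cert_manager_irsa` is the usual Terraform idiom because the selection is resolved at `init` and shown before apply, but as far as I can tell the helm provider only stores the constraint string, so nothing in the plan pins the chart that will actually be deployed. For a component that issues the cluster's TLS certificates an exact chart version, kept equal to the image tag in cert-manager-values.yaml.tpl, is the reproducible choice; if the range is deliberate, a comment next to the line such as `# range constraint is intentional: re-pin after reviewing CRD changes in the next minor` tells the next reader. `resource "helm_release" "cert-manager"` begins before the second hunk.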
@@ -1,44 +0,0 @@
-#------------------------------------------------------------------------------
-# written by: Miguel Afonso
-# https://www.linkedin.com/in/mmafonso/
-#
-# date: Aug-2021
-#
-# usage: Add nginx proxy for EKS cluster load balancer
-#------------------------------------------------------------------------------
-locals {
- external_dns_annotation = "*.${var.environment_domain}"
-}
-
-provider "helm" {
- kubernetes {
- host = data.aws_eks_cluster.cluster.endpoint
- cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
- token = data.aws_eks_cluster_auth.cluster.token
- }
-}
-
-resource "helm_release" "nginx" {
- name = "ingress-nginx"
- namespace = "ingress-nginx"
- create_namespace = true
-
- chart = "ingress-nginx"
- repository = "https://kubernetes.github.io/ingress-nginx"
- version = "~> 3"
-
- set {
- name = "service.type"
- value = "ClusterIP"
- }
-}
-
-data "kubernetes_service" "ingress_nginx_controller" {
- metadata {
- name = "ingress-nginx-controller"
- namespace = "ingress-nginx"
- }
- depends_on = [helm_release.nginx]
-}
-
-data "aws_elb_hosted_zone_id" "main" {}
diff --git a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/main.tf b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/main.tf
index f3b806fa..fed0dffb 100644
--- a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/main.tf
+++ b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/main.tf
@@ -7,6 +7,10 @@
 # usage: build an EKS cluster load balancer
 #------------------------------------------------------------------------------
+#data "tls_certificate" "cluster" {
+# url = data.aws_eks_cluster.eks.identity[0].oidc[0].issuer
+#}
+
 data "aws_eks_cluster" "eks" {
 name = var.environment_namespace
 }
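Review bot: A commented-out `data "tls_certificate" "cluster"` block is left at the top of main.tf with no explanation, while the live copy of the same data source is removed further down in the same file. If the OIDC thumbprint lookup is no longer needed now that `cert_manager_irsa` derives `provider_url` from the cluster issuer, the dead block should go with it; if it is parked for a pending change, a one-line reason above it (`# disabled: thumbprint lookup now handled by the IRSA module; remove once confirmed`) tells the next reader why, since commented-out Terraform tends to be re-enabled untested.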
@@ -25,48 +29,35 @@ provider "kubernetes" {
 token = data.aws_eks_cluster_auth.cluster.token
 }
-resource "aws_security_group" "worker_group_mgmt" {
- name_prefix = "${var.environment_namespace}-eks_worker_group_mgmt"
- description = "openedx_devops: Ingress CLB worker group management"
- vpc_id = var.vpc_id
-
- ingress {
- description = "openedx_devops: Ingress CLB"
- from_port = 22
- to_port = 22
- protocol = "tcp"
-
- cidr_blocks = [
- "10.0.0.0/8",
- ]
+provider "helm" {
+ kubernetes {
+ host = data.aws_eks_cluster.cluster.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+ token = data.aws_eks_cluster_auth.cluster.token
 }
-
- tags = var.tags
-
 }
-resource "aws_security_group" "all_worker_mgmt" {
- name_prefix = "${var.environment_namespace}-eks_all_worker_management"
- description = "openedx_devops: Ingress CLB worker management"
- vpc_id = var.vpc_id
-
- ingress {
- description = "openedx_devops: Ingress CLB"
- from_port = 22
- to_port = 22
- protocol = "tcp"
-
- cidr_blocks = [
- "10.0.0.0/8",
- "172.16.0.0/12",
- "192.168.0.0/16",
- ]
+data "kubernetes_service" "ingress_nginx_controller" {
+ metadata {
+ name = "ingress-nginx-controller"
+ namespace = "ingress-nginx"
 }
+ depends_on = [helm_release.nginx]
+}
- tags = var.tags
+data "aws_elb_hosted_zone_id" "main" {}
-}
+resource "helm_release" "nginx" {
+ name = "ingress-nginx"
+ namespace = "ingress-nginx"
+ create_namespace = true
-data "tls_certificate" "cluster" {
- url = data.aws_eks_cluster.eks.identity[0].oidc[0].issuer
+ chart = "ingress-nginx"
+ repository = "https://kubernetes.github.io/ingress-nginx"
+ version = "{{ cookiecutter.terraform_helm_ingress_nginx }}"
+
+ set {
+ name = "service.type"
+ value = "ClusterIP"
+ }
 }
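Review bot: The `provider "helm"` block moved in from ingress.tf sits inside the `kubernetes_ingress_clb` child module, next to the existing `provider "kubernetes"` whose opening lines are above this hunk; Terraform treats provider configurations in child modules as a legacy pattern, which prevents the caller from using `count`, `for_each` or `depends_on` on the module and makes it awkward to remove the module later because its resources lose their provider. The usual fix is to declare both providers in the root module and pass them in through the module's `providers` map, leaving only `required_providers` here; that is a cross-module change, so a comment acknowledging the constraint (`# NOTE: provider configured in-module; caller cannot use count/for_each on this module`) is the minimum if it stays. The same point applies to the aliased `provider "aws"` introduced in the new vpc/certificate_manager.tf.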
diff --git a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_secrets/admin.tf b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_secrets/admin_openedx.tf
similarity index 100%
rename from {{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_secrets/admin.tf
rename to {{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_secrets/admin_openedx.tf
diff --git a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_secrets/oauth.tf b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_secrets/oauth.tf
deleted file mode 100644
index fce6a807..00000000
--- a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_secrets/oauth.tf
+++ /dev/null
@@ -1,37 +0,0 @@
-#------------------------------------------------------------------------------
-# written by: Miguel Afonso
-# https://www.linkedin.com/in/mmafonso/
-#
-# date: Aug-2021
-#
-# usage: create user credentials for oAuth provider in Open edX
-# association occurs during Github Actions deployment workflow.
-#------------------------------------------------------------------------------
-resource "random_password" "clientid_edx" {
- length = 40
- special = false
- keepers = {
- version = "1"
- }
-}
-
-resource "random_password" "clientsecret_edx" {
- length = 128
- special = false
- keepers = {
- version = "1"
- }
-}
-
-
-resource "kubernetes_secret" "openedx" {
- metadata {
- name = "edx-api"
- namespace = var.namespace
- }
-
- data = {
- CLIENT_ID = random_password.clientid_edx.result
- CLIENT_SECRET = random_password.clientsecret_edx.result
- }
-}
diff --git a/{{cookiecutter.github_repo_name}}/terraform/modules/vpc/certificate_manager.tf b/{{cookiecutter.github_repo_name}}/terraform/modules/vpc/certificate_manager.tf
new file mode 100644
index 00000000..1dee349f
--- /dev/null
+++ b/{{cookiecutter.github_repo_name}}/terraform/modules/vpc/certificate_manager.tf
@@ -0,0 +1,62 @@
+#------------------------------------------------------------------------------
+# written by: Lawrence McDaniel
+# https://lawrencemcdaniel.com/
+#
+# date: Apr-2022
+#
+# usage: Add DNS records and tls certs to environment aws_region for ELB.
+# Also add certs to us-east-1 for Cloudfront distributions.
+#------------------------------------------------------------------------------
+data "aws_route53_zone" "root_domain" {
+ name = var.root_domain
+}
+
+data "aws_route53_zone" "environment_domain" {
+ name = var.environment_domain
+}
+
+#------------------------------------------------------------------------------
+# SSL/TLS certs issued in the AWS region for ELB
+#------------------------------------------------------------------------------
+provider "aws" {
+ alias = "environment_region"
+ region = var.aws_region
+}
+
+module "acm_root_domain_environment_region" {
+ source = "terraform-aws-modules/acm/aws"
+ version = "{{ cookiecutter.terraform_aws_modules_acm }}"
+
+ providers = {
+ aws = aws.environment_region
+ }
+
+ domain_name = var.root_domain
+ zone_id = data.aws_route53_zone.root_domain.id
+
+ subject_alternative_names = [
+ "*.${var.root_domain}",
+ ]
+
+ wait_for_validation = true
+ tags = var.tags
+}
+
+module "acm_environment_environment_region" {
+ source = "terraform-aws-modules/acm/aws"
+ version = "{{ cookiecutter.terraform_aws_modules_acm }}"
+
+ providers = {
+ aws = aws.environment_region
+ }
+
+ domain_name = var.environment_domain
+ zone_id = data.aws_route53_zone.environment_domain.id
+
+ subject_alternative_names = [
+ "*.${var.environment_domain}",
+ ]
+
+ wait_for_validation = true
+ tags = var.tags
+}
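Review bot: The header promises `Also add certs to us-east-1 for Cloudfront distributions`, but the 62 lines only configure `aws.environment_region` and issue two certificates in `var.aws_region`; the us-east-1 provider that the deleted kubernetes_ingress_clb/acm.tf used to carry is not recreated anywhere in this commit, so either the comment overstates what the file does or the CloudFront certificates are now missing. Either trim the comment to what is present (`# usage: Add Route53 validation records and ACM certs in var.aws_region for the ELB.`) or add the us-east-1 provider and a matching pair of `acm` modules. Separately, the aliased `provider "aws"` lives inside the `vpc` module, which Terraform treats as a legacy pattern that blocks `count`/`for_each`/`depends_on` on the module; if `var.aws_region` is the same region the caller's default provider already uses, the alias and the `providers` maps can be dropped entirely, and otherwise the provider belongs in the root module and should be passed in.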