feat: Removing hardcoded value for S3 ENDPOINT (#302)

uktrade · Dec 11, 2024 · cffd06a · cffd06a
1 parent 5819fbc
commit cffd06a
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 4 deletions.
diff --git a/s3/main.tf b/s3/main.tf
@@ -2,6 +2,7 @@ data "aws_caller_identity" "current" {}
 
 locals {
   serve_static_domain = var.environment == "prod" ? "${var.config.bucket_name}.${var.application}.prod.uktrade.digital" : "${var.config.bucket_name}.${var.environment}.${var.application}.uktrade.digital"
+  ssm_param_name      = coalesce(var.config.serve_static_param_name, "STATIC_S3_ENDPOINT")
 }
 
 resource "aws_s3_bucket" "this" {
@@ -385,7 +386,7 @@ resource "aws_kms_key_policy" "s3-ssm-kms-key-policy" {
         Resource = aws_kms_key.s3-ssm-kms-key[0].arn
         Condition = {
           StringEquals = {
-            "kms:EncryptionContext:aws:ssm:parameterName" = "/copilot/${var.application}/${var.environment}/secrets/STATIC_S3_ENDPOINT"
+            "kms:EncryptionContext:aws:ssm:parameterName" = "/copilot/${var.application}/${var.environment}/secrets/${local.ssm_param_name}"
           }
         }
         Sid = "Enable SSM Permissions"
@@ -407,7 +408,7 @@ resource "aws_kms_key_policy" "s3-ssm-kms-key-policy" {
 resource "aws_ssm_parameter" "cloudfront_alias" {
   count = var.config.serve_static_content ? 1 : 0
 
-  name   = "/copilot/${var.application}/${var.environment}/secrets/STATIC_S3_ENDPOINT"
+  name   = "/copilot/${var.application}/${var.environment}/secrets/${local.ssm_param_name}"
   type   = "SecureString"
   value  = local.serve_static_domain
   key_id = aws_kms_key.s3-ssm-kms-key[0].arn

diff --git a/s3/tests/unit.tftest.hcl b/s3/tests/unit.tftest.hcl
@@ -864,6 +864,25 @@ run "aws_ssm_parameter_cloudfront_alias_unit_test" {
   }
 }
 
+run "aws_serve_static_param_name_override_unit_test" {
+  command = plan
+
+  variables {
+    config = {
+      "bucket_name"             = "test",
+      "serve_static_content"    = true,
+      "type"                    = "string",
+      "objects"                 = [],
+      "serve_static_param_name" = "ALTERNATIVE_STATIC_S3_ENDPOINT"
+    }
+  }
+
+  assert {
+    condition     = aws_ssm_parameter.cloudfront_alias[0].name == "/copilot/s3-test-application/dev/secrets/ALTERNATIVE_STATIC_S3_ENDPOINT"
+    error_message = "Invalid name for aws_ssm_parameter cloudfront alias."
+  }
+}
+
 run "aws_ssm_parameter_cloudfront_alias_prod_domain_name_unit_test" {
   command = plan
 

diff --git a/s3/variables.tf b/s3/variables.tf
@@ -42,8 +42,9 @@ variable "config" {
       cyber_sign_off_by = string
     })))
     # NOTE: readonly access is managed by Copilot server addon s3 policy.
-    readonly             = optional(bool)
-    serve_static_content = optional(bool, false)
+    readonly                = optional(bool)
+    serve_static_content    = optional(bool, false)
+    serve_static_param_name = optional(string)
     objects = optional(list(object({
       body         = string
       key          = string