Make S3 website private; add S3 origin

[jmcgeheeiv]

What

In this PR I added these enhancements:

• Make the S3 website accessible only via CloudFront. You may prefer that I add a variable to make this optional. Let me know.
• Add S3 origins, which are different from the currently-supported custom origins
• Change http_port and https_port to numbers merely to dissuade observers from attempting to use null. null causes a very, very hard-to-diagnose error that does not reveal the line number.

I will further note that Terraform insists that the complete data structure appearing in variables.tf be specified for custom_origin and s3_origin variables. Thus lookup() with default values is immaterial.

Why

The reasons are included in the list of enhancements above. I hope it is more readable that way.

[jmcgeheeiv]

As I reported in #107, when using an S3 website origin, redirection from subdir/ to subdir/index.html works only when aliases is specified. I added a notation to that effect in the website_enabled documentation.

I am tempted to go further and make aliases a required variable, but that would break backward compatibility.

[mergify]

This pull request is now in conflict. Could you fix it @jmcgeheeiv? 🙏

[nitrocode]

@jmcgeheeiv can you fix the merge conflicts ?

Also, it looks like PR #108 put in the following

terraform-aws-cloudfront-s3-cdn/main.tf

Lines 249 to 255 in 0818b34

	dynamic "custom_header" {
	for_each = var.custom_origin_headers
	content {
	name = custom_header.value["name"]
	value = custom_header.value["value"]
	}
	}

How would that work with this PR ? does that PR make this one no longer relevant ?

[nitrocode]

/test all

[mergify]

This pull request is now in conflict. Could you fix it @jmcgeheeiv? 🙏

[jmcgeheeiv]

Okay @nitrocode, the code is tested with Terraform 0.13 and 0.14. The changes are in a single commit. I hope you can get this through before too many more commits come through.

[nitrocode]

/test all

[nitrocode]

It's not up to me. I'm not one of the approvers or in the engineering group. You'll have to be vocal in #pr-reviews channel to get this pr merged

[nitrocode]

Please fix the tests. You need to add the random provider with a version pin

[mergify]

This pull request is now in conflict. Could you fix it @jmcgeheeiv? 🙏

[nitrocode]

There are also a lot of prs going in and a recent bug i introduced. Let's get all the other stuff merged and come back to this one and then fix the conflicts. Otherwise you'll be driving yourself up a wall like me after every merge

[jmcgeheeiv]

Okay, holding until I hear from you, @nitrocode.

[nitrocode]

The bug was fixed in a now closed PR. Feel free to correct tests and fix conflicts. After you do, I'd post in #pr-reviews in slack to get attention to it.

[Gowiem]

/test all

[Gowiem]

@jmcgeheeiv looks like this one is close, but two things outstanding:

1. Bats tests are failing on the provider not being pinned properly:

not ok 6 check if terraform providers are properly pinned
# (in test file test/.test-harness/test/terraform/provider-pinning.bats, line 23)
#   `terraform-config-inspect --json . | jq '.required_providers | to_entries[] | "  - \(.key)|\(.value.version_constraints[])"' > $TMPFILE' failed with status 5
# /usr/local/bin/terraform-config-inspect
# jq: error (at <stdin>:1197): Cannot iterate over null (null)
not ok 7 check if terraform providers have explicit source locations for TF =>0.13
# (in test file test/.test-harness/test/terraform/provider-pinning.bats, line 55)
#   `exit 1' failed
# /usr/local/bin/terraform-config-inspect
# 
# * Cloud Posse requires all providers to use registry format introduced in Terraform 0.13, for example
#     aws = {
#        source  = "hashicorp/aws"
#        version = ">= 3.0"
#     }
# 
# * Please add constraints for these providers:
#   - random

2. You've got merge conflicts in the README. They seem easily so should be quick to knock out.

Get those updated and we'll give this a final pass and move it forward 🤙

[Gowiem]

@jmcgeheeiv something got gunked up with your PR / commits, so now we're seeing a changeset from a number of recent PRs instead of just your changes.

Sorry for this but can you do something along the following lines to get things back in order?

1. Check out a fresh origin/master
2. Create new branch
3. cherry-pick your commits onto that new branch
4. rename your old branch
5. name your new branch like your branch
6. force-push your new branch to your forked master

Feel free to go about that differently if your git-fu is better than mine (not hard obviously).

[jmcgeheeiv]

I force-pushed a better version.

@Gowiem I think I see the error I made. Last time, I did something similar to the six step procedure you describe. However, the local working master branch remains out of sync with origin/master. Therefore your procedure and I both need to remember that at the end we also need to update the local master in preparation for the next time:

git checkout master
git pull --force origin master

While I am certain there is a more elegant way to do this, this is what worked.

[Gowiem]

/test all

[Gowiem]

LGTM 👍

[Gowiem]

@jmcgeheeiv these bats tests are still failing -- Mind looking into them?

not ok 6 check if terraform providers are properly pinned
# (in test file test/.test-harness/test/terraform/provider-pinning.bats, line 23)
#   `terraform-config-inspect --json . | jq '.required_providers | to_entries[] | "  - \(.key)|\(.value.version_constraints[])"' > $TMPFILE' failed with status 5
# /usr/local/bin/terraform-config-inspect
# jq: error (at <stdin>:1175): Cannot iterate over null (null)
not ok 7 check if terraform providers have explicit source locations for TF =>0.13
# (in test file test/.test-harness/test/terraform/provider-pinning.bats, line 55)
#   `exit 1' failed
# /usr/local/bin/terraform-config-inspect
# 
# * Cloud Posse requires all providers to use registry format introduced in Terraform 0.13, for example
#     aws = {
#        source  = "hashicorp/aws"
#        version = ">= 3.0"
#     }
# 
# * Please add constraints for these providers:
#   - random
# 
# 

[nitrocode]

/test all

[jmcgeheeiv]

/test all

[Gowiem]

/test all

[jmcgeheeiv]

@Gowiem, it seems that chatops /test all works only for CloudPosse personnel. Is this true?

[Gowiem]

@jmcgeheeiv that's correct 😄 Leads to some confusion, but I believe it's done because Cloud Posse is spending money on an AWS bill out of its own pocket each time tests are run so they like to guard the fact that it could potentially be abused and they'd end up paying the full bill.

[Gowiem]

I believe this looks good, but I want to get a second set of eyes on it as well before we call it merged since it's a bigger PR. @nitrocode you mind giving a second approval?

[jmcgeheeiv]

Quick, before cloudpossebot changes its mind!

[jmcgeheeiv]

@Gowiem, yes, I was thinking that since /test all is not free, not everyone should be able to do it. Quite reasonable.

[jmcgeheeiv]

@3h4x @woz5999 please review while it's clean and green!

[woz5999]

the code changes lgtm but i've not super familiar with the implications of the changes, so i'd prefer to punt the actual merge to someone else.

[Gowiem]

@woz5999 haha I'm in the same boat and wanted another contributor to help me share the merge burden due to the large set of changes, but I shouldn't try to put that on others. I'll merge and deal with the fallout if this blows up this popular module. @jmcgeheeiv I'll be pinging you if that happens 😉

[Gowiem]

Thanks for the contribution @jmcgeheeiv (and working through our fun hoops on this one in particular)! Released as 0.61.0!