[DEV-1529] Create DNS for the CMS Media Library (#751)

.changeset/five-garlics-mix.md

@@ -0,0 +1,5 @@
+---
+"infrastructure": minor
+---
+
+Create DNS for CMS Media Library and link it to the CDN

apps/infrastructure/src/acm.tf

@@ -38,3 +38,21 @@ module "cms_ssl_certificate" {
   validation_method   = "DNS"
   dns_ttl             = 3600
 }
+
+## SSL certificate for Strapi Media Library CDN
+module "strapi_media_library_ssl_certificate" {
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-acm.git?ref=8d0b22f1f242a1b36e29b8cb38aaeac9b887500d" # v5.0.0
+
+  domain_name = format("cdn.%s", var.dns_domain_name)
+  zone_id     = aws_route53_zone.dev_portal.id
+
+  providers = {
+    aws = aws.us-east-1
+  }
+
+  # Because it is ran in an automated pipeline
+  # https://github.com/terraform-aws-modules/terraform-aws-acm/blob/8d0b22f1f242a1b36e29b8cb38aaeac9b887500d/README.md?plain=1#L174
+  wait_for_validation = false
+  validation_method   = "DNS"
+  dns_ttl             = 3600
+}

apps/infrastructure/src/cloudfront.tf

@@ -112,13 +112,13 @@ resource "aws_cloudfront_distribution" "website" {
   }
 }
 
-## CDN to Medialibrary for CMS Strapi
+## CDN to Media Library for CMS Strapi
 module "cloudfront_cms" {
   source = "git::https://github.com/terraform-aws-modules/terraform-aws-cloudfront.git?ref=ed0f1f983f606304e00ad9f48399bd2fe0b79233" # v3.2.2
 
   create_origin_access_identity = true
   origin_access_identities = {
-    s3_cms = "Identity to access S3 bucket."
+    s3_cms = "Identity to access S3 bucket"
   }
 
   origin = {
@@ -132,7 +132,14 @@ module "cloudfront_cms" {
 
   enabled         = true
   is_ipv6_enabled = true
-  comment         = "CloudFront distribution for the medialibrary cms."
+  comment         = "CloudFront distribution for the CMS Media Library"
+
+  viewer_certificate = {
+    cloudfront_default_certificate = false
+    acm_certificate_arn            = module.strapi_media_library_ssl_certificate.acm_certificate_arn
+    ssl_support_method             = "sni-only"
+    minimum_protocol_version       = "TLSv1.2_2021"
+  }
 
   default_cache_behavior = {
     allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
@@ -150,13 +157,9 @@ module "cloudfront_cms" {
         forward = "none"
       }
     }
+  }
 
-    viewer_certificate = {
-      cloudfront_default_certificate = true
-    }
-
-    geo_restriction = {
-      restriction_type = "none"
-    }
+  geo_restriction = {
+    restriction_type = "none"
   }
 }

apps/infrastructure/src/route53.tf

@@ -19,7 +19,8 @@ locals {
   domain_validations_options = setunion(
     aws_acm_certificate.website.domain_validation_options,
     aws_acm_certificate.auth.domain_validation_options,
-    module.cms_ssl_certificate.acm_certificate_domain_validation_options
+    module.cms_ssl_certificate.acm_certificate_domain_validation_options,
+    module.strapi_media_library_ssl_certificate.acm_certificate_domain_validation_options
   )
 }