├── .gitignore ├── LICENSE ├── README.adoc ├── README.md ├── cloudfront.tf ├── data.tf ├── outputs.tf ├── s3.tf ├── sample-site ├── .gitignore ├── acm.tf ├── main.tf ├── outputs.tf ├── providers.tf ├── tf.tfvars ├── vars.tf └── versions.tf ├── variables.tf └── versions.tf /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.adoc: -------------------------------------------------------------------------------- 1 | = Terraform module to setup a S3 redirection site with CloudFront, ACM 2 | 3 | This module helps you create a S3 website that performs HTTPS redirection, 4 | assuming that: 5 | 6 | * it runs HTTPS via Amazon's Certificate Manager ("ACM") 7 | * its domain is backed by a Route53 zone 8 | * and of course, your AWS account provides you access to all these resources necessary. 9 | 10 | This module is available on the https://registry.terraform.io/modules/riboseinc/s3-cloudfront-redirect/aws/[Terraform Registry]. 11 | 12 | This module is a pair with 13 | https://github.com/riboseinc/terraform-aws-s3-cloudfront-website[terraform-aws-s3-cloudfront-website], 14 | which handles hosting of a static S3 website with CloudFront and ACM. 15 | 16 | == Sample Usage 17 | 18 | You can literally copy and paste the following example, change the following attributes, and you're ready to go: 19 | 20 | * `fqdn` set to your static website's hostname 21 | * `redirect_target` set to where you want the hostname to redirect to (e.g. `example.com` => (this one) `www.example.com`) 22 | 23 | 24 | [source,hcl] 25 | ---- 26 | # AWS Region for S3 and other resources 27 | provider "aws" { 28 | region = "us-west-2" 29 | alias = "main" 30 | } 31 | 32 | # AWS Region for Cloudfront (ACM certs only supports us-east-1) 33 | provider "aws" { 34 | region = "us-east-1" 35 | alias = "cloudfront" 36 | } 37 | 38 | # Variables 39 | variable "fqdn" { 40 | description = "The fully-qualified domain name root of the resulting S3 website." 41 | default = "example.com" 42 | } 43 | 44 | variable "redirect_target" { 45 | description = "The fully-qualified domain name to redirect to." 46 | default = "www.example.com" 47 | } 48 | 49 | # Using this module 50 | module "main" { 51 | source = "github.com/riboseinc/terraform-aws-s3-cloudfront-redirect" 52 | 53 | fqdn = "${var.fqdn}" 54 | redirect_target = "${var.redirect_target}" 55 | ssl_certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}" 56 | 57 | refer_secret = "${base64sha512("REFER-SECRET-19265125-${var.fqdn}-52865926")}" 58 | force_destroy = "true" 59 | 60 | providers = { 61 | aws.main = aws.main 62 | aws.cloudfront = aws.cloudfront 63 | } 64 | 65 | # Optional WAF Web ACL ID, defaults to none. 66 | web_acl_id = "${data.terraform_remote_state.site.waf-web-acl-id}" 67 | } 68 | 69 | # ACM Certificate generation 70 | 71 | resource "aws_acm_certificate" "cert" { 72 | provider = "aws.cloudfront" 73 | domain_name = "${var.fqdn}" 74 | validation_method = "DNS" 75 | } 76 | 77 | resource "aws_route53_record" "cert_validation" { 78 | provider = aws.cloudfront 79 | for_each = { 80 | for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => { 81 | name = dvo.resource_record_name 82 | record = dvo.resource_record_value 83 | type = dvo.resource_record_type 84 | } 85 | } 86 | 87 | allow_overwrite = true 88 | name = each.value.name 89 | records = [each.value.record] 90 | ttl = 60 91 | type = each.value.type 92 | zone_id = data.aws_route53_zone.main.zone_id 93 | } 94 | 95 | resource "aws_acm_certificate_validation" "cert" { 96 | provider = aws.cloudfront 97 | certificate_arn = aws_acm_certificate.cert.arn 98 | validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn] 99 | } 100 | 101 | 102 | # Route 53 record for the static site 103 | 104 | data "aws_route53_zone" "main" { 105 | provider = "aws.main" 106 | name = "${var.fqdn}" 107 | private_zone = false 108 | } 109 | 110 | resource "aws_route53_record" "web" { 111 | provider = "aws.main" 112 | zone_id = "${data.aws_route53_zone.main.zone_id}" 113 | name = "${var.fqdn}" 114 | type = "A" 115 | 116 | alias { 117 | name = "${module.main.cf_domain_name}" 118 | zone_id = "${module.main.cf_hosted_zone_id}" 119 | evaluate_target_health = false 120 | } 121 | } 122 | 123 | # Outputs 124 | 125 | output "s3_bucket_id" { 126 | value = "${module.main.s3_bucket_id}" 127 | } 128 | 129 | output "s3_domain" { 130 | value = "${module.main.s3_website_endpoint}" 131 | } 132 | 133 | output "s3_hosted_zone_id" { 134 | value = "${module.main.s3_hosted_zone_id}" 135 | } 136 | 137 | output "cloudfront_domain" { 138 | value = "${module.main.cf_domain_name}" 139 | } 140 | 141 | output "cloudfront_hosted_zone_id" { 142 | value = "${module.main.cf_hosted_zone_id}" 143 | } 144 | 145 | output "cloudfront_distribution_id" { 146 | value = "${module.main.cf_distribution_id}" 147 | } 148 | 149 | output "route53_fqdn" { 150 | value = "${aws_route53_record.web.fqdn}" 151 | } 152 | 153 | output "acm_certificate_arn" { 154 | value = "${aws_acm_certificate_validation.cert.certificate_arn}" 155 | } 156 | ---- 157 | 158 | 159 | == Upgrading instructions 160 | 161 | NOTE: In this section you need to have https://github.com/tfutils/tfenv[`tfenv`] 162 | installed. 163 | 164 | === Upgrading from Terraform 0.13/0.14 to 0.15 165 | 166 | Remove the version restriction on the module: 167 | 168 | [source,hcl] 169 | ---- 170 | module "site-root" { 171 | source = "github.com/riboseinc/terraform-aws-s3-cloudfront-redirect" 172 | # ... 173 | } 174 | ---- 175 | 176 | Then: 177 | 178 | [source,sh] 179 | ---- 180 | tfenv use 0.15.4 181 | terraform init -upgrade 182 | terraform plan 183 | ---- 184 | 185 | When upgrading to 0.15.4, you need to update the ACM config from: 186 | 187 | Original: 188 | 189 | [source,hcl] 190 | ---- 191 | resource "aws_route53_record" "cert_validation" { 192 | provider = aws.cloudfront 193 | name = aws_acm_certificate.cert.domain_validation_options[0].resource_record_name 194 | type = aws_acm_certificate.cert.domain_validation_options[0].resource_record_type 195 | zone_id = data.aws_route53_zone.main.id 196 | records = [aws_acm_certificate.cert.domain_validation_options[0].resource_record_value] 197 | ttl = 60 198 | } 199 | 200 | resource "aws_acm_certificate_validation" "cert" { 201 | provider = aws.cloudfront 202 | certificate_arn = aws_acm_certificate.cert.arn 203 | validation_record_fqdns = [aws_route53_record.cert_validation.fqdn] 204 | } 205 | ---- 206 | 207 | Now: 208 | 209 | [source,hcl] 210 | ---- 211 | resource "aws_route53_record" "cert_validation" { 212 | provider = aws.cloudfront 213 | for_each = { 214 | for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => { 215 | name = dvo.resource_record_name 216 | record = dvo.resource_record_value 217 | type = dvo.resource_record_type 218 | } 219 | } 220 | 221 | allow_overwrite = true 222 | name = each.value.name 223 | records = [each.value.record] 224 | ttl = 60 225 | type = each.value.type 226 | zone_id = data.aws_route53_zone.main.zone_id 227 | } 228 | 229 | resource "aws_acm_certificate_validation" "cert" { 230 | provider = aws.cloudfront 231 | certificate_arn = aws_acm_certificate.cert.arn 232 | validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn] 233 | } 234 | ---- 235 | 236 | 237 | === Upgrading from Terraform 0.12 to 0.13 238 | 239 | First, link the module to a version that supported 0.13: 240 | 241 | [source,hcl] 242 | ---- 243 | module "site-root" { 244 | source = "github.com/riboseinc/terraform-aws-s3-cloudfront-redirect?ref=b4ab4a1ec7f373484074b27c73d93ce4bbe60b14" 245 | # ... 246 | } 247 | ---- 248 | 249 | Assume you are using Terraform 0.12, update module version and verify that you 250 | can run Terraform properly: 251 | 252 | [source,sh] 253 | ---- 254 | tfenv use 0.12.31 255 | terraform init -upgrade 256 | ---- 257 | 258 | If all went well, you can use Terraform 0.13, and upgrade the providers: 259 | 260 | [source,sh] 261 | ---- 262 | tfenv use 0.13.7 263 | terraform 0.13upgrade -yes 264 | terraform init -upgrade 265 | terraform state replace-provider -auto-approve registry.terraform.io/-/aws hashicorp/aws 266 | terraform state replace-provider -auto-approve registry.terraform.io/-/null registry.terraform.io/hashicorp/null 267 | terraform state replace-provider -auto-approve registry.terraform.io/-/archive registry.terraform.io/hashicorp/archive 268 | terraform state replace-provider -auto-approve registry.terraform.io/-/local registry.terraform.io/hashicorp/local 269 | ---- 270 | 271 | Then this will succeed: 272 | 273 | [source,sh] 274 | ---- 275 | terraform plan 276 | terraform apply -auto-approve 277 | ---- 278 | 279 | 280 | === Upgrading to Terraform 0.12 281 | 282 | This module now supports Terraform 0.12. 283 | 284 | To upgrade to Terraform 0.12 using this module, do this: 285 | 286 | [source,bash] 287 | ---- 288 | terraform init -upgrade 289 | terraform 0.12upgrade 290 | terraform plan 291 | terraform apply -auto-approve 292 | ---- 293 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Terraform module to setup a S3 Website with CloudFront, ACM 2 | 3 | This module helps you create a S3 website, assuming that: 4 | 5 | * it runs HTTPS via Amazon's Certificate Manager ("ACM") 6 | * its domain is backed by a Route53 zone 7 | * and of course, your AWS account provides you access to all these resources necessary. 8 | 9 | This module is available on the [Terraform Registry](https://registry.terraform.io/modules/riboseinc/s3-cloudfront-redirect/aws/). 10 | 11 | This module is a pair with 12 | [terraform-aws-s3-cloudfront-website](https://github.com/riboseinc/terraform-aws-s3-cloudfront-website), 13 | which handles hosting of a static S3 website with CloudFront and ACM. 14 | 15 | ## Sample Usage 16 | 17 | You can literally copy and paste the following example, change the following attributes, and you're ready to go: 18 | 19 | * `fqdn` set to your static website's hostname 20 | * `redirect_target` set to where you want the hostname to redirect to (e.g. `example.com` => (this one) `www.example.com`) 21 | 22 | 23 | ```hcl 24 | # AWS Region for S3 and other resources 25 | provider "aws" { 26 | region = "us-west-2" 27 | alias = "main" 28 | } 29 | 30 | # AWS Region for Cloudfront (ACM certs only supports us-east-1) 31 | provider "aws" { 32 | region = "us-east-1" 33 | alias = "cloudfront" 34 | } 35 | 36 | # Variables 37 | variable "fqdn" { 38 | description = "The fully-qualified domain name root of the resulting S3 website." 39 | default = "example.com" 40 | } 41 | 42 | variable "redirect_target" { 43 | description = "The fully-qualified domain name to redirect to." 44 | default = "www.example.com" 45 | } 46 | 47 | # Using this module 48 | module "main" { 49 | source = "github.com/riboseinc/terraform-aws-s3-cloudfront-redirect" 50 | 51 | fqdn = "${var.fqdn}" 52 | redirect_target = "${var.redirect_target}" 53 | ssl_certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}" 54 | 55 | refer_secret = "${base64sha512("REFER-SECRET-19265125-${var.fqdn}-52865926")}" 56 | force_destroy = "true" 57 | 58 | providers = { 59 | aws.main = aws.main 60 | aws.cloudfront = aws.cloudfront 61 | } 62 | 63 | # Optional WAF Web ACL ID, defaults to none. 64 | web_acl_id = "${data.terraform_remote_state.site.waf-web-acl-id}" 65 | } 66 | 67 | # ACM Certificate generation 68 | 69 | resource "aws_acm_certificate" "cert" { 70 | provider = "aws.cloudfront" 71 | domain_name = "${var.fqdn}" 72 | validation_method = "DNS" 73 | } 74 | 75 | resource "aws_route53_record" "cert_validation" { 76 | provider = "aws.cloudfront" 77 | name = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}" 78 | type = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}" 79 | zone_id = "${data.aws_route53_zone.main.id}" 80 | records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"] 81 | ttl = 60 82 | } 83 | 84 | resource "aws_acm_certificate_validation" "cert" { 85 | provider = "aws.cloudfront" 86 | certificate_arn = "${aws_acm_certificate.cert.arn}" 87 | validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"] 88 | } 89 | 90 | 91 | # Route 53 record for the static site 92 | 93 | data "aws_route53_zone" "main" { 94 | provider = "aws.main" 95 | name = "${var.fqdn}" 96 | private_zone = false 97 | } 98 | 99 | resource "aws_route53_record" "web" { 100 | provider = "aws.main" 101 | zone_id = "${data.aws_route53_zone.main.zone_id}" 102 | name = "${var.fqdn}" 103 | type = "A" 104 | 105 | alias { 106 | name = "${module.main.cf_domain_name}" 107 | zone_id = "${module.main.cf_hosted_zone_id}" 108 | evaluate_target_health = false 109 | } 110 | } 111 | 112 | # Outputs 113 | 114 | output "s3_bucket_id" { 115 | value = "${module.main.s3_bucket_id}" 116 | } 117 | 118 | output "s3_domain" { 119 | value = "${module.main.s3_website_endpoint}" 120 | } 121 | 122 | output "s3_hosted_zone_id" { 123 | value = "${module.main.s3_hosted_zone_id}" 124 | } 125 | 126 | output "cloudfront_domain" { 127 | value = "${module.main.cf_domain_name}" 128 | } 129 | 130 | output "cloudfront_hosted_zone_id" { 131 | value = "${module.main.cf_hosted_zone_id}" 132 | } 133 | 134 | output "cloudfront_distribution_id" { 135 | value = "${module.main.cf_distribution_id}" 136 | } 137 | 138 | output "route53_fqdn" { 139 | value = "${aws_route53_record.web.fqdn}" 140 | } 141 | 142 | output "acm_certificate_arn" { 143 | value = "${aws_acm_certificate_validation.cert.certificate_arn}" 144 | } 145 | ``` 146 | 147 | ## Upgrading to Terraform 0.12 148 | 149 | This module now supports Terraform 0.12. 150 | 151 | To upgrade to Terraform 0.12 using this module, do this: 152 | 153 | ```bash 154 | terraform init -upgrade 155 | terraform 0.12upgrade 156 | terraform plan 157 | terraform apply -auto-approve 158 | ``` 159 | -------------------------------------------------------------------------------- /cloudfront.tf: -------------------------------------------------------------------------------- 1 | # resource "aws_cloudfront_origin_access_identity" "main" { 2 | # provider = "aws.cloudfront" 3 | # comment = "cf-origin-${var.fqdn}" 4 | # } 5 | 6 | resource "aws_cloudfront_distribution" "main" { 7 | provider = aws.cloudfront 8 | http_version = "http2" 9 | 10 | origin { 11 | origin_id = "origin-${var.fqdn}" 12 | domain_name = aws_s3_bucket_website_configuration.main.website_endpoint 13 | 14 | # https://docs.aws.amazon.com/AmazonCloudFront/latest/ 15 | # DeveloperGuide/distribution-web-values-specify.html 16 | custom_origin_config { 17 | # "HTTP Only: CloudFront uses only HTTP to access the origin." 18 | # "Important: If your origin is an Amazon S3 bucket configured 19 | # as a website endpoint, you must choose this option. Amazon S3 20 | # doesn't support HTTPS connections for website endpoints." 21 | origin_protocol_policy = "http-only" 22 | 23 | http_port = "80" 24 | https_port = "443" 25 | 26 | # TODO: given the origin_protocol_policy set to `http-only`, 27 | # not sure what this does... 28 | # "If the origin is an Amazon S3 bucket, CloudFront always uses TLSv1.2." 29 | origin_ssl_protocols = ["TLSv1.2"] 30 | } 31 | 32 | # s3_origin_config is not compatible with S3 website hosting, if this 33 | # is used, /news/index.html will not resolve as /news/. 34 | # https://www.reddit.com/r/aws/comments/6o8f89/can_you_force_cloudfront_only_access_while_using/ 35 | # s3_origin_config { 36 | # origin_access_identity = "${aws_cloudfront_origin_access_identity.main.cloudfront_access_identity_path}" 37 | # } 38 | # Instead, we use a secret to authenticate CF requests to S3 policy. 39 | # Not the best, but... 40 | custom_header { 41 | name = "User-Agent" 42 | value = var.refer_secret 43 | } 44 | } 45 | 46 | enabled = true 47 | 48 | aliases = [var.fqdn] 49 | 50 | price_class = "PriceClass_100" 51 | 52 | default_cache_behavior { 53 | target_origin_id = "origin-${var.fqdn}" 54 | allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] 55 | cached_methods = ["GET", "HEAD"] 56 | compress = true 57 | 58 | forwarded_values { 59 | query_string = false 60 | 61 | cookies { 62 | forward = "none" 63 | } 64 | } 65 | 66 | viewer_protocol_policy = "allow-all" 67 | min_ttl = 0 68 | default_ttl = 300 69 | max_ttl = 1200 70 | } 71 | 72 | restrictions { 73 | geo_restriction { 74 | restriction_type = "none" 75 | } 76 | } 77 | 78 | viewer_certificate { 79 | acm_certificate_arn = var.ssl_certificate_arn 80 | ssl_support_method = "sni-only" 81 | minimum_protocol_version = "TLSv1" 82 | } 83 | 84 | web_acl_id = var.web_acl_id 85 | } 86 | 87 | -------------------------------------------------------------------------------- /data.tf: -------------------------------------------------------------------------------- 1 | data "aws_region" "main" { 2 | provider = aws.main 3 | } 4 | 5 | -------------------------------------------------------------------------------- /outputs.tf: -------------------------------------------------------------------------------- 1 | output "s3_bucket_id" { 2 | value = aws_s3_bucket.main.id 3 | } 4 | 5 | output "s3_website_endpoint" { 6 | # This doesn't work in terraform due to dependency issues: 7 | # https://github.com/terraform-providers/terraform-provider-aws/issues/1117 8 | # value = "${aws_s3_bucket.main.website_endpoint}" 9 | 10 | value = "${var.fqdn}.s3-website-${data.aws_region.main.name}.amazonaws.com" 11 | } 12 | 13 | output "s3_hosted_zone_id" { 14 | value = aws_s3_bucket.main.hosted_zone_id 15 | } 16 | 17 | output "cf_domain_name" { 18 | value = aws_cloudfront_distribution.main.domain_name 19 | } 20 | 21 | output "cf_hosted_zone_id" { 22 | value = aws_cloudfront_distribution.main.hosted_zone_id 23 | } 24 | 25 | output "cf_distribution_id" { 26 | value = aws_cloudfront_distribution.main.id 27 | } 28 | 29 | -------------------------------------------------------------------------------- /s3.tf: -------------------------------------------------------------------------------- 1 | resource "aws_s3_bucket_policy" "main" { 2 | bucket = aws_s3_bucket.main.id 3 | policy = data.aws_iam_policy_document.bucket_policy.json 4 | } 5 | 6 | resource "aws_s3_bucket_acl" "main" { 7 | bucket = aws_s3_bucket.main.id 8 | acl = "private" 9 | } 10 | 11 | 12 | resource "aws_s3_bucket_website_configuration" "main" { 13 | bucket = aws_s3_bucket.main.id 14 | 15 | redirect_all_requests_to { 16 | host_name = var.redirect_target 17 | } 18 | } 19 | 20 | 21 | resource "aws_s3_bucket" "main" { 22 | provider = aws.main 23 | bucket = var.fqdn 24 | 25 | force_destroy = var.force_destroy 26 | 27 | tags = merge( 28 | var.tags, 29 | { 30 | "Name" = var.fqdn 31 | }, 32 | ) 33 | } 34 | 35 | data "aws_iam_policy_document" "bucket_policy" { 36 | provider = aws.main 37 | 38 | statement { 39 | sid = "AllowCFOriginAccess" 40 | 41 | actions = [ 42 | "s3:GetObject", 43 | ] 44 | 45 | resources = [ 46 | "arn:aws:s3:::${var.fqdn}/*", 47 | ] 48 | 49 | condition { 50 | test = "StringEquals" 51 | variable = "aws:UserAgent" 52 | 53 | values = [ 54 | var.refer_secret, 55 | ] 56 | } 57 | 58 | principals { 59 | type = "*" 60 | identifiers = ["*"] 61 | } 62 | } 63 | } 64 | 65 | -------------------------------------------------------------------------------- /sample-site/.gitignore: -------------------------------------------------------------------------------- 1 | .terraform/ 2 | terraform.tfstate 3 | .terraform.tfstate.lock.info 4 | .terraform.lock.hcl 5 | -------------------------------------------------------------------------------- /sample-site/acm.tf: -------------------------------------------------------------------------------- 1 | # ACM Certificate generation 2 | resource "aws_acm_certificate" "cert" { 3 | provider = aws.cloudfront 4 | domain_name = var.fqdn 5 | validation_method = "DNS" 6 | } 7 | 8 | resource "aws_route53_record" "cert_validation" { 9 | for_each = { 10 | for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => { 11 | name = dvo.resource_record_name 12 | record = dvo.resource_record_value 13 | type = dvo.resource_record_type 14 | } 15 | } 16 | 17 | allow_overwrite = true 18 | name = each.value.name 19 | records = [each.value.record] 20 | ttl = 60 21 | type = each.value.type 22 | zone_id = data.aws_route53_zone.main.zone_id 23 | } 24 | 25 | resource "aws_acm_certificate_validation" "cert" { 26 | provider = aws.cloudfront 27 | certificate_arn = aws_acm_certificate.cert.arn 28 | validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn] 29 | } 30 | 31 | # Route 53 record for the static site 32 | 33 | data "aws_route53_zone" "main" { 34 | provider = aws.main 35 | name = "kamehameha2.site" 36 | private_zone = false 37 | } 38 | 39 | resource "aws_route53_record" "web" { 40 | provider = aws.main 41 | zone_id = data.aws_route53_zone.main.zone_id 42 | name = var.fqdn 43 | type = "A" 44 | 45 | alias { 46 | name = module.main.cf_domain_name 47 | zone_id = module.main.cf_hosted_zone_id 48 | evaluate_target_health = false 49 | } 50 | } 51 | 52 | -------------------------------------------------------------------------------- /sample-site/main.tf: -------------------------------------------------------------------------------- 1 | module "main" { 2 | source = "../" 3 | 4 | fqdn = var.fqdn 5 | ssl_certificate_arn = aws_acm_certificate_validation.cert.certificate_arn 6 | redirect_target = var.redirect_target 7 | 8 | providers = { 9 | aws.cloudfront = aws.cloudfront 10 | aws.main = aws.main 11 | } 12 | 13 | } 14 | 15 | -------------------------------------------------------------------------------- /sample-site/outputs.tf: -------------------------------------------------------------------------------- 1 | output "s3_domain" { 2 | value = module.main.s3_website_endpoint 3 | } 4 | 5 | output "cloudfront_domain" { 6 | value = module.main.cf_domain_name 7 | } 8 | 9 | output "cloudfront_hosted_zone_id" { 10 | value = module.main.cf_hosted_zone_id 11 | } 12 | 13 | output "cloudfront_distribution_id" { 14 | value = module.main.cf_distribution_id 15 | } 16 | 17 | output "route53_fqdn" { 18 | value = aws_route53_record.web.fqdn 19 | } 20 | 21 | output "acm_certificate_arn" { 22 | value = aws_acm_certificate_validation.cert.certificate_arn 23 | } 24 | 25 | -------------------------------------------------------------------------------- /sample-site/providers.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | alias = "main" 3 | region = "us-east-1" 4 | } 5 | 6 | provider "aws" { 7 | alias = "cloudfront" 8 | region = "us-east-1" 9 | } 10 | 11 | -------------------------------------------------------------------------------- /sample-site/tf.tfvars: -------------------------------------------------------------------------------- 1 | #fqdn = "mysite2.kamehameha.site" 2 | -------------------------------------------------------------------------------- /sample-site/vars.tf: -------------------------------------------------------------------------------- 1 | variable "fqdn" { 2 | default = "mysite2.kamehameha.site" 3 | } 4 | 5 | variable "redirect_target" { 6 | default = "google.com" 7 | } 8 | -------------------------------------------------------------------------------- /sample-site/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.0" 3 | } 4 | -------------------------------------------------------------------------------- /variables.tf: -------------------------------------------------------------------------------- 1 | variable "fqdn" { 2 | type = string 3 | description = "The FQDN of the website and also name of the S3 bucket" 4 | } 5 | 6 | variable "redirect_target" { 7 | type = string 8 | description = "The FQDN to redirect to" 9 | } 10 | 11 | variable "force_destroy" { 12 | type = string 13 | description = "The force_destroy argument of the S3 bucket" 14 | default = "false" 15 | } 16 | 17 | variable "ssl_certificate_arn" { 18 | type = string 19 | description = "ARN of the certificate covering var.fqdn" 20 | } 21 | 22 | variable "web_acl_id" { 23 | type = string 24 | description = "WAF Web ACL ID to attach to the CloudFront distribution, optional" 25 | default = "" 26 | } 27 | 28 | variable "refer_secret" { 29 | type = string 30 | description = "A secret string to authenticate CF requests to S3" 31 | default = "345-VERY-SECRET-678" 32 | } 33 | 34 | variable "tags" { 35 | type = map(string) 36 | description = "Tags" 37 | default = {} 38 | } 39 | 40 | -------------------------------------------------------------------------------- /versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = "~> 4.0" 7 | configuration_aliases = [aws.main, aws.cloudfront] 8 | } 9 | } 10 | } 11 | --------------------------------------------------------------------------------