Skip to content
/ aws-tf-s3-website Public

AWS Terraform module to setup infrastructure for a website hosted on S3.

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kohirens/aws-tf-s3-website

BranchesTags

Repository files navigation

AWS Website

Terraform module composition to deploy infrastructure for hosing a website in AWS.

Status

CircleCI

Resource Details

The following resources will be made.

  • ACM Certificate - A certificate to allow CloudFront to serve the website over HTTPS.
  • CloudFront distribution - To allow caching content to reduce latency, multiple origins, and encryption in transit via HTTPS.
  • S3 bucket - Serve as cloud storage for static content and assets for generating dynamic content.
  • Lambda function - Using a Lambda function URL feature will allow it to be used as a CloudFront origin (backend) to serve dynamic content, with access to the S3 bucket to use as long-term storage.
  • IAM inline S3 policy - Granting CloudFront direct access.
  • IAM Role and Policy - Attached to the Lambda execution role, giving access to write to a CloudWatch log group and put/get objects from the S3 bucket.
  • Route 53 hosted zone - Optionally deploy the zone for the website.
  • Route 53 alias record - Directs traffic to the CloudFront distribution.

Resource Dependency Order

  1. S3 bucket inline policy depends on the Lambda function.
  2. Cloudfront Distribution depends on the Lambda function as an origin.
  3. Lambda function policy depends on CloudFront distribution ID.

IAM Policy Details

This statement allows access from CloudFront only. You can block all public access with this since the policy is a non-public policy.

There a several IAM policies in play. We'll try to clarify what each does.

Bucket Inline Policy

The policy-bucket.json is a non-public policy, so that all public access is blocked. Furthermore, it is locked down to the Lambda service principal and only Lambda functions listed as resources can get objects.

Lambda Inline Policy

The policy-lambda.json only allows the CloudFront service principal access to the function. The distribution sit in front of this function and expects an HTTP response to serve over HTTPS.

Lambda Role Managed Policy

This role has a policy on it to allow the lambda function to write CloudWatch logs.

Requirements

No requirements.

Providers

Name Version
aws 5.26.0
aws.cloud_front 5.26.0

Modules

Name Source Version
lambda_origin git@github.com:kohirens/aws-tf-lambda-function//. 2.1.0

Resources

Name Type
aws_acm_certificate.web resource
aws_acm_certificate_validation.web resource
aws_cloudfront_cache_policy.web resource
aws_cloudfront_distribution.web resource
aws_cloudfront_function.web resource
aws_cloudfront_origin_access_control.web resource
aws_iam_role_policy.lambda_s3_policy resource
aws_route53_record.acm_validations resource
aws_route53_record.web resource
aws_route53_zone.web_hosted_zone resource
aws_s3_bucket.web resource
aws_s3_bucket_policy.web resource
aws_s3_bucket_public_access_block.web resource
aws_s3_bucket_versioning.web resource
aws_cloudfront_cache_policy.web data source
aws_cloudfront_origin_request_policy.web data source

Inputs

Name Description Type Default Required
acm_validation_method ACM validation method string "DNS" no
allowed_http_methods List of HTTP verbs allowed. list(string) 
[
  "GET",
  "HEAD"
]
 no
alt_domain_names A list of alternate domain names for the distribution and function. list(string) [] no
authorization_code A base64 encoded "user:pass" for the Authorization header shared between the CloudFront distribution and Lambda function. string "" no
aws_account AWS account ID. number n/a yes
aws_region AWS region string n/a yes
cert_key_algorithm Certificate key algorithm and level. string "EC_prime256v1" no
cf_acm_certificate_arn SSL certificate to use when viewing the site. Will avoid making a new ACM certificate when this is set. string null no
cf_additional_origins Additional origins to add to the distribution, please note that the key will be used for the origin_id. 
map(object({ # these properties are a mix of ordered_cache_behavior and origin arguments.
    domain_name              = string
    cache_policy_id          = string
    origin_request_policy_id = optional(string)
    path_pattern             = string
    query_string             = bool
    custom_origin_config = optional(object({
      http_port                = string
      https_port               = string
      origin_protocol_policy   = string
      origin_ssl_protocols     = list(string)
      origin_keepalive_timeout = optional(number)
      origin_read_timeout      = optional(number)
    }))
    s3_origin_config = optional(object({
      origin_access_identity = string
    }))
  }))
 {} no
cf_cache_cookie_behavior Determines whether any cookies in viewer requests are included in the origin request key and automatically included in requests that CloudFront sends to the origin. string "none" no
cf_cache_cookies A list of HTTP cookie names to include in the CloudFront cache key. list(string) null no
cf_cache_default_ttl Default cache life in seconds. number 3600 no
cf_cache_header_behavior Determines whether any HTTP headers are included in the origin request key and automatically included in requests that CloudFront sends to the origin. string "whitelist" no
cf_cache_headers A list of HTTP headers names to include in the CloudFront cache key. list(string) 
[
  "viewer-host"
]
 no
cf_cache_max_ttl Max cache life in seconds. number 86400 no
cf_cache_min_ttl Minimum cache life. string 0 no
cf_cache_policy Provide the name of an existing cache policy to use. Setting variables that build a cache policy are ignored. string null no
cf_cache_query_string_behavior Whether URL query strings in viewer requests are included in the cache key and automatically included in requests. string "none" no
cf_cache_query_strings Configuration parameter that contains a list of query string parameter names. Just the name of the parameter is needed in this list. list(string) null no
cf_cached_methods HTTP method verbs like GET and POST. list(string) 
[
  "GET",
  "HEAD"
]
 no
cf_compress HTTP method verbs like GET and POST. bool true no
cf_custom_headers Map of custom headers, where the key is the header name. map(string) {} no
cf_enabled Enable/Disable the distribution. bool true no
cf_http_version Maximum HTTP version to support on the distribution. Allowed values are http1.1, http2, http2and3 and http3. The default is http2. string "http2and3" no
cf_is_ipv6_enabled Enable IPv6. bool true no
cf_locations Enable/Disable the distribution. list(string) 
[
  "US"
]
 no
cf_minimum_protocol_version The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections.Can set to be one of [SSLv3 TLSv1 TLSv1_2016 TLSv1.1_2016 TLSv1.2_2018 TLSv1.2_2019 TLSv1.2_2021], see options here https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html string "TLSv1.2_2021" no
cf_origin_path_lambda Causes CloudFront to request your content from a directory in your default Lambda origin. string "" no
cf_origin_path_s3 Causes CloudFront to request your content from a directory in your S3 origin. string "" no
cf_origin_request_policy Provide the name of an origin request policy to use. string "Managed-AllViewerExceptHostHeader" no
cf_path_pattern Pattern (for example, images/*.jpg) that specifies which requests you want this cache behavior to apply to. string "/assets/*" no
cf_price_class Options are [PriceClass_All, PriceClass_200, PriceClass_100], see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PriceClass.html. string "PriceClass_100" no
cf_region The regions where CloudFront expects your ACM certificate. string "us-east-1" no
cf_restriction_type GEO location restrictions. string "whitelist" no
cf_retain_on_delete False to delete the distribution on destroy, and true to disable it. bool false no
cf_ssl_support_method Specifies how you want CloudFront to serve HTTPS requests. One of vip or sni-only. Required if you specify acm_certificate_arn or iam_certificate_id. NOTE: vip causes CloudFront to use a dedicated IP address and may incur extra charges. string "sni-only" no
cf_wait_for_deployment Wait for the CloudFront Distribution status to change from Inprogress to Deployed. bool true no
cloudfront_default_certificate When you want viewers to use HTTPS to request your objects and you're using the CloudFront domain name for your distribution. bool false no
domain_name The website domain name, for example: test.example.com. string n/a yes
error_page Error page for 4xx HTTP status errors. string "400.html" no
force_destroy Setting this to true will allow the bucket and it content to be deleted on teardown or any action that causes a Terraform replace. bool true no
hosted_zone_id Use an existing hosted zone to add an A record for the domain_name. When this is set, it will skip making a new hosted zone for the domain_name. string null no
iac_source Version control repository for where the module was configured and deployed from. string n/a yes
index_page Set the home page. string "index.html" no
lf_architecture Instruction set architecture for your Lambda function. Valid values are x86_64 or arm64. Mind the square brackets and quotes. string "arm64" no
lf_description Provide a description string null no
lf_environment_vars A map of environment variables. map(string) null no
lf_handler Function entrypoint in your code (name of the executable for binaries. string "bootstrap" no
lf_invoke_mode Determines how the Lambda function responds to an invocation. Valid values are BUFFERED and RESPONSE_STREAM. string "BUFFERED" no
lf_log_retention_in_days Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653, and 0. If you select 0 they never expire. number 14 no
lf_policy_path Path to a IAM policy for the Lambda function. string null no
lf_reserved_concurrent_executions Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits. string -1 no
lf_role_arn ARN for the function to assume, this will be used instad of making a new role. string null no
lf_runtime Identifier of the function's runtime. See https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime string "provided.al2" no
lf_source_file a file to zip up for your Lambda. Works well apps that build to a single binary. string null no
lf_source_zip Supply your own zip for he Lambda. string "bootstrap.zip" no
lf_url_alias n/a string null no
lf_url_authorization_type Valid values are NONE and AWS_IAM. string "NONE" no
lf_url_cors_allowed_headers HTTP headers allowed. list(string) 
[
  "date",
  "keep-alive"
]
 no
lf_url_cors_allowed_methods List of HTTP verbs allowed. list(string) 
[
  "GET",
  "POST"
]
 no
lf_url_cors_allowed_origins List of HTTP methods allowed. list(string) 
[
  "*"
]
 no
lf_url_cors_headers_to_expose List of HTTP headers to expose in te response. list(string) 
[
  "keep-alive",
  "date"
]
 no
lf_url_cors_max_age The maximum amount of time, in seconds, that web browsers can cache results of a preflight request. The maximum value is 86400. number 0 no
s3_enable_versioning Enable S3 versioning by setting to true, or disable with false. bool false no
viewer_protocol_policy to be one of [allow-all https-only redirect-to-https]. string "redirect-to-https" no

Outputs

Name Description
bucket_arn The ARN of the bucket.
bucket_domain_name The bucket domain name.
bucket_hosted_zone_id The Route 53 Hosted Zone ID for this bucket's region.
bucket_regional_domain_name The bucket region-specific domain name. The bucket domain name including the region name, please refer here for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoint when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL.
certificate_arn ACM certificate ARN
distribution_domain_name CloudFront distribution domain name
distribution_hosted_zone_id Hosted zone ID of the CloudFront distribution
distribution_id ID of the CloudFront distribution
distribution_status Status of the CloudFront distribution
dvo_list Domain validation list
fqdn The FQDN pointing to the CloudFront distribution
function_arn Amazon Resource Name (ARN) identifying the Lambda function.
function_iam_policy_arn Amazon Resource Name (ARN) identifying the policy that is attached to the Lambda IAM role.
function_iam_role_arn Amazon Resource Name (ARN) identifying the IAM assigned to the Lambda function.
function_iam_role_name Name of the IAM role used when the lambda is executed.
function_log_group_arn CloudWatch Log group assigned to the lambda function for receiving logs.
function_memory_size Amount of memory in MB the Lambda function can use at runtime.
function_url URL assigned to the Lambda function.
hosted_zone Name of the Route 53 zone containing the CloudFront Alias record
hosted_zone_id ID of the Route 53 zone containing the CloudFront Alias record
hosted_zone_ns Route 53 zone

About

AWS Terraform module to setup infrastructure for a website hosted on S3.

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases 10

2.1.0 - 2024-01-20 Latest
Jan 20, 2024
+ 9 releases

Packages

No packages published

Languages