This module provisions the infrastructure required for a static website hosted on AWS S3 and CloudFront, and optionally synchronises the website content with a local directory.

- S3 bucket to store website content.
- CloudFront distribution to serve the website from edge locations at low cost and high performance.
- Route 53 A records so the website can use a custom domain.
- Security first: the S3 bucket is private, and a bucket policy grants read access only to CloudFront (through an origin access identity).
- Uses the `aws s3 sync` command to upload website content to the S3 bucket.

The module requires:

- A domain name.
- A Route 53 hosted zone that is the DNS provider for the domain (see Making Amazon Route 53 the DNS service for an existing domain). Note: the hosted zone only needs to manage the DNS service; domain registration does not need to be migrated.
- A second AWS provider configured in us-east-1, because CloudFront and the SSL certificates it uses are only available in us-east-1.

For synchronisation of the website content with a local directory, the following is required:

- AWS CLI installed locally (see the installation instructions).
- A named profile configured with the `aws configure --profile NAME` command. This profile is used for the `aws s3 sync` command, which is executed locally. Profiles are preferred over keys and secrets.
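As an added example (not the module's own code) of how the named profile from the steps above reaches a local `aws s3 sync` run from Terraform: the variable and resource names below mirror the ones the module lists (`profile`, `sync_directories`, `archive_file.website_content_zip`, `null_resource.sync_remote_website_content`, `aws_s3_bucket.website_files`, which is assumed to exist elsewhere in the configuration), but the bodies and the `--delete` flag are assumptions.

```hcl
# Added example, not the module's own implementation.
variable "profile" {
  description = "Named AWS CLI profile used by the local aws s3 sync command"
  type        = string
}

variable "sync_directories" {
  description = "Local directories to sync into the bucket"
  type = list(object({
    local_source_directory = string
    s3_target_directory    = string
  }))
  default = []
}

# Zip the directory purely to get a content hash, so the sync only re-runs
# when the files actually change rather than on every apply.
data "archive_file" "website_content_zip" {
  for_each    = { for d in var.sync_directories : d.local_source_directory => d }
  type        = "zip"
  source_dir  = each.value.local_source_directory
  output_path = "${path.module}/${md5(each.key)}.zip"
}

resource "null_resource" "sync_remote_website_content" {
  for_each = { for d in var.sync_directories : d.local_source_directory => d }

  triggers = {
    content_hash = data.archive_file.website_content_zip[each.key].output_sha
  }

  provisioner "local-exec" {
    # --profile: credentials come from the named CLI profile, never from values
    #            embedded in the configuration or state.
    # --delete:  objects removed locally are removed from the bucket too, so a
    #            withdrawn file is not left being served from the edge.
    command = "aws s3 sync ${each.value.local_source_directory} s3://${aws_s3_bucket.website_files.id}/${each.value.s3_target_directory} --delete --profile ${var.profile}"
  }
}
```

Because the command runs on the machine executing `terraform apply`, the profile named here must exist in that machine's `~/.aws/config`; the AWS provider's own `profile` setting is separate and is not consulted by the CLI.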
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.10.0"
    }
  }
}

# Default provider for resource creation
provider "aws" {
  region  = ""
  profile = ""
}

# Provider required in us-east-1 for CloudFront and the SSL (ACM) certificate
provider "aws" {
  alias   = "useast1"
  region  = "us-east-1"
  profile = ""
}

module "website" {
  source         = "XXX"
  resource_uid   = "DevOpsNavy"
  domain_name    = "XXX"
  hosted_zone_id = "XXX"
  profile        = "XXX"
  sync_directories = [{
    local_source_directory = "./website_content"
    s3_target_directory    = ""
  }]
  providers = {
    aws.useast1 = aws.useast1
  }
}
```
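The "security first" claim above rests on the bucket being private and CloudFront reaching it through an origin access identity. The following is an added example of that pattern, not the module's own code: the resource names match the module's resource list, the `aws_s3_bucket_public_access_block` is an addition the module does not list, and every attribute value is an assumption.

```hcl
# Added example of the private-bucket / OAI pattern, not the module's implementation.
variable "resource_uid" { type = string }
variable "domain_name"  { type = string }

resource "aws_s3_bucket" "website_files" {
  bucket = "${lower(var.resource_uid)}-website-files"
}

# Reject any public ACL or public bucket policy, even one added by mistake later.
resource "aws_s3_bucket_public_access_block" "website_files" {
  bucket                  = aws_s3_bucket.website_files.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_cloudfront_origin_access_identity" "cloudfront_oai" {
  comment = "OAI for ${var.domain_name}"
}

# Least privilege: read-only, on objects in this bucket only, for this OAI only.
data "aws_iam_policy_document" "s3_bucket_access_policy" {
  statement {
    sid       = "AllowCloudFrontOAIReadOnly"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.website_files.arn}/*"]

    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.cloudfront_oai.iam_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "website_files" {
  bucket = aws_s3_bucket.website_files.id
  policy = data.aws_iam_policy_document.s3_bucket_access_policy.json
}

# The distribution uses the bucket's regional endpoint with the OAI attached,
# not the S3 static-website endpoint (which would require a public bucket).
resource "aws_cloudfront_distribution" "s3_distribution" {
  enabled             = true
  default_root_object = "index.html"

  origin {
    domain_name = aws_s3_bucket.website_files.bucket_regional_domain_name
    origin_id   = "s3-${aws_s3_bucket.website_files.id}"

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.cloudfront_oai.cloudfront_access_identity_path
    }
  }

  default_cache_behavior {
    target_origin_id       = "s3-${aws_s3_bucket.website_files.id}"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # Placeholder: the module instead attaches the ACM certificate it issues in us-east-1.
  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

A quick check after apply is to request an object directly from the bucket's regional endpoint: it should return 403, while the same path through the distribution's domain name returns the file. Newer AWS provider versions also offer origin access control as the successor to the origin access identity; the bucket-policy shape is the same, only the principal changes.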
Requirements

| Name | Version |
|---|---|
| aws | 4.10.0 |

Providers

| Name | Version |
|---|---|
| aws | 4.10.0 |
| aws.useast1 | 4.10.0 |

Modules

No modules.
Resources

| Name | Type |
|---|---|
| aws_acm_certificate.ssl_certificate | resource |
| aws_acm_certificate_validation.ssl_certificate_validation | resource |
| aws_cloudfront_distribution.s3_distribution | resource |
| aws_cloudfront_origin_access_identity.cloudfront_oai | resource |
| aws_route53_record.cert_validation | resource |
| aws_route53_record.root-a | resource |
| aws_route53_record.www-a | resource |
| aws_s3_bucket.website_files | resource |
| aws_s3_bucket_acl.website_files | resource |
| aws_s3_bucket_policy.website_files | resource |
| aws_s3_bucket_versioning.website_files | resource |
| null_resource.sync_remote_website_content | resource |
| archive_file.website_content_zip | data source |
| aws_caller_identity.current | data source |
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| Application | Environment to tag all resources created by this module | string | "S3 Static Website" | no |
| Environment | Environment to tag all resources created by this module | string | "Automation" | no |
| bucket_versioning | Enable bucket versioning | bool | false | no |
| cloudfront_geo_restriction_locations | The ISO 3166-1-alpha-2 codes for which you want CloudFront either to distribute your content (whitelist) or not distribute your content (blacklist). | list(string) | [] | no |
| cloudfront_geo_restriction_type | The method that you want to use to restrict distribution of your content by country: none, whitelist, or blacklist. | string | "none" | no |
| cloudfront_minimum_protocol_version | The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections. | string | "TLSv1.1_2016" | no |
| cloudfront_price_class | The price class for this distribution. One of PriceClass_All, PriceClass_200, PriceClass_100 | string | "PriceClass_200" | no |
| cloudfront_ssl_support_method | Specifies how you want CloudFront to serve HTTPS requests. One of vip or sni-only. | string | "sni-only" | no |
| default_cache_allowed_methods | Controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or your custom origin. | list(string) | [ | no |
| default_cache_default_ttl | The default amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request in the absence of a Cache-Control max-age or Expires header. | number | 3600 | no |
| default_cache_forward_query_string | Indicates whether you want CloudFront to forward query strings to the origin that is associated with this cache behavior. | bool | false | no |
| default_cache_max_ttl | The maximum amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated. Only effective in the presence of Cache-Control max-age, Cache-Control s-maxage, and Expires headers. | number | 86400 | no |
| default_cache_methods | Controls whether CloudFront caches the response to requests using the specified HTTP methods. | list(string) | [ | no |
| default_cache_min_ttl | The minimum amount of time (in seconds) that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated. | number | 0 | no |
| default_cache_viewer_protocol_policy | Use this element to specify the protocol that users can use to access the files in the origin specified by TargetOriginId when a request matches the path pattern in PathPattern. One of allow-all, https-only, or redirect-to-https. | string | "redirect-to-https" | no |
| default_root_object | The object that you want CloudFront to return (for example, index.html) when an end user requests the root URL. | string | "index.html" | no |
| domain_name | The domain name for the website. | string | n/a | yes |
| enable_cloudfront_distribution | Whether the distribution is enabled to accept end user requests for content. | bool | true | no |
| hosted_zone_id | The Hosted Zone ID. This is automatically generated and can be referenced by zone records. | string | n/a | yes |
| profile | Credentials profile to use for the aws s3 sync command | string | n/a | yes |
| resource_uid | UID which will be prepended to resources created by this module | string | n/a | yes |
| sync_directories | Directories to sync with S3 | list(object({ | [] | no |
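Several of the defaults above are the permissive choice (TLS 1.1 as the minimum protocol, no geo restriction, versioning off). As an added example that is not part of the module's README, here is a module call that overrides them with tighter values; the `source`, `domain_name` and `hosted_zone_id` values are placeholders and the profile name is made up.

```hcl
# Added example: the module's inputs with hardened values. Not from the README.
module "website" {
  source         = "XXX"              # placeholder, as in the usage example
  resource_uid   = "DevOpsNavy"
  domain_name    = "example.com"      # placeholder domain
  hosted_zone_id = "ZXXXXXXXXXXXXX"   # placeholder hosted zone ID
  profile        = "website-deploy"   # assumed local CLI profile name

  # Default is "TLSv1.1_2016"; TLS 1.2 with the 2021 cipher policy drops
  # TLS 1.0/1.1 clients and the weaker cipher suites.
  cloudfront_minimum_protocol_version = "TLSv1.2_2021"
  cloudfront_ssl_support_method       = "sni-only"

  # Browsers arriving on http:// are sent to https://; nothing is served in clear.
  default_cache_viewer_protocol_policy = "redirect-to-https"

  # A static site only needs read methods to reach the origin.
  default_cache_allowed_methods      = ["GET", "HEAD"]
  default_cache_methods              = ["GET", "HEAD"]
  default_cache_forward_query_string = false

  # Keep object history so an overwritten or deleted page can be restored.
  bucket_versioning = true

  # Optional: only serve the countries the site is intended for.
  cloudfront_geo_restriction_type      = "whitelist"
  cloudfront_geo_restriction_locations = ["GB", "IE"]

  sync_directories = [{
    local_source_directory = "./website_content"
    s3_target_directory    = ""
  }]

  providers = {
    aws.useast1 = aws.useast1
  }
}
```

The geo whitelist is the one setting here that changes who can reach the site at all, so leave it at the default `"none"` unless the audience really is limited to the listed countries.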
Outputs

| Name | Description |
|---|---|
| acm_certificate_arn | The ARN of the certificate. |
| acm_certificate_domain_name | The domain name for which the certificate is issued. |
| acm_certificate_status | Status of the certificate. |
| acm_certificate_validation_id | The time at which the certificate was issued. |
| cloudfront_distribution_arn | The ARN (Amazon Resource Name) for the distribution. For example: arn:aws:cloudfront::123456789012:distribution/EDFDVBD632BHDS5, where 123456789012 is your AWS account ID. |
| cloudfront_distribution_caller_reference | Internal value used by CloudFront to allow future updates to the distribution configuration. |
| cloudfront_distribution_domain_name | The domain name corresponding to the distribution. For example: d604721fxaaqy9.cloudfront.net. |
| cloudfront_distribution_etag | The current version of the distribution's information. For example: E2QWRUHAPOMQZL. |
| cloudfront_distribution_hosted_zone_id | The CloudFront Route 53 zone ID that can be used to route an Alias Resource Record Set to. This attribute is simply an alias for the zone ID Z2FDTNDATAQYW2. |
| cloudfront_distribution_id | The identifier for the distribution. For example: EDFDVBD632BHDS5. |
| cloudfront_distribution_in_progress_validation_batches | The number of invalidation batches currently in progress. |
| cloudfront_distribution_last_modified_time | The date and time the distribution was last modified. |
| cloudfront_distribution_status | The current status of the distribution. Deployed if the distribution's information is fully propagated throughout the Amazon CloudFront system. |
| cloudfront_distribution_tags_all | A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block. |
| cloudfront_distribution_trusted_key_groups | List of nested attributes for active trusted key groups, if the distribution is set up to serve private content with signed URLs. |
| cloudfront_distribution_trusted_signers | List of nested attributes for active trusted signers, if the distribution is set up to serve private content with signed URLs. |
| cloudfront_origin_access_identity_caller_reference | Internal value used by CloudFront to allow future updates to the origin access identity. |
| cloudfront_origin_access_identity_cloudfront_access_identity_path | A shortcut to the full path for the origin access identity to use in CloudFront. |
| cloudfront_origin_access_identity_etag | The current version of the origin access identity's information. For example: E2QWRUHAPOMQZL. |
| cloudfront_origin_access_identity_iam_arn | A pre-generated ARN for use in S3 bucket policies. Example: arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2QWRUHAPOMQZL. |
| cloudfront_origin_access_identity_id | The identifier for the distribution. For example: EDFDVBD632BHDS5. |
| cloudfront_origin_access_identity_s3_canonical_user_id | The Amazon S3 canonical user ID for the origin access identity, which you use when giving the origin access identity read permission to an object in Amazon S3. |
| route53_acm_certificate_validation_records | Route 53 validation records for the ACM certificate. |
| route53_root_a_record_name | The name of the root A record. |
| route53_root_www_record_name | The name of the www A record. |
| s3_bucket_access_policy | Bucket policy to allow CloudFront to access the S3 bucket. |
| s3_bucket_access_policy_json | JSON bucket policy to allow CloudFront to access the S3 bucket. |
| s3_bucket_acl | The ACL of the bucket. |
| s3_bucket_arn | The ARN of the bucket. Will be of format arn:aws:s3:::bucketname. |
| s3_bucket_id | The name of the bucket. |
| s3_bucket_region | The AWS region this bucket resides in. |
| s3_bucket_versioning | The bucket versioning status. |
Bug Reports & Feature Requests

Please use the issue tracker to report any bugs or file feature requests.

Developing

If you are interested in being a contributor and want to get involved in developing this project or help out with our other projects, we would love to hear from you! Shoot us an [email](mailto:Admin@devopsnavy.co.uk).

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

- Fork the repo on GitHub
- Clone the project to your own machine
- Commit changes to your own branch
- Push your work back up to your fork
- Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

To dos are documented in the project associated with this repo.
Contributors

| Name | Role |
|---|---|
| Faizan Raza | Lead Developer |
| Vic Hassan | Developer |

Terraform Docs was used to generate the documentation.