AWS S3 Static Website

This Terraform module provides the required infrastructure to host a static website on S3.

Usage

Check versions for this module on:

• Github Releases: https://github.com/cn-terraform/terraform-aws-s3-static-website/releases
• Terraform Module Registry: https://registry.terraform.io/modules/cn-terraform/s3-static-website/aws

Install pre commit hooks.

Run this command right after cloning the repository.

    pre-commit install

For that you may need to install the following tools:

• Pre-commit
• Terraform Docs
• tfsec

In order to run all checks at any point run the following command:

    pre-commit run --all-files

Requirements

Name	Version
terraform	>= 0.13
aws	>= 4.0

Providers

Name	Version
aws.acm_provider	4.15.1
aws.main	4.15.1

Modules

Name	Source	Version
s3_logs_bucket	cn-terraform/logs-s3-bucket/aws	1.0.5

Resources

Name	Type
aws_acm_certificate.cert	resource
aws_acm_certificate_validation.cert_validation	resource
aws_cloudfront_distribution.website	resource
aws_cloudfront_origin_access_identity.cf_oai	resource
aws_route53_record.acm_certificate_validation_records	resource
aws_route53_record.website_cloudfront_record	resource
aws_route53_record.www_website_record	resource
aws_route53_zone.hosted_zone	resource
aws_s3_bucket.website	resource
aws_s3_bucket_acl.website	resource
aws_s3_bucket_cors_configuration.website	resource
aws_s3_bucket_logging.website	resource
aws_s3_bucket_policy.website	resource
aws_s3_bucket_public_access_block.website_bucket_public_access_block	resource
aws_s3_bucket_server_side_encryption_configuration.website_bucket_website_server_side_encryption_configuration	resource
aws_s3_bucket_versioning.website	resource

Inputs

Name	Description	Type	Default	Required
acm_certificate_arn_to_use	ACM Certificate ARN to use in case you disable automatic certificate creation. Certificate must be in us-east-1 region.	string	""	no
aws_accounts_with_read_view_log_bucket	List of AWS accounts with read permissions to log bucket	list(string)	[]	no
cloudfront_additional_origins	(Optional) List of origin configurations in addiiton to the bucket that hosts the static web site. No support yet for origin shield.	list(object)	[]	no
cloudfront_allowed_cached_methods	(Optional) Specifies which methods are allowed and cached by CloudFront. Can be GET, PUT, POST, DELETE or HEAD. Defaults to GET and HEAD	list(string)	[ "GET", "HEAD" ]	no
cloudfront_custom_error_responses	A list of custom error responses	list(object({ error_caching_min_ttl = number error_code = number response_code = number response_page_path = string }))	[]	no
cloudfront_default_root_object	(Optional) - The object that you want CloudFront to return (for example, index.html) when an end user requests the root URL. Defaults to index.html	string	"index.html"	no
cloudfront_enable_compression	(Optional, Default:false) Enable compression with Gzip or Brotli for requests with a valid Accept-Encoding header	bool	false	no
cloudfront_function_association	(Optional - up to 2 per distribution) List containing information to associate a CF function to cloudfront. The first field is event_type of the CF function associated with default cache behavior, it can be viewer-request or viewer-response	list(object({ event_type = string function_arn = string }))	[]	no
cloudfront_geo_restriction_locations	(Optional) - The ISO 3166-1-alpha-2 codes for which you want CloudFront either to distribute your content (whitelist) or not distribute your content (blacklist). Defaults to []	list(string)	[]	no
cloudfront_geo_restriction_type	The method that you want to use to restrict distribution of your content by country: none, whitelist, or blacklist. Defaults to none	string	"none"	no
cloudfront_http_version	(Optional) - The maximum HTTP version to support on the distribution. Allowed values are http1.1 and http2. The default is http2.	string	"http2"	no
cloudfront_ordered_cache_behaviors	(Optional) - List of ordered cache behavior configurations. No support yet for function associations or trusted key groups.	list(object)	[]	no
cloudfront_price_class	(Optional) - The price class for this distribution. One of PriceClass_All, PriceClass_200, PriceClass_100. Defaults to PriceClass_100	string	"PriceClass_100"	no
cloudfront_viewer_protocol_policy	Use this element to specify the protocol that users can use to access the files in the origin specified by TargetOriginId when a request matches the path pattern in PathPattern. One of allow-all, https-only, or redirect-to-https. Defautls to redirect-to-https	string	"redirect-to-https"	no
cloudfront_web_acl_id	(Optional) A unique identifier that specifies the AWS WAF web ACL, if any, to associate with this distribution.	string	null	no
cloudfront_website_retain_on_delete	(Optional) - Disables the distribution instead of deleting it when destroying the resource through Terraform. If this is set, the distribution needs to be deleted manually afterwards. Defaults to false.	bool	false	no
cloudfront_website_wait_for_deployment	(Optional) - If enabled, the resource will wait for the distribution status to change from InProgress to Deployed. Setting this tofalse will skip the process. Defaults to true.	bool	true	no
comment_for_cloudfront_website	Comment for the Website CloudFront Distribution	string	""	no
create_acm_certificate	Enable or disable automatic ACM certificate creation. If set to false, the variable acm_certificate_arn_to_use is required. Defaults to true	bool	true	no
create_route53_hosted_zone	Enable or disable Route 53 hosted zone creation. If set to false, the variable route53_hosted_zone_id is required. Defaults to true	bool	true	no
create_route53_website_records	Enable or disable creation of Route 53 records in the hosted zone. Defaults to true	bool	true	no
is_ipv6_enabled	(Optional) - Whether the IPv6 is enabled for the distribution. Defaults to true	bool	true	no
log_bucket_force_destroy	(Optional, Default:false) A boolean that indicates all objects (including any locked objects) should be deleted from the log bucket so that the bucket can be destroyed without error. These objects are not recoverable.	bool	false	no
log_bucket_versioning_mfa_delete	(Optional) Specifies whether MFA delete is enabled in the bucket versioning configuration. Valid values: Enabled or Disabled. Defaults to Disabled	string	"Disabled"	no
log_bucket_versioning_status	(Optional) The versioning state of the bucket. Valid values: Enabled or Suspended. Defaults to Enabled	string	"Enabled"	no
name_prefix	Name prefix for resources on AWS	any	n/a	yes
route53_hosted_zone_id	The Route 53 hosted zone ID to use if create_route53_hosted_zone is false	string	""	no
tags	Resource tags	map(string)	{}	no
website_bucket_acl	(Optional) The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, and log-delivery-write. Defaults to private.	string	"private"	no
website_bucket_force_destroy	(Optional, Default:false) A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable.	bool	false	no
website_cors_additional_allowed_origins	(Optional) Specifies which origins are allowed besides the domain name specified	list(string)	[]	no
website_cors_allowed_headers	(Optional) Specifies which headers are allowed. Defaults to Authorization and Content-Length	list(string)	[ "Authorization", "Content-Length" ]	no
website_cors_allowed_methods	(Optional) Specifies which methods are allowed. Can be GET, PUT, POST, DELETE or HEAD. Defaults to GET and POST	list(string)	[ "GET", "POST" ]	no
website_cors_expose_headers	(Optional) Specifies expose header in the response.	list(string)	[]	no
website_cors_max_age_seconds	(Optional) Specifies time in seconds that browser can cache the response for a preflight request. Defaults to 3600	number	3600	no
website_domain_name	The domain name to use for the website	string	n/a	yes
website_error_document	(Optional) An absolute path to the document to return in case of a 4XX error. Defaults to 404.html	string	"404.html"	no
website_index_document	Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders. Defaults to index.html	string	"index.html"	no
website_server_side_encryption_configuration	(Optional) Map containing server-side encryption configuration for the website bucket. Defaults to no encryption. See examples/complete/main.tf for configuration example.	any	{}	no
website_versioning_mfa_delete	(Optional) Specifies whether MFA delete is enabled in the bucket versioning configuration. Valid values: Enabled or Disabled. Defaults to Disabled	string	"Disabled"	no
website_versioning_status	(Optional) The versioning state of the bucket. Valid values: Enabled or Suspended. Defaults to Enabled	string	"Enabled"	no
www_website_bucket_acl	(Optional) The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, and log-delivery-write. Defaults to private.	string	"private"	no
www_website_bucket_force_destroy	(Optional, Default:false) A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable.	bool	false	no
www_website_redirect_enabled	(Optional) Whether to redirect www subdomain. Defaults to true.	bool	true	no
www_website_versioning_enabled	(Optional) Enable versioning. Once you version-enable a bucket, it can never return to an unversioned state. You can, however, suspend versioning on that bucket. Defaults to true	bool	true	no
www_website_versioning_mfa_delete	(Optional) Enable MFA delete for either change the versioning state of your bucket or permanently delete an object version. Default is false. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS.	bool	false	no

Outputs

Name	Description
acm_certificate_arn	The ARN of the certificate
acm_certificate_domain_name	The domain name for which the certificate is issued
acm_certificate_domain_validation_options	Set of domain validation objects which can be used to complete certificate validation. Can have more than one element, e.g. if SANs are defined.
acm_certificate_id	The ARN of the certificate
acm_certificate_status	Status of the certificate.
acm_certificate_tags_all	A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
cert_validation_certificate_arn	The ARN of the certificate that is being validated.
cert_validation_id	The time at which the certificate was issued
cert_validation_validation_record_fqdns	List of FQDNs that implement the validation.
cloudfront_website_arn	The ARN (Amazon Resource Name) for the distribution. For example: arn:aws:cloudfront::123456789012:distribution/EDFDVBD632BHDS5, where 123456789012 is your AWS account ID.
cloudfront_website_caller_reference	Internal value used by CloudFront to allow future updates to the distribution configuration.
cloudfront_website_domain_name	The domain name corresponding to the distribution. For example: d604721fxaaqy9.cloudfront.net.
cloudfront_website_etag	The current version of the distribution's information. For example: E2QWRUHAPOMQZL.
cloudfront_website_hosted_zone_id	The CloudFront Route 53 zone ID that can be used to route an Alias Resource Record Set to. This attribute is simply an alias for the zone ID Z2FDTNDATAQYW2.
cloudfront_website_id	The identifier for the distribution. For example: EDFDVBD632BHDS5.
cloudfront_website_in_progress_validation_batches	The number of invalidation batches currently in progress.
cloudfront_website_last_modified_time	The date and time the distribution was last modified.
cloudfront_website_status	The current status of the distribution. Deployed if the distribution's information is fully propagated throughout the Amazon CloudFront system.
cloudfront_website_tags_all	A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
cloudfront_website_trusted_key_groups	List of nested attributes for active trusted key groups, if the distribution is set up to serve private content with signed URLs
cloudfront_website_trusted_signers	List of nested attributes for active trusted signers, if the distribution is set up to serve private content with signed URLs
hosted_zone_id	The Hosted Zone ID. This can be referenced by zone records.
hosted_zone_name_servers	A list of name servers in the associated (or default) delegation set. Find more about delegation sets in AWS docs.
hosted_zone_tags_all	A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
route_53_record_website_fqdn	FQDN built using the zone domain and name.
route_53_record_website_name	The name of the record.
route_53_record_www_website_fqdn	FQDN built using the zone domain and name.
route_53_record_www_website_name	The name of the record.
website_bucket_arn	The ARN of the bucket. Will be of format arn:aws:s3:::bucketname.
website_bucket_domain_name	The bucket domain name. Will be of format bucketname.s3.amazonaws.com.
website_bucket_hosted_zone_id	The Route 53 Hosted Zone ID for this bucket's region.
website_bucket_id	The name of the bucket.
website_bucket_region	The AWS region this bucket resides in.
website_bucket_regional_domain_name	The bucket region-specific domain name. The bucket domain name including the region name, please refer to https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoints when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL.
website_bucket_tags_all	A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
website_logs_bucket_id	The name of the bucket which holds the access logs