A static website hosted in S3 and served through a CloudFront CDN, with a WAFv2 web ACL, KMS-encrypted buckets and access logging provisioned alongside it.
The following requirements are needed by this module:
The following providers are used by this module:
No modules.
The following resources are used by this module:
- aws_acm_certificate.this (resource)
- aws_cloudfront_distribution.this (resource)
- aws_cloudfront_function.language_redirect (resource)
- aws_cloudfront_function.subdomain_to_path (resource)
- aws_cloudfront_origin_access_identity.this (resource)
- aws_kms_alias.this (resource)
- aws_kms_key.this (resource)
- aws_s3_bucket.access_log (resource)
- aws_s3_bucket.this (resource)
- aws_s3_bucket_acl.this (resource)
- aws_s3_bucket_cors_configuration.this (resource)
- aws_s3_bucket_lifecycle_configuration.access_log (resource)
- aws_s3_bucket_lifecycle_configuration.this (resource)
- aws_s3_bucket_ownership_controls.access_log (resource)
- aws_s3_bucket_policy.this (resource)
- aws_s3_bucket_public_access_block.access_log (resource)
- aws_s3_bucket_public_access_block.this (resource)
- aws_s3_bucket_server_side_encryption_configuration.this (resource)
- aws_s3_bucket_versioning.this (resource)
- aws_s3_bucket_website_configuration.this (resource)
- aws_wafv2_ip_set.allowed_cidrs (resource)
- aws_wafv2_ip_set.blocked_cidrs (resource)
- aws_wafv2_web_acl.this (resource)
- random_password.this (resource)
- random_pet.access_log (resource)
- random_pet.this (resource)
- aws_availability_zones.available (data source)
- aws_caller_identity.current (data source)
- aws_cloudfront_cache_policy.additional (data source)
- aws_cloudfront_cache_policy.default (data source)
- aws_cloudfront_cache_policy.disabled (data source)
- aws_cloudfront_origin_request_policy.additional (data source)
- aws_cloudfront_origin_request_policy.default (data source)
- aws_cloudfront_response_headers_policy.additional (data source)
- aws_cloudfront_response_headers_policy.default (data source)
- aws_iam_policy_document.kms (data source)
- aws_iam_policy_document.this (data source)
- aws_region.current (data source)
The following input variables are required:
Description: Website configuration object (the `config` input). Only `domain_name` is mandatory; every other attribute falls back to the default shown in the type below. Note the security-relevant defaults: `force_ssl_in_transit` is `false` and `firewall.block_by_default` is `false`.
Type:
# Type of the `config` input. Only `domain_name` is required; all other
# attributes take the default shown.
# NOTE(review): the resource list shows the bucket is fronted by a legacy
# Origin Access Identity (aws_cloudfront_origin_access_identity.this); AWS now
# recommends Origin Access Control. Confirm aws_s3_bucket_policy.this limits
# s3:GetObject to that principal and that the S3 website endpoint created by
# aws_s3_bucket_website_configuration.this is not reachable without CloudFront.
object({
  domain_name = string
  path = optional(string)
  # Extra hostnames served by the same distribution; must be covered by the certificate.
  domain_alias = optional(set(string), [])
  index_document = optional(string, "index.html")
  error_document = optional(string, "error.html")
  # Status codes mapped to error_document. 403/404 are absent from the default;
  # presumably handled by the website configuration instead — confirm.
  error_document_code = optional(set(string), [400, 405, 414, 416, 500, 501, 502, 503, 504])
  # AWS managed policy adding HSTS, X-Content-Type-Options, X-Frame-Options etc.
  response_headers_policy = optional(string, "Managed-SecurityHeadersPolicy")
  # false by default: direct access to the bucket over plain HTTP is then not
  # refused (presumably adds an aws:SecureTransport deny when true — verify in
  # aws_iam_policy_document.this). Set true unless an HTTP-only client exists.
  force_ssl_in_transit = optional(bool, false)
  # Existing CMK to use; when unset the module creates aws_kms_key.this.
  kms_arn = optional(string)
  # Existing certificate; when unset aws_acm_certificate.this is created.
  acm_certificate_arn = optional(string)
  # Days access logs are kept (aws_s3_bucket_lifecycle_configuration.access_log).
  log_retention = optional(number, 35)
  # 0 presumably disables object expiration on the website bucket — confirm.
  expiration_days = optional(number, 0)
  origin_shield_region = optional(string)
  # Accept-Language prefix -> path; "*" is the fallback (aws_cloudfront_function.language_redirect).
  language_redirect = optional(map(string), {})
  disallow_robots = optional(bool, false)
  additional_origins = optional(map(object({
    domain_name = string
    path = optional(string)
    shielded = optional(bool, false)
    # CloudFront -> origin transport; keep "https-only" for anything off-AWS.
    protocol_policy = optional(string, "https-only")
    http_port = optional(number, 80)
    https_port = optional(number, 443)
    # Custom headers sent to the origin; a shared-secret header here is the
    # usual way to stop callers bypassing CloudFront/WAF and hitting the origin directly.
    headers = optional(map(string), {})
  })), {})
  additional_behaviors = optional(map(object({
    origin = string
    origin_protocol_policy = optional(string, "https-only")
    allowed_methods = optional(set(string), ["GET", "HEAD", "OPTIONS"])
    cached_methods = optional(set(string), ["GET", "HEAD"])
    cache_policy = optional(string, "Managed-CachingDisabled")
    # "Managed-AllViewer" forwards all viewer headers, cookies and query strings
    # to the origin; narrow it when the origin does not need them.
    origin_request_policy = optional(string, "Managed-AllViewer")
    response_headers_policy = optional(string, "Managed-SecurityHeadersPolicy")
    viewer_request_function = optional(string)
    viewer_response_function = optional(string)
  })), {})
  firewall = optional(object({
    # false: anything not matched by a block rule is allowed and the allowed_*
    # lists have no effect as an allow-list. true with empty allowed_* lists
    # presumably blocks everything — confirm before enabling.
    block_by_default = optional(bool, false)
    aws_managed_rules = optional(map(object({
      # rule name -> "count"/"allow"/"block"/... In AWS WAF an Allow action is
      # terminating: a request matching an overridden-to-allow rule skips every
      # later rule in the web ACL (including bot_control). Use "count" to tune
      # false positives instead of "allow".
      rule_action_override = optional(map(string), {})
    })), {
      AWSManagedRulesAmazonIpReputationList = {},
      AWSManagedRulesCommonRuleSet = {}
    })
    # CIDR notation required (aws_wafv2_ip_set.blocked_cidrs).
    blocked_ip_cidrs = optional(set(string), [])
    blocked_countries = optional(set(string), [])
    # CIDR notation required (aws_wafv2_ip_set.allowed_cidrs).
    allowed_ip_cidrs = optional(set(string), [])
    allowed_countries = optional(set(string), [])
    # Additional rule group name -> ARN, presumably — verify the expected value.
    rule_groups = optional(map(string), {})
    bot_control = optional(object({
      # Path prefix under which bot inspection applies.
      start_path = optional(string, "/")
      # "COMMON" or "TARGETED"; TARGETED adds challenge/CAPTCHA actions and higher cost.
      inspection_level = optional(string, "COMMON")
    }))
  }), {})
})
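# Example root-module call. Creates the bucket, distribution, WAF and KMS key
# for one site and restricts it to a list of operator IP addresses when given.
module "website" {
  # NOTE(review): the source is unpinned, so every `terraform init -upgrade`
  # pulls whatever the default branch holds. Pin to a reviewed release tag or
  # commit ("github.com/pippiio/aws-static-website?ref=<tag>") before relying on this.
  source = "github.com/pippiio/aws-static-website"
  providers = {
    aws = aws
    # Second provider for the region CloudFront requires for its ACM certificate
    # and CLOUDFRONT-scoped WAF (presumably us-east-1 — confirm the alias).
    aws.use1 = aws.use1
  }
  # Workspace names may contain "_", which is not valid in many AWS names.
  name_prefix = replace("${terraform.workspace}-", "_", "-")
  config = {
    domain_name = "example"
    error_document = "404.html"
    log_retention = 35
    expiration_days = 30
    disallow_robots = true
    # Module default is false; enable so direct S3 access over plain HTTP is refused.
    force_ssl_in_transit = true
    language_redirect = {
      "da" = "/da/"
      "en" = "/en/"
      "*" = "/en/"
    }
    firewall = {
      # Only flip into allow-list mode when at least one address is supplied;
      # block_by_default with an empty allow list would lock everyone out.
      block_by_default = length(var.allowed_ip_addresses) > 0
      # Host addresses need a prefix length. aws_wafv2_ip_set.allowed_cidrs is a
      # single IP set, and a WAF IP set is IPv4 or IPv6 but not both, so only
      # IPv4 entries belong here — an IPv6 address would need /128 and a
      # separate set. Confirm the module's ip_address_version before adding any.
      allowed_ip_cidrs = [for ip in var.allowed_ip_addresses : "${ip}/32"]
      bot_control = {
        start_path = "/api/"
        inspection_level = "TARGETED"
      }
      aws_managed_rules = {
        AWSManagedRulesAmazonIpReputationList = {},
        AWSManagedRulesCommonRuleSet = {
          rule_action_override = {
            # "count" records oversized bodies without blocking them and lets the
            # remaining rules (IP reputation, bot_control) still run. An "allow"
            # override is terminating in AWS WAF, so any request with a large body
            # would bypass the rest of the web ACL.
            SizeRestrictions_BODY = "count"
          }
        }
      }
    }
  }
}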
The following input variables are optional (have default values):
Description: A map of default tags, that will be applied to all resources applicable.
Type: map(string)
Default: {}
Description: A prefix that will be used on all named resources.
Type: string
Default: "pippi-"
The following outputs are exported:
Description: n/a
Description: n/a
Description: The domain name of the CloudFront distribution.
Description: The id of the CloudFront distribution.
Description: The ARN of the KMS Key.
Description: The website S3 bucket.
Description: The website S3 bucket ARN.
Description: The website S3 bucket.
Description: n/a