-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmain.tf
More file actions
140 lines (117 loc) · 3.92 KB
/
main.tf
File metadata and controls
140 lines (117 loc) · 3.92 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
provider "aws" {
region = "us-east-1"
}
####################################
# 1. S3 Bucket (Private)
####################################
resource "aws_s3_bucket" "cdn_bucket" {
bucket = var.bucket_name
force_destroy = true
}
resource "aws_s3_bucket_public_access_block" "cdn_bucket_block" {
bucket = aws_s3_bucket.cdn_bucket.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
####################################
# 2. CloudFront Origin Access Control (OAC)
####################################
resource "aws_cloudfront_origin_access_control" "oac" {
name = "cloudfront-oac-${var.environment}-${var.project_name}"
description = "OAC for CloudFront to access private S3 bucket"
signing_behavior = "always"
signing_protocol = "sigv4"
origin_access_control_origin_type = "s3"
}
####################################
# 3. SSL Certificate (ACM) - Must already be validated in us-east-1
####################################
data "aws_acm_certificate" "ssl_cert" {
domain = var.cdn_domain_name
statuses = ["ISSUED"]
most_recent = true
}
####################################
# 4. CloudFront Distribution
####################################
resource "aws_cloudfront_distribution" "cdn" {
enabled = true
is_ipv6_enabled = true
comment = "CDN for project ${var.project_name}"
default_root_object = "index.html"
price_class = "PriceClass_100"
aliases = [var.cdn_domain_name]
origin {
domain_name = aws_s3_bucket.cdn_bucket.bucket_regional_domain_name
origin_id = "s3-origin-${var.project_name}"
origin_access_control_id = aws_cloudfront_origin_access_control.oac.id
}
default_cache_behavior {
allowed_methods = ["GET", "HEAD"]
cached_methods = ["GET", "HEAD"]
target_origin_id = "s3-origin-${var.project_name}"
viewer_protocol_policy = "redirect-to-https"
cache_policy_id = "658327ea-f89d-4fab-a63d-7e88639e58f6" # AWS managed: CachingOptimized
compress = true
}
viewer_certificate {
acm_certificate_arn = data.aws_acm_certificate.ssl_cert.arn
ssl_support_method = "sni-only"
minimum_protocol_version = "TLSv1.2_2021"
}
restrictions {
geo_restriction {
restriction_type = "none"
}
}
tags = {
Project = var.project_name
Environment = var.environment
ManagedBy = "Terraform"
}
}
####################################
# 5. S3 Bucket Policy for CloudFront OAC
####################################
data "aws_caller_identity" "current" {}
resource "aws_s3_bucket_policy" "cdn_bucket_policy" {
bucket = aws_s3_bucket.cdn_bucket.id
policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Sid = "AllowCloudFrontServiceAccess",
Effect = "Allow",
Principal = {
Service = "cloudfront.amazonaws.com"
},
Action = "s3:GetObject",
Resource = "${aws_s3_bucket.cdn_bucket.arn}/*",
Condition = {
StringEquals = {
"AWS:SourceArn" = "arn:aws:cloudfront::${data.aws_caller_identity.current.account_id}:distribution/${aws_cloudfront_distribution.cdn.id}"
}
}
}
]
})
}
####################################
# 6. Route 53 Alias Record for CDN
####################################
data "aws_route53_zone" "selected" {
name = var.root_domain_name
private_zone = false
}
resource "aws_route53_record" "cdn_alias" {
zone_id = data.aws_route53_zone.selected.zone_id
name = var.subdomain
type = "A"
alias {
name = aws_cloudfront_distribution.cdn.domain_name
zone_id = aws_cloudfront_distribution.cdn.hosted_zone_id
evaluate_target_health = false
}
}