# Origin bucket for the site. The bucket stays private: CloudFront reaches it
# through the origin access identity declared later in this file, not through
# any public grant.
#
# NOTE(review): the inline acl / versioning / server_side_encryption_configuration
# arguments and a configurable `region` are tied to the AWS provider major in
# use (required_providers is not visible here); newer provider majors move them
# to separate resources and make region read-only — confirm before upgrading.
resource "aws_s3_bucket" "bucket" {
  bucket = var.bucket_name
  region = var.region
  tags   = var.tags

  # Owner-only ACL. Read access for CloudFront is granted by the bucket policy
  # (to the OAI), never by ACL.
  acl = "private"

  # Keep every object version so an overwritten or deleted object can be
  # restored and tampering leaves a history.
  versioning {
    enabled = true
  }

  # Encrypt at rest with SSE-S3 (AES256). NOTE(review): SSE-KMS would add a
  # key-policy gate on who can read the data — worth considering if the content
  # is sensitive.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}
# Defence in depth for the origin bucket: even if an ACL or the bucket policy
# is later edited to grant public access, S3 refuses or ignores it.
resource "aws_s3_bucket_public_access_block" "bucket" {
  bucket = aws_s3_bucket.bucket.id

  # Reject new public ACLs and ignore any that already exist.
  block_public_acls  = true
  ignore_public_acls = true

  # Reject public bucket policies; should one exist anyway, restrict who the
  # bucket serves rather than honouring the public grant.
  block_public_policy     = true
  restrict_public_buckets = true
}
# Bucket policy granting read access to the CloudFront origin access identity.
# The OAI is the only principal named, so anonymous callers and other AWS
# accounts get nothing from the bucket directly.
data "aws_iam_policy_document" "s3_bucket_policy" {
  # Object reads: CloudFront fetches content on behalf of viewers.
  statement {
    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.default.iam_arn]
    }
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.bucket.arn}/*"]
  }

  # Bucket listing: lets CloudFront return 404 for a missing key instead of 403.
  # NOTE(review): with this grant, a request for the distribution root is served
  # the bucket listing whenever default_root_object is unset — confirm
  # var.cloudfront_default_root_object is non-empty in every deployment, or
  # drop this statement if 403-for-missing is acceptable.
  statement {
    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.default.iam_arn]
    }
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.bucket.arn]
  }
}
# Attach the OAI read policy to the bucket. The JSON is rendered by the
# aws_iam_policy_document data source rather than hand-written, so principals
# and resources are always the ones Terraform resolved.
resource "aws_s3_bucket_policy" "bucket_policy" {
  policy = data.aws_iam_policy_document.s3_bucket_policy.json
  bucket = aws_s3_bucket.bucket.id
}
# Origin access identity: the CloudFront-side principal that the bucket policy
# trusts, which is what lets the bucket stay closed to everyone else. The
# comment is informational only; reusing the bucket name makes the OAI easy to
# match to its bucket in the console.
resource "aws_cloudfront_origin_access_identity" "default" {
  comment = var.bucket_name
}
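# CloudFront distribution fronting the private S3 bucket. Viewers are redirected
# to HTTPS and the origin is reached only through the OAI, so the bucket never
# has to be public.
resource "aws_cloudfront_distribution" "default" {
  enabled             = true
  comment             = "CloudFront distribution for ${var.bucket_name}"
  default_root_object = var.cloudfront_default_root_object
  http_version        = "http2"
  is_ipv6_enabled     = true
  price_class         = var.cloudfront_price_class
  tags                = var.tags

  # Every alias listed here must be covered by the ACM certificate in
  # viewer_certificate below, otherwise CloudFront rejects the distribution.
  aliases = concat([var.cloudfront_distribution], [var.bucket_name], var.cloudfront_aliases)

  # Return from apply once the config is accepted instead of waiting for the
  # edge rollout; callers must not assume a change is live immediately.
  wait_for_deployment = false

  # S3 origin, addressed by its regional endpoint and authenticated with the OAI.
  # local.s3_origin_id is defined outside this file.
  origin {
    domain_name = aws_s3_bucket.bucket.bucket_regional_domain_name
    origin_id   = local.s3_origin_id

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
    }
  }

  default_cache_behavior {
    target_origin_id       = local.s3_origin_id
    viewer_protocol_policy = "redirect-to-https"

    # Read-only site: nothing but GET/HEAD is accepted or cached.
    allowed_methods = ["GET", "HEAD"]
    cached_methods  = ["GET", "HEAD"]

    # Only the CORS request headers are forwarded (and therefore vary the cache
    # key); query strings and cookies are dropped before the origin.
    forwarded_values {
      query_string = false
      headers = [
        "Access-Control-Request-Headers",
        "Access-Control-Request-Method",
        "Origin",
      ]

      cookies {
        forward = "none"
      }
    }

    # Lambda@Edge runs on every viewer request, before the cache is consulted.
    # NOTE(review): aws_lambda_function.lambda is declared elsewhere; the [0]
    # index presumes it uses count with count >= 1 — confirm, or the plan fails
    # whenever the function is disabled.
    lambda_function_association {
      event_type = "viewer-request"
      lambda_arn = aws_lambda_function.lambda[0].qualified_arn
    }
  }

  # No geographic blocking.
  restrictions {
    geo_restriction {
      restriction_type = "none"
      locations        = []
    }
  }

  viewer_certificate {
    acm_certificate_arn            = var.cloudfront_acm_certificate_arn
    ssl_support_method             = "sni-only"
    cloudfront_default_certificate = false

    # Refuse TLS 1.0/1.1 from viewers. Left unset, the provider default for an
    # ACM certificate (TLSv1 per the provider docs) still permits them; this
    # policy negotiates only TLS 1.2+ with current ciphers.
    minimum_protocol_version = "TLSv1.2_2021"
  }

  # One custom_error_response block per entry of var.cloudfront_error_responses.
  # custom_error_response.value is the entry itself, so there is no need to
  # re-index the variable by key (works for both map and list inputs).
  dynamic "custom_error_response" {
    for_each = var.cloudfront_error_responses
    content {
      error_code         = custom_error_response.value.error_code
      response_code      = custom_error_response.value.response_code
      response_page_path = custom_error_response.value.response_page_path
    }
  }
}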