This Terraform module provisions a private S3 bucket, serves it as a static website and puts a CloudFront distribution in front of it. The certificate needs a delay adding before CloudFront can use it; until that is in the module, run the apply twice.
Creates a static site with cloudfront distribution in front.
To use, add module.cloudfront.tf to your template and update your variables and values; see example/examplea for a full worked example.
```hcl
module "cloudfront" {
  source      = "JamesWoolfenden/cloudfront-s3/aws"
  version     = "0.3.2"
  common_tags = var.common_tags
  bucket_name = var.bucket_name
}
```
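The snippet above only sets two inputs; the module also needs the other inputs the Inputs table marks as required, plus a second AWS provider alias because CloudFront only attaches ACM certificates issued in us-east-1. The following is an added example of a complete call, not the module's own example/examplea; every name, ARN and id in it is a placeholder, and the assumption that kms_key takes a key ARN is mine.

```hcl
# Added example (not the module's example/examplea): a complete call that
# supplies every input the Inputs table marks as required. All names,
# ARNs and ids below are placeholders.
terraform {
  required_version = ">= 0.14.8"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.6.0"
    }
  }
}

provider "aws" {
  region = "eu-west-2"
}

# CloudFront only accepts ACM certificates from us-east-1, which is why the
# module declares a second provider alias (aws.useastone in the Providers table).
provider "aws" {
  alias  = "useastone"
  region = "us-east-1"
}

module "cloudfront" {
  source  = "JamesWoolfenden/cloudfront-s3/aws"
  version = "0.3.2"

  providers = {
    aws           = aws
    aws.useastone = aws.useastone
  }

  bucket_name        = "example-static-site"      # placeholder
  fqdn               = "www.example.com"          # placeholder
  zone               = "example.com"              # placeholder Route 53 zone
  common_tags        = { owner = "web-team", env = "dev" }
  kms_key            = "arn:aws:kms:eu-west-2:111122223333:key/PLACEHOLDER" # assumed: key ARN
  header_policy_name = "example-security-headers" # placeholder
  web_acl_id         = "WEB_ACL_ID_PLACEHOLDER"

  # The shipped defaults (30/90/300 s) suit development; raise them for a real cache.
  min_ttl     = 300
  default_ttl = 3600
  max_ttl     = 86400
}
```

Because the certificate is not immediately usable by CloudFront, expect the first apply to fail on the distribution and the second to succeed, as the text above notes.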
Monthly cost estimate
```text
Project: .

 Name                                                         Monthly Qty  Unit                    Monthly Cost

 module.cloudfront.aws_acm_certificate.cert
 └─ Certificate                                                         1  requests                       $0.75

 module.cloudfront.aws_cloudfront_distribution.website
 ├─ Field level encryption requests                    Cost depends on usage: $0.02 per 10k requests
 ├─ Real-time log requests                             Cost depends on usage: $0.01 per 1M lines
 ├─ Dedicated IP custom SSLs                           Cost depends on usage: $600.00 per certificates
 ├─ Invalidation requests (first 1k)                   Cost depends on usage: $0 per paths
 ├─ Data transfer out to internet
 │  ├─ US, Mexico, Canada (first 10TB)                 Cost depends on usage: $0.09 per GB
 │  ├─ Europe, Israel (first 10TB)                     Cost depends on usage: $0.09 per GB
 │  ├─ South Africa, Kenya, Middle East (first 10TB)   Cost depends on usage: $0.11 per GB
 │  ├─ South America (first 10TB)                      Cost depends on usage: $0.11 per GB
 │  ├─ Japan (first 10TB)                              Cost depends on usage: $0.11 per GB
 │  ├─ Australia, New Zealand (first 10TB)             Cost depends on usage: $0.11 per GB
 │  ├─ Hong Kong, Philippines, Asia Pacific (first 10TB) Cost depends on usage: $0.12 per GB
 │  └─ India (first 10TB)                              Cost depends on usage: $0.11 per GB
 ├─ Data transfer out to origin
 │  ├─ US, Mexico, Canada                              Cost depends on usage: $0.02 per GB
 │  ├─ Europe, Israel                                  Cost depends on usage: $0.02 per GB
 │  ├─ South Africa, Kenya, Middle East                Cost depends on usage: $0.06 per GB
 │  ├─ South America                                   Cost depends on usage: $0.13 per GB
 │  ├─ Japan                                           Cost depends on usage: $0.06 per GB
 │  ├─ Australia, New Zealand                          Cost depends on usage: $0.08 per GB
 │  ├─ Hong Kong, Philippines, Asia Pacific            Cost depends on usage: $0.06 per GB
 │  └─ India                                           Cost depends on usage: $0.16 per GB
 ├─ HTTP requests
 │  ├─ US, Mexico, Canada                              Cost depends on usage: $0.0075 per 10k requests
 │  ├─ Europe, Israel                                  Cost depends on usage: $0.009 per 10k requests
 │  ├─ South Africa, Kenya, Middle East                Cost depends on usage: $0.009 per 10k requests
 │  ├─ South America                                   Cost depends on usage: $0.02 per 10k requests
 │  ├─ Japan                                           Cost depends on usage: $0.009 per 10k requests
 │  ├─ Australia, New Zealand                          Cost depends on usage: $0.009 per 10k requests
 │  ├─ Hong Kong, Philippines, Asia Pacific            Cost depends on usage: $0.009 per 10k requests
 │  └─ India                                           Cost depends on usage: $0.009 per 10k requests
 ├─ HTTPS requests
 │  ├─ US, Mexico, Canada                              Cost depends on usage: $0.01 per 10k requests
 │  ├─ Europe, Israel                                  Cost depends on usage: $0.01 per 10k requests
 │  ├─ South Africa, Kenya, Middle East                Cost depends on usage: $0.01 per 10k requests
 │  ├─ South America                                   Cost depends on usage: $0.02 per 10k requests
 │  ├─ Japan                                           Cost depends on usage: $0.01 per 10k requests
 │  ├─ Australia, New Zealand                          Cost depends on usage: $0.01 per 10k requests
 │  ├─ Hong Kong, Philippines, Asia Pacific            Cost depends on usage: $0.01 per 10k requests
 │  └─ India                                           Cost depends on usage: $0.01 per 10k requests
 └─ Origin shield HTTP requests
    ├─ US                                              Cost depends on usage: $0.0075 per 10k requests
    ├─ Europe                                          Cost depends on usage: $0.009 per 10k requests
    ├─ South America                                   Cost depends on usage: $0.02 per 10k requests
    ├─ Japan                                           Cost depends on usage: $0.009 per 10k requests
    ├─ Australia                                       Cost depends on usage: $0.009 per 10k requests
    ├─ Singapore                                       Cost depends on usage: $0.009 per 10k requests
    ├─ South Korea                                     Cost depends on usage: $0.009 per 10k requests
    └─ India                                           Cost depends on usage: $0.009 per 10k requests

 module.cloudfront.aws_route53_record.cert_validation["freebeer.site"]
 ├─ Standard queries (first 1B)                        Cost depends on usage: $0.40 per 1M queries
 ├─ Latency based routing queries (first 1B)           Cost depends on usage: $0.60 per 1M queries
 └─ Geo DNS queries (first 1B)                         Cost depends on usage: $0.70 per 1M queries

 module.cloudfront.aws_s3_bucket.logging
 └─ Standard
    ├─ Storage                                         Cost depends on usage: $0.02 per GB-months
    ├─ PUT, COPY, POST, LIST requests                  Cost depends on usage: $0.0053 per 1k requests
    ├─ GET, SELECT, and all other requests             Cost depends on usage: $0.00042 per 1k requests
    ├─ Select data scanned                             Cost depends on usage: $0.00225 per GB-months
    └─ Select data returned                            Cost depends on usage: $0.0008 per GB-months

 module.cloudfront.aws_s3_bucket.website
 └─ Standard
    ├─ Storage                                         Cost depends on usage: $0.02 per GB-months
    ├─ PUT, COPY, POST, LIST requests                  Cost depends on usage: $0.0053 per 1k requests
    ├─ GET, SELECT, and all other requests             Cost depends on usage: $0.00042 per 1k requests
    ├─ Select data scanned                             Cost depends on usage: $0.00225 per GB-months
    └─ Select data returned                            Cost depends on usage: $0.0008 per GB-months

 PROJECT TOTAL                                                                                        $0.75
```
The default TTL values have been set very low (helpful for development); override them for a more effective cache.
Requirements

| Name | Version |
|---|---|
| terraform | >=0.14.8 |
| aws | 4.6.0 |

Providers

| Name | Version |
|---|---|
| aws | 4.6.0 |
| aws.useastone | 4.6.0 |

Modules

No modules.
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_log_bucket | Name of your access logging bucket | string | "logging" | no |
| acm_certificate_arn | The ARN of the certificate to be used | string | "" | no |
| bucket_acl | n/a | string | "Private" | no |
| bucket_name | Name of the bucket | string | n/a | yes |
| cloudfront_default_certificate | Use the default SSL certificate | bool | false | no |
| common_tags | Implements the common tags scheme | map(any) | n/a | yes |
| default_ttl | Default TTL value | number | 90 | no |
| force_destroy | n/a | bool | true | no |
| fqdn | The fully qualified domain name | string | n/a | yes |
| header_policy_name | n/a | string | n/a | yes |
| kms_key | n/a | any | n/a | yes |
| locations | Locations for the distribution | list(any) | [ | no |
| max_ttl | Maximum TTL value | number | 300 | no |
| min_ttl | Minimum TTL value | number | 30 | no |
| price_class | n/a | string | "PriceClass_100" | no |
| restriction_type | n/a | string | "whitelist" | no |
| retain | Do you want to retain the distribution on delete? | bool | false | no |
| sse_algorithm | The type of encryption algorithm to use | string | "aws:kms" | no |
| ttl | n/a | string | "300" | no |
| versioning | Switch to control versioning | string | "Enabled" | no |
| web_acl_id | The id of the WAF | string | n/a | yes |
| zone | The Route 53 zone to use | string | n/a | yes |
Outputs

| Name | Description |
|---|---|
| distribution | n/a |
| identity | n/a |
| logging | n/a |
| policy | n/a |
| website | n/a |
I have added the following checkov skips:

```hcl
#checkov:skip=CKV_AWS_52: "Ensure S3 bucket has MFA delete enabled"
#checkov:skip=CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
```

These are skipped because we will want to deploy to this bucket, and it needs to be readable to the world if it is a website. There are also some exceptions on the logging bucket, e.g. logging of the logging bucket.

Addresses bridgecrewio/checkov#146.
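Checkov only honours an inline skip when it sits inside the block of the resource it applies to. The following is an added illustration of that placement, not the module's own source: it uses the bucket name from the cost estimate above (aws_s3_bucket.website), and the separate provider 4.x encryption resource it adds is my choice, so that skipping CKV_AWS_19 on the bucket does not mean the objects go unencrypted.

```hcl
# Added illustration, not the module's source. Checkov reads inline skips
# only from inside the body of the resource they apply to, so the two
# comments live inside the bucket block, not above it.
resource "aws_s3_bucket" "website" {
  #checkov:skip=CKV_AWS_52: "Ensure S3 bucket has MFA delete enabled"
  #checkov:skip=CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
  bucket        = var.bucket_name
  force_destroy = var.force_destroy
  tags          = var.common_tags
}

# Encryption is still enforced through the provider 4.x split resource, so the
# CKV_AWS_19 skip silences the check on the bucket block without dropping the
# control. (Assumed layout; the module's own files are not shown on this page.)
resource "aws_s3_bucket_server_side_encryption_configuration" "website" {
  bucket = aws_s3_bucket.website.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = var.sse_algorithm # module default is "aws:kms"
      kms_master_key_id = var.kms_key       # assumed to be a KMS key id or ARN
    }
  }
}

# Versioning is likewise kept on via its own resource (module default "Enabled").
resource "aws_s3_bucket_versioning" "website" {
  bucket = aws_s3_bucket.website.id

  versioning_configuration {
    status = var.versioning
  }
}
```

Run `checkov -d .` over the directory: CKV_AWS_52 and CKV_AWS_19 report as SKIPPED with the quoted reasons, while the encryption and versioning resources are evaluated normally.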
Check out these related projects.
- terraform-aws-s3 - S3 buckets
Got a question?
File a GitHub issue.
Please use the issue tracker to report any bugs or file feature requests.
Copyright © 2019-2022 James Woolfenden
See LICENSE for full details.
Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.