Skip to content

For hosting static sites on S3, cloudfront is required to SSL terminate $$$.

Notifications You must be signed in to change notification settings

JamesWoolfenden/terraform-aws-cloudfront-s3

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

terraform-aws-cloudfront-s3

Build Status Latest Release GitHub tag (latest SemVer) Terraform Version Infrastructure Tests pre-commit checkov Infrastructure Tests

This Terraform module is to provision a private S3 bucket, and use it as a static website, and sit that behind a Cloudfront distribution. Certificate needs a delay adding before cloudfront uses it, until then run it twice.

Usage

Creates a static site with cloudfront distribution in front.

alt text

To use, add module.cloudfront.tf to your template and update your variables and values, see example/examplea for a full worked example.

module "cloudfront" {
  source       = "JamesWoolfenden/cloudfront-s3/aws"
  version      = "0.3.2"
  common_tags = var.common_tags
  bucket_name = var.bucket_name
}

Costs

 Monthly cost estimate

Project: .

 Name                                                                       Monthly Qty  Unit                Monthly Cost

 module.cloudfront.aws_acm_certificate.cert
 └─ Certificate                                                                       1  requests                   $0.75

 module.cloudfront.aws_cloudfront_distribution.website
 ├─ Field level encryption requests                                     Cost depends on usage: $0.02 per 10k requests
 ├─ Real-time log requests                                              Cost depends on usage: $0.01 per 1M lines
 ├─ Dedicated IP custom SSLs                                            Cost depends on usage: $600.00 per certificates
 ├─ Invalidation requests (first 1k)                                    Cost depends on usage: $0 per paths
 ├─ Data transfer out to internet
 │  ├─ US, Mexico, Canada (first 10TB)                                  Cost depends on usage: $0.09 per GB
 │  ├─ Europe, Israel (first 10TB)                                      Cost depends on usage: $0.09 per GB
 │  ├─ South Africa, Kenya, Middle East (first 10TB)                    Cost depends on usage: $0.11 per GB
 │  ├─ South America (first 10TB)                                       Cost depends on usage: $0.11 per GB
 │  ├─ Japan (first 10TB)                                               Cost depends on usage: $0.11 per GB
 │  ├─ Australia, New Zealand (first 10TB)                              Cost depends on usage: $0.11 per GB
 │  ├─ Hong Kong, Philippines, Asia Pacific (first 10TB)                Cost depends on usage: $0.12 per GB
 │  └─ India (first 10TB)                                               Cost depends on usage: $0.11 per GB
 ├─ Data transfer out to origin
 │  ├─ US, Mexico, Canada                                               Cost depends on usage: $0.02 per GB
 │  ├─ Europe, Israel                                                   Cost depends on usage: $0.02 per GB
 │  ├─ South Africa, Kenya, Middle East                                 Cost depends on usage: $0.06 per GB
 │  ├─ South America                                                    Cost depends on usage: $0.13 per GB
 │  ├─ Japan                                                            Cost depends on usage: $0.06 per GB
 │  ├─ Australia, New Zealand                                           Cost depends on usage: $0.08 per GB
 │  ├─ Hong Kong, Philippines, Asia Pacific                             Cost depends on usage: $0.06 per GB
 │  └─ India                                                            Cost depends on usage: $0.16 per GB
 ├─ HTTP requests
 │  ├─ US, Mexico, Canada                                               Cost depends on usage: $0.0075 per 10k requests
 │  ├─ Europe, Israel                                                   Cost depends on usage: $0.009 per 10k requests
 │  ├─ South Africa, Kenya, Middle East                                 Cost depends on usage: $0.009 per 10k requests
 │  ├─ South America                                                    Cost depends on usage: $0.02 per 10k requests
 │  ├─ Japan                                                            Cost depends on usage: $0.009 per 10k requests
 │  ├─ Australia, New Zealand                                           Cost depends on usage: $0.009 per 10k requests
 │  ├─ Hong Kong, Philippines, Asia Pacific                             Cost depends on usage: $0.009 per 10k requests
 │  └─ India                                                            Cost depends on usage: $0.009 per 10k requests
 ├─ HTTPS requests
 │  ├─ US, Mexico, Canada                                               Cost depends on usage: $0.01 per 10k requests
 │  ├─ Europe, Israel                                                   Cost depends on usage: $0.01 per 10k requests
 │  ├─ South Africa, Kenya, Middle East                                 Cost depends on usage: $0.01 per 10k requests
 │  ├─ South America                                                    Cost depends on usage: $0.02 per 10k requests
 │  ├─ Japan                                                            Cost depends on usage: $0.01 per 10k requests
 │  ├─ Australia, New Zealand                                           Cost depends on usage: $0.01 per 10k requests
 │  ├─ Hong Kong, Philippines, Asia Pacific                             Cost depends on usage: $0.01 per 10k requests
 │  └─ India                                                            Cost depends on usage: $0.01 per 10k requests
 └─ Origin shield HTTP requests
    ├─ US                                                               Cost depends on usage: $0.0075 per 10k requests
    ├─ Europe                                                           Cost depends on usage: $0.009 per 10k requests
    ├─ South America                                                    Cost depends on usage: $0.02 per 10k requests
    ├─ Japan                                                            Cost depends on usage: $0.009 per 10k requests
    ├─ Australia                                                        Cost depends on usage: $0.009 per 10k requests
    ├─ Singapore                                                        Cost depends on usage: $0.009 per 10k requests
    ├─ South Korea                                                      Cost depends on usage: $0.009 per 10k requests
    └─ India                                                            Cost depends on usage: $0.009 per 10k requests

 module.cloudfront.aws_route53_record.cert_validation["freebeer.site"]
 ├─ Standard queries (first 1B)                                         Cost depends on usage: $0.40 per 1M queries
 ├─ Latency based routing queries (first 1B)                            Cost depends on usage: $0.60 per 1M queries
 └─ Geo DNS queries (first 1B)                                          Cost depends on usage: $0.70 per 1M queries

 module.cloudfront.aws_s3_bucket.logging
 └─ Standard
    ├─ Storage                                                          Cost depends on usage: $0.02 per GB-months
    ├─ PUT, COPY, POST, LIST requests                                   Cost depends on usage: $0.0053 per 1k requests
    ├─ GET, SELECT, and all other requests                              Cost depends on usage: $0.00042 per 1k requests
    ├─ Select data scanned                                              Cost depends on usage: $0.00225 per GB-months
    └─ Select data returned                                             Cost depends on usage: $0.0008 per GB-months

 module.cloudfront.aws_s3_bucket.website
 └─ Standard
    ├─ Storage                                                          Cost depends on usage: $0.02 per GB-months
    ├─ PUT, COPY, POST, LIST requests                                   Cost depends on usage: $0.0053 per 1k requests
    ├─ GET, SELECT, and all other requests                              Cost depends on usage: $0.00042 per 1k requests
    ├─ Select data scanned                                              Cost depends on usage: $0.00225 per GB-months
    └─ Select data returned                                             Cost depends on usage: $0.0008 per GB-months

 PROJECT TOTAL                                                                                                      $0.75

The default TTL values have been set very low, you will override these (but oh so helpful for development), for a more effective cache.

Requirements

Name Version
terraform >=0.14.8
aws 4.6.0

Providers

Name Version
aws 4.6.0
aws.useastone 4.6.0

Modules

No modules.

Resources

Name Type
aws_acm_certificate.cert resource
aws_acm_certificate_validation.cert resource
aws_cloudfront_distribution.website resource
aws_cloudfront_origin_access_identity.website resource
aws_cloudfront_response_headers_policy.pass resource
aws_route53_record.cert_validation resource
aws_route53_record.cloudfront resource
aws_s3_bucket.logging resource
aws_s3_bucket.website resource
aws_s3_bucket_acl.logging resource
aws_s3_bucket_acl.website resource
aws_s3_bucket_cors_configuration.website resource
aws_s3_bucket_lifecycle_configuration.logging resource
aws_s3_bucket_logging.website resource
aws_s3_bucket_policy.cloudfront resource
aws_s3_bucket_public_access_block.logging resource
aws_s3_bucket_server_side_encryption_configuration.logging resource
aws_s3_bucket_versioning.logging resource
aws_s3_bucket_versioning.website resource
aws_s3_bucket_website_configuration.website resource
aws_s3_object.index resource
aws_iam_policy_document.cloudfront data source
aws_route53_zone.selected data source

Inputs

Name Description Type Default Required
access_log_bucket Name of your access logging bucket string "logging" no
acm_certificate_arn The ARN of the certificate to be used string "" no
bucket_acl n/a string "Private" no
bucket_name name of the bucket string n/a yes
cloudfront_default_certificate use default SSL certificate bool false no
common_tags Implements the common tags scheme map(any) n/a yes
default_ttl default ttl values number 90 no
force_destroy n/a bool true no
fqdn The fully qualified domain Name string n/a yes
header_policy_name n/a string n/a yes
kms_key n/a any n/a yes
locations Locations for the Distribution list(any)
[
"GB"
]
no
max_ttl max ttl values number 300 no
min_ttl min ttl values number 30 no
price_class n/a string "PriceClass_100" no
restriction_type n/a string "whitelist" no
retain Do you want to retain the distribution on delete? bool false no
sse_algorithm The type of encryption algorithm to use string "aws:kms" no
ttl n/a string "300" no
versioning Switch to control versioning string "Enabled" no
web_acl_id The id of the WAF string n/a yes
zone The route53 zone to use string n/a yes

Outputs

Name Description
distribution n/a
identity n/a
logging n/a
policy n/a
website n/a

Checkov Exclusion

I have added:

  #checkov:skip=CKV_AWS_52: "Ensure S3 bucket has MFA delete enabled"
  #checkov:skip=CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"

As we will want to deploy to this bucket and it needs to be readable to the world if it's a website. There are also some exceptions on the logging bucket, e.g. logging of the logging bucket.

new checks

Address bridgecrewio/checkov#146

Related Projects

Check out these related projects.

Help

Got a question?

File a GitHub issue.

Contributing

Bug Reports & Feature Requests

Please use the issue tracker to report any bugs or file feature requests.

Copyrights

Copyright © 2019-2022 James Woolfenden

License

License

See LICENSE for full details.

Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Contributors

James Woolfenden
James Woolfenden