Create static website module (#1)

alexander-sorokin-itomychstudio · web-flow · commit a247785a876c · 2023-11-09T21:26:27.000Z
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 DashDevs LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
@@ -1 +1,58 @@
-# terraform-aws-static-website
+# terraform-aws-static-website
+
+
+## Usage
+
+
+**IMPORTANT:** We do not pin modules to versions in our examples because of the
+difficulty of keeping the versions in the documentation in sync with the latest released versions.
+We highly recommend that in your code you pin the version to the exact version you are
+using so that your infrastructure remains stable, and update versions in a
+systematic way so that they do not catch you by surprise.
+
+### example usage for website module:
+```
+module "website" {
+  source             = "dashdevs/static-website/aws"
+  domain             = var.domain
+  domain_zone_name   = var.domain_zone_name
+  create_dns_records = true
+}
+
+```
+
+
+<!-- markdownlint-restore -->
+<!-- markdownlint-disable -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.2 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.34 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.34 |
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_domain"></a> [domain](#input\_domain) | Domain name for the site | `string` | `n/a` | yes |
+| <a name="input_domain_zone_name"></a> [domain\_zone\_name](#input\_domain\_zone\_name) | The name of the domain zone in the route53 service for which DNS records will be created. Must be set if create_dns_records is `true` | `string` | `null` | no |
+| <a name="input_create_dns_records"></a> [create\_dns\_records](#input\_create\_dns\_records) | If true, then DNS records are created in route53 for this site and connected to the cloudfront distribution | `bool` |`true`| no |
+| <a name="input_cors_allowed_origins"></a> [cors\_allowed\_origins](#input\_cors\_allowed\_origins) | Used to declare domains from which the site will be accessed as a storage of static resources | `null` |`list(string)`| no |
+
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_bucket_id"></a> [bucket\_id](#output\_bucket\_id) | The S3 bucket identifier |
+| <a name="output_cloudfront_distribution_id"></a> [cloudfront\_distribution\_id](#output\_cloudfront\_distribution\_id) | The cloudfront distribution identifier assigned to the S3 bucket |
+| <a name="output_ssl_certificate_validation_dns_records"></a> [ssl\_certificate\_validation\_dns\_records](#output\_ssl\_certificate\_validation\_dns\_records) | List of text expressions of the certificate validation DNS records to create this records manually. Required if [create\_dns\_records](#input\_create\_dns\_records) is `false` |
+| <a name="output_resource_domain_record"></a> [resource\_domain\_record](#output\_resource\_domain\_record) | Text expressions of the website DNS record to create this records manually. Required if [create\_dns\_records](#input\_create\_dns\_records) is `false` |
diff --git a/main.tf b/main.tf
@@ -0,0 +1,261 @@
+/**
+ * Config
+ *
+ **/
+
+locals {
+  s3_origin_id              = "websiteorigin"
+  s3_root_object            = "index.html"
+  сreate_cors_configuration = var.cors_allowed_origins != null ? true : false
+}
+
+check "application_repository_validation" {
+  assert {
+    condition     = !(var.create_dns_records && var.domain_zone_name == null)
+    error_message = "If create_dns_records is true then domain_zone_name must be set!"
+  }
+}
+
+data "aws_route53_zone" "public_zone" {
+  count        = var.create_dns_records ? 1 : 0
+  name         = var.domain_zone_name
+  private_zone = false
+}
+
+
+/**
+ * Certificate
+ *
+ **/
+
+# To use an ACM certificate with CloudFront, make sure you request (or import) the certificate in the US East (N. Virginia)
+provider "aws" {
+  alias  = "virginia"
+  region = "us-east-1"
+}
+
+resource "aws_acm_certificate" "website" {
+  provider = aws.virginia
+
+  domain_name       = var.domain
+  validation_method = "DNS"
+}
+
+resource "aws_route53_record" "website_certificate_validation_records" {
+  provider = aws.virginia
+
+  for_each = {
+    for dvo in var.create_dns_records ? aws_acm_certificate.cerificate.domain_validation_options : [] : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = data.aws_route53_zone.public_zone[0].zone_id
+}
+
+resource "aws_acm_certificate_validation" "website_certificate_validation" {
+  provider = aws.virginia
+
+  certificate_arn         = aws_acm_certificate.website.arn
+  validation_record_fqdns = [for record in aws_route53_record.website_certificate_validation_records : record.fqdn]
+}
+
+
+/**
+ * DNS Record
+ *
+ **/
+
+resource "aws_route53_record" "a" {
+  count   = var.create_dns_records ? 1 : 0
+  zone_id = data.aws_route53_zone.public_zone[0].zone_id
+  name    = var.domain
+  type    = "A"
+
+  alias {
+    name                   = aws_cloudfront_distribution.website.domain_name
+    zone_id                = aws_cloudfront_distribution.website.hosted_zone_id
+    evaluate_target_health = false
+  }
+}
+
+
+/**
+ * S3 Bucket
+ *
+ **/
+
+resource "aws_s3_bucket" "website" {
+  bucket = var.domain
+}
+
+resource "aws_s3_bucket_cors_configuration" "website" {
+  count  = local.сreate_cors_configuration ? 1 : 0
+  bucket = aws_s3_bucket.website.id
+
+  cors_rule {
+    allowed_headers = ["*"]
+    allowed_methods = ["GET", "HEAD"]
+    allowed_origins = var.cors_allowed_origins
+    max_age_seconds = 3600
+  }
+}
+
+resource "aws_s3_bucket_website_configuration" "website" {
+  bucket = aws_s3_bucket.website.id
+
+  index_document { suffix = local.s3_root_object }
+  error_document { key = local.s3_root_object }
+}
+
+
+/**
+ * CloudFront Distribution
+ *
+ **/
+
+resource "aws_cloudfront_origin_access_identity" "website" {
+  comment = var.domain
+}
+
+resource "aws_cloudfront_distribution" "website" {
+  enabled             = true
+  aliases             = [var.domain]
+  comment             = var.domain
+  default_root_object = local.s3_root_object
+  price_class         = "PriceClass_All"
+
+  origin {
+    domain_name = aws_s3_bucket.website.bucket_domain_name
+    origin_id   = local.s3_origin_id
+
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.website.cloudfront_access_identity_path
+    }
+  }
+
+  custom_error_response {
+    error_caching_min_ttl = 86400
+    error_code            = 404
+    response_code         = 200
+    response_page_path    = "/${local.s3_root_object}"
+  }
+
+  custom_error_response {
+    error_caching_min_ttl = 86400
+    error_code            = 403
+    response_code         = 200
+    response_page_path    = "/${local.s3_root_object}"
+  }
+
+  default_cache_behavior {
+    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
+    cached_methods   = ["GET", "HEAD", "OPTIONS"]
+    target_origin_id = local.s3_origin_id
+
+    forwarded_values {
+      query_string = false
+      cookies {
+        forward = "none"
+      }
+    }
+
+    viewer_protocol_policy = "redirect-to-https"
+    min_ttl                = 60
+    default_ttl            = 3600
+    max_ttl                = 86400
+
+    response_headers_policy_id = aws_cloudfront_response_headers_policy.website_security.id
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    acm_certificate_arn            = aws_acm_certificate.website.arn
+    cloudfront_default_certificate = false
+    minimum_protocol_version       = "TLSv1.2_2021"
+    ssl_support_method             = "sni-only"
+  }
+}
+
+resource "aws_cloudfront_response_headers_policy" "website_security" {
+  name = replace(var.domain, ".", "-")
+
+  custom_headers_config {
+    items {
+      header   = "X-Permitted-Cross-Domain-Policies"
+      value    = "none"
+      override = true
+    }
+    items {
+      header   = "Feature-Policy"
+      value    = "camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://${var.domain}/*"
+      override = true
+    }
+  }
+
+  security_headers_config {
+    content_security_policy {
+      content_security_policy = "default-src * blob: data:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'"
+      override                = true
+    }
+    content_type_options {
+      override = true
+    }
+    referrer_policy {
+      referrer_policy = "no-referrer-when-downgrade"
+      override        = true
+    }
+    frame_options {
+      frame_option = "SAMEORIGIN"
+      override     = true
+    }
+    strict_transport_security {
+      access_control_max_age_sec = "31536000"
+      include_subdomains         = true
+      preload                    = true
+      override                   = true
+    }
+    xss_protection {
+      mode_block = true
+      protection = true
+      override   = true
+    }
+  }
+}
+
+
+/**
+ * S3 Bucket IAM
+ *
+ **/
+
+data "aws_iam_policy_document" "allow_website_cloudfront" {
+  statement {
+    sid = "Allow bucket access from CloudFront"
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_cloudfront_origin_access_identity.website.iam_arn]
+    }
+
+    actions   = ["s3:GetObject"]
+    resources = ["${aws_s3_bucket.website.arn}/*"]
+  }
+}
+
+resource "aws_s3_bucket_policy" "allow_cloudfront" {
+  bucket = aws_s3_bucket.website.id
+  policy = data.aws_iam_policy_document.allow_website_cloudfront.json
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,17 @@
+output "bucket_id" {
+  value = aws_s3_bucket.website.id
+}
+
+output "cloudfront_distribution_id" {
+  value = aws_cloudfront_distribution.website.id
+}
+
+output "resource_domain_record" {
+  value = "${var.domain} CNAME ${aws_cloudfront_distribution.website.domain_name}"
+}
+
+output "certificate_validation_records" {
+  value = [
+    for dvo in aws_acm_certificate.website.domain_validation_options : "${dvo.resource_record_name} ${dvo.resource_record_type} ${dvo.resource_record_value}"
+  ]
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,18 @@
+variable "domain" {
+  type = string
+}
+
+variable "domain_zone_name" {
+  type    = string
+  default = null
+}
+
+variable "create_dns_records" {
+  type    = bool
+  default = true
+}
+
+variable "cors_allowed_origins" {
+  type    = list(string)
+  default = null
+}
