#--------------------------------------------------------------
# Provider proxy
#--------------------------------------------------------------
provider "aws" {
  # Proxy configuration block: the root module supplies the real provider as
  # `aws.default`. The bucket and the distribution are created through it.
  alias = "default"
}
provider "aws" {
  # Proxy configuration block used only by the ACM certificate. CloudFront
  # accepts ACM certificates from us-east-1 only, so the root module is
  # expected to map `aws.ssl` to a provider configured for that region.
  alias = "ssl"
}
#--------------------------------------------------------------
# S3 Bucket
#--------------------------------------------------------------
# Origin bucket read by CloudFront through the origin access identity.
resource "aws_s3_bucket" "s3_cloudfront_bucket" {
  provider = aws.default

  # `bucket_prefix`, not `bucket`: AWS appends a unique suffix, so the final
  # bucket name is not equal to var.bucket_name.
  bucket_prefix = var.bucket_name

  # NOTE(review): the default for var.acl is not visible here. Anything other
  # than "private" grants access that bypasses the CloudFront/OAI path.
  # In AWS provider v4+ `acl` and `policy` on this resource are deprecated in
  # favour of aws_s3_bucket_acl / aws_s3_bucket_policy.
  acl = var.acl

  # NOTE(review): this inline policy and the aws_s3_bucket_policy resource
  # further down both manage the same bucket policy; the provider warns
  # against using both, and they are likely to overwrite each other on
  # every apply. Pick one (the data-source-driven aws_s3_bucket_policy is
  # the safer choice, since it grants only the OAI).
  policy = var.policy

  # When true, `terraform destroy` deletes all objects before the bucket.
  force_destroy = var.force_destroy

  # NOTE(review): no aws_s3_bucket_public_access_block, server-side
  # encryption or versioning is configured for this bucket in this file.
}
# Bucket policy granting read access to the CloudFront origin access identity
# only. Rendered to JSON and attached by aws_s3_bucket_policy below.
data "aws_iam_policy_document" "s3_cloudfront_bucket" {
  # Object reads for every key in the bucket.
  statement {
    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.s3_cloudfront_bucket.iam_arn]
    }

    actions   = ["s3:GetObject"]
    resources = [join("", [aws_s3_bucket.s3_cloudfront_bucket.arn, "/*"])]
  }

  # Bucket listing for the same identity. With this grant CloudFront returns
  # 404 rather than 403 for missing keys, but a request for a path that holds
  # no object can surface a key listing when no default root object answers
  # it; remove this statement if listing is not wanted.
  statement {
    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.s3_cloudfront_bucket.iam_arn]
    }

    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.s3_cloudfront_bucket.arn]
  }
}
# Attaches the OAI-only policy document to the origin bucket.
resource "aws_s3_bucket_policy" "s3_cloudfront_bucket" {
  policy = data.aws_iam_policy_document.s3_cloudfront_bucket.json
  bucket = aws_s3_bucket.s3_cloudfront_bucket.id
}
#--------------------------------------------------------------
# Certificate
#--------------------------------------------------------------
# ACM certificate for the custom domain; created only when the module is not
# using the default *.cloudfront.net certificate.
resource "aws_acm_certificate" "s3_cloudfront_ssl" {
  # Issued via the `ssl` provider alias (CloudFront requires us-east-1).
  provider = aws.ssl
  count    = (var.use_default_certificate == true) ? 0 : 1

  domain_name = var.ssl_domain

  # DNS validation: the certificate stays "pending validation" until the
  # validation CNAME exists. No aws_acm_certificate_validation or DNS record
  # is created in this file, so the caller is expected to handle that.
  validation_method = "DNS"

  # A replacement certificate is issued before the old one is removed, so the
  # distribution is never left without a certificate to reference.
  lifecycle {
    create_before_destroy = true
  }
}
#--------------------------------------------------------------
# CloudFront
#--------------------------------------------------------------
# Identity CloudFront presents to S3. Its IAM ARN is the only principal in the
# bucket policy and its access path is attached to the distribution's S3 origin.
resource "aws_cloudfront_origin_access_identity" "s3_cloudfront_bucket" {
  # No arguments needed.
}
# CloudFront distribution serving the S3 bucket through the origin access
# identity. Almost every setting is driven by a module variable.
resource "aws_cloudfront_distribution" "s3_cloudfront" {
  provider = aws.default

  # Already implied by the origin references below; kept so the ordering is
  # explicit.
  depends_on = [aws_s3_bucket.s3_cloudfront_bucket]

  enabled             = var.enabled
  is_ipv6_enabled     = var.is_ipv6_enabled
  default_root_object = var.default_root_object
  aliases             = var.aliases
  price_class         = var.price_class

  origin {
    origin_id = aws_s3_bucket.s3_cloudfront_bucket.id

    # Important to use this format of origin domain name, it is the only
    # format that supports S3 redirects with CloudFront.
    domain_name = aws_s3_bucket.s3_cloudfront_bucket.bucket_domain_name
    origin_path = var.origin_path

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.s3_cloudfront_bucket.cloudfront_access_identity_path
    }
  }

  default_cache_behavior {
    target_origin_id = aws_s3_bucket.s3_cloudfront_bucket.id
    allowed_methods  = var.allowed_methods
    cached_methods   = var.cache_methods

    # NOTE(review): the default for this variable is not visible here. For a
    # TLS-only site it should be "redirect-to-https" or "https-only";
    # "allow-all" serves plain HTTP to viewers.
    viewer_protocol_policy = var.viewer_protocol_policy

    # Legacy forwarded_values block: neither query strings nor cookies reach
    # the origin, so the cache key is the path alone. Newer provider releases
    # prefer cache policies over this block.
    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    compress    = var.compress
    min_ttl     = var.min_ttl
    default_ttl = var.default_ttl
    max_ttl     = var.max_ttl
  }

  viewer_certificate {
    cloudfront_default_certificate = var.use_default_certificate

    # With the default certificate the ACM ARN and SSL method are blanked.
    # join() over the splat also yields "" when the certificate's count is 0.
    acm_certificate_arn = var.use_default_certificate == true ? "" : join("", aws_acm_certificate.s3_cloudfront_ssl.*.arn)
    ssl_support_method  = var.use_default_certificate == true ? "" : var.ssl_support_method

    # NOTE(review): CloudFront only honours this with a custom certificate;
    # with the default *.cloudfront.net certificate the minimum is fixed at
    # TLSv1, so the variable has no effect in that mode — confirm.
    minimum_protocol_version = var.minimum_protocol_version
  }

  restrictions {
    geo_restriction {
      # No `locations` list is passed, so a "whitelist"/"blacklist" type is
      # expected to be rejected by the API — presumably only "none" is used.
      restriction_type = var.restriction_type
    }
  }

  # NOTE(review): no logging_config or web_acl_id is set on this distribution
  # in this file.
}