-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.tf
93 lines (73 loc) · 2.31 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
locals {
s3_origin_id = "origin-bucket-${module.website_bucket.id}"
bucket_arn = "arn:aws:s3:::${var.bucket_name}"
}
resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
}
module "website_bucket" {
source = "Infrastrukturait/s3-bucket/aws"
version = "0.1.0"
bucket_name = var.bucket_name
bucket_policy = data.aws_iam_policy_document.s3_policy.json
block_public_acls = var.block_public_acls
block_public_policy = var.block_public_policy
tags = var.tags
}
data "aws_iam_policy_document" "s3_policy" {
statement {
actions = ["s3:GetObject"]
resources = ["${local.bucket_arn}/*"]
principals {
type = "AWS"
identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
}
}
}
resource "aws_cloudfront_distribution" "website_cdn" {
enabled = true
is_ipv6_enabled = var.ipv6
price_class = var.price_class
http_version = "http2"
origin {
origin_id = local.s3_origin_id
domain_name = module.website_bucket.bucket_regional_domain_name
s3_origin_config {
origin_access_identity = aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path
}
}
default_root_object = var.default_root_object
custom_error_response {
error_code = "404"
error_caching_min_ttl = "360"
response_code = var.not_found_response_code
response_page_path = var.not_found_response_path
}
default_cache_behavior {
allowed_methods = ["GET", "HEAD", "DELETE", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD"]
target_origin_id = local.s3_origin_id
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
min_ttl = "0"
default_ttl = "300" //3600
max_ttl = "1200" //86400
viewer_protocol_policy = "redirect-to-https"
compress = true
}
restrictions {
geo_restriction {
restriction_type = "none"
}
}
viewer_certificate {
acm_certificate_arn = var.acm_certificate_arn
ssl_support_method = "sni-only"
minimum_protocol_version = var.minimum_client_tls_protocol_version
}
aliases = [var.domain]
tags = var.tags
}