For hosting static sites on S3, CloudFront is required to terminate SSL ($$$).

terraform-aws-cloudfront-s3

This Terraform module provisions a private S3 bucket, configures it as a static website, and places it behind a CloudFront distribution. The ACM certificate needs a delay added before CloudFront can use it; until that is in place, run the apply twice.

Usage

Creates a static site with a CloudFront distribution in front of it.

To use, add module.cloudfront.tf to your template and update your variables and values; see example/examplea for a full worked example.

module "cloudfront" {
  source             = "JamesWoolfenden/cloudfront-s3/aws"
  version            = "0.3.2"
  common_tags        = var.common_tags
  bucket_name        = var.bucket_name
  # remaining inputs with no default (see Inputs); plan fails without them
  fqdn               = var.fqdn
  zone               = var.zone
  web_acl_id         = var.web_acl_id
  kms_key            = var.kms_key
  header_policy_name = var.header_policy_name
}

Costs

 Monthly cost estimate

Project: .

 Name                                                                       Monthly Qty  Unit                Monthly Cost

 module.cloudfront.aws_acm_certificate.cert
 └─ Certificate                                                                       1  requests                   $0.75

 module.cloudfront.aws_cloudfront_distribution.website
 ├─ Field level encryption requests                                     Cost depends on usage: $0.02 per 10k requests
 ├─ Real-time log requests                                              Cost depends on usage: $0.01 per 1M lines
 ├─ Dedicated IP custom SSLs                                            Cost depends on usage: $600.00 per certificates
 ├─ Invalidation requests (first 1k)                                    Cost depends on usage: $0 per paths
 ├─ Data transfer out to internet
 │  ├─ US, Mexico, Canada (first 10TB)                                  Cost depends on usage: $0.09 per GB
 │  ├─ Europe, Israel (first 10TB)                                      Cost depends on usage: $0.09 per GB
 │  ├─ South Africa, Kenya, Middle East (first 10TB)                    Cost depends on usage: $0.11 per GB
 │  ├─ South America (first 10TB)                                       Cost depends on usage: $0.11 per GB
 │  ├─ Japan (first 10TB)                                               Cost depends on usage: $0.11 per GB
 │  ├─ Australia, New Zealand (first 10TB)                              Cost depends on usage: $0.11 per GB
 │  ├─ Hong Kong, Philippines, Asia Pacific (first 10TB)                Cost depends on usage: $0.12 per GB
 │  └─ India (first 10TB)                                               Cost depends on usage: $0.11 per GB
 ├─ Data transfer out to origin
 │  ├─ US, Mexico, Canada                                               Cost depends on usage: $0.02 per GB
 │  ├─ Europe, Israel                                                   Cost depends on usage: $0.02 per GB
 │  ├─ South Africa, Kenya, Middle East                                 Cost depends on usage: $0.06 per GB
 │  ├─ South America                                                    Cost depends on usage: $0.13 per GB
 │  ├─ Japan                                                            Cost depends on usage: $0.06 per GB
 │  ├─ Australia, New Zealand                                           Cost depends on usage: $0.08 per GB
 │  ├─ Hong Kong, Philippines, Asia Pacific                             Cost depends on usage: $0.06 per GB
 │  └─ India                                                            Cost depends on usage: $0.16 per GB
 ├─ HTTP requests
 │  ├─ US, Mexico, Canada                                               Cost depends on usage: $0.0075 per 10k requests
 │  ├─ Europe, Israel                                                   Cost depends on usage: $0.009 per 10k requests
 │  ├─ South Africa, Kenya, Middle East                                 Cost depends on usage: $0.009 per 10k requests
 │  ├─ South America                                                    Cost depends on usage: $0.02 per 10k requests
 │  ├─ Japan                                                            Cost depends on usage: $0.009 per 10k requests
 │  ├─ Australia, New Zealand                                           Cost depends on usage: $0.009 per 10k requests
 │  ├─ Hong Kong, Philippines, Asia Pacific                             Cost depends on usage: $0.009 per 10k requests
 │  └─ India                                                            Cost depends on usage: $0.009 per 10k requests
 ├─ HTTPS requests
 │  ├─ US, Mexico, Canada                                               Cost depends on usage: $0.01 per 10k requests
 │  ├─ Europe, Israel                                                   Cost depends on usage: $0.01 per 10k requests
 │  ├─ South Africa, Kenya, Middle East                                 Cost depends on usage: $0.01 per 10k requests
 │  ├─ South America                                                    Cost depends on usage: $0.02 per 10k requests
 │  ├─ Japan                                                            Cost depends on usage: $0.01 per 10k requests
 │  ├─ Australia, New Zealand                                           Cost depends on usage: $0.01 per 10k requests
 │  ├─ Hong Kong, Philippines, Asia Pacific                             Cost depends on usage: $0.01 per 10k requests
 │  └─ India                                                            Cost depends on usage: $0.01 per 10k requests
 └─ Origin shield HTTP requests
    ├─ US                                                               Cost depends on usage: $0.0075 per 10k requests
    ├─ Europe                                                           Cost depends on usage: $0.009 per 10k requests
    ├─ South America                                                    Cost depends on usage: $0.02 per 10k requests
    ├─ Japan                                                            Cost depends on usage: $0.009 per 10k requests
    ├─ Australia                                                        Cost depends on usage: $0.009 per 10k requests
    ├─ Singapore                                                        Cost depends on usage: $0.009 per 10k requests
    ├─ South Korea                                                      Cost depends on usage: $0.009 per 10k requests
    └─ India                                                            Cost depends on usage: $0.009 per 10k requests

 module.cloudfront.aws_route53_record.cert_validation["freebeer.site"]
 ├─ Standard queries (first 1B)                                         Cost depends on usage: $0.40 per 1M queries
 ├─ Latency based routing queries (first 1B)                            Cost depends on usage: $0.60 per 1M queries
 └─ Geo DNS queries (first 1B)                                          Cost depends on usage: $0.70 per 1M queries

 module.cloudfront.aws_s3_bucket.logging
 └─ Standard
    ├─ Storage                                                          Cost depends on usage: $0.02 per GB-months
    ├─ PUT, COPY, POST, LIST requests                                   Cost depends on usage: $0.0053 per 1k requests
    ├─ GET, SELECT, and all other requests                              Cost depends on usage: $0.00042 per 1k requests
    ├─ Select data scanned                                              Cost depends on usage: $0.00225 per GB-months
    └─ Select data returned                                             Cost depends on usage: $0.0008 per GB-months

 module.cloudfront.aws_s3_bucket.website
 └─ Standard
    ├─ Storage                                                          Cost depends on usage: $0.02 per GB-months
    ├─ PUT, COPY, POST, LIST requests                                   Cost depends on usage: $0.0053 per 1k requests
    ├─ GET, SELECT, and all other requests                              Cost depends on usage: $0.00042 per 1k requests
    ├─ Select data scanned                                              Cost depends on usage: $0.00225 per GB-months
    └─ Select data returned                                             Cost depends on usage: $0.0008 per GB-months

 PROJECT TOTAL                                                                                                      $0.75

The default TTL values have been set very low, which is helpful for development; override them for a more effective cache.

Requirements

Name       Version
terraform  >=0.14.8
aws        4.6.0

Providers

Name           Version
aws            4.6.0
aws.useastone  4.6.0

Modules

No modules.

Resources

Name Type
aws_acm_certificate.cert resource
aws_acm_certificate_validation.cert resource
aws_cloudfront_distribution.website resource
aws_cloudfront_origin_access_identity.website resource
aws_cloudfront_response_headers_policy.pass resource
aws_route53_record.cert_validation resource
aws_route53_record.cloudfront resource
aws_s3_bucket.logging resource
aws_s3_bucket.website resource
aws_s3_bucket_acl.logging resource
aws_s3_bucket_acl.website resource
aws_s3_bucket_cors_configuration.website resource
aws_s3_bucket_lifecycle_configuration.logging resource
aws_s3_bucket_logging.website resource
aws_s3_bucket_policy.cloudfront resource
aws_s3_bucket_public_access_block.logging resource
aws_s3_bucket_server_side_encryption_configuration.logging resource
aws_s3_bucket_versioning.logging resource
aws_s3_bucket_versioning.website resource
aws_s3_bucket_website_configuration.website resource
aws_s3_object.index resource
aws_iam_policy_document.cloudfront data source
aws_route53_zone.selected data source

Inputs

Name Description Type Default Required
access_log_bucket Name of your access logging bucket string "logging" no
acm_certificate_arn The ARN of the certificate to be used string "" no
bucket_acl n/a string "Private" no
bucket_name name of the bucket string n/a yes
cloudfront_default_certificate use default SSL certificate bool false no
common_tags Implements the common tags scheme map(any) n/a yes
default_ttl default ttl values number 90 no
force_destroy n/a bool true no
fqdn The fully qualified domain Name string n/a yes
header_policy_name n/a string n/a yes
kms_key n/a any n/a yes
locations Locations for the Distribution list(any) ["GB"] no
max_ttl max ttl values number 300 no
min_ttl min ttl values number 30 no
price_class n/a string "PriceClass_100" no
restriction_type n/a string "whitelist" no
retain Do you want to retain the distribution on delete? bool false no
sse_algorithm The type of encryption algorithm to use string "aws:kms" no
ttl n/a string "300" no
versioning Switch to control versioning string "Enabled" no
web_acl_id The id of the WAF string n/a yes
zone The route53 zone to use string n/a yes

Outputs

Name Description
distribution n/a
identity n/a
logging n/a
policy n/a
website n/a

Checkov Exclusion

I have added:

  #checkov:skip=CKV_AWS_52: "Ensure S3 bucket has MFA delete enabled"
  #checkov:skip=CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"

These are skipped because we will want to deploy to this bucket, and it needs to be readable to the world if it is a website. There are also some exceptions on the logging bucket, e.g. logging of the logging bucket.
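As an added illustration (not the module's own source), this is where the skip annotations sit inside a resource block, next to the origin access identity and bucket policy that the resource list implies (aws_cloudfront_origin_access_identity.website, aws_iam_policy_document.cloudfront, aws_s3_bucket_policy.cloudfront): object reads are granted to the distribution's identity rather than to an anonymous principal, which is what lets the bucket itself stay private. The statement sid and the identity comment text are assumptions.

```hcl
# Origin access identity: the only principal the bucket policy will trust.
resource "aws_cloudfront_origin_access_identity" "website" {
  comment = "CloudFront read access to ${var.bucket_name}" # assumed text
}

resource "aws_s3_bucket" "website" {
  # Inline checkov suppressions go inside the resource block they apply to.
  #checkov:skip=CKV_AWS_52: "Ensure S3 bucket has MFA delete enabled"
  #checkov:skip=CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
  bucket        = var.bucket_name
  force_destroy = var.force_destroy
  tags          = var.common_tags
}

# Read access is granted to the OAI only, never to principal "*", so the
# bucket stays private while CloudFront can still serve its objects.
data "aws_iam_policy_document" "cloudfront" {
  statement {
    sid       = "AllowCloudFrontOAIRead" # assumed name
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.website.arn}/*"]

    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.website.iam_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "cloudfront" {
  bucket = aws_s3_bucket.website.id
  policy = data.aws_iam_policy_document.cloudfront.json
}
```

If a check flags the policy, `checkov -d . --check CKV_AWS_52,CKV_AWS_19` (assumed invocation) shows whether the inline skips above are being honoured.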

New checks

Address bridgecrewio/checkov#146

Related Projects

Check out these related projects.

Help

Got a question?

File a GitHub issue.

Contributing

Bug Reports & Feature Requests

Please use the issue tracker to report any bugs or file feature requests.

Copyrights

Copyright © 2019-2022 James Woolfenden

License

See LICENSE for full details.

Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Contributors

James Woolfenden