Add internal features to aws-single-page-static-site (#125)

Add internal features to aws-single-page-static-site### Summary This PR brings features over from CZI's internal repo to the public aws-single-page-static-site module. This includes overriding the bucket name, public access blocks, more allowed headers, ordered cache behavior, more outputs, and upgrading the minimum TLS version.
chanzuckerberg · Sep 18, 2019 · fbfaf51 · fbfaf51
1 parent 2289b2d
commit fbfaf51
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 4 deletions.
diff --git a/aws-single-page-static-site/README.md b/aws-single-page-static-site/README.md
@@ -45,13 +45,25 @@ module "site" {
 | aliases | Vanity aliases. Make sure your provided cert supports these. | list | `<list>` | no |
 | aws\_acm\_cert\_arn | An AWS ACM cert. Note that Cloudfront requires certs to be in us-east-1. | string | n/a | yes |
 | aws\_route53\_zone\_id | A route53 zone ID used to write records. | string | n/a | yes |
+| bucket\_name | Name of the bucket to created. If not given, it will use the domain name. | string | `""` | no |
 | cloudfront\_price\_class | Cloudfront [price class](https://aws.amazon.com/cloudfront/pricing/). | string | `"PriceClass_100"` | no |
 | env | Env for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
 | index\_document\_path | The path to the index document of your site. | string | `"index.html"` | no |
 | minimum\_tls\_version | Minimum TLS version to accept. | string | `"TLSv1_2016"` | no |
 | owner | Owner for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
+| path\_pattern | The pattern (for example, images/*.jpg) that specifies which requests you want this cache behavior to apply to. | string | `"*"` | no |
 | project | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
 | service | Service for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
 | subdomain | The subdomain for this static site. | string | n/a | yes |
 
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| bucket\_name |  |
+| bucket\_arn |  |
+| cloudfront\_arn |  |
+| cloudfront\_domain\_name |  |
+| cloudfront\_hosted\_zone\_id |  |
+
 <!-- END -->
diff --git a/aws-single-page-static-site/main.tf b/aws-single-page-static-site/main.tf
@@ -9,7 +9,7 @@ locals {
 
   domain       = "${replace(data.aws_route53_zone.zone.name, "/\\.$/", "")}"
   website_fqdn = "${var.subdomain}.${local.domain}"
-  bucket_name  = "${local.website_fqdn}"
+  bucket_name  = "${var.bucket_name != "" ? var.bucket_name : local.website_fqdn}"
 
   aliases = [
     "${local.website_fqdn}",
@@ -54,8 +54,9 @@ resource "aws_s3_bucket" "bucket" {
 
   // Cloudfront needs this to compress assets
   // https://stackoverflow.com/questions/35590622/cloudfront-with-s3-website-as-origin-is-not-serving-gzipped-files
+  // Content-Type is also needed to allow CORS json requests
   cors_rule {
-    allowed_headers = ["Authorization", "Content-Length"]
+    allowed_headers = ["Authorization", "Content-Length", "Content-Type"]
     allowed_methods = ["GET"]
     allowed_origins = ["*"]
     max_age_seconds = 3000
@@ -72,6 +73,15 @@ resource "aws_s3_bucket" "bucket" {
   tags = "${local.tags}"
 }
 
+resource "aws_s3_bucket_public_access_block" "bucket" {
+  bucket = "${aws_s3_bucket.bucket.id}"
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
 resource "aws_cloudfront_distribution" "s3_distribution" {
   origin {
     domain_name = "${aws_s3_bucket.bucket.bucket_domain_name}"
@@ -89,7 +99,7 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
   aliases = "${concat(var.aliases, local.aliases)}"
 
   default_cache_behavior {
-    allowed_methods = ["GET", "HEAD"]
+    allowed_methods = ["GET", "HEAD", "OPTIONS"]
     cached_methods  = ["GET", "HEAD"]
 
     target_origin_id = "${local.website_fqdn}"
@@ -109,6 +119,29 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
     compress               = true
   }
 
+  ordered_cache_behavior {
+    path_pattern    = "${var.path_pattern}"
+    allowed_methods = ["GET", "HEAD", "OPTIONS"]
+    cached_methods  = ["GET", "HEAD"]
+
+    target_origin_id = "${local.website_fqdn}"
+
+    forwarded_values {
+      query_string = true
+      headers      = ["Origin"]
+
+      cookies {
+        forward = "none"
+      }
+    }
+
+    viewer_protocol_policy = "redirect-to-https"
+    min_ttl                = 0
+    default_ttl            = 3600
+    max_ttl                = 86400
+    compress               = true
+  }
+
   restrictions {
     geo_restriction {
       restriction_type = "none"

diff --git a/aws-single-page-static-site/outputs.tf b/aws-single-page-static-site/outputs.tf
@@ -1,3 +1,15 @@
+output "bucket_name" {
+  value = local.bucket_name
+}
+
+output "bucket_arn" {
+  value = aws_s3_bucket.bucket.arn
+}
+
+output "cloudfront_arn" {
+  value = aws_cloudfront_distribution.s3_distribution.arn
+}
+
 output "cloudfront_domain_name" {
   value = aws_cloudfront_distribution.s3_distribution.domain_name
 }

diff --git a/aws-single-page-static-site/variables.tf b/aws-single-page-static-site/variables.tf
@@ -47,7 +47,7 @@ variable "cloudfront_price_class" {
 
 variable "minimum_tls_version" {
   type        = "string"
-  default     = "TLSv1_2016"
+  default     = "TLSv1.1_2016"
   description = "Minimum TLS version to accept."
 }
 
@@ -56,3 +56,15 @@ variable "aliases" {
   default     = []
   description = "Vanity aliases. Make sure your provided cert supports these."
 }
+
+variable "bucket_name" {
+  type        = "string"
+  description = "Name of the bucket to created. If not given, it will use the domain name."
+  default     = ""
+}
+
+variable "path_pattern" {
+  type        = "string"
+  description = "The pattern (for example, images/*.jpg) that specifies which requests you want this cache behavior to apply to."
+  default     = "*"
+}