diff --git a/aws-single-page-static-site/README.md b/aws-single-page-static-site/README.md
index 5a0e9454..2cf7466e 100644
--- a/aws-single-page-static-site/README.md
+++ b/aws-single-page-static-site/README.md
@@ -45,13 +45,25 @@ module "site" {
 | aliases | Vanity aliases. Make sure your provided cert supports these. | list | `` | no |
 | aws\_acm\_cert\_arn | An AWS ACM cert. Note that Cloudfront requires certs to be in us-east-1. | string | n/a | yes |
 | aws\_route53\_zone\_id | A route53 zone ID used to write records. | string | n/a | yes |
+| bucket\_name | Name of the bucket to created. If not given, it will use the domain name. | string | `""` | no |
 | cloudfront\_price\_class | Cloudfront [price class](https://aws.amazon.com/cloudfront/pricing/). | string | `"PriceClass_100"` | no |
 | env | Env for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
 | index\_document\_path | The path to the index document of your site. | string | `"index.html"` | no |
 | minimum\_tls\_version | Minimum TLS version to accept. | string | `"TLSv1_2016"` | no |
 | owner | Owner for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
+| path\_pattern | The pattern (for example, images/*.jpg) that specifies which requests you want this cache behavior to apply to. | string | `"*"` | no |
 | project | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
 | service | Service for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes |
 | subdomain | The subdomain for this static site. | string | n/a | yes |
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| bucket\_name | |
+| bucket\_arn | |
+| cloudfront\_arn | |
+| cloudfront\_domain\_name | |
+| cloudfront\_hosted\_zone\_id | |
+
diff --git a/aws-single-page-static-site/main.tf b/aws-single-page-static-site/main.tf
index 9d2ec17c..2df9ebf6 100644
--- a/aws-single-page-static-site/main.tf
+++ b/aws-single-page-static-site/main.tf
@@ -9,7 +9,7 @@ locals {
 domain = "${replace(data.aws_route53_zone.zone.name, "/\\.$/", "")}"
 website_fqdn = "${var.subdomain}.${local.domain}"
- bucket_name = "${local.website_fqdn}"
+ bucket_name = "${var.bucket_name != "" ? var.bucket_name : local.website_fqdn}"
 aliases = [
 "${local.website_fqdn}",
@@ -54,8 +54,9 @@ resource "aws_s3_bucket" "bucket" {
 // Cloudfront needs this to compress assets
 // https://stackoverflow.com/questions/35590622/cloudfront-with-s3-website-as-origin-is-not-serving-gzipped-files
+ // Content-Type is also needed to allow CORS json requests
 cors_rule {
- allowed_headers = ["Authorization", "Content-Length"]
+ allowed_headers = ["Authorization", "Content-Length", "Content-Type"]
 allowed_methods = ["GET"]
 allowed_origins = ["*"]
 max_age_seconds = 3000
@@ -72,6 +73,15 @@ resource "aws_s3_bucket" "bucket" {
 tags = "${local.tags}"
 }
+resource "aws_s3_bucket_public_access_block" "bucket" {
+ bucket = "${aws_s3_bucket.bucket.id}"
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
 resource "aws_cloudfront_distribution" "s3_distribution" {
 origin {
 domain_name = "${aws_s3_bucket.bucket.bucket_domain_name}"
@@ -89,7 +99,7 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
 aliases = "${concat(var.aliases, local.aliases)}"
 default_cache_behavior {
- allowed_methods = ["GET", "HEAD"]
+ allowed_methods = ["GET", "HEAD", "OPTIONS"]
 cached_methods = ["GET", "HEAD"]
 target_origin_id = "${local.website_fqdn}"
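Review bot: The new comment on the cors_rule explains the Content-Type addition, but the preflight this is meant to enable is answered by S3 only if the relevant request headers reach it, and that depends on the CloudFront behaviors changed in the default_cache_behavior hunk below and the ordered_cache_behavior hunk in the next part of this file. The ordered behavior forwards only `Origin`; the default behavior's forwarded_values block is outside the hunk, so confirm it forwards at least `Origin` as well, and note that AWS's CORS guidance for CloudFront also lists Access-Control-Request-Method and Access-Control-Request-Headers when OPTIONS requests are to be served correctly. Since cached_methods stays `["GET", "HEAD"]`, every preflight is an uncached origin hit; a one-line comment saying that is deliberate would help, e.g. `// OPTIONS is passed through uncached; S3's cors_rule answers the preflight`.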
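Review bot: The new aws_s3_bucket_public_access_block turns on all four blocks, but the hunk does not show how CloudFront is granted read access to the bucket; the aws_s3_bucket resource's policy or acl arguments are outside the hunk and the "website-as-origin" link in the comment above suggests the bucket may historically have been public-read. If that is still the case, `block_public_policy = true` rejects the public policy on write and `restrict_public_buckets = true` / `ignore_public_acls = true` cut off anonymous reads, so the distribution would start returning 403s; if an origin access identity is in use this is the correct hardening. Either way a comment stating the assumption is worth adding, e.g. `// CloudFront must read via an OAI: public-read policies/ACLs on this bucket are rejected or ignored once this is applied`. If the bucket policy is managed by a separate resource, consider a `depends_on` so the access block and the policy are applied in a deterministic order.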
@@ -109,6 +119,29 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
 compress = true
 }
+ ordered_cache_behavior {
+ path_pattern = "${var.path_pattern}"
+ allowed_methods = ["GET", "HEAD", "OPTIONS"]
+ cached_methods = ["GET", "HEAD"]
+
+ target_origin_id = "${local.website_fqdn}"
+
+ forwarded_values {
+ query_string = true
+ headers = ["Origin"]
+
+ cookies {
+ forward = "none"
+ }
+ }
+
+ viewer_protocol_policy = "redirect-to-https"
+ min_ttl = 0
+ default_ttl = 3600
+ max_ttl = 86400
+ compress = true
+ }
+
 restrictions {
 geo_restriction {
 restriction_type = "none"
diff --git a/aws-single-page-static-site/outputs.tf b/aws-single-page-static-site/outputs.tf
index 1abba234..d0aff127 100755
--- a/aws-single-page-static-site/outputs.tf
+++ b/aws-single-page-static-site/outputs.tf
@@ -1,3 +1,15 @@
+output "bucket_name" {
+ value = local.bucket_name
+}
+
+output "bucket_arn" {
+ value = aws_s3_bucket.bucket.arn
+}
+
+output "cloudfront_arn" {
+ value = aws_cloudfront_distribution.s3_distribution.arn
+}
+
 output "cloudfront_domain_name" {
 value = aws_cloudfront_distribution.s3_distribution.domain_name
 }
diff --git a/aws-single-page-static-site/variables.tf b/aws-single-page-static-site/variables.tf
index 732c9491..45fd69cb 100755
--- a/aws-single-page-static-site/variables.tf
+++ b/aws-single-page-static-site/variables.tf
@@ -47,7 +47,7 @@ variable "cloudfront_price_class" {
 variable "minimum_tls_version" {
 type = "string"
- default = "TLSv1_2016"
+ default = "TLSv1.1_2016"
 description = "Minimum TLS version to accept."
 }
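Review bot: With the default `path_pattern = "*"` (from variables.tf) the new ordered_cache_behavior matches every request and therefore shadows default_cache_behavior entirely, so any setting that differs between the two blocks (the default behavior's forwarded_values and TTLs are outside the hunk) is silently superseded for the default configuration. Either narrow the default pattern or keep the two blocks identical, and say so in a comment, e.g. `# NOTE: with the default "*" pattern this block takes precedence over default_cache_behavior for all paths`. Separately, `query_string = true` forwards query strings to an S3 REST origin that ignores them, which only fragments the cache and multiplies origin hits under cache-busting traffic; unless the site relies on query-string variants, `query_string = false` is the safer default. The surrounding aws_cloudfront_distribution resource starts and ends outside the hunk.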
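Review bot: The three new outputs use bare expressions (`value = local.bucket_name`, `value = aws_s3_bucket.bucket.arn`), which is Terraform 0.12 syntax, while the rest of this change uses the 0.11 forms (`"${...}"` interpolation in main.tf, `type = "string"` in variables.tf); under 0.11 these output blocks do not parse, and the existing cloudfront_domain_name output below them does the same, so presumably the module already targets 0.12 — confirm and make the style consistent across the module. The outputs also carry no `description`, which is why the README's new Outputs table has an empty Description column; add one per output, e.g. `description = "Name of the S3 bucket backing the site."`.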
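Review bot: The default for minimum_tls_version changes to `"TLSv1.1_2016"` here, but the README row updated in the same commit still documents `"TLSv1_2016"`; the two should agree. Raising the floor from TLS 1.0 to 1.1 is a sound hardening step, and since CloudFront also offers a TLS 1.2 minimum policy (`TLSv1.2_2018`), it is worth recording in the description why 1.1 was chosen if older clients are a constraint, e.g. `description = "Minimum TLS version to accept (CloudFront security policy name)."`. The enclosing variable block is fully visible; no further change is needed for the bump itself.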
@@ -56,3 +56,15 @@ variable "aliases" {
 default = []
 description = "Vanity aliases. Make sure your provided cert supports these."
 }
+
+variable "bucket_name" {
+ type = "string"
+ description = "Name of the bucket to created. If not given, it will use the domain name."
+ default = ""
+}
+
+variable "path_pattern" {
+ type = "string"
+ description = "The pattern (for example, images/*.jpg) that specifies which requests you want this cache behavior to apply to."
+ default = "*"
+}
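Review bot: The bucket_name description has a typo ("to created") that is copied verbatim into the README table in this commit; suggest `description = "Name of the bucket to create. If not given, the website FQDN is used. Must be a globally unique, DNS-compliant S3 bucket name."`. Nothing validates the supplied name before it is used in the locals ternary in main.tf, so an invalid or already-taken name only fails at apply time; with the `type = "string"` style in use there is no validation block available, so the constraint belongs in the description. The path_pattern description is lifted from the CloudFront docs but does not mention that its default `"*"` makes the new ordered_cache_behavior override the default behavior for every path; a sentence to that effect would save the next reader a surprise.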