# Single origin identifier shared by the origin block and the default cache
# behavior so the two cannot drift apart.
locals {
  s3_origin_id = format("S3-origin-%s", local.bucket_name)
}
  
# Origin Access Control for the private S3 origin. CloudFront signs each origin
# request with SigV4; "always" means the signature is applied even when the
# viewer request carried its own Authorization header. The bucket policy (not
# in this file) must grant s3:GetObject to the cloudfront.amazonaws.com service
# principal, conditioned on this distribution's ARN, for the origin to be readable.
resource "aws_cloudfront_origin_access_control" "oac" {
  origin_access_control_origin_type = "s3"
  signing_protocol                  = "sigv4"
  signing_behavior                  = "always"

  name        = format("%s-oac", local.bucket_name)
  description = "OAC"
}
  
# AWS-managed cache policy looked up by name rather than hard-coding its ID.
data "aws_cloudfront_cache_policy" "s3_distribution" {
  name = "Managed-CachingOptimized"
}
  
# AWS-managed origin request policy intended for S3 origins serving CORS
# requests; it controls which viewer headers are forwarded to the bucket.
data "aws_cloudfront_origin_request_policy" "s3_distribution" {
  name = "Managed-CORS-S3Origin"
}
  
# AWS-managed response headers policy. NOTE(review): this policy only emits
# permissive CORS headers and adds no browser security headers (HSTS,
# X-Content-Type-Options, frame-ancestors controls); if those are wanted,
# a managed variant such as "Managed-CORS-with-preflight-and-SecurityHeadersPolicy"
# or a custom aws_cloudfront_response_headers_policy would be the place to set them.
data "aws_cloudfront_response_headers_policy" "s3_distribution" {
  name = "Managed-CORS-With-Preflight"

}
  
# CloudFront distribution fronting a private S3 bucket through OAC. Viewers are
# forced onto HTTPS; only read methods reach the origin.
resource "aws_cloudfront_distribution" "s3_distribution" {
  # Redundant: the origin's domain_name already creates an implicit dependency
  # on aws_s3_bucket.bucket. Kept as an explicit reminder of the ordering.
  depends_on = [aws_s3_bucket.bucket]

  origin {
    # Regional REST endpoint of the bucket (not the static-website endpoint);
    # this is the endpoint OAC-signed requests are sent to.
    domain_name              = aws_s3_bucket.bucket.bucket_regional_domain_name
    origin_access_control_id = aws_cloudfront_origin_access_control.oac.id
    origin_id                = local.s3_origin_id
  }

  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"

  # No custom domain yet: the distribution is reachable only on its *.cloudfront.net name.
  # aliases = [local.app_domain_2]

  default_cache_behavior {
    # Read-only surface: no PUT/POST/DELETE can be relayed to the bucket.
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = local.s3_origin_id

    # Plain-HTTP viewers get a 301 to HTTPS; HTTPS is never downgraded.
    viewer_protocol_policy     = "redirect-to-https"
    cache_policy_id            = data.aws_cloudfront_cache_policy.s3_distribution.id
    origin_request_policy_id   = data.aws_cloudfront_origin_request_policy.s3_distribution.id
    response_headers_policy_id = data.aws_cloudfront_response_headers_policy.s3_distribution.id
  }

  price_class = var.price_class
  # Default *.cloudfront.net certificate. NOTE(review): with the default
  # certificate the minimum viewer TLS version is fixed by AWS and cannot be
  # raised here; a custom certificate (below) is what allows enforcing TLS 1.2+.
  viewer_certificate {
    cloudfront_default_certificate = true
  }

  # TODO: Once we use in production, create certs etc, we can use this
  # NOTE(review): when this is enabled, prefer minimum_protocol_version =
  # "TLSv1.2_2021" — "TLSv1" still permits TLS 1.0 and 1.1 viewer connections.
  # viewer_certificate {
  #   acm_certificate_arn      = aws_acm_certificate.cert.arn
  #   ssl_support_method       = "sni-only"
  #   minimum_protocol_version = "TLSv1"
  # }

  # Exactly one geo_restriction block is required by the provider. The two
  # dynamic blocks are mutually exclusive on restriction_type, so the variable
  # is expected to yield a single entry; zero entries, or a mix of "none" and
  # whitelist/blacklist entries, would fail at plan time.
  restrictions {
    dynamic "geo_restriction" {
      for_each = [for k, v in var.cloudfront_geo_restrictions : v if v.restriction_type == "none"]
      content {
        # "none" ignores any locations list carried by the variable.
        restriction_type = "none"
      }
    }

    dynamic "geo_restriction" {
      for_each = [for k, v in var.cloudfront_geo_restrictions : v if v.restriction_type != "none"]
      content {
        restriction_type = geo_restriction.value.restriction_type
        locations        = geo_restriction.value.locations
      }
    }
  }

  # One custom_error_response per entry in the variable, e.g. to map S3 403/404
  # responses onto an application error page instead of exposing raw S3 errors.
  dynamic "custom_error_response" {
    for_each = [for key, val in var.cloudfront_custom_error_response : val]

    content {
      error_code            = custom_error_response.value.error_code
      response_code         = custom_error_response.value.response_code
      error_caching_min_ttl = custom_error_response.value.error_caching_min_ttl
      response_page_path    = custom_error_response.value.response_page_path
    }
  }

  # apply returns as soon as the API accepts the change, while the distribution
  # is still "InProgress"; anything that relies on the new config being live
  # at the edge must wait separately.
  wait_for_deployment = false
}