IaC for a static site deployed to S3 and CloudFront, with an ACM certificate and Route 53 DNS records configured. CD is set up with GitHub Actions to build the static Next.js site and push it to the S3 bucket.
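# Builds the Next.js static export and syncs ./out to the S3 bucket that
# CloudFront serves. Deploys only on pushes to main: the original also
# listed `pull_request`, which would have run the deploy for every PR
# (same-repo PRs receive repository secrets, so unreviewed branches
# could have been published).
name: Deploy to S3 upon push to main
on:
  push:
    branches:
      - main
# Least-privilege GITHUB_TOKEN: checkout only needs to read the repo.
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v1
        with:
          node-version: 16
      - run: npm install -g yarn
      # --frozen-lockfile fails instead of silently rewriting yarn.lock,
      # so the deployed build uses exactly the committed dependency set.
      - run: yarn install --frozen-lockfile
      - run: yarn s3Deploy
      # This step only configures credentials; the sync below is the deploy.
      # Static keys in secrets work, but configure-aws-credentials also
      # supports `role-to-assume` via GitHub's OIDC provider, which avoids
      # storing long-lived keys at all — worth migrating to.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      # Note: sync without --delete leaves stale objects from earlier
      # builds in the bucket; add --delete if that is unwanted.
      - name: Deploy to S3
        run: aws s3 sync ./out s3://s3.ctfries.dev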
# Version pins for the Terraform CLI and the AWS provider used below.
terraform {
  required_version = ">= 0.14.9"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.2"
    }
  }
}
# Bucket policy granting anonymous read of every object. Only s3:GetObject
# is granted, on object ARNs, so this policy does not permit listing the
# bucket. Because CloudFront fronts the bucket, a private bucket with an
# origin access control/identity would avoid exposing objects directly —
# consider that as a follow-up.
data "aws_iam_policy_document" "public_read" {
  statement {
    sid    = "PublicReadForGetBucketObjects"
    effect = "Allow"

    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${aws_s3_bucket.s3-ctfries-dev.bucket}/*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}
# Existing public hosted zone that receives the site's alias record.
data "aws_route53_zone" "primary" {
  private_zone = false
  name         = "ctfries.dev"
}
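# Looks up the issued wildcard certificate used as the CloudFront viewer
# certificate. CloudFront only accepts ACM certificates from us-east-1,
# which is the provider region configured in this file.
data "aws_acm_certificate" "ctfries-dev" {
  domain   = "*.ctfries.dev"
  statuses = ["ISSUED"]
  # A renewal or re-issue can leave more than one ISSUED certificate for
  # the same domain; without most_recent the data source fails on
  # multiple matches instead of picking the newest.
  most_recent = true
}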
# Provider configured from a local named CLI profile; us-east-1 is also
# the region CloudFront requires for the ACM certificate looked up above.
provider "aws" {
  region  = "us-east-1"
  profile = "ctfries"
}
# Bucket that holds the static export; the name matches the site hostname.
resource "aws_s3_bucket" "s3-ctfries-dev" {
  bucket = "s3.ctfries.dev"

  tags = {
    Environment = "production"
    Name        = "s3.ctfries.dev"
  }
}
# Attaches the anonymous-GetObject policy document to the site bucket.
resource "aws_s3_bucket_policy" "public_read" {
  policy = data.aws_iam_policy_document.public_read.json
  bucket = aws_s3_bucket.s3-ctfries-dev.id
}
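# Bucket ACL. The original used the "public-read" canned ACL, which grants
# the AllUsers group READ on the bucket itself — that is object listing,
# letting anyone enumerate every key. The bucket policy above already
# grants the anonymous s3:GetObject the site needs, so the ACL can stay
# private without affecting serving.
resource "aws_s3_bucket_acl" "s3-ctfries-dev" {
  bucket = aws_s3_bucket.s3-ctfries-dev.id
  acl    = "private"
}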
# Static-website settings for the bucket. Note the CloudFront origin below
# uses the bucket's regional (REST) endpoint, not the website endpoint, so
# these index/error documents only apply to requests that reach the S3
# website endpoint directly.
resource "aws_s3_bucket_website_configuration" "bucket-config" {
  bucket = aws_s3_bucket.s3-ctfries-dev.bucket

  error_document {
    key = "404.html"
  }

  index_document {
    suffix = "index.html"
  }
}
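# CloudFront distribution serving the bucket over HTTPS at s3.ctfries.dev.
# The origin is the bucket's REST endpoint and relies on the bucket being
# publicly readable; an origin access control/identity with a private
# bucket would be the tighter setup and is left as a follow-up.
resource "aws_cloudfront_distribution" "s3_distribution" {
  enabled         = true
  is_ipv6_enabled = true
  # Applies to the root URL only; CloudFront does not rewrite
  # subdirectory requests to index.html on a REST origin.
  default_root_object = "index.html"
  aliases             = ["s3.ctfries.dev"]
  price_class         = "PriceClass_All"

  origin {
    domain_name = aws_s3_bucket.s3-ctfries-dev.bucket_regional_domain_name
    origin_id   = "s3.ctfries.dev"
  }

  # Read-only methods; query strings and cookies are not forwarded to S3,
  # which maximizes cache hits for a static export. forwarded_values is the
  # legacy configuration style; cache policies are the current equivalent.
  default_cache_behavior {
    allowed_methods  = ["HEAD", "GET"]
    cached_methods   = ["HEAD", "GET"]
    target_origin_id = "s3.ctfries.dev"

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA", "GB", "DE"]
    }
  }

  viewer_certificate {
    acm_certificate_arn = data.aws_acm_certificate.ctfries-dev.arn
    ssl_support_method  = "sni-only"
    # Without this the provider default allows TLS 1.0/1.1 viewers;
    # pin to the current TLS 1.2 security policy.
    minimum_protocol_version = "TLSv1.2_2021"
  }

  tags = {
    Environment = "production"
  }
}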
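# Alias A record pointing s3.ctfries.dev at the CloudFront distribution.
# Because the distribution has is_ipv6_enabled = true, a matching AAAA
# alias record with the same alias block is needed for IPv6 clients to
# resolve the site; it is not created here.
resource "aws_route53_record" "s3-ctfries-dev" {
  zone_id = data.aws_route53_zone.primary.zone_id
  name    = "s3.ctfries.dev"
  type    = "A"

  alias {
    name    = aws_cloudfront_distribution.s3_distribution.domain_name
    zone_id = aws_cloudfront_distribution.s3_distribution.hosted_zone_id
    # Route 53 does not support health evaluation for CloudFront alias
    # targets; the original's `true` is rejected for this target type.
    evaluate_target_health = false
  }
}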