Terraform script to set up the AWS infrastructure (private S3 bucket + CloudFront distribution with Origin Access Control, plus a separate access-log bucket) required to host a Hugo website
# Provider pin: "~> 4.60.0" allows 4.60.x patch releases only (>= 4.60.0, < 4.61.0).
# The split S3 resources used below (aws_s3_bucket_acl, _versioning, ...) and
# aws_cloudfront_origin_access_control are the provider 4.x layout; moving to
# 5.x needs a review of the S3 resources.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.60.0"
    }
  }
}
# Deployment region placeholder (replace "xx-xxxx-x" with e.g. "eu-west-1").
# The ACM certificate referenced by the CloudFront distribution below is in
# us-east-1 independently of this region: CloudFront only accepts
# certificates issued in us-east-1.
provider "aws" {
  region = "xx-xxxx-x"
}
# Bucket holding the generated Hugo site. It is never exposed directly: public
# access is blocked below and CloudFront reads it through an Origin Access
# Control. Bucket names are global, so "example-website" must be replaced with
# a name that is not already taken.
resource "aws_s3_bucket" "example-website-s3" {
  bucket = "example-website"
}
# Canned "private" ACL on the website bucket. This is the default ACL, so the
# resource is effectively a no-op; access to the bucket is governed by the
# public access block and the CloudFront bucket policy further down.
# NOTE(review): buckets created since April 2023 default to Object Ownership
# "BucketOwnerEnforced" (ACLs disabled); the "private" canned ACL is still
# accepted in that mode, but any other ACL would need an
# aws_s3_bucket_ownership_controls resource first.
resource "aws_s3_bucket_acl" "example-website-s3-acl" {
  bucket = aws_s3_bucket.example-website-s3.id
  acl    = "private"
}
# Keep previous object versions so an accidental or malicious overwrite of the
# site can be rolled back. Retention of old versions is bounded by the
# lifecycle rule below.
resource "aws_s3_bucket_versioning" "example-website-s3-versioning" {
  bucket = aws_s3_bucket.example-website-s3.id
  versioning_configuration {
    status = "Enabled"
  }
}
# Expire non-current object versions 30 days after they were superseded, while
# always keeping the single most recent non-current version
# (newer_noncurrent_versions = 1) so a rollback target survives the window.
# NOTE(review): the rule has neither a filter nor a prefix; on provider 4.x the
# documented way to say "applies to every object" is an explicit `filter {}` —
# worth adding to avoid perpetual plan diffs.
resource "aws_s3_bucket_lifecycle_configuration" "example-website-s3-lifecycle" {
  bucket = aws_s3_bucket.example-website-s3.id
  rule {
    id     = "keep-versions-30-days"
    status = "Enabled"
    noncurrent_version_expiration {
      noncurrent_days           = 30
      newer_noncurrent_versions = 1
    }
  }
}
# Block every form of public exposure for the website bucket: new public ACLs
# and public bucket policies are rejected, existing public ACLs are ignored,
# and cross-account/anonymous access through a public policy is refused.
# The only reader of this bucket is CloudFront (see the bucket policy below).
resource "aws_s3_bucket_public_access_block" "example-website-s3-access" {
  bucket = aws_s3_bucket.example-website-s3.id

  restrict_public_buckets = true
  ignore_public_acls      = true
  block_public_policy     = true
  block_public_acls       = true
}
# Default encryption at rest with S3-managed keys (SSE-S3). This is the
# simplest option that does not require a KMS key policy granting the
# CloudFront OAC decrypt rights.
# NOTE(review): bucket_key_enabled only has an effect with SSE-KMS
# (sse_algorithm = "aws:kms"); with "AES256" it is accepted but a no-op.
resource "aws_s3_bucket_server_side_encryption_configuration" "example-website-s3-encryption" {
  bucket = aws_s3_bucket.example-website-s3.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
    bucket_key_enabled = true
  }
}
# Destination bucket for CloudFront standard access logs (see logging_config on
# the distribution). Access logs contain viewer IP addresses and request URLs,
# so the bucket is kept private and encrypted like the website bucket.
# NOTE(review): no lifecycle rule expires the logs, so they accumulate
# indefinitely; a retention rule (e.g. expire after N days) is usually wanted
# both for cost and for data-minimisation reasons.
resource "aws_s3_bucket" "example-website-logs-s3" {
  bucket = "example-website-logs"
}
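# CloudFront standard logging writes to the bucket through the S3 LogDelivery
# group, i.e. it needs ACLs. Since April 2023 new buckets default to Object
# Ownership "BucketOwnerEnforced", under which ACLs are disabled and a
# "log-delivery-write" ACL fails with AccessControlListNotSupported. Switch the
# logs bucket to "BucketOwnerPreferred" first (ACLs enabled, bucket owner still
# owns the delivered objects) and make the ACL depend on it so the two are
# applied in the right order.
resource "aws_s3_bucket_ownership_controls" "example-website-logs-s3-ownership" {
  bucket = aws_s3_bucket.example-website-logs-s3.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# Grant the S3 LogDelivery group write access for the CloudFront access logs.
# (Resource name kept as-is — "logs-3" is a typo for "logs-s3" — so existing
# state is not affected.)
resource "aws_s3_bucket_acl" "example-website-logs-3-acl" {
  depends_on = [aws_s3_bucket_ownership_controls.example-website-logs-s3-ownership]

  bucket = aws_s3_bucket.example-website-logs-s3.id
  acl    = "log-delivery-write"
}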
# The access-log bucket must never be public: it holds viewer IP addresses and
# request paths. Refuse public ACLs and policies, ignore any that slip through,
# and restrict the bucket to the account.
resource "aws_s3_bucket_public_access_block" "example-website-s3-logs-access" {
  bucket = aws_s3_bucket.example-website-logs-s3.id

  restrict_public_buckets = true
  ignore_public_acls      = true
  block_public_policy     = true
  block_public_acls       = true
}
# Encrypt delivered access logs at rest with SSE-S3. SSE-S3 (rather than
# SSE-KMS) is the safe default here: CloudFront standard logging writes via
# the LogDelivery group, which would otherwise need KMS key permissions.
# NOTE(review): bucket_key_enabled is a no-op with "AES256"; it only matters
# for SSE-KMS.
resource "aws_s3_bucket_server_side_encryption_configuration" "example-website-logs-s3-encryption" {
  bucket = aws_s3_bucket.example-website-logs-s3.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
    bucket_key_enabled = true
  }
}
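# CloudFront distribution fronting the private website bucket. Viewers can only
# reach the bucket through this distribution: the origin is signed with an
# Origin Access Control and the bucket policy (below) only trusts this
# distribution's ARN.
resource "aws_cloudfront_distribution" "example-website-cloudfront" {
  enabled         = true
  is_ipv6_enabled = true
  aliases         = ["www.example.com", "example.com"]

  default_cache_behavior {
    # Static site: only read methods are accepted; anything else is rejected at
    # the edge and never reaches S3.
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = aws_s3_bucket.example-website-s3.bucket_regional_domain_name
    viewer_protocol_policy = "redirect-to-https"
    compress               = true
    cache_policy_id        = data.aws_cloudfront_cache_policy.example-website-cloudfront-cache.id

    # Add the AWS-managed security headers (Strict-Transport-Security,
    # X-Content-Type-Options, X-Frame-Options, X-XSS-Protection,
    # Referrer-Policy) to every response; S3 origins send none of them.
    response_headers_policy_id = data.aws_cloudfront_response_headers_policy.example-website-cloudfront-headers.id

    # Viewer-request function; its code lives in cloudfront-add-index-to-url.js
    # (not shown here). Presumably it maps directory URLs to .../index.html,
    # which an S3 REST origin does not do on its own — verify against the
    # script if a default_root_object is also needed for "/".
    function_association {
      event_type   = "viewer-request"
      function_arn = aws_cloudfront_function.cloudfront-add-index-to-url.arn
    }
  }

  # S3 REST origin (regional endpoint) accessed with SigV4-signed requests via
  # the OAC, so no public bucket access is needed.
  origin {
    domain_name              = aws_s3_bucket.example-website-s3.bucket_regional_domain_name
    origin_id                = aws_s3_bucket.example-website-s3.bucket_regional_domain_name
    origin_access_control_id = aws_cloudfront_origin_access_control.example-website-cloudfront-origin-ac.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # The distribution serves custom aliases, so it must present the ACM
  # certificate (issued in us-east-1) with SNI and a modern TLS floor.
  # cloudfront_default_certificate must NOT be set alongside acm_certificate_arn:
  # the two are mutually exclusive, and the default certificate only covers
  # *.cloudfront.net, not the aliases above.
  viewer_certificate {
    acm_certificate_arn      = "arn:aws:acm:us-east-1:xxxxxxxxxxxx:certificate/xxxxxx-xxxx-xxxx-xxxx-xxxxxx"
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }

  # Standard (legacy) access logs, delivered through the S3 LogDelivery group —
  # which is why the logs bucket has a "log-delivery-write" ACL. Note that
  # bucket_domain_name (not the regional name) is required here.
  logging_config {
    bucket = aws_s3_bucket.example-website-logs-s3.bucket_domain_name
    prefix = "logs"
  }
}

# AWS-managed response headers policy attached to the default cache behavior.
data "aws_cloudfront_response_headers_policy" "example-website-cloudfront-headers" {
  name = "Managed-SecurityHeadersPolicy"
}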
# AWS-managed cache policy for static content: long TTLs, no query strings,
# cookies or headers forwarded to the origin. Suitable for a Hugo site where
# every response is the same for every viewer.
data "aws_cloudfront_cache_policy" "example-website-cloudfront-cache" {
  name = "Managed-CachingOptimized"
}
# CloudFront Function attached to the viewer-request event of the distribution.
# The JavaScript source is read from cloudfront-add-index-to-url.js next to this
# file (contents not part of this gist). `publish` is left at its default, so
# the function is published to LIVE on apply.
# NOTE(review): runtime "cloudfront-js-1.0" is the original runtime; the newer
# "cloudfront-js-2.0" exists but is not required for this use.
resource "aws_cloudfront_function" "cloudfront-add-index-to-url" {
  code    = file("${path.module}/cloudfront-add-index-to-url.js")
  name    = "cloudfront-add-index-to-url"
  runtime = "cloudfront-js-1.0"
}
# Origin Access Control: CloudFront signs every origin request with SigV4
# (signing_behavior = "always") so S3 can authenticate the distribution. This
# is the successor to the legacy Origin Access Identity and is what the bucket
# policy's cloudfront.amazonaws.com principal + aws:SourceArn condition relies on.
resource "aws_cloudfront_origin_access_control" "example-website-cloudfront-origin-ac" {
  name                              = aws_s3_bucket.example-website-s3.bucket_regional_domain_name
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}
# Attach the CloudFront-only read policy to the website bucket. Because the
# public access block sets block_public_policy, this policy must not grant
# public access — it does not: it is scoped to the CloudFront service principal
# acting for one specific distribution.
resource "aws_s3_bucket_policy" "example-website-s3-policy" {
  bucket = aws_s3_bucket.example-website-s3.id
  policy = data.aws_iam_policy_document.example-website-cloudfront-policy.json
}
# Bucket policy document: let the CloudFront service principal GetObject on
# the website bucket, but only on behalf of this distribution (aws:SourceArn).
# Without the condition any CloudFront distribution in any account could be
# pointed at the bucket (a "confused deputy" path).
data "aws_iam_policy_document" "example-website-cloudfront-policy" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.example-website-s3.arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudfront_distribution.example-website-cloudfront.arn]
    }
  }
}