Setup Static Website on AWS S3 with Cloudfront, HTTPS and Route53

main.tf

provider "aws" {
  region  = "${var.region}"
  version = "1.10.0"
}

provider "aws" {
  region  = "us-east-1"
  alias   = "certificate-region"
  version = "1.10.0"
}

// Create website bucket
resource "aws_s3_bucket" "s3_bucket" {
  bucket = "${var.bucket_name}"
  acl    = "public-read"

  website {
    index_document = "index.html"
    error_document = "error.html"
  }

  force_destroy = true
}

// Create log bucket
resource "aws_s3_bucket" "s3_bucket_log" {
  bucket        = "${var.bucket_name}-logs"
  acl           = "private"
  force_destroy = true
}

// Set proper policies to access bucket
data "aws_iam_policy_document" "s3_bucket_policies" {
  statement {
    actions = [
      "s3:GetObject",
    ]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    resources = [
      "arn:aws:s3:::${var.bucket_name}/*",
    ]
  }
}

resource "aws_s3_bucket_policy" "s3_bucket_policy" {
  bucket = "${aws_s3_bucket.s3_bucket.id}"
  policy = "${data.aws_iam_policy_document.s3_bucket_policies.json}"
}

// Get certificate for Cloudfront from Certificate Manager
// We have to use us-east-1 region for custom Cludfront ceritificates.
// To be able to use it with Cloudfront from a different regions, a new
// provider must be used.
data "aws_acm_certificate" "s3_domain_certificate" {
  provider    = "aws.certificate-region"
  domain      = "${var.bucket_name}"
  most_recent = true
}

// Add Cloudfront for HTTPS
resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    domain_name = "${aws_s3_bucket.s3_bucket.bucket_domain_name}"
    origin_id   = "S3Origin-${var.bucket_name}"
  }

  price_class         = "PriceClass_200"
  enabled             = true
  is_ipv6_enabled     = false
  default_root_object = "index.html"

  aliases = ["${var.bucket_name}"]

  logging_config {
    include_cookies = false
    bucket          = "${aws_s3_bucket.s3_bucket_log.bucket_domain_name}"
  }

  default_cache_behavior {
    compress         = true
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "S3Origin-${var.bucket_name}"

    forwarded_values {
      query_string = false

      cookies {
        forward = "all"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn = "${data.aws_acm_certificate.s3_domain_certificate.arn}"
    ssl_support_method  = "sni-only"
  }
}

// Add route with alias to the bucket
resource "aws_route53_record" "s3_bucket_route" {
  zone_id = "${var.route53_zone_id}"
  name    = "${var.bucket_name}"
  type    = "A"

  alias {
    name                   = "${aws_cloudfront_distribution.s3_distribution.domain_name}"
    zone_id                = "${aws_cloudfront_distribution.s3_distribution.hosted_zone_id}"
    evaluate_target_health = true
  }
}

vars.tf

// Module main region
variable "region" {
  type = "string"
}

// ID of your Route53 zone
variable "route53_zone_id" {
  type = "string"
}

// Name of the S3 bucket that must have same name as the website address, e.g., mysite.example.com
variable "bucket_name" {
  type = "string"
}