#
# Route53
#
# Alias A record that points the apex domain at the CloudFront distribution.
# The hosted zone is assumed to be declared elsewhere as aws_route53_zone.example.
resource "aws_route53_record" "example" {
  zone_id = aws_route53_zone.example.zone_id
  name    = "example.com"
  type    = "A"

  # Alias target: the zone_id here is CloudFront's own hosted zone id, exposed by
  # the distribution, not the zone that holds this record.
  alias {
    name                   = aws_cloudfront_distribution.example.domain_name
    zone_id                = aws_cloudfront_distribution.example.hosted_zone_id
    evaluate_target_health = false # Route53 cannot health-check CloudFront aliases
  }
}
#
# S3
#
# Origin bucket for the static site. Nothing here makes the bucket public; object
# reads are granted to CloudFront only, through the bucket policy below.
# NOTE(review): an aws_s3_bucket_public_access_block for this bucket would make
# the Origin Access Control path the only way to reach the objects.
resource "aws_s3_bucket" "example" {
  bucket = "example.com"
}
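# Bucket policy document: allow the CloudFront service principal to read objects,
# but only on behalf of this one distribution.
data "aws_iam_policy_document" "example" {
  statement {
    effect  = "Allow"
    actions = ["s3:GetObject"]

    # Grant to the CloudFront service principal (Origin Access Control model)
    # rather than to a legacy Origin Access Identity.
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    # Permission required when Origin Access Control is used: scope the service
    # principal to this distribution's ARN so no other distribution (in any
    # account) can read the bucket through cloudfront.amazonaws.com.
    # https://zenn.dev/kou_pg_0131/articles/tf-cloudfront-oac
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      # Fixed: previously referenced aws_cloudfront_distribution.exampleg, which is
      # not declared anywhere; the distribution is labelled "example".
      values = [aws_cloudfront_distribution.example.arn]
    }

    resources = ["${aws_s3_bucket.example.arn}/*"]
  }
}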
# Attach the CloudFront-only read policy above to the origin bucket.
resource "aws_s3_bucket_policy" "example" {
  bucket = aws_s3_bucket.example.id
  policy = data.aws_iam_policy_document.example.json
}
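#
# CloudFront
#
# CloudFront sits in front of the bucket so the site is served over HTTPS.
resource "aws_cloudfront_distribution" "example" {
  origin {
    # The origin is addressed by the bucket's regional domain name (not the
    # S3 website endpoint, which would not work with Origin Access Control).
    domain_name              = aws_s3_bucket.example.bucket_regional_domain_name
    origin_id                = aws_s3_bucket.example.id
    origin_access_control_id = aws_cloudfront_origin_access_control.example.id
  }

  # Alternate domain names are optional, but when a custom domain is used the
  # browser gets ERR_SSL_PROTOCOL_ERROR unless the domain is listed here.
  # https://repost.aws/ja/knowledge-center/cloudfront-ssl-connection-errors
  aliases = ["example.com"]

  enabled             = true
  default_root_object = "index.html"

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"] # which of the allowed methods are cached
    target_origin_id = aws_s3_bucket.example.id

    # Controls forwarding of cookies, headers and query strings to the origin.
    # NOTE(review): forwarded_values is the legacy mechanism; a cache_policy_id
    # is the current recommendation but needs an extra policy resource/data source.
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https" # plain HTTP is redirected to HTTPS

    # All TTLs are zero: every request is revalidated against the origin.
    min_ttl     = 0
    default_ttl = 0
    max_ttl     = 0
  }

  # Fixed: the restrictions block is mandatory for this resource and was missing,
  # which fails validation. "none" applies no geographic restriction.
  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # A certificate used by CloudFront must be issued in us-east-1 (see the
    # "virginia" provider alias used by the ACM resources).
    # NOTE(review): referencing aws_acm_certificate_validation's certificate_arn
    # instead would make the distribution wait until the certificate is issued.
    acm_certificate_arn = aws_acm_certificate.example_com.arn
    # Use SNI (name-based) TLS.
    # https://aws.amazon.com/jp/cloudfront/custom-ssl-domains/
    ssl_support_method = "sni-only"
    # Without an explicit value the provider's default security policy still
    # admits TLSv1; require TLS 1.2 with the current cipher set.
    minimum_protocol_version = "TLSv1.2_2021"
  }
}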
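# Origin Access Control: CloudFront signs its requests to S3 with SigV4, so the
# bucket never needs to be public. Fixed: the label was "exmple", which left the
# distribution's reference (aws_cloudfront_origin_access_control.example) dangling.
resource "aws_cloudfront_origin_access_control" "example" {
  name                              = "example"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always" # sign every origin request
  signing_protocol                  = "sigv4"
}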
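#
# ACM
#
# CloudFront only accepts certificates from us-east-1, so a second provider
# configuration aliased "virginia" is used for everything ACM-related below.
provider "aws" {
  alias  = "virginia"
  region = "us-east-1"
}

# Public certificate for the apex domain, validated through DNS records in Route53.
# Fixed: the label, the domain name and the references were misspelled "exmaple";
# domain_name must cover the distribution's alias ("example.com"), otherwise
# CloudFront rejects the certificate, and the distribution already references
# aws_acm_certificate.example_com.
resource "aws_acm_certificate" "example_com" {
  provider          = aws.virginia # provider references are bare, not quoted strings
  domain_name       = "example.com"
  validation_method = "DNS"

  # Create the replacement before destroying the old one so the distribution is
  # never left without a certificate.
  lifecycle {
    create_before_destroy = true
  }
}

# DNS validation records (one per domain) that ACM checks before issuing.
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation#dns-validation-with-route-53
resource "aws_route53_record" "acm_example_com" {
  for_each = {
    for dvo in aws_acm_certificate.example_com.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  # The validation record for example.com belongs in the same hosted zone as the
  # site's A record (aws_route53_zone.example, declared elsewhere); the original
  # referenced a zone labelled "exmaple_com" that is not declared in this file.
  # Confirm the zone's label where it is defined.
  zone_id         = aws_route53_zone.example.zone_id
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
  allow_overwrite = true
}

# Waits until ACM has verified the records above. Its certificate_arn output is
# the safe thing for consumers to depend on, since it is only known once the
# certificate is actually issued.
resource "aws_acm_certificate_validation" "example_com" {
  provider                = aws.virginia
  certificate_arn         = aws_acm_certificate.example_com.arn
  validation_record_fqdns = [for r in aws_route53_record.acm_example_com : r.fqdn]
}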