#
# Route53
#
# Apex A record for the site, aliased to the CloudFront distribution.
resource "aws_route53_record" "example" {
  # The hosted zone is assumed to be declared elsewhere in the configuration.
  zone_id = aws_route53_zone.example.zone_id
  type    = "A"
  name    = "example.com"

  alias {
    # CloudFront alias targets use CloudFront's fixed hosted zone ID, which the
    # distribution resource exposes as hosted_zone_id.
    zone_id = aws_cloudfront_distribution.example.hosted_zone_id
    name    = aws_cloudfront_distribution.example.domain_name
    # Route 53 does not evaluate target health for CloudFront alias targets.
    evaluate_target_health = false
  }
}
#
# S3
#
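# Origin bucket for the static site. Nothing here grants access: the only
# reader is CloudFront, authorised through the bucket policy below (OAC), so
# the bucket itself stays private.
resource "aws_s3_bucket" "example" {
  bucket = "example.com"
}

# Defence in depth: the bucket's privacy currently rests on the bucket policy
# alone. Pin the public access block so an ACL or a public policy statement
# added later by mistake cannot expose the objects. The grant to the CloudFront
# service principal (scoped by aws:SourceArn) is not treated as "public" by
# S3, so it is unaffected.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}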
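# Bucket policy allowing CloudFront — and only this distribution — to read
# objects from the origin bucket.
data "aws_iam_policy_document" "example" {
  statement {
    effect = "Allow"

    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.example.arn}/*"]

    # With Origin Access Control, CloudFront signs origin requests as the
    # CloudFront service principal, so the grant goes to the service rather
    # than to a legacy Origin Access Identity user.
    # https://zenn.dev/kou_pg_0131/articles/tf-cloudfront-oac
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    # Without this condition any CloudFront distribution in any AWS account
    # could read the bucket (confused-deputy). Scope the grant to this
    # distribution's ARN.
    # Fixed: the original referenced aws_cloudfront_distribution.exampleg
    # (typo), a resource that does not exist, so the plan failed.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudfront_distribution.example.arn]
    }
  }
}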
# Attach the CloudFront-only read policy to the origin bucket.
resource "aws_s3_bucket_policy" "example" {
  policy = data.aws_iam_policy_document.example.json
  bucket = aws_s3_bucket.example.id
}
#
# CloudFront
#
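# CloudFront fronts the bucket so the site is served over HTTPS on the custom
# domain; viewers never reach the bucket directly (see the OAC below).
resource "aws_cloudfront_distribution" "example" {
  enabled             = true
  default_root_object = "index.html"

  # Alternate domain names are optional in general, but when a custom domain
  # is used they must be set, otherwise browsers get ERR_SSL_PROTOCOL_ERROR.
  # The entries must also be covered by the certificate below.
  # https://repost.aws/ja/knowledge-center/cloudfront-ssl-connection-errors
  aliases = ["example.com"]

  origin {
    # Regional bucket endpoint, as recommended for OAC-protected S3 origins.
    domain_name              = aws_s3_bucket.example.bucket_regional_domain_name
    origin_id                = aws_s3_bucket.example.id
    origin_access_control_id = aws_cloudfront_origin_access_control.example.id
  }

  default_cache_behavior {
    target_origin_id = aws_s3_bucket.example.id

    # Static site: read-only verbs only.
    allowed_methods = ["GET", "HEAD"]
    cached_methods  = ["GET", "HEAD"] # which of the allowed methods are cached

    # Plain-HTTP requests are redirected to HTTPS rather than served as-is.
    viewer_protocol_policy = "redirect-to-https"

    # Controls forwarding of cookies, headers and query parameters. Forward
    # nothing: they are meaningless for a static S3 origin and would only
    # fragment the cache.
    # NOTE(review): forwarded_values is the legacy configuration; the provider
    # steers new distributions towards cache_policy_id / origin_request_policy_id.
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    # All TTLs are 0, so CloudFront forwards every request to the origin.
    # Raise these once the deploy process invalidates on publish.
    min_ttl     = 0
    default_ttl = 0
    max_ttl     = 0
  }

  # Required by the provider; the resource fails validation without it.
  # "none" applies no geographic blocking.
  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # The certificate must be issued in us-east-1 to be usable by CloudFront.
    # Reference the validation resource rather than the certificate itself so
    # the distribution is only created once ACM has actually issued it;
    # attaching a pending certificate fails.
    acm_certificate_arn = aws_acm_certificate_validation.example_com.certificate_arn

    # SNI (name-based) TLS; dedicated IPs cost extra and are only needed for
    # clients without SNI support.
    # https://aws.amazon.com/jp/cloudfront/custom-ssl-domains/
    ssl_support_method = "sni-only"

    # Not set in the original, leaving the provider default, which still
    # admits older TLS versions. Require TLS 1.2 with modern ciphers.
    minimum_protocol_version = "TLSv1.2_2021"
  }
}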
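# Origin Access Control: CloudFront signs each origin request with SigV4 so the
# bucket policy can admit only this distribution's service principal.
# Fixed: the resource was named "exmple" (typo), but the distribution
# references aws_cloudfront_origin_access_control.example.
resource "aws_cloudfront_origin_access_control" "example" {
  name                              = "example"
  origin_access_control_origin_type = "s3"
  # "always": sign every origin request, even if the viewer request already
  # carried an Authorization header ("no-override" would pass that through).
  signing_behavior = "always"
  signing_protocol = "sigv4"
}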
#
# ACM
#
# Aliased aws provider pinned to us-east-1 (N. Virginia): CloudFront only
# accepts ACM certificates issued in that region, wherever the rest of the
# stack lives. A default (non-aliased) aws provider is assumed to be
# configured elsewhere.
provider "aws" {
  region = "us-east-1"
  alias  = "virginia"
}
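# Certificate for the site's apex domain, issued in us-east-1 for CloudFront.
# Fixed: the certificate, validation-record and validation resources were named
# "exmaple_com" and the domain was "exmaple.com" (typos), while the CloudFront
# distribution references aws_acm_certificate.example_com and serves the alias
# "example.com"; the record resource was also referenced as acm_exmaple_com but
# declared as acmexmaple_com. Everything below now uses example_com/example.com.
resource "aws_acm_certificate" "example_com" {
  # Unquoted reference: the quoted "aws.virginia" form is deprecated and
  # rejected by current Terraform releases.
  provider = aws.virginia

  domain_name       = "example.com"
  validation_method = "DNS"

  # A replacement certificate is issued and validated before the old one is
  # destroyed, so the distribution never points at a deleted certificate.
  lifecycle {
    create_before_destroy = true
  }
}

# DNS validation records: one per domain on the certificate (only the apex
# here, but the for_each also covers SANs if they are added later).
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation#dns-validation-with-route-53
resource "aws_route53_record" "acm_example_com" {
  for_each = {
    for dvo in aws_acm_certificate.example_com.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  # NOTE(review): the site's A record above uses aws_route53_zone.example; the
  # original used a differently-named zone here. Both must point at the zone
  # authoritative for example.com — confirm which name the zone is declared under.
  zone_id = aws_route53_zone.example.zone_id
  name    = each.value.name
  type    = each.value.type
  records = [each.value.record]
  ttl     = 60

  # Re-issuing the certificate yields the same validation record name; let
  # Terraform take the record over instead of failing because it exists.
  allow_overwrite = true
}

# Blocks until ACM has observed the DNS records and issued the certificate.
# Consumers (CloudFront) should reference this resource's certificate_arn so
# they are not created against a still-pending certificate.
resource "aws_acm_certificate_validation" "example_com" {
  provider = aws.virginia

  certificate_arn         = aws_acm_certificate.example_com.arn
  validation_record_fqdns = [for r in aws_route53_record.acm_example_com : r.fqdn]
}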