pbs/terraform-aws-static-website-module

PBS TF Static Website Module

Installation

Using the Repo Source

Use this URL for the source of the module. See the usage examples below for more details.

github.com/pbs/terraform-aws-static-website-module?ref=6.0.17

Alternative Installation Methods

More information on these and other installation methods can be found in the documentation here.

Usage

This module provisions an S3 bucket fronted by CloudFront to serve static content.

Integrate this module like so:

module "static_website" {
  source = "github.com/pbs/terraform-aws-static-website-module?ref=6.0.17"

  # Required Parameters
  # Listed as required in the Inputs table below
  primary_hosted_zone = var.primary_hosted_zone

  # Tagging Parameters
  organization = var.organization
  environment  = var.environment
  product      = var.product
  repo         = var.repo

  # Optional Parameters
}

Adding This Version of the Module

If this repo is added as a subtree, then the version of the module should be close to the version shown here:

6.0.17

Note, however, that subtrees can be altered as desired within repositories.

Further documentation on usage can be found here.

The documentation below is automatically generated for this Terraform module using terraform-docs.


Requirements

Name Version
terraform >= 1.3.2
aws >= 4.27.0

Providers

No providers.

Modules

Name Source Version
cloudfront github.com/pbs/terraform-aws-cloudfront-module 3.1.17
s3 github.com/pbs/terraform-aws-s3-module 4.0.11
s3_policy github.com/pbs/terraform-aws-s3-bucket-policy-module 1.0.21

Resources

No resources.

Inputs

Name Description Type Default Required
environment Environment (sharedtools, dev, staging, qa, prod) string n/a yes
organization Organization using this module. Used to prefix tags so that they are easily identified as being from your organization string n/a yes
primary_hosted_zone Name of the primary hosted zone for DNS. e.g. primary_hosted_zone = example.org --> service.example.org. string n/a yes
product Tag used to group resources according to product string n/a yes
repo Tag used to point to the repo using this module string n/a yes
acl ACL configuration for the bucket. If an ACL is not provided, the bucket will be created with ACLs disabled
object({
canned_acl = optional(string)
expected_bucket_owner = optional(string)
access_control_policy = optional(object({
grants = set(object({
grantee = object({
type = string
email_address = optional(string)
id = optional(string)
uri = optional(string)
})
permission = string
}))
owner = object({
id = string
display_name = optional(string)
})
}))
})
null no
acm_arn (optional) ARN for the ACM cert used for the CloudFront distribution string null no
additional_origin_configurations Additional origin configurations to merge into default configuration. Useful for setting origin shield configurations any {} no
aliases (optional) CNAME(s) that are allowed to be used for this cdn. Default is product.primary_hosted_zone. e.g. [service.example.com] --> [service.example.com] list(string) null no
allow_anonymous_vpce_access Create bucket policy that allows anonymous VPCE access. bool false no
block_public_acls Whether Amazon S3 should block public ACLs for this bucket. bool true no
block_public_policy Whether Amazon S3 should block public bucket policies for this bucket. bool true no
bucket_name Name to use for the bucket. If null, will default to product. string null no
cloudfront_default_certificate (optional) use cloudfront default ssl certificate bool false no
cnames (optional) CNAME(s) that are going to be created for this cdn in the primary_hosted_zone. This can be set to [] to avoid creating a CNAME for the app. This can be useful for CDNs. Default is product. e.g. [service] --> [example.example.com] list(string) null no
comment (optional) comment for the CDN string null no
compress (optional) gzip compress response bool true no
cors_rules CORS Rules
set(object({
allowed_headers = list(string),
allowed_methods = list(string),
allowed_origins = list(string),
expose_headers = list(string),
max_age_seconds = number
}))
[] no
create_cname (optional) create CNAME(s) that point to CloudFront distribution bool true no
custom_error_response (optional) set of one or more custom error response elements list(any) [] no
default_behavior_allowed_methods (optional) default behavior allowed methods list(string)
[
"GET",
"HEAD"
]
no
default_behavior_cached_methods (optional) default behavior cached methods list(string)
[
"GET",
"HEAD"
]
no
default_behavior_function_association (optional) default behavior function association
object({
event_type = string
function_arn = string
})
null no
default_behavior_lambda_function_association (optional) default behavior lambda function association
object({
event_type = string
lambda_arn = string
include_body = optional(bool)
})
null no
default_cache_policy_id (optional) policy id for the cache policy of the default cache behavior. If null, a lookup on default_cache_policy_name will be attempted. string null no
default_cache_policy_name (optional) policy name for the cache policy of the default cache behavior string "Managed-CachingDisabled" no
default_origin_id (optional) default origin origin id string null no
default_origin_request_policy_id (optional) policy id for the origin request policy of the default cache behavior. If null, a lookup on default_origin_request_policy_name will be attempted. string null no
default_origin_request_policy_name (optional) policy name for the origin request policy of the default cache behavior string null no
default_response_headers_policy_id (optional) policy id for the response headers policy of the default cache behavior. If null, a lookup on default_response_headers_policy_name will be attempted. string null no
default_response_headers_policy_name (optional) policy name for the response headers policy of the default cache behavior string null no
default_root_object (optional) default root object to be served from cdn. For your security, it is recommended to set this to a non-null value for static websites. This prevents listing the contents of the S3 bucket used as the default origin of the CloudFront distribution. string "index.html" no
dns_evaluate_target_health (optional) evaluate health of endpoints by querying DNS records bool false no
enabled (optional) enable cloudfront bool true no
force_destroy Allow destruction of an S3 bucket without clearing out the contents first bool false no
force_tls Deny HTTP requests that are made to the bucket without TLS. bool true no
http_version (optional) The maximum HTTP version to support on the distribution. Allowed values are http1.1, http2, http2and3 and http3. string "http2and3" no
ignore_public_acls Whether Amazon S3 should ignore public ACLs for this bucket. bool true no
inventory_config Inventory configuration
object({
enabled = optional(bool, true)

included_object_versions = optional(string, "All")
destination = object({
bucket = object({
name = string
format = optional(string, "Parquet")
prefix = optional(string)
account_id = optional(string)
})
})
filter = optional(object({
prefix = string
}))
schedule = optional(object({
frequency = string
}), {
frequency = "Daily"
})
optional_fields = optional(list(string), [
"Size",
"LastModifiedDate",
"StorageClass",
"IntelligentTieringAccessTier",
])
})
null no
is_ipv6_enabled (optional) enable ipv6 bool true no
is_versioned Is versioning enabled? bool true no
lifecycle_rules List of maps containing configuration of object lifecycle management.
list(object({
id = string
enabled = optional(bool, true)
filter = optional(object({
and = optional(list(object({
object_size_greater_than = optional(number)
object_size_less_than = optional(number)
prefix = optional(string)
tags = optional(map(string))
})))
object_size_greater_than = optional(number)
object_size_less_than = optional(number)
prefix = optional(string)
tag = optional(object({
key = string
value = string
}))
}))
abort_incomplete_multipart_upload_days = optional(number)
expiration = optional(object({
date = optional(string)
days = optional(number)
expired_object_delete_marker = optional(bool)
}))
noncurrent_version_expiration = optional(object({
days = optional(number)
}))
noncurrent_version_transition = optional(list(object({
days = optional(number)
storage_class = optional(string)
})), [])
transition = optional(list(object({
date = optional(string)
days = optional(number)
storage_class = string
})), [])
}))
[
{
"abort_incomplete_multipart_upload_days": 7,
"enabled": true,
"id": "default-lifecycle-rule",
"noncurrent_version_transition": [
{
"days": 30,
"storage_class": "GLACIER"
}
],
"transition": [
{
"days": 7,
"storage_class": "INTELLIGENT_TIERING"
}
]
}
]
no
logging_config (optional) logging configuration that controls how logs are written to your distribution (maximum one) list(any) [] no
minimum_protocol_version (optional) tls minimum protocol version string "TLSv1.2_2021" no
name Name to use for the static site. If null, will default to product. string null no
ordered_cache_behavior (optional) an ordered list of cache behaviors resource for this distribution
list(object({
path_pattern = string
target_origin_id = string

cache_policy_id = string
origin_request_policy_id = optional(string)
response_headers_policy_id = optional(string)

allowed_methods = optional(list(string), ["GET", "HEAD"])
cached_methods = optional(list(string), ["GET", "HEAD"])
compress = optional(bool, true)
field_level_encryption_id = optional(string)
viewer_protocol_policy = optional(string, "redirect-to-https")
smooth_streaming = optional(bool)
trusted_key_groups = optional(list(string))
trusted_signers = optional(list(string))

lambda_function_associations = optional(list(object({
event_type = optional(string, "viewer-request")
lambda_arn = string
include_body = optional(bool, false)
})))
function_associations = optional(list(object({
event_type = optional(string, "viewer-request")
function_arn = string
})))
}))
[] no
override_policy_documents List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from documents provided in the source_json and source_policy_documents arguments. Non-overriding statements will be added to the exported document. list(string) null no
price_class (optional) price class for the distribution string "PriceClass_100" no
replication_configuration_set Set of (single) replication that needs to be managed by this bucket. If empty, no replication takes place.
set(object({
role = string,
rules = set(object({
id = string
priority = number
status = string
destination_account_id = string
destination_bucket = string
destination_access_control_translation_owner = string
}))
}))
[] no
replication_configuration_shortcut Shorthand version of the configuration used in replication_configuration_set. Is overridden by replication_configuration_set if defined.
object({
destination_account_id = string
destination_bucket = string
})
null no
replication_source The account number and role for the source bucket in a replication configuration.
object({
account_id = string
role = string
})
null no
restrict_public_buckets Whether Amazon S3 should restrict public bucket policies for this bucket. bool true no
restriction_locations (optional) locations to use in access restriction (whitelist or blacklist based on restriction_type) list(string) [] no
restriction_type (optional) type of restriction for CDN string "none" no
s3_regional_domain_name (optional) s3 regional domain name. string null no
source_policy_documents List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents or source_json must have unique sids. Statements with the same sid from documents assigned to the override_json and override_policy_documents arguments will override source statements. list(string) null no
ssl_support_method (optional) ssl support method (one of vip or sni-only) string "sni-only" no
tags Extra tags map(string) {} no
use_prefix Create bucket with prefix instead of explicit name bool true no
viewer_protocol_policy (optional) viewer protocol policy string "redirect-to-https" no
vpce Name of the VPC endpoint that should have access to this bucket. Only used when allow_anonymous_vpce_access is true. string null no
web_acl_id (optional) unique identifier that specifies the AWS WAF web ACL string null no
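
The inputs above that govern bucket exposure and transport security, gathered into one module call as an added example (not part of the module's own documentation). Every argument name and default comes from the Inputs table; the `var.*` names and the AWS-managed policy name `Managed-SecurityHeadersPolicy` are assumptions supplied for illustration.

```hcl
# Added example: var.* names are assumptions, not defined by the module.
module "static_website" {
  source = "github.com/pbs/terraform-aws-static-website-module?ref=6.0.17"

  # Required inputs
  primary_hosted_zone = var.primary_hosted_zone
  organization        = var.organization
  environment         = var.environment
  product             = var.product
  repo                = var.repo

  # Viewer-facing TLS. These restate the module defaults so that a later
  # change to a weaker value ("allow-all", an older TLS policy) is visible
  # in code review instead of hiding behind an omitted argument.
  viewer_protocol_policy   = "redirect-to-https"
  minimum_protocol_version = "TLSv1.2_2021"
  ssl_support_method       = "sni-only"

  # Keep the custom certificate: with the default *.cloudfront.net
  # certificate, CloudFront falls back to its TLSv1 security policy.
  cloudfront_default_certificate = false
  acm_arn                        = var.acm_arn # CloudFront certs must live in us-east-1

  # Bucket exposure. All four public-access-block switches stay on; the
  # bucket is meant to be read through CloudFront, not directly.
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
  force_tls               = true # bucket policy denies non-TLS requests

  # Leave anonymous VPC endpoint access off unless a named vpce needs it.
  allow_anonymous_vpce_access = false

  # Non-null root object, as the input description recommends, so a
  # request for "/" does not list the origin bucket's contents.
  default_root_object = "index.html"

  # Opt-in controls that default to null in this module.
  # For AWS WAF (v2), pass the ARN of a web ACL with CLOUDFRONT scope.
  web_acl_id = var.web_acl_arn
  # Looked up by name, per the input description; AWS-managed policy.
  default_response_headers_policy_name = "Managed-SecurityHeadersPolicy"

  # Recoverability of published content
  is_versioned  = true
  force_destroy = false
}
```

In review, treat any of the pinned values above being flipped or removed as a change that needs a stated reason.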

Outputs

Name Description
arn ARN of the CloudFront distribution
bucket_arn ARN of the bucket backing this CDN
bucket_name Bucket backing this CDN.
domain_name One domain name that will resolve to this cdn. Might not be a valid alias.
id ID of the CloudFront distribution
oac_id ID of the origin access identity
