CloudFront frontend

Stretch96 · Stretch96 · commit c9d91b5970ba · 2022-03-13T21:57:47.000Z
* Creates a CloudFront endpoint to serve the Publii S3 bucket
* Creates logging buckets for CloudFront
* Adds a default WAF resource for CloudFront
* Adds read permission to the frontend S3 bucket for CloudFront
diff --git a/README.md b/README.md
@@ -23,26 +23,49 @@ Terraform module to host a static site generated by Publii
 
 | Name | Type |
 |------|------|
+| [aws_cloudfront_distribution.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
+| [aws_cloudfront_origin_access_identity.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource |
 | [aws_iam_policy.publii_s3_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_user.publii_s3_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [aws_iam_user_policy_attachment.publii_s3_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
+| [aws_kms_key.s3_bucket_cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_kms_key.s3_bucket_cloudfront_frontend_logging_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.s3_bucket_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.s3_bucket_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_s3_bucket.cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket.cloudfront_frontend_logging_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_acl.cloudfront_frontend_logging_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_acl.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_acl.frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
-| [aws_s3_bucket_logging.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_logging.cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_logging.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_policy.cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_policy.cloudfront_frontend_logging_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_policy.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_policy.frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_public_access_block.cloudfront_frontend_logging_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_public_access_block.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_public_access_block.frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.cloudfront_frontend_logging_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [aws_s3_bucket_versioning.cloudfront_frontend_logging_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_s3_bucket_versioning.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_s3_bucket_versioning.frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_s3_bucket_website_configuration.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
+| [aws_wafv2_web_acl.cloudfront_waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl) | resource |
 | [random_id.project](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [template_file.cloudfront_frontend_logging_bucket_enforce_tls_statement](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+| [template_file.cloudfront_frontend_logging_bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+| [template_file.cloudfront_frontend_logging_logging_bucket_enforce_tls_statement](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+| [template_file.cloudfront_frontend_logging_logging_bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+| [template_file.frontend_bucket_cloudfront_read](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.frontend_bucket_enforce_tls_statement](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.frontend_bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.frontend_logging_bucket_enforce_tls_statement](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
@@ -53,6 +76,9 @@ Terraform module to host a static site generated by Publii
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_cloudfront_enable_ipv6"></a> [cloudfront\_enable\_ipv6](#input\_cloudfront\_enable\_ipv6) | Enable IPv6 on CloudFront | `bool` | `true` | no |
+| <a name="input_cloudfront_tls_certificate_arn"></a> [cloudfront\_tls\_certificate\_arn](#input\_cloudfront\_tls\_certificate\_arn) | CloudFront TLS certificate ARN (must be created in us-east-1 region) | `string` | n/a | yes |
+| <a name="input_s3_bucket_acl"></a> [s3\_bucket\_acl](#input\_s3\_bucket\_acl) | S3 bucket ACL | `string` | `"private"` | no |
 | <a name="input_site_url"></a> [site\_url](#input\_site\_url) | The desired site URL | `string` | n/a | yes |
 
 ## Outputs
diff --git a/cloudfront-frontend-logging-logging.tf b/cloudfront-frontend-logging-logging.tf
@@ -0,0 +1,61 @@
+# tfsec requires CloudFront S3 buckets to also have logging buckets
+resource "aws_s3_bucket" "cloudfront_frontend_logging_logging" {
+  bucket        = "cloudfront-frontend-${local.project_name}-logs-logs"
+  force_destroy = false
+}
+
+resource "aws_s3_bucket_versioning" "cloudfront_frontend_logging_logging" {
+  bucket = aws_s3_bucket.cloudfront_frontend_logging_logging.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_acl" "cloudfront_frontend_logging_logging" {
+  bucket = aws_s3_bucket.cloudfront_frontend_logging_logging.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_public_access_block" "cloudfront_frontend_logging_logging" {
+  bucket                  = aws_s3_bucket.cloudfront_frontend_logging_logging.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront_frontend_logging_logging" {
+  bucket = aws_s3_bucket.cloudfront_frontend_logging_logging.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.s3_bucket_cloudfront_frontend_logging_logging.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+data "template_file" "cloudfront_frontend_logging_logging_bucket_enforce_tls_statement" {
+  template = file("${path.module}/policies/s3-bucket-policy-statements/enforce-tls.json.tpl")
+
+  vars = {
+    bucket_arn = aws_s3_bucket.cloudfront_frontend_logging_logging.arn
+  }
+}
+
+data "template_file" "cloudfront_frontend_logging_logging_bucket_policy" {
+  template = file("${path.module}/policies/s3-bucket-policy.json.tpl")
+
+  vars = {
+    statement = <<EOT
+[
+${data.template_file.cloudfront_frontend_logging_logging_bucket_enforce_tls_statement.rendered}
+]
+EOT
+  }
+}
+
+resource "aws_s3_bucket_policy" "cloudfront_frontend_logging_logging" {
+  bucket = aws_s3_bucket.cloudfront_frontend_logging_logging.id
+  policy = data.template_file.cloudfront_frontend_logging_logging_bucket_policy.rendered
+}
diff --git a/cloudfront-frontend-logging.tf b/cloudfront-frontend-logging.tf
@@ -0,0 +1,66 @@
+resource "aws_s3_bucket" "cloudfront_frontend_logging" {
+  bucket        = "cloudfront-frontend-${local.project_name}-logs"
+  force_destroy = false
+}
+
+resource "aws_s3_bucket_logging" "cloudfront_frontend_logging" {
+  bucket        = aws_s3_bucket.cloudfront_frontend_logging.id
+  target_bucket = aws_s3_bucket.cloudfront_frontend_logging_logging.id
+  target_prefix = "log/"
+}
+
+resource "aws_s3_bucket_versioning" "cloudfront_frontend_logging" {
+  bucket = aws_s3_bucket.cloudfront_frontend_logging.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_acl" "cloudfront_frontend_logging" {
+  bucket = aws_s3_bucket.cloudfront_frontend_logging.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_public_access_block" "cloudfront_frontend_logging" {
+  bucket                  = aws_s3_bucket.cloudfront_frontend_logging.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront_frontend_logging" {
+  bucket = aws_s3_bucket.cloudfront_frontend_logging.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.s3_bucket_cloudfront_frontend_logging.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+data "template_file" "cloudfront_frontend_logging_bucket_enforce_tls_statement" {
+  template = file("${path.module}/policies/s3-bucket-policy-statements/enforce-tls.json.tpl")
+
+  vars = {
+    bucket_arn = aws_s3_bucket.cloudfront_frontend_logging.arn
+  }
+}
+
+data "template_file" "cloudfront_frontend_logging_bucket_policy" {
+  template = file("${path.module}/policies/s3-bucket-policy.json.tpl")
+
+  vars = {
+    statement = <<EOT
+[
+${data.template_file.cloudfront_frontend_logging_bucket_enforce_tls_statement.rendered}
+]
+EOT
+  }
+}
+
+resource "aws_s3_bucket_policy" "cloudfront_frontend_logging" {
+  bucket = aws_s3_bucket.cloudfront_frontend_logging.id
+  policy = data.template_file.cloudfront_frontend_logging_bucket_policy.rendered
+}
diff --git a/cloudfront-frontend.tf b/cloudfront-frontend.tf
@@ -0,0 +1,78 @@
+resource "aws_cloudfront_origin_access_identity" "frontend" {
+  comment = "${local.project_name} frontend"
+}
+
+resource "aws_cloudfront_distribution" "frontend" {
+  origin {
+    domain_name = aws_s3_bucket.frontend.bucket_regional_domain_name
+    origin_id   = local.project_name
+
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.frontend.cloudfront_access_identity_path
+    }
+  }
+
+  enabled = true
+  aliases = [
+    local.site_url
+  ]
+
+  default_cache_behavior {
+    allowed_methods  = ["GET", "HEAD"]
+    cached_methods   = ["GET", "HEAD"]
+    target_origin_id = local.project_name
+
+    forwarded_values {
+      query_string = false
+
+      cookies {
+        forward = "none"
+      }
+    }
+
+    min_ttl     = 0
+    default_ttl = 86400
+    max_ttl     = 31536000
+    compress    = true
+
+    viewer_protocol_policy = "redirect-to-https"
+  }
+
+  default_root_object = "index.html"
+
+  custom_error_response {
+    error_code         = "404"
+    response_code      = "404"
+    response_page_path = "/404.html"
+  }
+
+  custom_error_response {
+    error_code         = "403"
+    response_code      = "404"
+    response_page_path = "/404.html"
+  }
+
+  price_class = "PriceClass_100"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    acm_certificate_arn      = local.cloudfront_tls_certificate_arn
+    minimum_protocol_version = "TLSv1.2_2021"
+    ssl_support_method       = "sni-only"
+  }
+
+  is_ipv6_enabled = local.cloudfront_enable_ipv6
+
+  web_acl_id = aws_wafv2_web_acl.cloudfront_waf.id
+
+  logging_config {
+    include_cookies = false
+    bucket          = aws_s3_bucket.cloudfront_frontend_logging.bucket_domain_name
+    prefix          = "log/"
+  }
+}
diff --git a/cloudfront-waf.tf b/cloudfront-waf.tf
@@ -0,0 +1,15 @@
+resource "aws_wafv2_web_acl" "cloudfront_waf" {
+  name        = "${local.project_name}-acl"
+  description = "${local.project_name} ACL"
+  scope       = "CLOUDFRONT"
+
+  visibility_config {
+    cloudwatch_metrics_enabled = false
+    metric_name                = local.project_name
+    sampled_requests_enabled   = true
+  }
+
+  default_action {
+    allow {}
+  }
+}
diff --git a/kms.tf b/kms.tf
@@ -9,3 +9,15 @@ resource "aws_kms_key" "s3_bucket_frontend_logging" {
   deletion_window_in_days = 10
   enable_key_rotation     = true
 }
+
+resource "aws_kms_key" "s3_bucket_cloudfront_frontend_logging" {
+  description             = "This key is used to encrypt bucket objects within ${aws_s3_bucket.cloudfront_frontend_logging.id}"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+}
+
+resource "aws_kms_key" "s3_bucket_cloudfront_frontend_logging_logging" {
+  description             = "This key is used to encrypt bucket objects within ${aws_s3_bucket.cloudfront_frontend_logging_logging.id}"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+}
diff --git a/locals.tf b/locals.tf
@@ -1,5 +1,7 @@
 locals {
-  site_url          = var.site_url
-  project_random_id = random_id.project.dec
-  project_name      = "${replace(local.site_url, ".", "-")}-${local.project_random_id}"
+  site_url                       = var.site_url
+  project_random_id              = random_id.project.dec
+  project_name                   = "${replace(local.site_url, ".", "-")}-${local.project_random_id}"
+  cloudfront_tls_certificate_arn = var.cloudfront_tls_certificate_arn
+  cloudfront_enable_ipv6         = var.cloudfront_enable_ipv6
 }
diff --git a/policies/s3-bucket-policy-statements/cloudfront-read.json.tpl b/policies/s3-bucket-policy-statements/cloudfront-read.json.tpl
@@ -0,0 +1,11 @@
+{
+  "Principal": {
+    "AWS": "${origin_access_identity}"
+  },
+  "Action": "s3:GetObject",
+  "Effect": "Allow",
+  "Resource": [
+    "${bucket_arn}",
+    "${bucket_arn}/*"
+  ]
+}
diff --git a/s3-frontend.tf b/s3-frontend.tf
@@ -33,8 +33,7 @@ resource "aws_s3_bucket_versioning" "frontend" {
   }
 }
 
-
-resource "aws_s3_bucket_logging" "example" {
+resource "aws_s3_bucket_logging" "frontend" {
   bucket        = aws_s3_bucket.frontend.id
   target_bucket = aws_s3_bucket.frontend_logging.id
   target_prefix = "log/"
@@ -80,13 +79,23 @@ data "template_file" "frontend_bucket_enforce_tls_statement" {
   }
 }
 
+data "template_file" "frontend_bucket_cloudfront_read" {
+  template = file("./policies/s3-bucket-policy-statements/cloudfront-read.json.tpl")
+
+  vars = {
+    bucket_arn             = aws_s3_bucket.frontend.arn
+    origin_access_identity = aws_cloudfront_origin_access_identity.frontend.iam_arn
+  }
+}
+
 data "template_file" "frontend_bucket_policy" {
   template = file("${path.module}/policies/s3-bucket-policy.json.tpl")
 
   vars = {
     statement = <<EOT
 [
-${data.template_file.frontend_bucket_enforce_tls_statement.rendered}
+${data.template_file.frontend_bucket_enforce_tls_statement.rendered},
+${data.template_file.frontend_bucket_cloudfront_read.rendered}
 ]
 EOT
   }
diff --git a/variables.tf b/variables.tf
@@ -2,3 +2,20 @@ variable "site_url" {
   description = "The desired site URL"
   type        = string
 }
+
+variable "s3_bucket_acl" {
+  description = "S3 bucket ACL"
+  default     = "private"
+  type        = string
+}
+
+variable "cloudfront_tls_certificate_arn" {
+  description = "CloudFront TLS certificate ARN (must be created in us-east-1 region)"
+  type        = string
+}
+
+variable "cloudfront_enable_ipv6" {
+  description = "Enable IPv6 on CloudFront"
+  type        = bool
+  default     = true
+}

Original file line number	Diff line number	Diff line change
`@@ -33,8 +33,7 @@ resource "aws_s3_bucket_versioning" "frontend" {`
`33`	`33`	`}`
`34`	`34`	`}`
`35`	`35`
`36`		`-`
`37`		`-resource "aws_s3_bucket_logging" "example" {`
	`36`	`+resource "aws_s3_bucket_logging" "frontend" {`
`38`	`37`	`bucket = aws_s3_bucket.frontend.id`
`39`	`38`	`target_bucket = aws_s3_bucket.frontend_logging.id`
`40`	`39`	`target_prefix = "log/"`
`@@ -80,13 +79,23 @@ data "template_file" "frontend_bucket_enforce_tls_statement" {`
`80`	`79`	`}`
`81`	`80`	`}`
`82`	`81`
	`82`	`+data "template_file" "frontend_bucket_cloudfront_read" {`
	`83`	`+ template = file("./policies/s3-bucket-policy-statements/cloudfront-read.json.tpl")`
	`84`	`+`
	`85`	`+ vars = {`
	`86`	`+ bucket_arn = aws_s3_bucket.frontend.arn`
	`87`	`+ origin_access_identity = aws_cloudfront_origin_access_identity.frontend.iam_arn`
	`88`	`+ }`
	`89`	`+}`
	`90`	`+`
`83`	`91`	`data "template_file" "frontend_bucket_policy" {`
`84`	`92`	`template = file("${path.module}/policies/s3-bucket-policy.json.tpl")`
`85`	`93`
`86`	`94`	`vars = {`
`87`	`95`	`statement = <<EOT`
`88`	`96`	`[`
`89`		`-${data.template_file.frontend_bucket_enforce_tls_statement.rendered}`
	`97`	`+${data.template_file.frontend_bucket_enforce_tls_statement.rendered},`
	`98`	`+${data.template_file.frontend_bucket_cloudfront_read.rendered}`
`90`	`99`	`]`
`91`	`100`	`EOT`
`92`	`101`	`}`