Add website_enabled option to use website as origin (#73)

othree · web-flow · commit 2e2429180e06 · 2020-02-14T17:30:24.000-08:00
Also update the default value of index_document. Which is required in
S3 website block.
diff --git a/README.md b/README.md
@@ -174,7 +174,7 @@ Available targets:
 | forward_query_string | Forward query strings to the origin that is associated with this cache behavior | bool | `false` | no |
 | geo_restriction_locations | List of country codes for which  CloudFront either to distribute content (whitelist) or not distribute your content (blacklist) | list(string) | `<list>` | no |
 | geo_restriction_type | Method that use to restrict distribution of your content by country: `none`, `whitelist`, or `blacklist` | string | `none` | no |
-| index_document | Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders | string | `` | no |
+| index_document | Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders | string | `index.html` | no |
 | ipv6_enabled | Set to true to enable an AAAA DNS record to be set as well as the A record | bool | `true` | no |
 | lambda_function_association | A config block that triggers a lambda function with specific actions | object | `<list>` | no |
 | log_expiration_days | Number of days after which to expunge the objects | number | `90` | no |
@@ -204,6 +204,7 @@ Available targets:
 | viewer_protocol_policy | allow-all, redirect-to-https | string | `redirect-to-https` | no |
 | wait_for_deployment | When set to 'true' the resource will wait for the distribution status to change from InProgress to Deployed | bool | `true` | no |
 | web_acl_id | ID of the AWS WAF web ACL that is associated with the distribution | string | `` | no |
+| website_enabled | Set to true to use an S3 static website as origin | bool | `false` | no |
 
 ## Outputs
 
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -30,7 +30,7 @@
 | forward_query_string | Forward query strings to the origin that is associated with this cache behavior | bool | `false` | no |
 | geo_restriction_locations | List of country codes for which  CloudFront either to distribute content (whitelist) or not distribute your content (blacklist) | list(string) | `<list>` | no |
 | geo_restriction_type | Method that use to restrict distribution of your content by country: `none`, `whitelist`, or `blacklist` | string | `none` | no |
-| index_document | Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders | string | `` | no |
+| index_document | Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders | string | `index.html` | no |
 | ipv6_enabled | Set to true to enable an AAAA DNS record to be set as well as the A record | bool | `true` | no |
 | lambda_function_association | A config block that triggers a lambda function with specific actions | object | `<list>` | no |
 | log_expiration_days | Number of days after which to expunge the objects | number | `90` | no |
@@ -60,6 +60,7 @@
 | viewer_protocol_policy | allow-all, redirect-to-https | string | `redirect-to-https` | no |
 | wait_for_deployment | When set to 'true' the resource will wait for the distribution status to change from InProgress to Deployed | bool | `true` | no |
 | web_acl_id | ID of the AWS WAF web ACL that is associated with the distribution | string | `` | no |
+| website_enabled | Set to true to use an S3 static website as origin | bool | `false` | no |
 
 ## Outputs
 
diff --git a/main.tf b/main.tf
@@ -1,5 +1,4 @@
 locals {
-  website_enabled = var.redirect_all_requests_to != "" || var.index_document != "" || var.error_document != "" || var.routing_rules != ""
   website_config = {
     redirect_all = [
       {
@@ -58,8 +57,24 @@ data "aws_iam_policy_document" "origin" {
   }
 }
 
+data "aws_iam_policy_document" "origin_website" {
+  override_json = var.additional_bucket_policy
+
+  statement {
+    sid = "S3GetObjectForCloudFront"
+
+    actions   = ["s3:GetObject"]
+    resources = ["arn:aws:s3:::$${bucket_name}$${origin_path}*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+  }
+}
+
 data "template_file" "default" {
-  template = data.aws_iam_policy_document.origin.json
+  template = var.website_enabled ? data.aws_iam_policy_document.origin_website.json : data.aws_iam_policy_document.origin.json
 
   vars = {
     origin_path                               = coalesce(var.origin_path, "/")
@@ -97,7 +112,7 @@ resource "aws_s3_bucket" "origin" {
   }
 
   dynamic "website" {
-    for_each = local.website_enabled ? local.website_config[var.redirect_all_requests_to == "" ? "default" : "redirect_all"] : []
+    for_each = var.website_enabled ? local.website_config[var.redirect_all_requests_to == "" ? "default" : "redirect_all"] : []
     content {
       error_document           = lookup(website.value, "error_document", null)
       index_document           = lookup(website.value, "index_document", null)
@@ -154,8 +169,8 @@ locals {
     )
   )
 
-  bucket_domain_name = var.use_regional_s3_endpoint ? format(
-    "%s.s3-%s.amazonaws.com",
+  bucket_domain_name = (var.use_regional_s3_endpoint || var.website_enabled) ? format(
+    var.website_enabled ? "%s.s3-website-%s.amazonaws.com" : "%s.s3-%s.amazonaws.com",
     local.bucket,
     data.aws_s3_bucket.selected.region,
   ) : format(var.bucket_domain_format, local.bucket)
@@ -185,8 +200,21 @@ resource "aws_cloudfront_distribution" "default" {
     origin_id   = module.distribution_label.id
     origin_path = var.origin_path
 
-    s3_origin_config {
-      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
+    dynamic "s3_origin_config" {
+      for_each = ! var.website_enabled ? [1] : []
+      content {
+        origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
+      }
+    }
+
+    dynamic "custom_origin_config" {
+      for_each = var.website_enabled ? [1] : []
+      content {
+        http_port              = 80
+        https_port             = 443
+        origin_protocol_policy = "http-only"
+        origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+      }
     }
   }
 
diff --git a/variables.tf b/variables.tf
@@ -344,7 +344,7 @@ variable "encryption_enabled" {
 
 variable "index_document" {
   type        = string
-  default     = ""
+  default     = "index.html"
   description = "Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders"
 }
 
@@ -371,3 +371,9 @@ variable "ipv6_enabled" {
   default     = true
   description = "Set to true to enable an AAAA DNS record to be set as well as the A record"
 }
+
+variable "website_enabled" {
+  type        = bool
+  default     = false
+  description = "Set to true to use an S3 static website as origin"
+}
