Terraform module for creating a CloudFront distribution with an S3 origin. S3 bucket is encrypted with a KMS key and access is restricted to CloudFront Origin Access Control. Certificate for the domain is issued by ACM and validated via DNS.
- Call the module as follows
module "cloudfront-s3" {
source = "github.com/porscheofficial/terraform-aws-cloudfront-s3"
bucket_name = "my-project-demo-cf"
domain_name = "demo.example.com"
route53_zone_name = "example.com"
enable_s3_logging = true
s3_logging_bucket = "s3-logging-bucket"
enable_cf_logging = true
cf_logging_bucket = "cf-logging-bucket"
}Please install tfsec
tfsec --format=defaultNOTE: Scans for CloudFront and S3 logging are excluded as these functionalities are configurable.
| Name | Version |
|---|---|
| terraform | ~> 1.6.5 |
| Name | Version |
|---|---|
| aws | ~> 5.19.0 |
| Name | Type |
|---|---|
| aws_acm_certificate.cert | resource |
| aws_acm_certificate_validation.cert_validation | resource |
| aws_cloudfront_distribution.cdn | resource |
| aws_cloudfront_origin_access_control.cloudfront_access_control | resource |
| aws_kms_alias.cf_s3_kms_alias | resource |
| aws_kms_key.cf_s3_kms | resource |
| aws_kms_key_policy.cf_access | resource |
| aws_route53_record.dns_record | resource |
| aws_route53_record.dvo_records | resource |
| aws_s3_bucket.origin | resource |
| aws_s3_bucket_acl.acl | resource |
| aws_s3_bucket_logging.logging | resource |
| aws_s3_bucket_ownership_controls.ownership_control | resource |
| aws_s3_bucket_policy.bucket_policy | resource |
| aws_s3_bucket_public_access_block.block_public_access | resource |
| aws_s3_bucket_server_side_encryption_configuration.encryption | resource |
| aws_s3_bucket_versioning.versioning | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.bucket_policy | data source |
| aws_route53_zone.hosted_zone | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| bucket_name | Name of the S3 bucket | string |
n/a | yes |
| cf_logging_bucket | Name of the bucket for CloudFront logs | string |
"my-logging-bucket" |
no |
| cf_logging_prefix | Prefix for CloudFront logs | string |
"cf-logs" |
no |
| default_ttl | Default TTL for CloudFront distribution | number |
86400 |
no |
| domain_name | Domain name (alias) for CloudFront distribution | string |
n/a | yes |
| enable_cf_logging | Enable CloudFront logging | bool |
false |
no |
| enable_s3_logging | Enable S3 logging | bool |
false |
no |
| environment | Environment (e.g., dev, prod) | string |
"dev" |
no |
| error_page | Name of the default error page | string |
"error.html" |
no |
| max_ttl | Maximum TTL for CloudFront distribution | number |
31536000 |
no |
| price_class | Price class for CloudFront distribution | string |
"PriceClass_200" |
no |
| route53_zone_name | Name of the Route53 hosted zone (e.g., example.com) | string |
n/a | yes |
| s3_logging_bucket | Name of the bucket for S3 logs | string |
"my-logging-bucket" |
no |
| s3_logging_prefix | Prefix for S3 logs | string |
"s3-logs" |
no |
| waf_id | ID of the Web Application Firewall to associate with the CloudFront distribution | string |
"" |
no |
| Name | Description |
|---|---|
| bucket_arn | n/a |
| cdn_url | n/a |
| cloudfront_distribution_arn | n/a |
| cname_url | n/a |