Skip to main content
Service Catalog Version 0.96.9Last updated in version 0.94.1

Public Static Website

View SourceRelease Notes

Overview

This service creates a public static website using S3 and CloudFront on AWS. The website can contain static HTML, CSS, JS, and images.

Static S3 WebsiteStatic S3 Website

Features

  • Offload storage and serving of static content (HTML, CSS, JS, images) to a public S3 bucket configured as a website.

  • Create additional buckets to store your website access logs, and your CloudFront access logs.

  • Deploy a CloudFront Distribution in front of the public S3 bucket for your website domain.

  • Optionally:

    • Create a Route 53 entry in IPV4 and IPV6 formats to route requests to your domain name to the public S3 bucket,
    • And associate an existing TLS certificate issued by Amazon’s Certificate Manager (ACM) for your domain.

Learn

Serving static content from S3 rather than from your own app server can significantly reduce the load on your server, allowing it to focus on serving dynamic data. This saves money and makes your website run faster. For even bigger improvements in performance, deploy a CloudFront Content Distribution Network (CDN) in front of the S3 bucket.

note

This repo is a part of the Gruntwork Service Catalog, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Service Catalog before, make sure to read How to use the Gruntwork Service Catalog!

Core concepts

This module deploys a public website, so the S3 bucket and objects with it are readable by the public. It also is hosted in a Public Hosted Zone in Route 53. You may provide a hosted_zone_id in variables, or you may provide the base_domain_name associated with your Public Hosted Zone in Route 53, optionally along with any tags that must match that zone in base_domain_name_tags. If you do the latter, this module will find the hosted zone id for you.

For more info on why you would use S3 to store static content, why you may want a CDN in front of it, how to access the website, and how to configure SSL, check out the documentation for the s3-static-website and s3-cloudfront modules.

Repo organization

  • modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.
  • examples: This folder contains working examples of how to use the submodules.
  • test: Automated tests for the modules and examples.

Deploy

Non-production deployment (quick start for learning)

If you just want to try this repo out for experimenting and learning, check out the following resources:

  • examples/for-learning-and-testing folder: The examples/for-learning-and-testing folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage).

Production deployment

If you want to deploy this repo in production, check out the following resources:

Reference

Required

The domain name for which an ACM cert has been issued (e.g. *.foo.com). Only used if create_route53_entry is true. Set to blank otherwise.

website_domain_namestringrequired

The name of the website and the S3 bucket to create (e.g. static.foo.com).

Optional

base_domain_namestringoptional

The domain name associated with a hosted zone in Route 53. Usually the base domain name of website_domain_name (e.g. foo.com). This is used to find the hosted zone that will be used for the CloudFront distribution. If create_route53_entry is true, one of base_domain_name or hosted_zone_id must be provided.

null
base_domain_name_tagsmap(any)optional

The tags associated with base_domain_name. If there are multiple hosted zones for the same base_domain_name, this will help filter the hosted zones so that the correct hosted zone is found.

Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
{}
cors_ruleanyoptional

A configuration for CORS on the S3 bucket. Default value comes from AWS. Can override for custom CORS by passing the object structure define in the documentation https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#using-cors.

Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
[]

If set to true, create a DNS A Record in Route 53. If create_route53_entry is true, one of base_domain_name or hosted_zone_id must be provided.

true
custom_tagsmap(string)optional

A map of custom tags to apply to the S3 bucket containing the website and the CloudFront distribution created for it. The key is the tag name and the value is the tag value.

{}
default_function_associationslist(object(…))optional

A list of existing CloudFront functions to associate with the default cached behavior. CloudFront functions are lightweight alternatives to Lambda for high-scale, latency sensitive CDN customizations.

list(object({
    event_type   = string
    function_arn = string
  }))
[]
default_lambda_associationslist(object(…))optional

A list of existing Lambda@Edge functions to associate with CloudFront. Lambda version must be a published version and cannot be $LATEST (See https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#lambda_function_association for available options).

list(object({
    event_type   = string
    lambda_arn   = string
    include_body = bool
  }))
[]
default_ttlnumberoptional

The default amount of time, in seconds, that an object is in a CloudFront cache before CloudFront forwards another request in the absence of an 'Cache-Control max-age' or 'Expires' header.

30

If set to true, a CloudFront function to implement default directory index (looking up index.html in an S3 directory when path ends in /) is deployed. Only relevant when restrict_bucket_access_to_cloudfront is set to true.

false
error_documentstringoptional

The path to the error document in the S3 bucket (e.g. error.html).

"error.html"
error_responsesmap(object(…))optional

The error responses you want CloudFront to return to the viewer.

map(object({
    response_code         = number
    response_page_path    = string
    error_caching_min_ttl = number
  }))
{
  404 = {
    error_caching_min_ttl = 0,
    response_code = 404,
    response_page_path = "404.html"
  },
  500 = {
    error_caching_min_ttl = 0,
    response_code = 500,
    response_page_path = "500.html"
  }
}
force_destroybooloptional

If set to true, this will force the deletion of the website, redirect, and access log S3 buckets when you run terraform destroy, even if there is still content in those buckets. This is only meant for testing and should not be used in production.

false
forward_headerslist(string)optional

The headers you want CloudFront to forward to the origin. Set to * to forward all headers.

[]
geo_locations_listlist(string)optional

The ISO 3166-1-alpha-2 codes for which you want CloudFront either to distribute your content (if geo_restriction_type is whitelist) or not distribute your content (if geo_restriction_type is blacklist).

[]
geo_restriction_typestringoptional

The method that you want to use to restrict distribution of your content by country: none, whitelist, or blacklist.

"none"
hosted_zone_idstringoptional

The ID of the Route 53 Hosted Zone in which to create the DNS A Records specified in website_domain_name. If create_route53_entry is true, one of base_domain_name or hosted_zone_id must be provided.

null
index_documentstringoptional

The path to the index document in the S3 bucket (e.g. index.html).

"index.html"
max_ttlnumberoptional

The maximum amount of time, in seconds, that an object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated. Only effective in the presence of 'Cache-Control max-age', 'Cache-Control s-maxage', and 'Expires' headers.

60
min_ttlnumberoptional

The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated.

0

The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections. Refer to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#minimum_protocol_version for possible values.

"TLSv1"

If set to true, the S3 bucket will only be accessible via CloudFront, and not directly. NOTE: this is only known to work if the S3 Bucket is in us-east-1.

false
routing_ruleanyoptional

A map describing the routing_rule for the aws_s3_website_configuration resource. Describes redirect behavior and conditions when redirects are applied.

Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
{}

The policy directives and their values that CloudFront includes as values for the Content-Security-Policy HTTP response header. When null, the header is omitted.

"default-src 'self'; base-uri 'self'; block-all-mixed-content; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests"

Determines whether CloudFront includes the X-Content-Type-Options HTTP response header with its value set to nosniff.

true

Determines whether CloudFront includes the X-Frame-Options HTTP response header and the header’s value. When null, the header is omitted.

"SAMEORIGIN"
security_header_hstsobject(…)optional

Determines whether CloudFront includes the Strict-Transport-Security HTTP response header and the header’s value. When null, the header is omitted.

object({
    # The number of seconds browsers should remember to prefer HTTPS.
    max_age = number
    # Whether to include subdomains in the policy.
    include_subdomains = bool
    # Whether to add the HSTS policy to browsers.
    preload = bool
  })
{
  include_subdomains = true,
  max_age = 15552000,
  preload = false
}

Determines whether CloudFront includes the Referrer-Policy HTTP response header and the header’s value. When null, the header is omitted.

"no-referrer"

Determine whether CloudFront includes the X-Xss-Protection HTTP response header and the header’s value. When null, the header is omitted.

object({
    # A Boolean value that determines whether CloudFront includes the mode=block directive in the X-XSS-Protection header.
    mode_block = bool
    # A Boolean value that determines the value of the X-Xss-Protection HTTP response header (true = 1, false = 0).
    protection = bool
    # A reporting URI, which CloudFront uses as the value of the report directive in the X-XSS-Protection header. You cannot specify a report_uri when mode_block is true.
    report_uri = string
  })
{
  mode_block = false,
  protection = false,
  report_uri = null
}

In older AWS accounts, you must set this variable to true to use the ARN of the CloudFront log delivery AWS account in the access log bucket policy. In newer AWS accounts, you must set this variable to false to use the CanonicalUser ID of the CloudFront log delivery account. If you pick the wrong value, you'll get a perpetual diff on the IAM policy. See https://github.com/terraform-providers/terraform-provider-aws/issues/10158 for context.

false

Use this element to specify the protocol that users can use to access the files in the origin specified by TargetOriginId when a request matches the path pattern in PathPattern. One of allow-all, https-only, or redirect-to-https.

"allow-all"