Skip to content

cn-terraform/terraform-aws-s3-static-website

BranchesTags

Repository files navigation

AWS S3 Static Website

This Terraform module provides the required infrastructure to host a static website on S3.

Usage

Check versions for this module on:

Install pre commit hooks.

Run this command right after cloning the repository.

    pre-commit install

For that you may need to install the following tools:

In order to run all checks at any point run the following command:

    pre-commit run --all-files

Requirements

Name Version
terraform >= 0.13
aws >= 4.0

Providers

Name Version
aws.acm_provider 6.35.1
aws.main 6.35.1

Modules

Name Source Version
s3_logs_bucket cn-terraform/logs-s3-bucket/aws 1.0.7

Resources

Name Type
aws_acm_certificate.cert resource
aws_acm_certificate_validation.cert_validation resource
aws_cloudfront_distribution.website resource
aws_cloudfront_origin_access_identity.cf_oai resource
aws_route53_record.acm_certificate_validation_records resource
aws_route53_record.website_cloudfront_record resource
aws_route53_record.website_cloudfront_record_ipv6 resource
aws_route53_record.www_website_record resource
aws_route53_record.www_website_record_ipv6 resource
aws_route53_zone.hosted_zone resource
aws_s3_bucket.website resource
aws_s3_bucket_acl.website resource
aws_s3_bucket_cors_configuration.website resource
aws_s3_bucket_logging.website resource
aws_s3_bucket_ownership_controls.website resource
aws_s3_bucket_policy.website resource
aws_s3_bucket_public_access_block.website_bucket_public_access_block resource
aws_s3_bucket_server_side_encryption_configuration.website_bucket_website_server_side_encryption_configuration resource
aws_s3_bucket_versioning.website resource

Inputs

Name Description Type Default Required
acm_certificate_arn_to_use ACM Certificate ARN to use in case you disable automatic certificate creation. Certificate must be in us-east-1 region. string "" no
aws_accounts_with_read_view_log_bucket List of AWS accounts with read permissions to log bucket list(string) [] no
cloudfront_additional_origins (Optional) A list of additional origins besides the web site 
list(object({
    connection_attempts = optional(number)
    connection_timeout  = optional(number)
    custom_origin_config = optional(object({
      http_port                = number
      https_port               = number
      origin_protocol_policy   = string
      origin_ssl_protocols     = list(string)
      origin_keepalive_timeout = optional(number)
      origin_read_timeout      = optional(number)
    }))
    domain_name = string
    custom_header : optional(list(
      object({
        name  = string
        value = string
      }))
    )
    origin_access_control_id = optional(string)
    origin_id                = string
    origin_path              = optional(string)
    # TODO support origin_shield
    s3_origin_config = optional(object({
      origin_access_identity = string
    }))
  }))
 [] no
cloudfront_allowed_cached_methods (Optional) Specifies which methods are allowed and cached by CloudFront. Can be GET, PUT, POST, DELETE or HEAD. Defaults to GET and HEAD list(string) 
[
  "GET",
  "HEAD"
]
 no
cloudfront_custom_error_responses A list of custom error responses 
list(object({
    error_caching_min_ttl = number
    error_code            = number
    response_code         = number
    response_page_path    = string
  }))
 [] no
cloudfront_default_cache_policy_id (Optional) The cache policy ID for the default cache behavior. Defaults to Managed-CachingOptimized (658327ea-f89d-4fab-a63d-7e88639e58f6). Use 4135ea2d-6df8-44a3-9df3-4b5a84be39ad for Managed-CachingDisabled. string "658327ea-f89d-4fab-a63d-7e88639e58f6" no
cloudfront_default_origin_request_policy_id (Optional) The origin request policy ID for the default cache behavior. Defaults to Managed-CORS-S3Origin (88a5eaf4-2fd4-4709-b370-b4c650ea3fcf). string "88a5eaf4-2fd4-4709-b370-b4c650ea3fcf" no
cloudfront_default_root_object (Optional) - The object that you want CloudFront to return (for example, index.html) when an end user requests the root URL. Defaults to index.html string "index.html" no
cloudfront_enable_compression (Optional, Default:false) Enable compression with Gzip or Brotli for requests with a valid Accept-Encoding header bool false no
cloudfront_function_association (Optional - up to 2 per distribution) List containing information to associate a CF function to cloudfront. The first field is event_type of the CF function associated with default cache behavior, it can be viewer-request or viewer-response 
list(object({
    event_type   = string
    function_arn = string
  }))
 [] no
cloudfront_geo_restriction_locations (Optional) - The ISO 3166-1-alpha-2 codes for which you want CloudFront either to distribute your content (whitelist) or not distribute your content (blacklist). Defaults to [] list(string) [] no
cloudfront_geo_restriction_type The method that you want to use to restrict distribution of your content by country: none, whitelist, or blacklist. Defaults to none string "none" no
cloudfront_http_version (Optional) - The maximum HTTP version to support on the distribution. Allowed values are http1.1 and http2. The default is http2. string "http2" no
cloudfront_lambda_function_association (Optional - up to 2 per distribution) List containing information to associate a CF lambda_function to cloudfront. The first field is event_type of the CF function associated with default cache behavior, it can be origin-request or origin-response 
list(object({
    event_type   = string
    lambda_arn   = string
    include_body = bool
  }))
 [] no
cloudfront_ordered_cache_behaviors A list of custom ordered cache behaviors 
list(object({
    allowed_methods           = list(string)
    cached_methods            = list(string)
    cache_policy_id           = string
    compress                  = optional(bool)
    default_ttl               = optional(number)
    field_level_encryption_id = optional(string)
    # forwarded_values will not be supported as Hashicorp had already deprecated it at the time of implementing this module
    function_association = optional(list(object({
      event_type   = string
      function_arn = string
    })), [])
    # TODO support lambda_function_association
    max_ttl                    = optional(number)
    min_ttl                    = optional(number)
    origin_request_policy_id   = string
    path_pattern               = optional(string)
    realtime_log_config_arn    = optional(string)
    response_headers_policy_id = optional(string)
    smooth_streaming           = optional(bool)
    target_origin_id           = string
    # TODO support trusted_key_groups and trusted_signers
    viewer_protocol_policy = string
  }))
 [] no
cloudfront_price_class (Optional) - The price class for this distribution. One of PriceClass_All, PriceClass_200, PriceClass_100. Defaults to PriceClass_100 string "PriceClass_100" no
cloudfront_viewer_protocol_policy Use this element to specify the protocol that users can use to access the files in the origin specified by TargetOriginId when a request matches the path pattern in PathPattern. One of allow-all, https-only, or redirect-to-https. Defautls to redirect-to-https string "redirect-to-https" no
cloudfront_web_acl_id (Optional) A unique identifier that specifies the AWS WAF web ACL, if any, to associate with this distribution. string null no
cloudfront_website_retain_on_delete (Optional) - Disables the distribution instead of deleting it when destroying the resource through Terraform. If this is set, the distribution needs to be deleted manually afterwards. Defaults to false. bool false no
cloudfront_website_wait_for_deployment (Optional) - If enabled, the resource will wait for the distribution status to change from InProgress to Deployed. Setting this tofalse will skip the process. Defaults to true. bool true no
comment_for_cloudfront_website Comment for the Website CloudFront Distribution string "" no
create_acm_certificate Enable or disable automatic ACM certificate creation. If set to false, the variable acm_certificate_arn_to_use is required. Defaults to true bool true no
create_route53_hosted_zone Enable or disable Route 53 hosted zone creation. If set to false, the variable route53_hosted_zone_id is required. Defaults to true bool true no
create_route53_website_records Enable or disable creation of Route 53 records in the hosted zone. Defaults to true bool true no
is_ipv6_enabled (Optional) - Whether the IPv6 is enabled for the distribution. Defaults to true bool true no
log_bucket_force_destroy (Optional, Default:false) A boolean that indicates all objects (including any locked objects) should be deleted from the log bucket so that the bucket can be destroyed without error. These objects are not recoverable. bool false no
log_bucket_versioning_mfa_delete (Optional) Specifies whether MFA delete is enabled in the bucket versioning configuration. Valid values: Enabled or Disabled. Defaults to Disabled string "Disabled" no
log_bucket_versioning_status (Optional) The versioning state of the bucket. Valid values: Enabled or Suspended. Defaults to Enabled string "Enabled" no
name_prefix Name prefix for resources on AWS any n/a yes
route53_hosted_zone_id The Route 53 hosted zone ID to use if create_route53_hosted_zone is false string "" no
tags Resource tags map(string) {} no
website_bucket_acl (Optional) The canned ACL to apply when website_bucket_acl_enabled is true. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, and log-delivery-write. Defaults to private. string "private" no
website_bucket_acl_enabled (Optional) Whether to manage and apply bucket ACL settings. Keep true for backward compatibility. Set to false to disable ACL usage (BucketOwnerEnforced), which helps avoid cross-account object upload 403 errors. Defaults to true. bool true no
website_bucket_force_destroy (Optional, Default:false) A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. bool false no
website_bucket_policy (Optional) Map containing the IAM policy for the website bucket. Defaults to null and the policy will be generated automatically. See examples/custom-website-bucket-policy/main.tf for configuration example. any null no
website_cors_additional_allowed_origins (Optional) Specifies which origins are allowed besides the domain name specified list(string) [] no
website_cors_allowed_headers (Optional) Specifies which headers are allowed. Defaults to Authorization and Content-Length list(string) 
[
  "Authorization",
  "Content-Length"
]
 no
website_cors_allowed_methods (Optional) Specifies which methods are allowed. Can be GET, PUT, POST, DELETE or HEAD. Defaults to GET and POST list(string) 
[
  "GET",
  "POST"
]
 no
website_cors_expose_headers (Optional) Specifies expose header in the response. list(string) [] no
website_cors_max_age_seconds (Optional) Specifies time in seconds that browser can cache the response for a preflight request. Defaults to 3600 number 3600 no
website_domain_name The domain name to use for the website string n/a yes
website_error_document (Optional) An absolute path to the document to return in case of a 4XX error. Defaults to 404.html string "404.html" no
website_index_document Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders. Defaults to index.html string "index.html" no
website_server_side_encryption_configuration (Optional) Map containing server-side encryption configuration for the website bucket. Defaults to no encryption. See examples/complete/main.tf for configuration example. any {} no
website_versioning_mfa_delete (Optional) Specifies whether MFA delete is enabled in the bucket versioning configuration. Valid values: Enabled or Disabled. Defaults to Disabled string "Disabled" no
website_versioning_status (Optional) The versioning state of the bucket. Valid values: Enabled or Suspended. Defaults to Enabled string "Enabled" no
www_website_bucket_acl (Optional) The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, and log-delivery-write. Defaults to private. string "private" no
www_website_bucket_force_destroy (Optional, Default:false) A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. bool false no
www_website_redirect_enabled (Optional) Whether to redirect www subdomain. Defaults to true. bool true no
www_website_versioning_enabled (Optional) Enable versioning. Once you version-enable a bucket, it can never return to an unversioned state. You can, however, suspend versioning on that bucket. Defaults to true bool true no
www_website_versioning_mfa_delete (Optional) Enable MFA delete for either change the versioning state of your bucket or permanently delete an object version. Default is false. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. bool false no

Outputs

Name Description
acm_certificate_arn The ARN of the certificate
acm_certificate_domain_name The domain name for which the certificate is issued
acm_certificate_domain_validation_options Set of domain validation objects which can be used to complete certificate validation. Can have more than one element, e.g. if SANs are defined.
acm_certificate_id The ARN of the certificate
acm_certificate_status Status of the certificate.
acm_certificate_tags_all A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
cert_validation_certificate_arn The ARN of the certificate that is being validated.
cert_validation_id The time at which the certificate was issued
cert_validation_validation_record_fqdns List of FQDNs that implement the validation.
cloudfront_website_arn The ARN (Amazon Resource Name) for the distribution. For example: arn:aws:cloudfront::123456789012:distribution/EDFDVBD632BHDS5, where 123456789012 is your AWS account ID.
cloudfront_website_caller_reference Internal value used by CloudFront to allow future updates to the distribution configuration.
cloudfront_website_domain_name The domain name corresponding to the distribution. For example: d604721fxaaqy9.cloudfront.net.
cloudfront_website_etag The current version of the distribution's information. For example: E2QWRUHAPOMQZL.
cloudfront_website_hosted_zone_id The CloudFront Route 53 zone ID that can be used to route an Alias Resource Record Set to. This attribute is simply an alias for the zone ID Z2FDTNDATAQYW2.
cloudfront_website_id The identifier for the distribution. For example: EDFDVBD632BHDS5.
cloudfront_website_in_progress_validation_batches The number of invalidation batches currently in progress.
cloudfront_website_last_modified_time The date and time the distribution was last modified.
cloudfront_website_status The current status of the distribution. Deployed if the distribution's information is fully propagated throughout the Amazon CloudFront system.
cloudfront_website_tags_all A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
cloudfront_website_trusted_key_groups List of nested attributes for active trusted key groups, if the distribution is set up to serve private content with signed URLs
cloudfront_website_trusted_signers List of nested attributes for active trusted signers, if the distribution is set up to serve private content with signed URLs
hosted_zone_id The Hosted Zone ID. This can be referenced by zone records.
hosted_zone_name_servers A list of name servers in the associated (or default) delegation set. Find more about delegation sets in AWS docs.
hosted_zone_tags_all A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
route_53_record_website_fqdn FQDN built using the zone domain and name.
route_53_record_website_name The name of the record.
route_53_record_www_website_fqdn FQDN built using the zone domain and name.
route_53_record_www_website_name The name of the record.
website_bucket_arn The ARN of the bucket. Will be of format arn:aws:s3:::bucketname.
website_bucket_domain_name The bucket domain name. Will be of format bucketname.s3.amazonaws.com.
website_bucket_hosted_zone_id The Route 53 Hosted Zone ID for this bucket's region.
website_bucket_id The name of the bucket.
website_bucket_region The AWS region this bucket resides in.
website_bucket_regional_domain_name The bucket region-specific domain name. The bucket domain name including the region name, please refer to https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoints when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL.
website_bucket_tags_all A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
website_logs_bucket_id The name of the bucket which holds the access logs

About

Terraform Module for AWS to host Static Website on S3

registry.terraform.io/modules/cn-terraform/s3-static-website/aws

Topics

aws cloud terraform s3 static-website terraform-module

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

23 stars

Watchers

1 watching

Forks

41 forks
Report repository

Releases 35

1.2.0 Latest
Mar 9, 2026
+ 34 releases

Sponsor this project

Packages

 
 
 

Contributors

Languages