-
Notifications
You must be signed in to change notification settings - Fork 0
/
tf_deploy_subset_direct_download_cloudfront.tf
158 lines (125 loc) · 3.92 KB
/
tf_deploy_subset_direct_download_cloudfront.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
## CREATE BUCKET for subsets output
resource "aws_s3_bucket" "fcx_subset_output" {
bucket = var.DESTINATION_BUCKET_NAME
force_destroy = true # enables terraform to force destroy bucket despite contents in it.
tags = {
Name = "fcx-subset-outputs"
}
}
## ADD POLICY TO S3 BUCKET
# create policy document
data "aws_iam_policy_document" "allow_access_from_cloudfront" {
statement {
sid = "AllowCloudFrontServicePrincipal"
principals {
type = "Service"
identifiers = ["cloudfront.amazonaws.com"]
}
actions = [
"s3:GetObject"
]
resources = [
aws_s3_bucket.fcx_subset_output.arn,
"${aws_s3_bucket.fcx_subset_output.arn}/*",
]
condition {
test = "StringEquals"
variable = "AWS:SourceArn"
values = [
"arn:aws:cloudfront::${var.accountId}:distribution/${aws_cloudfront_distribution.fcx_subset_output_distribution.id}"
]
}
}
}
# attach policy to bucket
resource "aws_s3_bucket_policy" "allow_access_from_cloudfront" {
bucket = aws_s3_bucket.fcx_subset_output.id
policy = data.aws_iam_policy_document.allow_access_from_cloudfront.json
}
## CLOUDFRONT SETUP
locals {
s3_origin_id = "ghrc-fcx-subset-outputS3Origin"
}
# create OAC, for cloudwatch to get origin access to s3
resource "aws_cloudfront_origin_access_control" "fcx_subset_output" {
name = "ghrc-fcx-subset-output"
description = "Allow the cloudfront to access the subsets output that is in s3 bucket"
origin_access_control_origin_type = "s3"
signing_behavior = "always"
signing_protocol = "sigv4"
}
# create cloudfront distribution, with OAC attached
resource "aws_cloudfront_distribution" "fcx_subset_output_distribution" {
origin {
domain_name = aws_s3_bucket.fcx_subset_output.bucket_regional_domain_name
origin_access_control_id = aws_cloudfront_origin_access_control.fcx_subset_output.id
origin_id = local.s3_origin_id
}
enabled = true
is_ipv6_enabled = true
comment = "Distributes the subsets output publicly which are stored in private bucket"
default_cache_behavior {
allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD"]
target_origin_id = local.s3_origin_id
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
viewer_protocol_policy = "allow-all"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}
# Cache behavior with precedence 0
ordered_cache_behavior {
path_pattern = "/content/immutable/*"
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
target_origin_id = local.s3_origin_id
forwarded_values {
query_string = false
headers = ["Origin"]
cookies {
forward = "none"
}
}
min_ttl = 0
default_ttl = 86400
max_ttl = 31536000
compress = true
viewer_protocol_policy = "redirect-to-https"
}
# Cache behavior with precedence 1
ordered_cache_behavior {
path_pattern = "/content/*"
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD"]
target_origin_id = local.s3_origin_id
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
compress = true
viewer_protocol_policy = "redirect-to-https"
}
restrictions {
geo_restriction {
restriction_type = "none"
locations = []
}
}
tags = {
Environment = var.stage_name
}
viewer_certificate {
cloudfront_default_certificate = true
}
}