Building a minimal S3 + CloudFront + ACM + Route53 website with Terraform

AWS, Terraform | 01 December 2020

This is the minimal configuration for building a website environment out of the AWS services S3 + CloudFront + ACM + Route53 with Terraform. It is a fairly basic setup, so it is one you run into often.

Let's write this setup as Terraform code!

Building the S3 bucket

First, build the S3 bucket that will serve as the origin.

# Origin bucket that is served as a website
resource "aws_s3_bucket" "web_bucket" {
  # Bucket names are global and must be DNS-compliant (underscores are not
  # accepted), so replace this value with a unique name of your own.
  bucket = "web_bucket"
  # public-read ACL: every object is readable by anyone on the internet
  acl    = "public-read"

  website {
    index_document = "index.html"
    error_document = "error.html"
  }
}

# Bucket policy
resource "aws_s3_bucket_policy" "web_bucket_policy" {
  bucket = aws_s3_bucket.web_bucket.id
  policy = data.aws_iam_policy_document.web_bucket_policy_document.json
}

# Bucket policy document: anonymous s3:GetObject on every object in the bucket
data "aws_iam_policy_document" "web_bucket_policy_document" {
  statement {
    sid     = "1"
    actions = ["s3:GetObject"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    resources = ["${aws_s3_bucket.web_bucket.arn}/*"]
  }
}

Building ACM and Route53

Next, add the ACM certificate and the domain records in Route53.

(For convenience, the domain used here is this blog's own, kleinblog.net.)

# Define the domain names as locals
locals {
  cert_domain_name = "*.kleinblog.net"
  zone_name        = "kleinblog.net"
}

# ACM certificate
# A certificate used by CloudFront must be issued in us-east-1, so this
# resource needs a provider configured for that region.
resource "aws_acm_certificate" "cert" {
  domain_name       = local.cert_domain_name
  validation_method = "DNS"
}

# Route53 hosted zone (must already exist)
data "aws_route53_zone" "zone" {
  name         = local.zone_name
  private_zone = false
}

# DNS validation record
# domain_validation_options is a set in AWS provider v3 and later, so it is
# converted to a list before indexing; a single domain name yields one entry.
resource "aws_route53_record" "cert_validation" {
  name    = tolist(aws_acm_certificate.cert.domain_validation_options)[0].resource_record_name
  type    = tolist(aws_acm_certificate.cert.domain_validation_options)[0].resource_record_type
  zone_id = data.aws_route53_zone.zone.id
  records = [tolist(aws_acm_certificate.cert.domain_validation_options)[0].resource_record_value]
  ttl     = 60
}

# Wait until ACM has checked the record and issued the certificate
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [aws_route53_record.cert_validation.fqdn]
}

Building CloudFront

Finally, build the CloudFront distribution.

locals {
  aliases       = ["www.kleinblog.net"]
  origin_bucket = aws_s3_bucket.web_bucket
  origin_id     = "originWebBucket"
}

resource "aws_cloudfront_distribution" "distribution" {
  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"
  aliases             = local.aliases

  origin {
    # The S3 website endpoint only speaks HTTP, hence the http-only origin policy
    domain_name = local.origin_bucket.website_endpoint
    origin_id   = local.origin_id

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "http-only"
      # required by the block even though the origin is never reached over TLS
      origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
    }
  }

  default_cache_behavior {
    allowed_methods  = ["HEAD", "GET"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = local.origin_id

    forwarded_values {
      query_string = true
      cookies {
        forward = "all"
      }
    }

    # allow-all also serves plain HTTP to viewers; "redirect-to-https" forces TLS
    viewer_protocol_policy = "allow-all"
    # TTLs of 0 disable caching at the edge (convenient while developing)
    min_ttl                = 0
    default_ttl            = 0
    max_ttl                = 0
    compress               = true
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # Reference the validation resource so the distribution is only created
    # once the certificate has actually been issued
    acm_certificate_arn      = aws_acm_certificate_validation.cert.certificate_arn
    ssl_support_method       = "sni-only"
    # TLSv1 is deprecated; "TLSv1.2_2021" is the currently recommended minimum
    minimum_protocol_version = "TLSv1"
  }
}
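As an added example (not the post's own code), here is the same site rebuilt so the bucket stays private: a CloudFront Origin Access Identity reads from the S3 REST endpoint instead of the public website endpoint, viewers are redirected to HTTPS, and the TLS floor is TLSv1.2_2021. It assumes aws_s3_bucket.web_bucket and aws_acm_certificate_validation.cert from the post exist, with the acl and website block removed from the bucket, and that these resources replace the post's public bucket policy and distribution.

```hcl
# Added example (not the post's code): private bucket read only by a CloudFront OAI.
resource "aws_cloudfront_origin_access_identity" "oai" {
  comment = "reader identity for web_bucket"
}
# Bucket policy grants s3:GetObject to the OAI only; no anonymous principal.
data "aws_iam_policy_document" "oai_read" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.web_bucket.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.oai.iam_arn]
    }
  }
}
resource "aws_s3_bucket_policy" "oai_read" {
  bucket = aws_s3_bucket.web_bucket.id
  policy = data.aws_iam_policy_document.oai_read.json
}
resource "aws_cloudfront_distribution" "distribution" {
  enabled             = true
  default_root_object = "index.html"
  aliases             = ["www.kleinblog.net"]
  origin {
    # S3 REST endpoint (reachable over HTTPS), not the HTTP-only website endpoint
    domain_name = aws_s3_bucket.web_bucket.bucket_regional_domain_name
    origin_id   = "originWebBucket"
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path
    }
  }
  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "originWebBucket"
    viewer_protocol_policy = "redirect-to-https" # viewers never get plaintext
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
  }
  restrictions {
    geo_restriction { restriction_type = "none" }
  }
  viewer_certificate {
    # the validation resource's ARN, so the distribution waits for an issued cert
    acm_certificate_arn      = aws_acm_certificate_validation.cert.certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}
```

Pair this with an aws_s3_bucket_public_access_block on the bucket so a later ACL or policy change cannot reopen it. Note that with a REST origin default_root_object only applies at the root URL, so index pages inside subdirectories need separate handling.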

tags: AWS, Terraform