skyscrapers / terraform-website-s3-cloudfront-route53 Goto Github PK

If my main site is https://example.com and redirecting the www version to the naked domain; do i need two security certificates?

I only have one currently which is for main site.
Example: example.com

In site redirect module i reused the same certificate.

So when I redirect from www.example.com browser reports certificate issue.

Thanks,
Shane.

Hi,

currently it's not possible to utilize the functionality of multiple CNAMEs for the cloudfront distribution. In my case I'm trying to register a wildcard subdomain.

Due to the missing type in the variable declaration we're not able to pass a list, although the terraform resource allows a list: https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#aliases

In addition to that: if we just provide a wildcard-domain, e.g. *.test.example.com, the default tag handling creates invalid tags (asterisks are not allowed as it seems).

Best

The Terraform modules in this repo are frequently used. Should we publish these modules to the Terraform Registry?

The following tags are hard coded (in variables.tf):
tags.Project
tags.Environment
tags.Name

It would be good to remove the hard coding so that we can have a clean set of custom values.

it's currently hard coded to TLSv1, but that's mostly being deprecated.

Thanks

Is there any case you're aware of where you'd prefer a Route53 CNAME over A-ALIAS? ALIAS records save the client from additional DNS lookups

Both site-main and site-redirect try to create an aws_iam_policy resource with the name "site.${replace("${var.domain}",".","-")}.deployer". Since the domain variable will generally be the same for the main and redirect buckets, the result is an error from Terraform/AWS like:

* aws_iam_policy.site_deployer_policy: Error creating IAM policy site.my-domain-com.deployer: EntityAlreadyExists: A policy called site.my-domain-com.deployer already exists. Duplicate names are not allowed.
        status code: 409, request id: 38816639-7dd1-11e6-9f1a-6d0a94ff2f5f

Seems like adding a -main and -redirect or something to the policy name would be an easy enough fix. Alternatively, since the deployer_role_policy.json file that they each use is identical, perhaps just a refactor so it only tries to create it once?

Happy to make the PR myself, but wondering if you'd agree to "deployer" being optional for site-main?

Some of us already have managed IAM roles with superuser access, or some of us (bad i know) just use the root user on our own AWS accounts.

So, for these cases we don't need this IAM Role Policy Attachment.

Hi there,
I'm running into an error like this when I try to use your module:

2020/03/21 16:27:37 [ERROR] module.site-main: eval: *terraform.EvalDiff, err: "origin.0.domain_name": required field is not set
2020/03/21 16:27:37 [ERROR] module.site-main: eval: *terraform.EvalSequence, err: "origin.0.domain_name": required field is not set
2020/03/21 16:27:37 [TRACE] [walkRefresh] Exiting eval tree: module.site-main.aws_cloudfront_distribution.website_cdn
2020/03/21 16:27:37 [TRACE] vertex "module.site-main.aws_cloudfront_distribution.website_cdn": visit complete
2020/03/21 16:27:37 [TRACE] vertex "module.site-main.aws_cloudfront_distribution.website_cdn": dynamic subgraph encountered errors
2020/03/21 16:27:37 [TRACE] vertex "module.site-main.aws_cloudfront_distribution.website_cdn": visit complete
2020/03/21 16:27:37 [TRACE] dag/walk: upstream of "module.site-main.output.website_cdn_hostname" errored, so skipping
2020/03/21 16:27:37 [TRACE] dag/walk: upstream of "module.site-main.output.website_cdn_arn" errored, so skipping
2020/03/21 16:27:37 [TRACE] dag/walk: upstream of "module.site-main.output.website_cdn_zone_id" errored, so skipping
2020/03/21 16:27:37 [TRACE] dag/walk: upstream of "module.site-main.output.website_cdn_id" errored, so skipping
2020/03/21 16:27:37 [TRACE] dag/walk: upstream of "provider.aws (close)" errored, so skipping
2020/03/21 16:27:37 [TRACE] dag/walk: upstream of "root" errored, so skipping
Error: "origin.0.domain_name": required field is not set

My implementation looks like this:

module "site-main" {
  source                           = "github.com/skyscrapers/terraform-website-s3-cloudfront-route53//site-main"
  region                           = "eu-central-1"
  domain                           = var.domain
  bucket_name                      = "prefix-${var.environment}-suffix"
  duplicate-content-penalty-secret = var.duplicate-content-penalty-secret
  deployer                         = var.deployer
  acm-certificate-arn              = aws_acm_certificate.cert.arn
  not-found-response-path          = "/404.html"
}

I have 2 aws profiles: prod and dev. Default is dev.
Even if i set profile in provider like that:

provider "aws" {
  region = "ap-northeast-2"
  profile = "prod"
}

i don't know why, but it creates cloudfront distribution on my prod profile, but other resources will be deployed on my default profile.

I added profile variable and now it works correctly!

Hi,
I have a feature request

What:

Expose CloudFront price_class attribute as an optional module variable.

Why

So I can define where on the world a website is fast accessible.

Let me know if you like this feature.
I'm willing to create a PR.

Cheers and thank you for a great module.

Describe the problem
When making terraform init - it will automatically download aws 4.2.0 - which results in error when try to terraform plan or apply.
If we use aws 3.7.0 everything works as expected

To Reproduce
Steps to reproduce the behavior:

1. Create main.tf according to readme
2. terraform init
3. terraform apply
4. See error

Expected behavior
everything should work, or we should specify 3.7.0 as supported aws provider version.

Screenshots

Your Environment
Ubuntu 21.04

Hi,

Just ran through the modules and got an error running the module above

"target field is needed"

But the readme doesnt outline this.

Example:

module "site-redirect" {
   source = "github.com/ringods/terraform-website-s3-cloudfront-route53//site-redirect"

   region = "${var.region}"
   domain = "www.xxx.com"
   duplicate-content-penalty-secret = "some-secret-password"
   deployer = "xxx"
   acm-certificate-arn = "arn:aws:acm:us-east-1:118195946080:certificate/0a124b1d-6988-4d46-8f50-c7a8a567a0f9"
   target = "${var.domain}"
}

Also, Im using an aws profile.

When i run the modules i have to run as

AWS_PROFILE=xxx terraform plan

does your modules support profile from aws provider?

provider "aws" {
  region     = "${var.region}"
  profile   = "thsmiko"
}

Awesome modules btw! ;-)

Hi,

I just ran chrome lighthouse test and I noticed http2 is not enabled:
https://developers.google.com/web/tools/lighthouse/audits/http2

Should that be variable defined in the module?

Thanks,
Shane.

I want to let multiple users be the 'deployer' to my s3 bucket, e.g. me, my colleagues, + the user from a CI app like Jenkins or something.

Normally to facilitate this I'd have a 'deployer' role (not user), and then authorize any of the above users assume that role so that they can deploy.

As this is coded now, there can only be one user. https://github.com/ringods/terraform-website-s3-cloudfront-route53/blob/d2e06/site-redirect/main.tf#L78

Agree it's a good idea to have this module support making a role instead? It could output the role arn, and users of this module could authorize users to assume that role as needed. https://www.terraform.io/docs/providers/aws/r/iam_role_policy_attachment.html

Alternatively, the modules could just output the policy JSON, and then users of this module could use that to send into IAM however makes sense.