Testing first approach

.gitignore

-.DS_Store
+.DS_Store
\ No newline at end of file
+.terraform/*
+.terraform.lock.hcl
\ No newline at end of file

.terraform-version

+1.0.11
\ No newline at end of file

README.md

-# CloudFront with separate S3
-This
+# CloudFront with separate S3 and DNS
 
-![Solution Schema](./doc/schema.png)
+This an example how to deploy a static site with CloudFront.
\ No newline at end of file
+
+Assuming governance with Control Tower, allow custom AssumeRoles.
+
+![Solution Schema](./doc/schema.png)
+
+# Use
+
+```
+terraform init && terraform plan && terraform apply
+```
+
+# DRY Statement
+
+Using high quality OSS modules provide tested solutions among other multiple benefits.
\ No newline at end of file

locals.tf

+locals {
+  settings = yamldecode(file("settings.yaml")) 
+}
\ No newline at end of file

main.tf

+ module "storage" {
+     source = "./modules/s3"
+     
+     account_id = local.settings.s3_account_id
+     environment = local.settings.environment
+     project_name = local.settings.project_name
+     force_destroy = local.settings.s3_force_destroy
+     region = local.settings.region
+     assume_role = local.settings.assume_role
+ }
+ module "certificate" {
+     source = "./modules/acm"
+     
+     account_id = local.settings.cdn_account_id
+     environment = local.settings.environment
+     domain  = local.settings.domain
+     zone_id = local.settings.zone_id
+ }
+
+ module "distribution" {
+     source = "./modules/cdn"
+ 
+     account_id = local.settings.cdn_account_id
+     environment = local.settings.environment
+     domain  = local.settings.domain
+     bucket = module.storage.s3_bucket_bucket_domain_name
+     acm_certificate_arn = module.certificate.acm_certificate_arn
+     assume_role = local.settings.assume_role
+
+ #    depends_on = [module.storage,module.certificate]
+ }
+ 
+
+# 
+ module "dns" {
+     source = "./modules/dns"
+ 
+     account_id = local.settings.dns_account_id
+     environment = local.settings.environment
+     zone_id = local.settings.zone_id
+     cdn_endpoint = module.distribution.cdn_endpoint
+     region = local.settings.region
+     domain = local.settings.domain
+     assume_role = local.settings.assume_role
+   # depends_on = [module.distribution]
+ }
+# 
+ module "policy" {
+     source = "./modules/iam"
+     
+     account_id = local.settings.s3_account_id
+     environment = local.settings.environment
+     s3_bucket_id = module.storage.s3_bucket_id
+     distribution_arn = module.distribution.distribution_arn
+     identity_arn = module.distribution.cloudfront_origin_access_identity_iam_arns[0]
+     region = local.settings.region
+     assume_role = local.settings.assume_role
+    # depends_on = [module.distribution]
+ }
\ No newline at end of file

modules/acm/locals.tf

+locals {
+    assume_role_arn = "arn:aws:iam::${var.account_id}:role/${var.assume_role}"
+    
+}
\ No newline at end of file

modules/acm/main.tf

+module "acm" {
+  source  = "terraform-aws-modules/acm/aws"
+  version = "~> 4.0"
+
+  domain_name  = var.domain
+  zone_id      = var.zone_id
+
+  subject_alternative_names = [
+    "*.${var.domain}",
+    var.domain,
+  ]
+
+  wait_for_validation = true
+
+  tags = {
+    Name = var.domain
+    Env  = var.environment
+  }
+}
\ No newline at end of file

modules/acm/outputs.tf

+output "acm_certificate_arn" {
+    value = module.acm.acm_certificate_arn
+}
\ No newline at end of file

modules/acm/provider.tf

+provider "aws" {
+  region = "us-east-1"
+  assume_role {
+    role_arn    = local.assume_role_arn
+  }
+  default_tags {
+    tags = {
+      environment = var.environment
+    }
+  }
+}
\ No newline at end of file

variables.tf → modules/acm/variables.tf

-variable "region"{
-    description = ""
+variable "account_id" {
     type = string
-    default = "eu-west-1"
+    description = "Account where this module will be executed"
+  
 }
-variable "project_name"{
+variable "assume_role"{
     description = ""
     type = string
+    default ="AWSControlTowerExecution"
 }
 variable "environment"{
     description = ""
@@ -16,24 +17,8 @@ variable "domain"{
     description = ""
     type = string
 }
+
 variable "zone_id"{
     description = ""
     type = string
-}
-variable "assume_role"{
-    description = ""
-    type = string
-    default ="AWSControlTowerExecution"
-}
-variable "dns_account_id"{
-    description = ""
-    type = string
-}
-variable "cdn_account_id"{
-    description = ""
-    type = string
-}
-variable "s3_account_id"{
-    description = ""
-    type = string
 }
\ No newline at end of file

modules/cdn/cdn_logs.tf

+module "cdn_logs" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+
+  bucket = local.log_bucket_name
+  acl    = "log-delivery-write"
+
+  # Allow deletion of non-empty bucket
+  force_destroy = true
+
+}
\ No newline at end of file

modules/cdn/locals.tf

+locals {
+    assume_role_arn = "arn:aws:iam::${var.account_id}:role/${var.assume_role}"
+    log_bucket_name = "${var.bucket}-${var.environment}-logs"
+}
\ No newline at end of file

modules/cdn/main.tf

+module "cdn" {
+  source = "terraform-aws-modules/cloudfront/aws"
+
+  aliases = [var.domain]
+
+  comment             = "Static site CDN example"
+  enabled             = true
+  is_ipv6_enabled     = true
+  price_class         = "PriceClass_All"
+  retain_on_delete    = false
+  wait_for_deployment = false
+  default_root_object = "index.html"
+
+  create_origin_access_identity = true
+  origin_access_identities = {
+    s3_bucket_one = "CloudFront Authorization"
+  }
+
+  logging_config = {
+    bucket = module.cdn_logs.s3_bucket_bucket_regional_domain_name
+  }
+
+
+#     + origin {
+#         + connection_attempts = 3
+#         + connection_timeout  = 10
+#         + domain_name         = "cdn-test-suarez-695964370516-prod.s3.amazonaws.com"
+#         + origin_id           = "s3_one"
+#
+#         + s3_origin_config {
+#             + origin_access_identity = "origin-access-identity/cloudfront/EJZYR4TJZ4424"
+#           }
+#       }
+#     - origin {
+#         - connection_attempts      = 3 -> null
+#         - connection_timeout       = 10 -> null
+#         - domain_name              = "cdn-test-suarez-695964370516-prod.s3.amazonaws.com" -> null
+#         - origin_access_control_id = "E8WTPE7OWBAPP" -> null
+#         - origin_id                = "s3_one" -> null
+#       }
+#
+
+
+  origin = {
+
+    s3_one = {
+      domain_name = var.bucket
+      s3_origin_config = {
+        origin_access_identity = "s3_bucket_one"
+      }
+    }
+  }
+
+  default_cache_behavior = {
+    target_origin_id           = "s3_one"
+    viewer_protocol_policy     = "allow-all"
+
+    allowed_methods = ["GET", "HEAD", "OPTIONS"]
+    cached_methods  = ["GET", "HEAD"]
+    compress        = true
+    query_string    = true
+  }
+
+  ordered_cache_behavior = [
+    {
+      path_pattern           = "*"
+      target_origin_id       = "s3_one"
+      viewer_protocol_policy = "redirect-to-https"
+
+      allowed_methods = ["GET", "HEAD", "OPTIONS"]
+      cached_methods  = ["GET", "HEAD"]
+      compress        = true
+      query_string    = true
+    }
+  ]
+
+  viewer_certificate = {
+    acm_certificate_arn = var.acm_certificate_arn
+    ssl_support_method  = "sni-only"
+  }
+}
\ No newline at end of file

modules/cdn/outputs.tf

+output "cdn_endpoint" {
+    value = module.cdn.cloudfront_distribution_domain_name
+}
+
+output "distribution_arn" {
+    value = module.cdn.cloudfront_distribution_arn
+}
+
+output "cloudfront_origin_access_identity_iam_arns"{
+    description = "	The IAM arns of the origin access identities created"
+    value = module.cdn.cloudfront_origin_access_identity_iam_arns
+}
+output "cloudfront_origin_access_identity_ids"{
+    description = "The IDS of the origin access identities created"
+    value = module.cdn.cloudfront_origin_access_identity_ids
+}
\ No newline at end of file

modules/cdn/provider.tf

+provider "aws" {
+  region = "us-east-1"
+  assume_role {
+    role_arn    = local.assume_role_arn
+  }
+  default_tags {
+    tags = {
+      environment = var.environment
+    }
+  }
+}
\ No newline at end of file

modules/cdn/variables.tf

+variable "account_id" {
+    type = string
+    description = "Account where this module will be executed"
+  
+}
+variable "assume_role"{
+    description = ""
+    type = string
+    default ="AWSControlTowerExecution"
+}
+variable "environment"{
+    description = ""
+    type = string
+    default = "dev"
+}
+variable "domain"{
+    description = ""
+    type = string
+}
+
+variable "bucket"{
+    description = ""
+    type = string
+}
+
+variable "acm_certificate_arn" {
+    description = ""
+    type = string
+  
+}
\ No newline at end of file

modules/dns/locals.tf

+locals {
+    assume_role_arn = "arn:aws:iam::${var.account_id}:role/${var.assume_role}"
+    hostname = split(".",var.domain)[0]
+}
+

modules/dns/main.tf

+module "records" {
+  source  = "terraform-aws-modules/route53/aws//modules/records"
+  version = "~> 2.0"
+  
+  zone_id = var.zone_id
+  
+  records = [
+  {
+      name           = local.hostname
+      type           = "CNAME"
+      ttl            = 5
+      records        = [var.cdn_endpoint]
+   }]
+
+}

modules/dns/provider.tf

+provider "aws" {
+  region = var.region
+  assume_role {
+    role_arn    = local.assume_role_arn
+  }
+  default_tags {
+    tags = {
+      Env = var.environment
+    }
+  }
+}
\ No newline at end of file

modules/dns/variables.tf

+variable "account_id" {
+    type = string
+    description = "Account where this module will be executed"
+  
+}
+variable "environment"{
+    description = ""
+    type = string
+    default = "dev"
+}
+variable "region" {
+    type = string
+    description = "region"
+}
+variable "zone_id" {
+    type = string
+    description = "(optional) describe your variable"
+}
+
+variable "cdn_endpoint" {
+  type = string
+  description = "CDN endpoint FQDN"
+}
+
+variable "domain" {
+    type = string
+    description = "The domain record needs to be published"
+  
+}
+
+
+
+variable "assume_role" {
+    type = string
+    description = ""
+}
+

modules/iam/files/policy.json.tpl

+{
+    "Version": "2008-10-17",
+    "Id": "PolicyForCloudFrontPrivateContent",
+    "Statement": [
+        {
+            "Sid": "AllowCloudFrontServicePrincipal",
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "cloudfront.amazonaws.com"
+            },
+            "Action": "s3:GetObject",
+            "Resource": "arn:aws:s3:::${bucket_name}/*",
+            "Condition": {
+                "StringEquals": {
+                    "AWS:SourceArn": "${distribution_arn}"
+                }
+            }
+        },
+        {
+        "Sid": "AllowCloudFrontServiceIdentity",
+        "Effect": "Allow",
+        "Principal": {
+        "AWS": "${identity_arn}"
+            },
+        "Action": "s3:GetObject",
+        "Resource": "arn:aws:s3:::${bucket_name}/*"
+        }
+    ]
+}
\ No newline at end of file

modules/iam/locals.tf

+locals {
+    assume_role_arn = "arn:aws:iam::${var.account_id}:role/${var.assume_role}"
+}
+

modules/iam/main.tf

+resource "aws_s3_bucket_policy" "s3_cur_output_name_policy" {
+  bucket = var.s3_bucket_id
+  policy = data.template_file.s3_cur_output_name_policy.rendered
+}
+
+data "template_file" "s3_cur_output_name_policy" {
+  template = "${file("${path.module}/files/policy.json.tpl")}"
+  vars = {
+    bucket_name  = var.s3_bucket_id, 
+    distribution_arn = var.distribution_arn,
+    identity_arn = var.identity_arn
+    }
+}
\ No newline at end of file

modules/iam/provider.tf

+provider "aws" {
+  region = var.region
+  assume_role {
+    role_arn    = local.assume_role_arn
+  }
+  default_tags {
+    tags = {
+      Env = var.environment
+    }
+  }
+}
\ No newline at end of file

modules/iam/variables.tf

+variable "force_destroy" {
+    description = ""
+    type = bool
+    default = false
+}
+
+variable "s3_bucket_id"{
+    description = ""
+    type = string
+}
+
+variable "distribution_arn" {
+    type = string
+    description = "Distribution to grant bucket permissions"
+}
+variable "identity_arn" {
+    type = string 
+    description = "CloudFront Identity created for add it into the S3 policy"
+  
+}
+variable "region" {
+    type = string
+    description = "(optional) describe your variable"
+}
+
+variable "account_id" {
+    type = string
+    description = "Account where this module will be executed"
+  
+}
+
+variable "assume_role" {
+    type = string
+    description = ""
+}
+
+variable "environment" {
+    type = string
+    description = ""
+  
+}
\ No newline at end of file

modules/s3/locals.tf

+locals {
+    assume_role_arn = "arn:aws:iam::${var.account_id}:role/${var.assume_role}"
+    bucket_name = "${var.project_name}-${var.account_id}-${var.environment}"
+}
+

modules/s3/main.tf

+module "web_storage" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+
+  bucket = local.bucket_name
+  acl    = "log-delivery-write"
+
+  # Allow deletion of non-empty bucket
+  force_destroy = var.force_destroy
+
+}
\ No newline at end of file

modules/s3/outputs.tf

+output "s3_bucket_bucket_domain_name" {
+    value = module.web_storage.s3_bucket_bucket_domain_name
+}
+
+output "s3_bucket_id" {
+    value = module.web_storage.s3_bucket_id
+}
\ No newline at end of file

modules/s3/provider.tf

+provider "aws" {
+  region = var.region
+  assume_role {
+    role_arn    = local.assume_role_arn
+  }
+  default_tags {
+    tags = {
+      Env = var.environment
+    }
+  }
+}
\ No newline at end of file

modules/s3/variables.tf

+variable "force_destroy" {
+    description = ""
+    type = bool
+    default = false
+}
+
+variable "environment"{
+    description = ""
+    type = string
+    default = "dev"
+}
+
+variable "region" {
+    type = string
+    description = "(optional) describe your variable"
+}
+
+variable "account_id" {
+    type = string
+    description = "Account where this module will be executed"
+  
+}
+variable "project_name" {
+    type = string
+    description = "Project name to form the bucket name withing other vars"
+}
+
+variable "assume_role" {
+    type = string
+    description = ""
+}
\ No newline at end of file

outputs.tf

+output "cdn_account_id" {
+    value = local.settings.cdn_account_id
+    description = "Setting value"
+}
+output "dns_account_id" {
+    value = local.settings.dns_account_id
+    description = "Setting value"
+}
+output "s3_account_id" {
+    value = local.settings.s3_account_id
+    description = "Setting value"
+}
+output "project_name" {
+    value = local.settings.project_name
+    description = "Setting value"
+}
+output "region" {
+    value = local.settings.region
+    description = "Setting value"
+}
+output "environment" {
+    value = local.settings.environment
+    description = "Setting value"
+}
+output "domain" {
+    value = local.settings.domain
+    description = "Setting value"
+}
+output "zone_id" {
+    value = local.settings.zone_id
+    description = "Setting value"
+}
+output "s3_force_destroy" {
+    value = local.settings.s3_force_destroy
+    description = "Setting value"
+}
+output "assume_role" {
+    value = local.settings.assume_role
+    description = "Setting value"
+}
+output "cloudfront_origin_access_identity_iam_arns"{
+    description = "	The IAM arns of the origin access identities created"
+    value = module.distribution.cloudfront_origin_access_identity_iam_arns
+}
+output "cloudfront_origin_access_identity_ids"{
+    description = "The IDS of the origin access identities created"
+    value = module.distribution.cloudfront_origin_access_identity_ids
+}
\ No newline at end of file

versions.tf

+terraform {
+  required_version = ">= 1.0.1"
+
+  required_providers {
+    aws = {
+      source                = "hashicorp/aws"
+      version               = ">= 3.72"
+    }
+  }
+
+  backend "s3" {
+    region         = "eu-west-1"
+    bucket         = "cdn-static-example-xsdc-state"
+    key            = "LockID" 
+    dynamodb_table = "cdn-static-example-xsdc-locks"
+    role_arn       = "arn:aws:iam::248128070333:role/AWSControlTowerExecution"
+  }
+}