Once we’ve set up our basic infra and published our content, we now have our blog published as static files, on S3, under our own domain name. We’re still missing two things that a modern, cloud native website should have: HTTPS and regional redundancy. Thankfully, AWS CloudFront gives us both of these things. We’ll return back to our Terraform code to move forward.
Again, the goal here is to use Cloud Native tools for every step, to the greatest extent possible.
We’ll start by using AWS Certificate Manager (“ACM”), which will generate the SSL certificate we need to enable HTTPS. ACM requires you to validate that you control the domain name of the certificate either by responding to an email or by entering a custom domain name validation record. As luck has it, we’re already controlling our domain via Terraform, so we can automate this entire process.
For starters, we add an acm.tf to our Terraform code.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
resource "aws_acm_certificate" "cert" {
domain_name = "${var.host_name}.${var.domain_name}"
validation_method = "DNS"
tags = {
"site" = "j.eremy.nl"
}
lifecycle {
create_before_destroy = true
}
}
resource "aws_route53_record" "cert_validation" {
for_each = {
for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
}
}
allow_overwrite = true
name = each.value.name
records = [each.value.record]
ttl = 60
type = each.value.type
zone_id = aws_route53_zone.eremy_nl.zone_id
}
resource "aws_acm_certificate_validation" "cert" {
certificate_arn = aws_acm_certificate.cert.arn
validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
}
This does three things, with three resources. It creates the certificate as aws_acm_certificate.cert and configures it for DNS validation. We then create the required DNS entries in Route53 with the aws_route53_record.cert_validation record. Lastly, aws_acm_certificate_validation.cert ensures that validation is completed. If we apply this code, we now have an SSL certificate approved for the j.eremy.nl domain name.
Now it’s time to set up the CloudFront distribution. There’s a lot going on here and I’m not going to go through it line by line. The important thing to know is that it creates the distribution, sets our original website S3 bucket as the source, and uses our new ACM certificate. For good measure, I enable automatic http-to-https redirection so that all visitors wind up at the secure site.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
resource "aws_cloudfront_distribution" "prod_distribution" {
origin {
domain_name = "${var.host_name}.${var.domain_name}.s3.amazonaws.com"
origin_id = "S3-${var.host_name}.${var.domain_name}"
}
aliases = ["${var.host_name}.${var.domain_name}"]
# By default, show index.html file
default_root_object = "index.html"
enabled = true
# If there is a 404, return index.html with a HTTP 200 Response
custom_error_response {
error_caching_min_ttl = 3000
error_code = 404
response_code = 200
response_page_path = "/index.html"
}
default_cache_behavior {
allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD"]
target_origin_id = "S3-${aws_s3_bucket.website_bucket.bucket}"
# Forward all query strings, cookies and headers
forwarded_values {
query_string = true
cookies {
forward = "all"
}
}
viewer_protocol_policy = "redirect-to-https"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}
# Distributes content to US and Europe
price_class = "PriceClass_100"
# Restricts who is able to access this content
restrictions {
geo_restriction {
# type of restriction, blacklist, whitelist or none
restriction_type = "none"
}
}
# SSL certificate for the service.
viewer_certificate {
acm_certificate_arn = aws_acm_certificate.cert.arn
ssl_support_method = "sni-only"
}
tags = {
"site" = "j.eremy.nl"
}
depends_on = [
aws_s3_bucket.website_bucket,
]
}
One of the attributes of a CloudFront distribution is its CloudFront domain name. The last thing we need is to take that and update our j.eremy.nl Route53 record to point to this (it currently points directly to the S3 bucket).
We change dns.tf to replace aws_route53_record.root with this:
1
2
3
4
5
6
7
8
9
10
11
12
13
resource "aws_route53_record" "root" {
zone_id = aws_route53_zone.eremy_nl.zone_id
name = "${var.host_name}.${var.domain_name}"
type = "A"
alias {
name = replace(aws_cloudfront_distribution.prod_distribution.domain_name, "/[.]$/", "")
zone_id = aws_cloudfront_distribution.prod_distribution.hosted_zone_id
evaluate_target_health = true
}
depends_on = [aws_cloudfront_distribution.prod_distribution]
}
After applying these changes, our site is now fronted by CloudFront, forces HTTPS, and is distributed to CDN edge locations around the globe.