- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
# S3+Cloudfront 構成のサイトインフラ。独自ドメインを CNAME で Cloudfront の
# ドメインに向ける前提。
#
# 一回 `tofu apply` を実行してタイムアウトで異常終了を待ってから `tofu output`
# を実行し、 `domain_cert_validations.resource_record_*` の内容を DNS に追記。
# その後再度 `tofu apply` を実行する。
#
# SPDX-FileCopyrightText: 2025 Shota FUJI <pockawoooh@gmail.com>
# SPDX-License-Identifier: AGPL-3.0-only
variable "docs_domain" {
description = "ドキュメントサイトをホストする最終的なドメイン"
type = string
}
variable "aws_region" {
description = "デフォルトのリージョン"
type = string
default = "us-west-2"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.82"
}
}
required_version = ">= 1.2.0"
}
provider "aws" {
region = var.aws_region
default_tags {
tags = {
Service = "Yamori"
Module = "Docs"
}
}
}
provider "aws" {
alias = "us_east_1"
region = "us-east-1"
default_tags {
tags = {
Service = "Yamori"
Module = "Docs"
}
}
}
resource "aws_s3_bucket" "origin" {}
output "s3_bucket_name" {
value = aws_s3_bucket.origin.id
}
data "aws_iam_policy_document" "s3_cf_read_policy" {
statement {
sid = "AllowCloudfrontReadonly"
principals {
type = "Service"
identifiers = ["cloudfront.amazonaws.com"]
}
actions = ["s3:GetObject"]
resources = ["${aws_s3_bucket.origin.arn}/*"]
condition {
test = "StringEquals"
variable = "aws:SourceArn"
values = [aws_cloudfront_distribution.cdn.arn]
}
}
}
resource "aws_s3_bucket_policy" "allow_read_from_cloudfront" {
bucket = aws_s3_bucket.origin.id
policy = data.aws_iam_policy_document.s3_cf_read_policy.json
}
resource "aws_acm_certificate" "domain_cert" {
# CloudFront で使う ACM は us-east-1 にある必要がある。
# https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html
provider = aws.us_east_1
domain_name = var.docs_domain
validation_method = "DNS"
lifecycle {
create_before_destroy = true
}
}
output "domain_cert_validations" {
value = aws_acm_certificate.domain_cert.domain_validation_options
}
locals {
cf_origin_id = "yamor_docs_cdn"
}
resource "aws_cloudfront_origin_access_control" "s3_oac" {
name = "static_website"
origin_access_control_origin_type = "s3"
signing_behavior = "always"
signing_protocol = "sigv4"
}
resource "aws_cloudfront_distribution" "cdn" {
origin {
domain_name = aws_s3_bucket.origin.bucket_regional_domain_name
origin_id = local.cf_origin_id
origin_access_control_id = aws_cloudfront_origin_access_control.s3_oac.id
}
enabled = true
is_ipv6_enabled = true
default_root_object = "index.html"
http_version = "http2and3"
aliases = [var.docs_domain]
viewer_certificate {
acm_certificate_arn = aws_acm_certificate.domain_cert.arn
ssl_support_method = "sni-only"
}
default_cache_behavior {
# AWS が管理している CacheOptimized ポリシー
cache_policy_id = "658327ea-f89d-4fab-a63d-7e88639e58f6"
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD"]
target_origin_id = local.cf_origin_id
compress = true
viewer_protocol_policy = "redirect-to-https"
min_ttl = 0
default_ttl = 31536000
max_ttl = 31536000
}
restrictions {
geo_restriction {
locations = []
restriction_type = "none"
}
}
}
output "cloudfront_distribution_id" {
value = aws_cloudfront_distribution.cdn.id
}
output "cloudfront_domain" {
value = aws_cloudfront_distribution.cdn.domain_name
}