diff --git a/.github/workflows/documentation.yml b/.github/workflows/tfdocs.yml similarity index 87% rename from .github/workflows/documentation.yml rename to .github/workflows/tfdocs.yml index f1afbd1..c074791 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/tfdocs.yml @@ -1,4 +1,4 @@ -name: Generate terraform docs +name: Terraform Docs on: - pull_request @@ -6,7 +6,7 @@ jobs: docs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.ref }} diff --git a/.github/workflows/tflint.yml b/.github/workflows/tflint.yml index c240651..6a7f751 100644 --- a/.github/workflows/tflint.yml +++ b/.github/workflows/tflint.yml @@ -7,19 +7,20 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 name: Checkout source code - - uses: actions/cache@v3 + - uses: actions/cache@v4 name: Cache plugin dir with: path: ~/.tflint.d/plugins key: tflint-${{ hashFiles('.tflint.hcl') }} - - uses: terraform-linters/setup-tflint@v3 + - uses: terraform-linters/setup-tflint@v4 name: Setup TFLint with: - tflint_version: v0.45.0 + tflint_version: v0.50.3 + tflint_wrapper: true - name: Show version run: tflint --version @@ -32,5 +33,11 @@ jobs: - name: Run TFLint run: | - tflint -f compact . - tflint -f compact modules/rename_me + tflint -f compact --chdir . + tflint -f compact --chdir modules/cloudfront-app + tflint -f compact --chdir modules/cloudfront-deployment-policy + tflint -f compact --chdir modules/cloudfront-s3-origin-bucket-policy + + - run: echo ${{ steps.tflint.outputs.stdout }} + - run: echo ${{ steps.tflint.outputs.stderr }} + - run: echo ${{ steps.tflint.outputs.exitcode }} \ No newline at end of file diff --git a/.tflint.hcl b/.tflint.hcl index b3f5689..b7044ac 100644 --- a/.tflint.hcl +++ b/.tflint.hcl 
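Review bot: The bumped action references (`actions/checkout@v4`, `actions/cache@v4`, `terraform-linters/setup-tflint@v4`) are mutable tags, so the workflow's supply chain still moves whenever a tag is re-pointed; pin each to a full commit SHA with the version in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4`. The same applies to the `checkout@v4` bump in `.github/workflows/tfdocs.yml` in this commit. `tflint_wrapper: true` is what makes the `steps.tflint.outputs.*` values used in the next hunk exist, so a short comment on that line (`# wrapper exposes stdout/stderr/exitcode as step outputs`) would explain why it was added.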
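Review bot: The three added `echo ${{ steps.tflint.outputs.* }}` steps reference a step id `tflint`, but the `Run TFLint` step in this hunk has no `id:`, so the expressions expand to empty strings. Interpolating the wrapper outputs directly into `run:` is also the expression-injection pattern GitHub's hardening guide warns about — tflint's stdout/stderr echoes file paths and messages taken from the checked-out tree — so pass them through `env:` and quote them. With four `tflint` calls in one step the wrapper outputs probably reflect only the last invocation; confirm against setup-tflint's behaviour before relying on `exitcode`. The file also loses its trailing newline (`\ No newline at end of file`).
```yaml
      - name: Run TFLint
        id: tflint
        run: |
          tflint -f compact --chdir .
          # … unchanged: remaining --chdir invocations …

      - name: Show TFLint output
        env:
          TFLINT_STDOUT: ${{ steps.tflint.outputs.stdout }}
          TFLINT_STDERR: ${{ steps.tflint.outputs.stderr }}
          TFLINT_EXITCODE: ${{ steps.tflint.outputs.exitcode }}
        run: |
          echo "$TFLINT_STDOUT"
          echo "$TFLINT_STDERR"
          echo "exit code: $TFLINT_EXITCODE"
```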
@@ -1,11 +1,11 @@ plugin "terraform" { enabled = true - version = "0.2.2" + version = "0.6.0" source = "github.com/terraform-linters/tflint-ruleset-terraform" } plugin "aws" { enabled = true - version = "0.21.2" + version = "0.30.0" source = "github.com/terraform-linters/tflint-ruleset-aws" } diff --git a/README.md b/README.md index 355aaae..863ffb7 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ -# Terraform RENAME_ME module +# Terraform AWS modules -TODO +This repository contains Terraform modules for AWS. +Rather than using the modules it's better to copy the code and adjust it to your needs. diff --git a/examples/cloudfront-app/.terraform.lock.hcl b/examples/cloudfront-app/.terraform.lock.hcl new file mode 100644 index 0000000..5e1c43e --- /dev/null +++ b/examples/cloudfront-app/.terraform.lock.hcl 
@@ -0,0 +1,44 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.47.0" + constraints = "~> 5.0" + hashes = [ + "h1:T0tupfn2Ubj18Y7xmO0pFMvti1Qns2K6EGXenR6Hg30=", + "zh:06037a14e47e8f82d0b3b326cd188566272b808b7970a9249a11db26d475b83d", + "zh:116b7dd58ca964a1056249d2b6550f399b0a6bc9a7920b7ee134242114432c9f", + "zh:1aa089c81459071c1d65ba7454f1122159e1fa1b5384e6e9ef85c8264f8a9ecb", + "zh:2c1471acba40c4944aa88dda761093c0c969db6408bdc1a4fb62417788cd6bb6", + "zh:3b950bea06ea4bf1ec359a97a4f1745b7efca7fc2da368843666020dd0ebc5d4", + "zh:7191c5c2fce834d584153dcd5269ed3042437f224d341ad85df06b2247bd09b2", + "zh:76d841b3f247f9bb3899dec3b4d871613a4ae8a83a581a827655d34b1bbee0ee", + "zh:7c656ce252fafc2c915dad43a0a7da17dba975207d75841a02f3f2b92d51ec25", + "zh:8ec97118cbdef64139c52b719e4e22443e67a1f37ea1597cd45b2e9b97332a35", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a369deca7938236a7da59f7ad1fe18137f736764c9015ed10e88edb6e8505980", + "zh:a743882fb099401eae0c86d9388a6faadbbc27b2ac9477aeef643e5de4eec3f9", + "zh:d5f960f58aff06fc58e244fea6e665800384cacb8cd64a556f8e145b98650372", + "zh:e31ffcfd560132ffbff2f574928ba392e663202a750750ed39a8950031b75623", + "zh:ebd9061b92a772144564f35a63d5a08cb45e14a9d39294fda185f2e0de9c8e28", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.1" + hashes = [ + "h1:a+Goawwh6Qtg4/bRWzfDtIdrEFfPlnVy0y4LdUQY3nI=", + "zh:2a0ec154e39911f19c8214acd6241e469157489fc56b6c739f45fbed5896a176", + "zh:57f4e553224a5e849c99131f5e5294be3a7adcabe2d867d8a4fef8d0976e0e52", + "zh:58f09948c608e601bd9d0a9e47dcb78e2b2c13b4bda4d8f097d09152ea9e91c5", + "zh:5c2a297146ed6fb3fe934c800e78380f700f49ff24dbb5fb5463134948e3a65f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7ce41e26f0603e31cdac849085fc99e5cd5b3b73414c6c6d955c0ceb249b593f", + 
"zh:8c9e8d30c4ef08ee8bcc4294dbf3c2115cd7d9049c6ba21422bd3471d92faf8a", + "zh:93e91be717a7ffbd6410120eb925ebb8658cc8f563de35a8b53804d33c51c8b0", + "zh:982542e921970d727ce10ed64795bf36c4dec77a5db0741d4665230d12250a0d", + "zh:b9d1873f14d6033e216510ef541c891f44d249464f13cc07d3f782d09c7d18de", + "zh:cfe27faa0bc9556391c8803ade135a5856c34a3fe85b9ae3bdd515013c0c87c1", + "zh:e4aabf3184bbb556b89e4b195eab1514c86a2914dd01c23ad9813ec17e863a8a", + ] +} diff --git a/examples/cloudfront-app/README.md b/examples/cloudfront-app/README.md new file mode 100644 index 0000000..cd91494 --- /dev/null +++ b/examples/cloudfront-app/README.md @@ -0,0 +1,32 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [aws](#requirement\_aws) | ~> 5.0 | +| [random](#requirement\_random) | ~> 3.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.47.0 | +| [random](#provider\_random) | 3.6.1 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [cloudfront\_app](#module\_cloudfront\_app) | ../../modules/cloudfront-app | n/a | +| [cloudfront\_bucket\_policy](#module\_cloudfront\_bucket\_policy) | ../../modules/cloudfront-s3-origin-bucket-policy | n/a | +| [cloudfront\_deployment\_policy](#module\_cloudfront\_deployment\_policy) | ../../modules/cloudfront-deployment-policy | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [random_id.example](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | + \ No newline at end of file 
diff --git a/examples/cloudfront-app/main.tf b/examples/cloudfront-app/main.tf new file mode 100644 index 0000000..8a4cf67 --- /dev/null +++ b/examples/cloudfront-app/main.tf @@ -0,0 +1,46 @@ +resource "random_id" "example" { + byte_length = 4 + prefix = "tf-example-" +} + +resource "aws_s3_bucket" "this" { + bucket = "apps-${random_id.example.hex}" +} + +resource "aws_s3_bucket_public_access_block" "this" { + bucket = aws_s3_bucket.this.id + + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} + +module "cloudfront_app" { + source = "../../modules/cloudfront-app" + + context = { + namespace = "example" + stage = "dev" + name = "app" + } + app_id = "example" + s3_bucket = aws_s3_bucket.this.bucket + aliases = [] + certificate_arn = "" +} + +module "cloudfront_deployment_policy" { + source = "../../modules/cloudfront-deployment-policy" + + s3_bucket_arn = aws_s3_bucket.this.arn + cloudfront_arns = [module.cloudfront_app.arn] + s3_origin_arns = [module.cloudfront_app.s3_origin_arn] +} + +module "cloudfront_bucket_policy" { + source = "../../modules/cloudfront-s3-origin-bucket-policy" + + s3_bucket = aws_s3_bucket.this.bucket + cloudfront_arns = [module.cloudfront_app.arn] +} diff --git a/examples/rename_me/versions.tf b/examples/cloudfront-app/versions.tf similarity index 61% rename from examples/rename_me/versions.tf rename to examples/cloudfront-app/versions.tf index 51493ec..bc2773a 100644 --- a/examples/rename_me/versions.tf +++ b/examples/cloudfront-app/versions.tf @@ -4,7 +4,12 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.0" + version = "~> 5.0" + } + + random = { + source = "hashicorp/random" + version = "~> 3.0" } } } diff --git a/examples/rename_me/README.md b/examples/rename_me/README.md deleted file mode 100644 index 9a7abe2..0000000 --- a/examples/rename_me/README.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# Example - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | ~> 1.0 | -| [aws](#requirement\_aws) | ~> 4.0 | - -## Providers - -| Name | Version | -|------|---------| -| [random](#provider\_random) | n/a | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | n/a | - -## Resources - -| Name | Type | -|------|------| -| [random_id.example](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | - diff --git a/examples/rename_me/main.tf b/examples/rename_me/main.tf deleted file mode 100644 index e2b163a..0000000 --- a/examples/rename_me/main.tf +++ /dev/null @@ -1,21 +0,0 @@ -resource "random_id" "example" { - byte_length = 4 - - prefix = "tf-example" -} - -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - - name = random_id.example.hex - cidr = "10.0.0.0/16" - - azs = ["eu-central-1a", "eu-central-1b"] - private_subnets = ["10.0.1.0/24"] - public_subnets = ["10.0.101.0/24", "10.0.102.0/24"] - - single_nat_gateway = true - enable_nat_gateway = false - enable_vpn_gateway = false -} - diff --git a/modules/cloudfront-app/README.md b/modules/cloudfront-app/README.md new file mode 100644 index 0000000..42ffa61 --- /dev/null +++ b/modules/cloudfront-app/README.md 
@@ -0,0 +1,51 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [aws](#requirement\_aws) | ~> 5.0 | +| [random](#requirement\_random) | ~> 3.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 5.0 | +| [random](#provider\_random) | ~> 3.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudfront_distribution.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource | +| [aws_cloudfront_origin_access_control.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource | +| [random_id.prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [aws_s3_bucket.apps](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aliases](#input\_aliases) | List of CNAMEs | `list(string)` | n/a | yes | +| [app\_id](#input\_app\_id) | Application ID and S3 folder | `string` | n/a | yes | +| [apps\_folder](#input\_apps\_folder) | Folder where apps are stored, must end with /. | `string` | `"apps/"` | no | +| [certificate\_arn](#input\_certificate\_arn) | AWS ACM certificate ARN. | `string` | n/a | yes | +| [certificate\_minimum\_protocol\_version](#input\_certificate\_minimum\_protocol\_version) | The minimum version of the SSL protocol that you want to use for HTTPS. | `string` | `"TLSv1.2_2019"` | no | +| [context](#input\_context) | Project context. |
object({
namespace = string
stage = string
name = string
})
| n/a | yes | +| [custom\_error\_responses](#input\_custom\_error\_responses) | List of custom error responses for distribution. |
list(object({
error_code = number
error_caching_min_ttl = number
response_code = number
response_page_path = string
}))
| `[]` | no | +| [default\_root\_object](#input\_default\_root\_object) | The object that you want CDN to return when an user requests the root URL. | `string` | `"index.html"` | no | +| [price\_class](#input\_price\_class) | Cloudfront distribution's price class. | `string` | `"PriceClass_100"` | no | +| [s3\_bucket](#input\_s3\_bucket) | S3 bucket for Cloudfront origin. | `string` | n/a | yes | +| [tags](#input\_tags) | Tags attached to Cloudfront distribution. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | CDN distribution ARN. | +| [domain\_name](#output\_domain\_name) | CDN distribution's domain name. | +| [hosted\_zone\_id](#output\_hosted\_zone\_id) | CDN Route 53 zone ID. | +| [id](#output\_id) | CDN distribution ID. | +| [s3\_origin\_arn](#output\_s3\_origin\_arn) | S3 Origin ARN with origin path | + \ No newline at end of file diff --git a/modules/cloudfront-app/main.tf b/modules/cloudfront-app/main.tf new file mode 100644 index 0000000..d7498cd --- /dev/null +++ b/modules/cloudfront-app/main.tf 
@@ -0,0 +1,88 @@ +locals { + origin_id = "s3-origin" + origin_path = "/${var.apps_folder}${var.app_id}" # /apps/your-app-id + + tags = merge({ + "context.namespace" = var.context.namespace + "context.stage" = var.context.stage + "context.name" = var.context.name + }, var.tags) +} + +data "aws_s3_bucket" "apps" { + bucket = var.s3_bucket +} + +resource "random_id" "prefix" { + byte_length = 2 +} + +resource "aws_cloudfront_distribution" "this" { + comment = "Application ${var.app_id}-${random_id.prefix.hex}" + enabled = true + is_ipv6_enabled = true + default_root_object = var.default_root_object + aliases = var.aliases + price_class = var.price_class + + viewer_certificate { + cloudfront_default_certificate = var.certificate_arn == "" ? true : false + acm_certificate_arn = var.certificate_arn + minimum_protocol_version = var.certificate_arn == "" ? null : var.certificate_minimum_protocol_version + + # sni-only is preferred, vip causes CloudFront to use a dedicated IP address and may incur extra charges. + ssl_support_method = var.certificate_arn == "" ? 
null : "sni-only" + } + + restrictions { + geo_restriction { + restriction_type = "none" + } + } + + origin { + # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-origin.html + origin_id = local.origin_id # must be unique within distribution + origin_path = local.origin_path + domain_name = data.aws_s3_bucket.apps.bucket_regional_domain_name + origin_access_control_id = aws_cloudfront_origin_access_control.this.id + } + + + default_cache_behavior { + target_origin_id = local.origin_id + cache_policy_id = "658327ea-f89d-4fab-a63d-7e88639e58f6" # CachingOptimized + response_headers_policy_id = "e61eb60c-9c35-4d20-a928-2b84e02af89c" # CORS-and-SecurityHeaders + allowed_methods = ["GET", "HEAD", "OPTIONS"] + cached_methods = ["GET", "HEAD"] + viewer_protocol_policy = "redirect-to-https" + } + + # make sure frontend router works by redirection missing paths to index.html + custom_error_response { + error_code = 403 + error_caching_min_ttl = 0 + response_code = 200 + response_page_path = "/" + } + + dynamic "custom_error_response" { + for_each = var.custom_error_responses + + content { + error_code = custom_error_response.value.error_code + error_caching_min_ttl = custom_error_response.value.error_caching_min_ttl + response_code = custom_error_response.value.response_code + response_page_path = custom_error_response.value.response_page_path + } + } + + tags = merge(local.tags, { "resource.group" = "network" }) +} + +resource "aws_cloudfront_origin_access_control" "this" { + name = "app-${var.app_id}-${random_id.prefix.hex}" + origin_access_control_origin_type = "s3" + signing_behavior = "always" + signing_protocol = "sigv4" +} diff --git a/modules/cloudfront-app/outputs.tf b/modules/cloudfront-app/outputs.tf new file mode 100644 index 0000000..9774264 --- /dev/null +++ b/modules/cloudfront-app/outputs.tf 
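Review bot: The fixed `custom_error_response` for 403 turns every access denial into a 200 with the root object, so a bucket-policy or OAC misconfiguration surfaces as a blank application load rather than an error; the comment above it should say so and fix its wording, e.g. `# SPA routing: with OAC and no ListBucket grant, S3 answers 403 (not 404) for missing keys, so map 403 to index.html.` followed by `# Note: this also hides genuine AccessDenied responses from viewers.` The hard-coded `cache_policy_id` / `response_headers_policy_id` UUIDs would read better resolved by name via `data "aws_cloudfront_cache_policy"` and `data "aws_cloudfront_response_headers_policy"` so the intent is visible without the trailing comments. `cloudfront_default_certificate = var.certificate_arn == "" ? true : false` can simply be `var.certificate_arn == ""`. The distribution has no `logging_config`; if access logs are wanted for operations, exposing one as an optional variable would help.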
@@ -0,0 +1,24 @@ +output "id" { + value = aws_cloudfront_distribution.this.id + description = "CDN distribution ID." +} + +output "arn" { + value = aws_cloudfront_distribution.this.arn + description = "CDN distribution ARN." +} + +output "domain_name" { + value = aws_cloudfront_distribution.this.domain_name + description = "CDN distribution's domain name." +} + +output "hosted_zone_id" { + value = aws_cloudfront_distribution.this.hosted_zone_id + description = "CDN Route 53 zone ID." +} + +output "s3_origin_arn" { + value = "${data.aws_s3_bucket.apps.arn}${local.origin_path}/*" + description = "S3 Origin ARN with origin path" +} diff --git a/modules/cloudfront-app/variables.tf b/modules/cloudfront-app/variables.tf new file mode 100644 index 0000000..a7dc7af --- /dev/null +++ b/modules/cloudfront-app/variables.tf 
@@ -0,0 +1,77 @@ +# required + +variable "app_id" { + type = string + description = "Application ID and S3 folder" +} + +variable "context" { + description = "Project context." + + type = object({ + namespace = string + stage = string + name = string + }) +} + +variable "aliases" { + type = list(string) + description = "List of CNAMEs" +} + +variable "certificate_arn" { + type = string + description = "AWS ACM certificate ARN." +} + +variable "s3_bucket" { + type = string + description = "S3 bucket for Cloudfront origin." +} + +# optional + +variable "apps_folder" { + type = string + description = "Folder where apps are stored, must end with /." + default = "apps/" +} + +variable "tags" { + type = map(string) + description = "Tags attached to Cloudfront distribution." + default = {} +} + +variable "custom_error_responses" { + type = list(object({ + error_code = number + error_caching_min_ttl = number + response_code = number + response_page_path = string + })) + + default = [] + + description = "List of custom error responses for distribution." +} + +variable "certificate_minimum_protocol_version" { + # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#minimum_protocol_version + type = string + default = "TLSv1.2_2019" + description = "The minimum version of the SSL protocol that you want to use for HTTPS." +} + +variable "default_root_object" { + type = string + description = "The object that you want CDN to return when an user requests the root URL." + default = "index.html" +} + +variable "price_class" { + type = string + description = "Cloudfront distribution's price class." + default = "PriceClass_100" +} \ No newline at end of file diff --git a/modules/rename_me/versions.tf b/modules/cloudfront-app/versions.tf similarity index 53% rename from modules/rename_me/versions.tf rename to modules/cloudfront-app/versions.tf index ce0d09a..aee38df 100644 --- a/modules/rename_me/versions.tf 
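Review bot: `apps_folder` documents "must end with /" but nothing enforces it, and `local.origin_path` in `main.tf` concatenates it directly with `var.app_id`, so a value without the trailing slash silently produces an origin path such as `/appsmy-app`; add a `validation` block (shown below, using `can(regex(...))` so it works across the whole `~> 1.0` range). `certificate_arn` should also document the sentinel the module relies on, e.g. `description = "AWS ACM certificate ARN; empty string uses the default CloudFront certificate (no aliases possible)."`. The file ends without a trailing newline (`\ No newline at end of file`).
```hcl
variable "apps_folder" {
  type        = string
  description = "Folder where apps are stored, must end with /."
  default     = "apps/"

  validation {
    condition     = can(regex("/$", var.apps_folder))
    error_message = "apps_folder must end with a trailing slash."
  }
}
```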
+++ b/modules/cloudfront-app/versions.tf @@ -4,7 +4,12 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.0" + version = "~> 5.0" + } + + random = { + source = "hashicorp/random" + version = "~> 3.0" } } } diff --git a/modules/cloudfront-deployment-policy/README.md b/modules/cloudfront-deployment-policy/README.md new file mode 100644 index 0000000..e23214b --- /dev/null +++ b/modules/cloudfront-deployment-policy/README.md @@ -0,0 +1,38 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [aws](#requirement\_aws) | ~> 5.0 | +| [random](#requirement\_random) | ~> 3.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 5.0 | +| [random](#provider\_random) | ~> 3.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [random_id.prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cloudfront\_arns](#input\_cloudfront\_arns) | list of cloudfront arns. | `list(string)` | n/a | yes | +| [s3\_bucket\_arn](#input\_s3\_bucket\_arn) | S3 bucket ARN. | `string` | n/a | yes | +| [s3\_origin\_arns](#input\_s3\_origin\_arns) | List of S3 Origin ARNs. | `list(string)` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | n/a | + \ No newline at end of file diff --git a/modules/cloudfront-deployment-policy/main.tf b/modules/cloudfront-deployment-policy/main.tf new file mode 100644 index 0000000..9cca9c3 --- /dev/null 
+++ b/modules/cloudfront-deployment-policy/main.tf @@ -0,0 +1,45 @@ +resource "random_id" "prefix" { + byte_length = 2 +} + +resource "aws_iam_policy" "this" { + name = "cloudfront-deployment-${random_id.prefix.hex}" + policy = data.aws_iam_policy_document.this.json +} + +data "aws_iam_policy_document" "this" { + version = "2012-10-17" + + statement { + sid = 1 + + actions = [ + "cloudfront:CreateInvalidation", + "cloudfront:GetInvalidation", + ] + + resources = var.cloudfront_arns + } + + statement { + sid = 2 + actions = [ + "s3:GetObject", + "s3:DeleteObject", + "s3:PutObject", + ] + + resources = var.s3_origin_arns + } + + statement { + actions = [ + "s3:ListBucket", + "s3:GetBucketLocation", + ] + + resources = [ + var.s3_bucket_arn, + ] + } +} diff --git a/modules/cloudfront-deployment-policy/output.tf b/modules/cloudfront-deployment-policy/output.tf new file mode 100644 index 0000000..efd19dd --- /dev/null +++ b/modules/cloudfront-deployment-policy/output.tf @@ -0,0 +1,3 @@ +output "arn" { + value = aws_iam_policy.this.arn +} diff --git a/modules/cloudfront-deployment-policy/variables.tf b/modules/cloudfront-deployment-policy/variables.tf new file mode 100644 index 0000000..ae00cce --- /dev/null +++ b/modules/cloudfront-deployment-policy/variables.tf @@ -0,0 +1,15 @@ + +variable "cloudfront_arns" { + description = "list of cloudfront arns." + type = list(string) +} + +variable "s3_origin_arns" { + description = "List of S3 Origin ARNs." + type = list(string) +} + +variable "s3_bucket_arn" { + description = "S3 bucket ARN." + type = string +} diff --git a/modules/cloudfront-deployment-policy/versions.tf b/modules/cloudfront-deployment-policy/versions.tf new file mode 100644 index 0000000..aee38df --- /dev/null +++ b/modules/cloudfront-deployment-policy/versions.tf 
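Review bot: The third statement grants `s3:ListBucket` on the whole bucket ARN with no `s3:prefix` condition, so a deployment principal for one app can enumerate the keys of every other app in the bucket even though the object-level statement is scoped to `var.s3_origin_arns`. The `apps_folder`/`app_id` layout of the cloudfront-app module suggests several apps share one bucket; if so, consider an optional list of allowed prefixes and a `condition { test = "StringLike" variable = "s3:prefix" values = ... }` on that statement. The `sid` values `1` and `2` are numeric literals coerced to strings and the third statement has none; descriptive string Sids (`"AllowInvalidation"`, `"AllowObjectDeploy"`, `"AllowBucketList"`) would match the bucket-policy module's `AllowCloudFrontServicePrincipalReadOnly` style.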
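Review bot: `output "arn"` has no `description`, which is why the generated README in this commit lists it as `n/a`; add `description = "Deployment IAM policy ARN."`. Every output in `modules/cloudfront-app/outputs.tf` carries one, so this keeps the modules consistent.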
@@ -0,0 +1,16 @@ +terraform { + required_version = "~> 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + + random = { + source = "hashicorp/random" + version = "~> 3.0" + } + } +} + diff --git a/modules/cloudfront-s3-origin-bucket-policy/README.md b/modules/cloudfront-s3-origin-bucket-policy/README.md new file mode 100644 index 0000000..1302e64 --- /dev/null +++ b/modules/cloudfront-s3-origin-bucket-policy/README.md @@ -0,0 +1,29 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [aws](#requirement\_aws) | ~> 5.0 | +| [random](#requirement\_random) | ~> 3.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 5.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cloudfront\_arns](#input\_cloudfront\_arns) | list of cloudfront arns. | `list(string)` | n/a | yes | +| [s3\_bucket](#input\_s3\_bucket) | Name of S3 bucket. | `string` | n/a | yes | + \ No newline at end of file diff --git a/modules/cloudfront-s3-origin-bucket-policy/main.tf b/modules/cloudfront-s3-origin-bucket-policy/main.tf new file mode 100644 index 0000000..8c5fcab --- /dev/null +++ b/modules/cloudfront-s3-origin-bucket-policy/main.tf 
@@ -0,0 +1,32 @@ +# can only be one per bucket +resource "aws_s3_bucket_policy" "this" { + bucket = var.s3_bucket + policy = data.aws_iam_policy_document.this.json +} + +data "aws_iam_policy_document" "this" { + statement { + sid = "AllowCloudFrontServicePrincipalReadOnly" + effect = "Allow" + + actions = [ + "s3:GetObject" + ] + + resources = [ + "arn:aws:s3:::${var.s3_bucket}/*" + ] + + principals { + type = "Service" + identifiers = ["cloudfront.amazonaws.com"] + } + + condition { + test = "StringEquals" + variable = "AWS:SourceArn" + + values = var.cloudfront_arns + } + } +} diff --git a/modules/cloudfront-s3-origin-bucket-policy/variables.tf b/modules/cloudfront-s3-origin-bucket-policy/variables.tf new file mode 100644 index 0000000..bd1978c --- /dev/null +++ b/modules/cloudfront-s3-origin-bucket-policy/variables.tf @@ -0,0 +1,9 @@ +variable "s3_bucket" { + description = "Name of S3 bucket." + type = string +} + +variable "cloudfront_arns" { + description = "list of cloudfront arns." + type = list(string) +} \ No newline at end of file diff --git a/modules/cloudfront-s3-origin-bucket-policy/versions.tf b/modules/cloudfront-s3-origin-bucket-policy/versions.tf new file mode 100644 index 0000000..aee38df --- /dev/null +++ b/modules/cloudfront-s3-origin-bucket-policy/versions.tf @@ -0,0 +1,16 @@ +terraform { + required_version = "~> 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + + random = { + source = "hashicorp/random" + version = "~> 3.0" + } + } +} + diff --git a/modules/rename_me/README.md b/modules/rename_me/README.md deleted file mode 100644 index b81d2f4..0000000 --- a/modules/rename_me/README.md +++ /dev/null 
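Review bot: The resource ARN in the statement hard-codes the `aws` partition (`"arn:aws:s3:::${var.s3_bucket}/*"`), so the policy is wrong in the GovCloud and China partitions; use `data "aws_partition" "current" {}` and `"arn:${data.aws_partition.current.partition}:s3:::${var.s3_bucket}/*"`. The leading comment `# can only be one per bucket` would be clearer as `# S3 allows a single bucket policy; applying this resource replaces any policy already attached to the bucket.` so consumers know this module must own the bucket's policy. The statement itself follows the OAC pattern correctly: service principal plus `AWS:SourceArn` limited to `var.cloudfront_arns`.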
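Review bot: `required_providers` declares `hashicorp/random`, but this module's `main.tf` and `variables.tf` in this commit use only the `aws` provider (its README also lists only `aws` under Providers); drop the `random` block so consumers are not forced to install an unused provider. The same blob (`index 0000000..aee38df`) is used for `modules/cloudfront-deployment-policy/versions.tf` and `modules/cloudfront-app/versions.tf`, which do use `random_id`, so the change is only for this copy.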
@@ -1,33 +0,0 @@ - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | ~> 1.0 | -| [aws](#requirement\_aws) | ~> 4.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | ~> 4.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [context](#input\_context) | Project context. |
object({
namespace = string
stage = string
name = string
})
| n/a | yes | -| [todo](#input\_todo) | todo | `string` | n/a | yes | - -## Outputs - -| Name | Description | -|------|-------------| -| [todo](#output\_todo) | TODO. | - diff --git a/modules/rename_me/main.tf b/modules/rename_me/main.tf deleted file mode 100644 index aaf187f..0000000 --- a/modules/rename_me/main.tf +++ /dev/null @@ -1,3 +0,0 @@ -data "aws_region" "current" {} - -locals {} diff --git a/modules/rename_me/outputs.tf b/modules/rename_me/outputs.tf deleted file mode 100644 index 6c269fd..0000000 --- a/modules/rename_me/outputs.tf +++ /dev/null @@ -1,5 +0,0 @@ -output "todo" { - description = "TODO." - - value = "" -} diff --git a/modules/rename_me/variables.tf b/modules/rename_me/variables.tf deleted file mode 100644 index 33582e3..0000000 --- a/modules/rename_me/variables.tf +++ /dev/null @@ -1,18 +0,0 @@ -variable "context" { - description = "Project context." - - type = object({ - namespace = string - stage = string - name = string - }) -} - -variable "todo" { - description = "todo" - - type = string -} - -# optional -