Terraform module for deploying a secure website hosted on AWS utilizing Cognito Identity including external IdPs

timmeinerzhagen/terraform-aws-website-secure

terraform-aws-website-secure

Creates a private website behind a CloudFront distribution with TLS enabled. A custom Cognito hosted UI is put in front of it, so visitors must sign in (through the user pool or a configured external IdP) before any content is served.

The website files are hosted in an S3 bucket which is also created by the module.

Usage

```hcl
module "website" {
  source = "timmeinerzhagen/website-secure/aws"

  name              = "tf-my-project"
  domain            = "example.com"
  route53_zone_name = "example.com"        # Route53 hosted zone for the domain (required, see Inputs)
  domain_aliases    = ["www.example.com"]
  is_spa            = false
  csp = {
    allow_default  = ["api.mysite.com"]
    allow_script   = []                    # every key of the csp object must be present
    allow_style    = ["'unsafe-inline'"]   # allows inline styles but weakens the policy; prefer hashes or nonces
    allow_img      = ["data:"]
    allow_font     = []
    allow_frame    = []
    allow_manifest = []
    allow_connect  = []
  }

  cloudfront_cache_duration = 86400        # seconds

  cognito_path_refresh_auth      = "/refreshauth"
  cognito_path_logout            = "/"
  cognito_path_parse_auth        = "/parseauth"
  cognito_refresh_token_validity = 3650    # days; 3650 is Cognito's maximum, shorten it for sensitive sites
  cognito_additional_redirects   = ["http://localhost:3000"] # for local development; Cognito accepts plain http only for localhost
  cognito_domain_prefix          = "login"
}
```
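To see what the csp object in the usage above turns into on the wire, the following added example (not code from the terraform-aws-website-secure module) assembles a Content-Security-Policy header value from such an object and flags sources that weaken the policy, such as the `'unsafe-inline'` in the example. It assumes, as the variable names suggest but the page does not spell out, that each allow_* list populates the directive of the same name, that 'self' is prepended to every directive, and that directives with no extra sources still emit `'self'`. The csp object it checks is a constructed copy of the one in the usage block.

```javascript
// Added example, not the module's own code: build the CSP header value the csp object
// would produce (assumed mapping: allow_* -> *-src, 'self' always first) and lint it.

const DIRECTIVES = {
  allow_default:  "default-src",
  allow_script:   "script-src",
  allow_style:    "style-src",
  allow_img:      "img-src",
  allow_font:     "font-src",
  allow_frame:    "frame-src",
  allow_manifest: "manifest-src",
  allow_connect:  "connect-src",
};

// Assemble the header value; missing keys are treated as empty lists.
function buildCsp(csp) {
  return Object.entries(DIRECTIVES)
    .map(([key, directive]) => {
      const extra = (csp[key] || []).filter((s) => s !== "'self'");
      return `${directive} 'self'${extra.length ? " " + extra.join(" ") : ""}`;
    })
    .join("; ");
}

// Report sources that undo most of what a CSP buys you.
function lintCsp(csp) {
  const findings = [];
  for (const [key, directive] of Object.entries(DIRECTIVES)) {
    for (const src of csp[key] || []) {
      if (src === "'unsafe-inline'" || src === "'unsafe-eval'") {
        findings.push(`${directive}: ${src} allows inline or eval'd code`);
      } else if (src === "*" || src.startsWith("http:")) {
        findings.push(`${directive}: ${src} permits any or plaintext origin`);
      } else if (src === "data:" && (directive === "script-src" || directive === "default-src")) {
        findings.push(`${directive}: data: URIs can carry executable content`);
      }
    }
  }
  return findings;
}

// Constructed sample input: the csp object from the usage block above.
const usageCsp = {
  allow_default:  ["api.mysite.com"],
  allow_script:   [],
  allow_style:    ["'unsafe-inline'"],
  allow_img:      ["data:"],
  allow_font:     [],
  allow_frame:    [],
  allow_manifest: [],
  allow_connect:  [],
};

console.log(buildCsp(usageCsp));
// default-src 'self' api.mysite.com; script-src 'self'; style-src 'self' 'unsafe-inline'; ...
console.log(lintCsp(usageCsp));
// [ "style-src: 'unsafe-inline' allows inline or eval'd code" ]
```

Note that `api.mysite.com` under allow_default also covers `connect-src` because directives without their own list fall back to `default-src`; if the API is only reached via fetch/XHR, putting it under allow_connect keeps `default-src` tighter.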

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.2 |
| archive | >= 2.2.0, < 3.0.0 |
| aws | >= 3.61.0, < 4.0.0 |

Providers

| Name | Version |
|------|---------|
| aws | 3.64.2 |
| random | 3.1.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| acm | terraform-aws-modules/acm/aws | ~> 3.0 |
| cloudfront | terraform-aws-modules/cloudfront/aws | 2.8.0 |
| cognito-user-pool | lgallard/cognito-user-pool/aws | 0.14.2 |
| lambda_function | ./modules/lambda | n/a |
| log_bucket | terraform-aws-modules/s3-bucket/aws | ~> 2.0 |
| records | terraform-aws-modules/route53/aws//modules/records | 2.3.0 |
| website-bucket | terraform-aws-modules/s3-bucket/aws | ~> 2.0 |

Resources

| Name | Type |
|------|------|
| aws_route53_record.cognito-domain | resource |
| aws_s3_bucket_policy.bucket_policy | resource |
| random_pet.this | resource |
| aws_canonical_user_id.current | data source |
| aws_iam_policy_document.s3_policy | data source |
| aws_route53_zone.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| cognito_additional_redirects | Additional URLs Cognito is allowed to redirect to after sign-in (for example a local development server) | `list(string)` | `[]` | no |
| cognito_domain_prefix | The first part of the hosted UI login domain, as in `https://[COGNITO_DOMAIN_PREFIX].[DOMAIN]/` | `string` | `"login"` | no |
| cognito_path_logout | Path relative to `domain` to redirect to after logging out | `string` | `"/"` | no |
| cognito_path_parse_auth | Path relative to `domain` to redirect to upon successful authentication | `string` | `"/parseauth"` | no |
| cognito_path_refresh_auth | Path relative to `domain` to redirect to when a token refresh is required | `string` | `"/refreshauth"` | no |
| cognito_refresh_token_validity | Days until the refresh token expires and the user must log in again. The default of 3650 is Cognito's maximum, so users stay signed in for ten years; shorten it for sensitive sites | `number` | `3650` | no |
| content_html_rewrite | If true, any URL whose final path segment contains no `.` is served from the S3 object with `.html` appended. For example `https://example.com/home` retrieves `home.html` from the website bucket | `bool` | `false` | no |
| csp | Extra sources to include in the Content Security Policy header. Each list populates the directive of the same name (`allow_default` feeds `default-src`, `allow_script` feeds `script-src`, and so on); `'self'` is always included. Typically you list your API's origin here if your pages call it | `object({ allow_default = list(string), allow_script = list(string), allow_style = list(string), allow_img = list(string), allow_font = list(string), allow_frame = list(string), allow_manifest = list(string), allow_connect = list(string) })` | `{ allow_connect = [], allow_default = [], allow_font = ["https://fonts.gstatic.com"], allow_frame = [], allow_img = [], allow_manifest = [], allow_script = [], allow_style = [] }` | no |
| domain | The primary domain name to use for the website | `string` | n/a | yes |
| domain_aliases | A set of alternative domain names. Typically this contains only `domain` prefixed with `www.` | `set(string)` | `[]` | no |
| is_spa | If your website is a single page application (SPA), CloudFront is configured so that whenever an object is not found, `index.html` is returned instead | `bool` | `false` | no |
| name | A unique string used to name this module's resources so they do not clash with others | `string` | n/a | yes |
| route53_zone_name | The name of the Route53 hosted zone for the domain; the TLS certificate validation records and the website's DNS records are created there | `string` | n/a | yes |
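The `content_html_rewrite` rule above is easy to get subtly wrong at the edges (directory paths, the Cognito callback paths), so here is an added example, not the module's own `./modules/lambda` code, of a CloudFront Functions style viewer-request handler that implements it: when the last path segment contains no `.`, the request is pointed at the S3 object with `.html` appended, so `/home` fetches `home.html`. Two behaviours are assumptions the page does not state: `/` and paths ending in `/` are left alone for the distribution's default root object, and the `cognito_path_parse_auth` / `cognito_path_refresh_auth` URIs are exempted so the auth handler still sees them unchanged. It is written to run under Node for testing; check the CloudFront Functions runtime restrictions before deploying it there.

```javascript
// Added example, not the module's own code: viewer-request URI rewrite implementing
// the content_html_rewrite rule (assumed: skip "/" and directory paths, skip auth paths).

// Assumed to mirror cognito_path_parse_auth and cognito_path_refresh_auth.
const AUTH_PATHS = ["/parseauth", "/refreshauth"];

function rewriteUri(uri) {
  if (uri === "" || uri.charAt(uri.length - 1) === "/") {
    return uri;                                  // let the default root object handle directories
  }
  if (AUTH_PATHS.indexOf(uri) !== -1) {
    return uri;                                  // never rewrite the Cognito callback paths
  }
  const last = uri.substring(uri.lastIndexOf("/") + 1);
  if (last.indexOf(".") !== -1) {
    return uri;                                  // already a file: /app.js, /img/logo.png
  }
  return uri + ".html";                          // /home -> /home.html
}

// CloudFront Functions event shape: event.request.uri is the path without the query string.
function handler(event) {
  const request = event.request;
  request.uri = rewriteUri(request.uri);
  return request;
}

// Constructed sample requests exercising each branch.
const samples = ["/home", "/docs/getting-started", "/app.js", "/", "/blog/", "/parseauth"];
for (const uri of samples) {
  console.log(uri + " -> " + handler({ request: { uri: uri } }).uri);
}
```

If the rewrite does not exempt the auth paths, a request to `/parseauth?code=...` would be sent to S3 as `parseauth.html` and the authorization code exchange would never run, which is the kind of failure that looks like a blank page rather than an error.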

Outputs

| Name | Description |
|------|-------------|
| alternate_urls | Alternate URLs of the website |
| url | URL of the main website |