Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/timmeinerzhagen/terraform-aws-website-secure

Terraform module for deploying a secure website hosted on AWS utilizing Cognito Identity including external IdPs

Topics: auth, authentication, aws, cloudfront, cognito, lambda-at-edge, terraform, terraform-module, website

Last synced: 17 days ago

README

# terraform-aws-website-secure
Creates a private website behind a CloudFront distribution with SSL enabled. A custom Cognito hosted UI is put in front of it, so visitors must authenticate before any content is served.

The website files are hosted in an S3 bucket which is also created by the module.

# Usage
```hcl-terraform
module "website" {
  source = "timmeinerzhagen/website-secure/aws"

  name              = "tf-my-project"
  domain            = "example.com"
  custom_domain     = "example.com"
  domain_aliases    = ["www.example.com"]
  route53_zone_name = "example.com" # required: hosted zone used to validate the SSL certificates
  is_spa            = false
  csp = {
    allow_default  = ["api.mysite.com"]
    allow_script   = [] # every attribute of the csp object must be set, even when empty
    allow_style    = ["'unsafe-inline'"]
    allow_img      = ["data:"]
    allow_font     = []
    allow_frame    = []
    allow_manifest = []
    allow_connect  = []
  }

  cloudfront_cache_duration = 86400

  cognito_path_refresh_auth      = "/refreshauth"
  cognito_path_logout            = "/"
  cognito_path_parse_auth        = "/parseauth"
  cognito_refresh_token_validity = 3650
  cognito_additional_redirects   = ["http://localhost:3000"] # useful for development purposes
  cognito_domain_prefix          = "login"
}
```
## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0.2 |
| [archive](#requirement\_archive) | >= 2.2.0, < 3.0.0 |
| [aws](#requirement\_aws) | >= 3.61.0, < 4.0.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | 3.64.2 |
| [random](#provider\_random) | 3.1.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| [acm](#module\_acm) | terraform-aws-modules/acm/aws | ~> 3.0 |
| [cloudfront](#module\_cloudfront) | terraform-aws-modules/cloudfront/aws | 2.8.0 |
| [cognito-user-pool](#module\_cognito-user-pool) | lgallard/cognito-user-pool/aws | 0.14.2 |
| [lambda\_function](#module\_lambda\_function) | ./modules/lambda | n/a |
| [log\_bucket](#module\_log\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 2.0 |
| [records](#module\_records) | terraform-aws-modules/route53/aws//modules/records | 2.3.0 |
| [website-bucket](#module\_website-bucket) | terraform-aws-modules/s3-bucket/aws | ~> 2.0 |

## Resources

| Name | Type |
|------|------|
| [aws_route53_record.cognito-domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_s3_bucket_policy.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
| [aws_canonical_user_id.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/canonical_user_id) | data source |
| [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [cognito\_additional\_redirects](#input\_cognito\_additional\_redirects) | Additional URLs to allow cognito redirects to | `list(string)` | `[]` | no |
| [cognito\_domain\_prefix](#input\_cognito\_domain\_prefix) | The first part of the hosted UI login domain, as in https://[COGNITO_DOMAIN_PREFIX].[CUSTOM_DOMAIN]/ | `string` | `"login"` | no |
| [cognito\_path\_logout](#input\_cognito\_path\_logout) | Path relative to `custom_domain` to redirect to after logging out | `string` | `"/"` | no |
| [cognito\_path\_parse\_auth](#input\_cognito\_path\_parse\_auth) | Path relative to `custom_domain` to redirect to upon successful authentication | `string` | `"/parseauth"` | no |
| [cognito\_path\_refresh\_auth](#input\_cognito\_path\_refresh\_auth) | Path relative to `custom_domain` to redirect to when a token refresh is required | `string` | `"/refreshauth"` | no |
| [cognito\_refresh\_token\_validity](#input\_cognito\_refresh\_token\_validity) | Time until the refresh token expires and the user will be required to log in again | `number` | `3650` | no |
| [content\_html\_rewrite](#input\_content\_html\_rewrite) | Boolean, default false. If true, any URL where the final part does not contain a `.` will reference the S3 object with `html` appended. For example `https://example.com/home` would retrieve the file `home.html` from the website S3 bucket. | `bool` | `false` | no |
| [csp](#input\_csp) | Lists of allowed sources for the Content Security Policy, one list per directive. Typically you would list the URL of your API here if your pages access it. Every directive always includes `'self'`. | `object({ allow_default = list(string), allow_script = list(string), allow_style = list(string), allow_img = list(string), allow_font = list(string), allow_frame = list(string), allow_manifest = list(string), allow_connect = list(string) })` | `{ "allow_connect": [], "allow_default": [], "allow_font": ["https://fonts.gstatic.com"], "allow_frame": [], "allow_img": [], "allow_manifest": [], "allow_script": [], "allow_style": [] }` | no |
| [domain](#input\_domain) | The primary domain name to use for the website | `string` | n/a | yes |
| [domain\_aliases](#input\_domain\_aliases) | A set of alternative domain names. Typically this contains the same value as `custom_domain`, prefixed with `www.`. | `set(string)` | `[]` | no |
| [is\_spa](#input\_is\_spa) | If your website is a single page application (SPA), this sets up the CloudFront redirects such that whenever an object is not found, the file `index.html` is returned instead. | `bool` | `false` | no |
| [name](#input\_name) | A unique string to use for this module to make sure resources do not clash with others | `string` | n/a | yes |
| [route53\_zone\_name](#input\_route53\_zone\_name) | The name of the hosted zone in Route53 where the SSL certificates will be created | `string` | n/a | yes |
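The `csp` and `content_html_rewrite` inputs above describe two behaviours that end up in CloudFront (Lambda@Edge runs Node.js). The following is an added example, not the module's own Lambda@Edge code: it models how a Content-Security-Policy header is composed from the `csp` object and how the `content_html_rewrite` rule maps request URIs. The function names, the key-to-directive mapping and the trailing-slash handling are assumptions.

```javascript
// Added example (not the module's code). Map each `csp` input key to the CSP
// directive it feeds; this mapping is an assumption based on the key names.
const CSP_DIRECTIVES = {
  allow_default: "default-src", allow_script: "script-src", allow_style: "style-src",
  allow_img: "img-src", allow_font: "font-src", allow_frame: "frame-src",
  allow_manifest: "manifest-src", allow_connect: "connect-src",
};

// Build the Content-Security-Policy value. Every directive always includes 'self',
// so an empty list still yields a restrictive "<directive> 'self'" entry rather
// than falling back to the browser's permissive default.
function buildCsp(csp) {
  return Object.entries(CSP_DIRECTIVES)
    .map(([key, directive]) => [directive, "'self'", ...(csp[key] || [])].join(" "))
    .join("; ");
}

// content_html_rewrite: when the last path segment contains no '.', reference the
// S3 object with ".html" appended (/home -> /home.html). A trailing slash gives an
// empty last segment; it is left untouched here (assumption) so CloudFront's
// default root object handling applies.
function rewriteUri(uri, contentHtmlRewrite) {
  const last = uri.split("/").pop();
  if (!contentHtmlRewrite || last === "" || last.includes(".")) return uri;
  return `${uri}.html`;
}

// Attach the header in the shape a CloudFront origin-response handler uses
// (lower-cased header name as the key, list of {key, value} objects as the value).
function withCspHeader(response, csp) {
  const headers = { ...(response.headers || {}) };
  headers["content-security-policy"] = [
    { key: "Content-Security-Policy", value: buildCsp(csp) },
  ];
  return { ...response, headers };
}

// Constructed sample input mirroring the README usage block.
const SAMPLE_CSP = {
  allow_default: ["api.mysite.com"], allow_script: [], allow_style: ["'unsafe-inline'"],
  allow_img: ["data:"], allow_font: [], allow_frame: [], allow_manifest: [], allow_connect: [],
};

console.log(rewriteUri("/home", true));
console.log(withCspHeader({ status: "200" }, SAMPLE_CSP).headers["content-security-policy"][0].value);
```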

## Outputs

| Name | Description |
|------|-------------|
| [alternate\_urls](#output\_alternate\_urls) | Alternate URLs of the website |
| [url](#output\_url) | URL of the main website |