diff --git a/terraform/cloudfront/.terraform.lock.hcl b/terraform/cloudfront/.terraform.lock.hcl
new file mode 100644
index 0000000..b3fe162
--- /dev/null
+++ b/terraform/cloudfront/.terraform.lock.hcl
@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "5.35.0"
+ constraints = "~> 5.0"
+ hashes = [
+ "h1:fggCACmhwwn6NOo3D6xY6WDyZfBSbMIb47X/MOC+zqE=",
+ "zh:3a2a6f40db82d30ea8c5e3e251ca5e16b08e520570336e7e342be823df67e945",
+ "zh:420a23b69b412438a15b8b2e2c9aac2cf2e4976f990f117e4bf8f630692d3949",
+ "zh:4d8b887f6a71b38cff77ad14af9279528433e279eed702d96b81ea48e16e779c",
+ "zh:4edd41f8e1c7d29931608a7b01a7ae3d89d6f95ef5502cf8200f228a27917c40",
+ "zh:6337544e2ded5cf37b55a70aa6ce81c07fd444a2644ff3c5aad1d34680051bdc",
+ "zh:668faa3faaf2e0758bf319ea40d2304340f4a2dc2cd24460ddfa6ab66f71b802",
+ "zh:79ddc6d7c90e59fdf4a51e6ea822ba9495b1873d6a9d70daf2eeaf6fc4eb6ff3",
+ "zh:885822027faf1aa57787f980ead7c26e7d0e55b4040d926b65709b764f804513",
+ "zh:8c50a8f397b871388ff2e048f5eb280af107faa2e8926694f1ffd9f32a7a7cdf",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:a2f5d2553df5573a060641f18ee7585587047c25ba73fd80617f59b5893d22b4",
+ "zh:c43833ae2a152213ee92eb5be7653f9493779eddbe0ce403ea49b5f1d87fd766",
+ "zh:dab01527a3a55b4f0f958af6f46313d775e27f9ad9d10bedbbfea4a35a06dc5f",
+ "zh:ed49c65620ec42718d681a7fc00c166c295ff2795db6cede2c690b83f9fb3e65",
+ "zh:f0a358c0ae1087c466d0fbcc3b4da886f33f881a145c3836ec43149878b86a1a",
+ ]
+}
diff --git a/terraform/cloudfront/buckets.tf b/terraform/cloudfront/buckets.tf
new file mode 100644
index 0000000..d7844e1
--- /dev/null
+++ b/terraform/cloudfront/buckets.tf
@@ -0,0 +1,32 @@
+data "aws_s3_bucket" "bucket" {
+ for_each = toset(var.buckets)
+
+ bucket = each.value
+}
+
+resource "aws_s3_bucket_policy" "policy" {
+ for_each = toset(var.buckets)
+
+ bucket = data.aws_s3_bucket.bucket[each.value].id
+
+ policy = jsonencode({
+ "Version" = "2008-10-17",
+ "Id": "PolicyForCloudFrontPrivateContent",
+ "Statement" = [
+ {
+ "Sid" = "AllowCloudFrontServicePrincipal"
+ "Effect" = "Allow",
+ "Principal" = {
+ "Service" = "cloudfront.amazonaws.com"
+ },
+ "Action" = "s3:GetObject",
+ "Resource" = "${data.aws_s3_bucket.bucket[each.value].arn}/*",
+ "Condition" = {
+ "StringEquals" = {
+ "AWS:SourceArn": "arn:aws:cloudfront::508259851457:distribution/${aws_cloudfront_distribution.distribution[each.value].id}"
+ }
+ }
+ }
+ ]
+ })
+}
\ No newline at end of file
diff --git a/terraform/cloudfront/distributions.tf b/terraform/cloudfront/distributions.tf
new file mode 100644
index 0000000..48c8524
--- /dev/null
+++ b/terraform/cloudfront/distributions.tf
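Review bot: The `AWS:SourceArn` condition in the bucket policy hard-codes the account ID `508259851457` into the distribution ARN, so applying this module in any other account produces a condition that never matches the real distribution and CloudFront gets AccessDenied on every object, with nothing in the plan flagging why. The distribution resource already exposes its ARN, so the line can simply be `"AWS:SourceArn" = aws_cloudfront_distribution.distribution[each.value].arn`, which keeps account and region out of the source. The same object mixes `=` and `:` as key separators (`"Id":` and `"AWS:SourceArn":` against `=` everywhere else); both parse, but one style should be used. Because the buckets come from data sources, `aws_s3_bucket_policy` here replaces whatever policy the bucket already had, which deserves a one-line comment such as `# Replaces any existing bucket policy; merge other grants here if the bucket has them.`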
@@ -0,0 +1,39 @@
+resource "aws_cloudfront_distribution" "distribution" {
+ for_each = toset(var.buckets)
+
+ origin {
+ domain_name = data.aws_s3_bucket.bucket[each.value].bucket_regional_domain_name
+ origin_id = data.aws_s3_bucket.bucket[each.value].bucket_regional_domain_name
+ origin_access_control_id = aws_cloudfront_origin_access_control.origin_access[each.value].id
+
+ origin_shield {
+ enabled = true
+ origin_shield_region = "ap-northeast-2"
+ }
+ }
+
+ enabled = true
+ is_ipv6_enabled = true
+ comment = "Alert Images CDN - S3 Bucket: dsk-alert-images"
+ price_class = "PriceClass_200"
+
+ restrictions {
+ geo_restriction {
+ restriction_type = "whitelist"
+ locations = ["KR"]
+ }
+ }
+
+ default_cache_behavior {
+ cache_policy_id = "658327ea-f89d-4fab-a63d-7e88639e58f6"
+ allowed_methods = ["GET", "HEAD"]
+ cached_methods = ["GET", "HEAD"]
+ target_origin_id = data.aws_s3_bucket.bucket[each.value].bucket_regional_domain_name
+ compress = true
+ viewer_protocol_policy = "redirect-to-https"
+ }
+
+ viewer_certificate {
+ cloudfront_default_certificate = true
+ }
+}
\ No newline at end of file
diff --git a/terraform/cloudfront/main.tf b/terraform/cloudfront/main.tf
new file mode 100644
index 0000000..2a5ccf3
--- /dev/null
+++ b/terraform/cloudfront/main.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+ region = var.aws_region
+}
\ No newline at end of file
diff --git a/terraform/cloudfront/origin-access.tf b/terraform/cloudfront/origin-access.tf
new file mode 100644
index 0000000..c1de55c
--- /dev/null
+++ b/terraform/cloudfront/origin-access.tf
@@ -0,0 +1,8 @@
+resource "aws_cloudfront_origin_access_control" "origin_access" {
+ for_each = toset(var.buckets)
+
+ name = data.aws_s3_bucket.bucket[each.value].bucket_regional_domain_name
+ origin_access_control_origin_type = "s3"
+ signing_behavior = "always"
+ signing_protocol = "sigv4"
+}
\ No newline at end of file
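Review bot: `comment` hard-codes `dsk-alert-images` although the resource is created once per entry of `var.buckets` via `for_each`, so any second bucket gets a distribution described as belonging to the first; `comment = "Alert Images CDN - S3 Bucket: ${each.value}"` keeps it truthful. `origin_shield_region` repeats the literal `"ap-northeast-2"` that `var.aws_region` already defaults to in variables.tf; `origin_shield_region = var.aws_region` avoids the two drifting apart, assuming the buckets are in that region (Origin Shield should sit closest to the origin). The distribution declares no `logging_config`, so viewer requests to these buckets are not recorded anywhere; if that is deliberate, a short comment on the resource saying so spares the next reviewer the question. The cache policy UUID `658327ea-f89d-4fab-a63d-7e88639e58f6` would also read better with a comment naming the managed policy it refers to.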
diff --git a/terraform/cloudfront/variables.tf b/terraform/cloudfront/variables.tf
new file mode 100644
index 0000000..7d9282e
--- /dev/null
+++ b/terraform/cloudfront/variables.tf
@@ -0,0 +1,8 @@
+variable "aws_region" {
+ default = "ap-northeast-2"
+}
+
+variable "buckets" {
+ type = list(string)
+ default = ["dsk-alert-images"]
+}
\ No newline at end of file
diff --git a/terraform/cloudfront/version.tf b/terraform/cloudfront/version.tf
new file mode 100644
index 0000000..3f773c6
--- /dev/null
+++ b/terraform/cloudfront/version.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
\ No newline at end of file
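Review bot: `aws_region` declares no `type`, unlike `buckets` a few lines below, so a wrongly shaped value is only rejected when the provider block fails, not at variable validation; add `type = string`. Both variables lack a `description`, which is the only place a caller learns that `buckets` must name existing buckets (they are read through `data "aws_s3_bucket"` in buckets.tf); `description = "Names of existing S3 buckets to expose through CloudFront"` would do. version.tf in the same commit pins the provider to `~> 5.0` but sets no `required_version` for the Terraform CLI itself; one line in the `terraform` block makes the supported toolchain explicit.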