riboseinc / terraform-aws-s3-cloudfront-website

Terraform module for creating a static S3 website with CloudFront with an SSL certificate (e.g., from ACM)
Apache License 2.0

Sample usage return a 403 #19

Closed jenkins-wayonara closed 5 years ago

jenkins-wayonara commented 5 years ago

Hi all, I have tried the sample usage but it returns a 403

terraform {
  backend "s3" {
    bucket = "stag.example.it-status"
    key    = "terraform/terraform.tfstate"
    region = "eu-west-1"
  }
}

# AWS Region for S3 and other resources
provider "aws" {
  region = "us-west-1"
  alias = "main"
}

# AWS Region for Cloudfront (ACM certs only supports us-east-1)
provider "aws" {
  region = "us-east-1"
  alias = "cloudfront"
}

# Variables
variable "fqdn" {
  description = "The fully-qualified domain name of the resulting S3 website."
  default     = "stag.example.it"
}

variable "domain" {
  description = "The domain name."
  default     = "example.it"
}

# Allowed IPs that can directly access the S3 bucket
variable "allowed_ips" {
  type = "list"
  default = [ "999.999.999.999/32" ]
}

# Using this module
module "main" {
  source = "github.com/riboseinc/terraform-aws-s3-cloudfront-website"

  fqdn = "${var.fqdn}"
  ssl_certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}"
  allowed_ips = "${var.allowed_ips}"

  index_document = "index.html"
  error_document = "404.html"

  refer_secret = "${base64sha512("REFER-SECRET-19265125-${var.fqdn}-52865926")}"

  force_destroy = "true"

  providers {
    "aws.main" = "aws.main"
    "aws.cloudfront" = "aws.cloudfront"
  }

  # Optional WAF Web ACL ID, defaults to none.
  #web_acl_id = "${data.terraform_remote_state.site.waf-web-acl-id}"
}

# ACM Certificate generation

resource "aws_acm_certificate" "cert" {
  provider          = "aws.cloudfront"
  domain_name       = "${var.fqdn}"
  validation_method = "DNS"
}

resource "aws_route53_record" "cert_validation" {
  provider = "aws.cloudfront"
  name     = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
  type     = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
  zone_id  = "${data.aws_route53_zone.main.id}"
  records  = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
  ttl      = 60
}

resource "aws_acm_certificate_validation" "cert" {
  provider                = "aws.cloudfront"
  certificate_arn         = "${aws_acm_certificate.cert.arn}"
  validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
}

# Route 53 record for the static site

data "aws_route53_zone" "main" {
  provider     = "aws.main"
  name         = "${var.domain}"
  private_zone = false
}

resource "aws_route53_record" "web" {
  provider = "aws.main"
  zone_id  = "${data.aws_route53_zone.main.zone_id}"
  name     = "${var.fqdn}"
  type     = "A"

  alias {
    name    = "${module.main.cf_domain_name}"
    zone_id = "${module.main.cf_hosted_zone_id}"
    evaluate_target_health = false
  }
}

# Outputs

output "s3_domain" {
  value = "${module.main.s3_website_endpoint}"
}

output "route53_fqdn" {
  value = "${aws_route53_record.web.fqdn}"
}

output "acm_certificate_arn" {
  value = "${aws_acm_certificate_validation.cert.certificate_arn}"
}

ronaldtse commented 5 years ago

@jenkins-wayonara thanks for the report.

The first issue I noticed is this section:

# Allowed IPs that can directly access the S3 bucket
variable "allowed_ips" {
  type = "list"
  default = [ "999.999.999.999/32" ]
}

The 403 is probably due to setting allowed_ips to an invalid IP. If you leave this empty, like this, it should work:

# Allowed IPs that can directly access the S3 bucket
variable "allowed_ips" {
  type = "list"
  default = [ "" ]
}
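
As an added example (not the module's own code and not part of the configuration posted in this issue), this is how the same variable can be declared in Terraform 0.13+ syntax so that an entry like 999.999.999.999/32 is rejected at plan time instead of reaching the bucket policy and surfacing as a 403. It keeps the convention used in this thread that an empty string means no direct access to the bucket; the description text and the 203.0.113.10/32 sample value in the error message are assumptions.

```hcl
# Allowed IPs that can directly access the S3 bucket.
# Assumed example: validation added here, not taken from the module.
variable "allowed_ips" {
  description = "CIDR blocks allowed to reach the S3 bucket directly. An empty string means none."
  type        = list(string)
  default     = [""]

  validation {
    # cidrhost() raises an error for anything that is not a syntactically
    # valid CIDR block, so can() turns that into a true/false test per entry.
    # The empty string is accepted to match the convention above.
    condition = alltrue([
      for cidr in var.allowed_ips : cidr == "" || can(cidrhost(cidr, 0))
    ])
    error_message = "Every allowed_ips entry must be a valid CIDR block, e.g. 203.0.113.10/32, or an empty string for no direct access."
  }
}
```

With this in place, terraform plan fails with the error message above for the 999.999.999.999/32 placeholder, so the invalid address never becomes part of a deployed policy.
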

jenkins-wayonara commented 5 years ago

Fixed. Can I suggest using default = [ "" ] in the example to avoid misunderstanding?

Tnx guys

ronaldtse commented 5 years ago

@jenkins-wayonara good idea, done in #20. Thanks for the confirmation!