
terraform-aws-ecs-app-front


This terraform module is an AWS ECS Application Module (frontend component).

It is designed to be used with DNXLabs/terraform-aws-ecs (https://github.com/DNXLabs/terraform-aws-ecs) and DNXLabs/terraform-aws-ecs-app (https://github.com/DNXLabs/terraform-aws-ecs-app).

The following resources will be created:

  • CloudWatch metric alarm - Provides a CloudWatch Metric Alarm resource.
  • Application Load Balancer (ALB) CloudFront key - Key generated by the terraform-aws-ecs module to allow ALB connections from CloudFront only.
  • ALB DNS name - ALB DNS name that CloudFront will use as its origin.
  • Certificate Amazon Resource Name (ARN) - Certificate for this app to use in CloudFront (US region); it must cover the hostname.
  • CloudWatch log groups

In addition, you can optionally create or configure:

  • CloudFront 500 errors rate threshold
  • Simple Notification Service (SNS) topics, United States (US) - Alarm topics to create and alert on metrics in the US region
  • CloudFront forward headers - Headers to forward from CloudFront to the origin
  • CloudFront logging bucket - Bucket to store the app's access logs
  • CloudFront origin keepalive timeout - The amount of time, in seconds, that CloudFront maintains an idle connection with a custom origin server before closing the connection. Valid values are from 1 to 60 seconds.
  • CloudFront origin read timeout - The amount of time, in seconds, that CloudFront waits for a response from a custom origin. The value applies both to the time that CloudFront waits for an initial response and the time that CloudFront waits for each subsequent packet. Valid values are from 4 to 60 seconds.
  • Web Application Firewall (WAF) to attach to CloudFront
  • IAM certificate ID - Specifies the IAM certificate ID for the CloudFront distribution
  • Minimum protocol version - The minimum version of the SSL/TLS protocol that you want CloudFront to use for HTTPS connections. One of SSLv3, TLSv1, TLSv1_2016, TLSv1.1_2016 or TLSv1.2_2018. Default: TLSv1.2_2018.

NOTE: If you are using a custom certificate (specified with acm_certificate_arn or iam_certificate_id) and have specified sni-only in ssl_support_method, TLSv1 or later must be specified. If you have specified vip in ssl_support_method, only SSLv3 or TLSv1 can be specified. If you have specified cloudfront_default_certificate, TLSv1 must be specified.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| aws | >= 3.0.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 3.0.0 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| alarm_cloudfront_500_errors_threshold | CloudFront 500 errors rate threshold (use 0 to disable this alarm) | `number` | `5` | no |
| alarm_prefix | String prefix for CloudWatch alarms. (Optional) | `string` | `"alarm"` | no |
| alarm_sns_topics_us | Alarm topics to create and alert on metrics in the US region | `list(string)` | `[]` | no |
| alb_cloudfront_key | Key generated by the terraform-aws-ecs module to allow ALB connections from CloudFront | `string` | n/a | yes |
| alb_dns_name | ALB DNS name that CloudFront will use as its origin | `string` | n/a | yes |
| certificate_arn | Certificate for this app to use in CloudFront (US); must cover the hostname. | `string` | n/a | yes |
| cloudfront_forward_headers | Headers to forward from CloudFront to the origin | `list(string)` | `["*"]` | no |
| cloudfront_logging_bucket | Bucket to store logs from the app | `string` | `null` | no |
| cloudfront_logging_prefix | Logging prefix | `string` | `""` | no |
| cloudfront_origin_keepalive_timeout | The amount of time, in seconds, that CloudFront maintains an idle connection with a custom origin server before closing the connection. Valid values are from 1 to 60 seconds. | `number` | `5` | no |
| cloudfront_origin_read_timeout | The amount of time, in seconds, that CloudFront waits for a response from a custom origin. The value applies both to the time that CloudFront waits for an initial response and the time that CloudFront waits for each subsequent packet. Valid values are from 4 to 60 seconds. | `number` | `30` | no |
| dynamic_custom_error_response | One or more custom error response elements (multiples allowed) | `list(object({ error_code = optional(number), response_code = optional(number), response_page_path = optional(string) }))` | `[]` | no |
| dynamic_custom_origin_config | Configuration for the custom origin config to be used in a dynamic block | `any` | `[]` | no |
| dynamic_ordered_cache_behavior | Ordered cache behaviors to be used in a dynamic block | `any` | `[]` | no |
| hosted_zone | Existing hosted zone domain in which to add hostnames as DNS records | `string` | n/a | yes |
| hostname_create | Create hostnames in the hosted zone passed? | `bool` | `true` | no |
| hostnames | Hostnames to create DNS records for this app; the CloudFront distribution will accept these | `list(string)` | n/a | yes |
| iam_certificate_id | Specifies the IAM certificate ID for the CloudFront distribution | `string` | `null` | no |
| minimum_protocol_version | The minimum version of the SSL/TLS protocol that you want CloudFront to use for HTTPS connections. One of SSLv3, TLSv1, TLSv1_2016, TLSv1.1_2016 or TLSv1.2_2018. Default: TLSv1.2_2018. NOTE: If you are using a custom certificate (specified with acm_certificate_arn or iam_certificate_id) and have specified sni-only in ssl_support_method, TLSv1 or later must be specified. If you have specified vip in ssl_support_method, only SSLv3 or TLSv1 can be specified. If you have specified cloudfront_default_certificate, TLSv1 must be specified. | `string` | `"TLSv1.2_2018"` | no |
| name | Name of your ECS service | `string` | n/a | yes |
| record_type | Type of the record to create in Route 53 | `string` | `"CNAME"` | no |
| restriction_location | The ISO 3166-1-alpha-2 codes for which you want CloudFront either to distribute your content (whitelist) or not distribute your content (blacklist) | `list(any)` | `[]` | no |
| restriction_type | The restriction type of your CloudFront distribution geolocation restriction. Options include none, whitelist, blacklist | `string` | `"none"` | no |
| waf_cloudfront_enable | Enable WAF for the CloudFront distribution | `bool` | `false` | no |
| wafv2_managed_block_rule_groups | List of WAF V2 managed rule groups, set to block | `list(string)` | `[]` | no |
| wafv2_managed_rule_groups | List of WAF V2 managed rule groups, set to count | `list(string)` | `["AWSManagedRulesCommonRuleSet"]` | no |
| wafv2_rate_limit_rule | The limit on requests per 5-minute period for a single originating IP address (leave 0 to disable) | `number` | `0` | no |
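As an added example (not code from the DNXLabs repository), a module call that turns on the optional edge protections the inputs above expose: a TLS 1.2 floor, WAF managed rule groups in count and block mode, per-IP rate limiting, geo restriction, access logging and the 5xx alarm. The `?ref=` tag, the `module.ecs.*` output names, the ARNs, bucket name and hostnames are assumptions or constructed placeholders.

```hcl
# Added example, not part of the module. Output names on `module.ecs`, the
# release tag and every ARN/hostname below are assumptions or placeholders.
module "app_front" {
  source = "git::https://github.com/DNXLabs/terraform-aws-ecs-app-front.git?ref=<RELEASE_TAG>" # pin a release

  name            = "web-frontend"
  hostnames       = ["www.example.com"]
  hosted_zone     = "example.com"
  hostname_create = true
  record_type     = "CNAME"

  # Wiring from the terraform-aws-ecs module (output names assumed). The key
  # lets the ALB reject requests that did not come through this distribution.
  alb_dns_name       = module.ecs.alb_dns_name
  alb_cloudfront_key = module.ecs.alb_cloudfront_key

  # CloudFront needs the ACM certificate in us-east-1; it must cover every hostname.
  certificate_arn          = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"
  minimum_protocol_version = "TLSv1.2_2018" # the default; lower values admit SSLv3/TLS 1.0 clients

  # WAF: observe a rule group in count mode before promoting it to block mode.
  waf_cloudfront_enable           = true
  wafv2_managed_rule_groups       = ["AWSManagedRulesKnownBadInputsRuleSet"] # count only
  wafv2_managed_block_rule_groups = ["AWSManagedRulesCommonRuleSet"]         # block
  wafv2_rate_limit_rule           = 2000 # requests per 5 minutes per source IP; 0 disables

  # Serve only to the listed ISO 3166-1 alpha-2 countries.
  restriction_type     = "whitelist"
  restriction_location = ["AU", "NZ"]

  # The default "*" forwards every header, which disables caching at the edge;
  # forward only what the origin actually needs.
  cloudfront_forward_headers = ["Host"]

  # Access logs to S3 (bucket name is a placeholder) and a 5xx-rate alarm to SNS.
  cloudfront_logging_bucket             = "example-cloudfront-logs"
  cloudfront_logging_prefix             = "web-frontend/"
  alarm_cloudfront_500_errors_threshold = 5
  alarm_sns_topics_us                   = ["arn:aws:sns:us-east-1:123456789012:PLACEHOLDER-alerts"]

  # Map 403 to a generic 404 page so restricted paths are not advertised.
  dynamic_custom_error_response = [
    { error_code = 403, response_code = 404, response_page_path = "/404.html" },
  ]
}
```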

Outputs

| Name | Description |
|------|-------------|
| aws_cloudfront_origin_access_identity | Defines the CloudFront origin access identity |
| cloudfront_distribution_hostname | The hostname of the CloudFront distribution (use for a DNS CNAME). |
| cloudfront_distribution_id | The ID of the CloudFront distribution. |
| cloudfront_zone_id | The zone ID of the CloudFront distribution (use for a DNS alias). |

Authors

Module managed by DNX Solutions.

License

Apache 2 Licensed. See LICENSE for full details.