feat: harden static-site further + refactor

static-site/README.md

@@ -24,13 +24,13 @@ module "static_site" {
   bucket_name = "example.org"
   hosted_zone = "my-hosted_zone"
 
-  restriction = {
+  geo_restriction = {
     type      = "none"
     locations = []
   }
 
   viewer_certificate = {
-    minimum_protocol_version = "TLSv1.2_2021"
+    minimum_protocol_version = "TLSv1.2_2025"
   }
 
   tags = {

static-site/cloudfront.tf

@@ -5,19 +5,26 @@ resource "aws_cloudfront_distribution" "static_site" {
   is_ipv6_enabled     = true
   default_root_object = "index.html"
 
-  origin {
-    domain_name              = aws_s3_bucket.static_site.bucket_regional_domain_name
-    origin_id                = "S3-${aws_s3_bucket.static_site.bucket}"
-    origin_access_control_id = aws_cloudfront_origin_access_control.oac.id
+  viewer_certificate {
+    acm_certificate_arn            = aws_acm_certificate.cloudfront_cert.arn
+    ssl_support_method             = "sni-only"
+    minimum_protocol_version       = var.viewer_certificate.minimum_protocol_version
+    cloudfront_default_certificate = false
   }
 
   restrictions {
     geo_restriction {
-      restriction_type = var.cloudfront.restriction.type
-      locations        = var.cloudfront.restriction.locations
+      restriction_type = var.geo_restriction.type
+      locations        = var.geo_restriction.locations
     }
   }
 
+  origin {
+    domain_name              = aws_s3_bucket.static_site.bucket_regional_domain_name
+    origin_id                = "S3-${aws_s3_bucket.static_site.bucket}"
+    origin_access_control_id = aws_cloudfront_origin_access_control.oac.id
+  }
+
   default_cache_behavior {
     target_origin_id           = "S3-${aws_s3_bucket.static_site.bucket}"
     response_headers_policy_id = aws_cloudfront_response_headers_policy.cloudfront.id
@@ -36,13 +43,6 @@ resource "aws_cloudfront_distribution" "static_site" {
     viewer_protocol_policy = "redirect-to-https"
   }
 
-  viewer_certificate {
-    acm_certificate_arn            = aws_acm_certificate.cloudfront_cert.arn
-    ssl_support_method             = "sni-only"
-    minimum_protocol_version       = var.cloudfront.viewer_certificate.minimum_protocol_version
-    cloudfront_default_certificate = false
-  }
-
   custom_error_response {
     error_code            = 403
     response_code         = 200

static-site/data.tf

@@ -1,3 +1,5 @@
+data "aws_caller_identity" "current" {}
+
 data "aws_route53_zone" "hosted_zone" {
   count        = local.create_hosted_zone ? 0 : 1
   name         = var.hosted_zone
@@ -6,7 +8,7 @@ data "aws_route53_zone" "hosted_zone" {
 
 data "aws_iam_policy_document" "cloudfront_to_s3" {
   statement {
-    sid = "AllowCloudFrontToAccessBucket"
+    sid       = "AllowCloudFrontToAccessBucket"
     actions   = ["s3:GetObject"]
     resources = ["${aws_s3_bucket.static_site.arn}/*"]
 
@@ -18,9 +20,13 @@ data "aws_iam_policy_document" "cloudfront_to_s3" {
     condition {
       test     = "StringEquals"
       variable = "AWS:SourceArn"
-      values = [
-        aws_cloudfront_distribution.static_site.arn
-      ]
+      values   = [aws_cloudfront_distribution.static_site.arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
     }
   }
 }

static-site/variables.tf

@@ -19,34 +19,26 @@ variable "domains" {
   }
 }
 
-variable "cloudfront" {
+variable "geo_restriction" {
   type = object({
-    restriction = optional(object({
-      type      = string
-      locations = list(string)
-      }),
-      {
-        type      = "none"
-        locations = []
-    })
+    type      = optional(string, "none")
+    locations = optional(list(string), [])
+  })
+  default = {
+    type      = "none"
+    locations = []
+  }
+  description = "GEO restriction configuration for the CloudFront distribution"
+}
 
-    viewer_certificate = optional(object({
-      minimum_protocol_version = string
-      }),
-      {
-        minimum_protocol_version = "TLSv1.2_2021"
-    })
+variable "viewer_certificate" {
+  type = object({
+    minimum_protocol_version = optional(string, "TLSv1.2_2025")
   })
   default = {
-    restriction = {
-      type      = "none"
-      locations = []
-    }
-    viewer_certificate = {
-      minimum_protocol_version = "TLSv1.2_2021"
-    }
+    minimum_protocol_version = "TLSv1.2_2025"
   }
-  description = "Additional configuration options for the CloudFront distribution"
+  description = "Viewer certificate configuration for the CloudFront distribution"
 }
 
 variable "tags" {