I am using the `aws_s3_bucket_website_configuration` resource to configure the S3 website redirect, and when I reference that in the `origin` block of the `aws_cloudfront_distribution` resource I get the following error:
Error: creating CloudFront Distribution: operation error CloudFront: CreateDistributionWithTags, https response error StatusCode: 400, RequestID: 123456789, InvalidArgument: The parameter Origin DomainName does not refer to a valid S3 bucket.
Here is the complete code:
```hcl
resource "aws_s3_bucket" "cf_s3_bucket" {
  bucket = var.cf_s3_bucket
}

resource "aws_s3_bucket_website_configuration" "cf_s3_bucket" {
  bucket = aws_s3_bucket.cf_s3_bucket.id

  redirect_all_requests_to {
    host_name = var.s3_redirect_destination
    protocol  = "https"
  }
}

resource "aws_cloudfront_origin_access_control" "cf_oac" {
  name                              = "travel"
  description                       = "travel policy"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

resource "aws_cloudfront_distribution" "s3_distribution" {
  comment = var.cf_dist_comment
  aliases = var.alt_domain_names

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = local.s3_origin_id

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
  }

  default_root_object = "index.html"
  enabled             = true
  http_version        = "http2"
  is_ipv6_enabled     = false

  origin {
    connection_attempts = 3
    connection_timeout  = 10
    # website endpoint (a custom origin) combined with an OAC, which only applies to S3 origins
    domain_name              = aws_s3_bucket_website_configuration.cf_s3_bucket.website_endpoint
    origin_access_control_id = aws_cloudfront_origin_access_control.cf_oac.id
    origin_id                = local.s3_origin_id
  }

  price_class = "PriceClass_100"

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = var.acm_cert_arn
    minimum_protocol_version = "TLSv1.2_2021"
    ssl_support_method       = "sni-only"
  }
}
```
If I change `domain_name` to `domain_name = aws_s3_bucket.cf_s3_bucket.bucket_regional_domain_name` then I do not get the error. However, when I look at the Origin in the CloudFront console I see this message:
This S3 bucket has static web hosting enabled. If you plan to use this distribution as a website, we recommend using the S3 website endpoint rather than the bucket endpoint.
Therefore, I have the wrong Origin domain value in CloudFront, which results in Access Denied in my browser, and I have to manually change it in the CloudFront console in order for the redirect to work.

My question is: can I use `domain_name = aws_s3_bucket_website_configuration.cf_s3_bucket.website_endpoint`, and if not, how do I get the correct value for `domain_name` in the `origin` block?
Yes, you can and should. But you have to configure it with the `custom_origin_config`, and it needs to be `http-only`.
```hcl
origin {
  # website endpoints are custom origins, so no origin_access_control_id here
  domain_name = aws_s3_bucket_website_configuration.cf_s3_bucket.website_endpoint
  origin_id   = local.s3_origin_id

  custom_origin_config {
    http_port              = 80
    https_port             = 443
    # S3 website endpoints only serve plain HTTP
    origin_protocol_policy = "http-only"
    origin_ssl_protocols   = ["TLSv1.2"]
  }
}
```
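An added check, not part of the question or answer above: a small Python script that scans `terraform show -json tfplan` output and flags CloudFront origins that point at an S3 website endpoint while still being wired as S3 origins (OAC attached, missing `custom_origin_config`, or a protocol policy other than `http-only`). The plan structure below is constructed for this example, and the website-endpoint hostname pattern is an assumption about the two forms AWS uses.

```python
"""Flag CloudFront origins that use an S3 website endpoint but are wired as S3 origins
(OAC attached or no custom_origin_config), the mismatch behind the error above."""
import re

# Assumption: website endpoints look like bucket.s3-website-us-east-1.amazonaws.com
# or bucket.s3-website.eu-central-1.amazonaws.com (dash or dot after s3-website).
WEBSITE_ENDPOINT = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")

# Constructed sample with the shape of planned_values in `terraform show -json`:
# one origin reproduces the question's config, the other the accepted answer.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [{
    "address": "aws_cloudfront_distribution.s3_distribution",
    "type": "aws_cloudfront_distribution",
    "values": {"origin": [
        {"origin_id": "question", "origin_access_control_id": "E1EXAMPLEOAC",
         "domain_name": "travel.s3-website-us-east-1.amazonaws.com",
         "custom_origin_config": []},
        {"origin_id": "answer", "origin_access_control_id": None,
         "domain_name": "travel.s3-website-us-east-1.amazonaws.com",
         "custom_origin_config": [{"origin_protocol_policy": "http-only"}]},
    ]}}]}}}


def walk_resources(module):
    """Yield every resource in the module tree, including child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)


def check_origins(plan):
    """Return (resource address, origin_id, problem) for each bad website origin."""
    findings = []
    for res in walk_resources(plan["planned_values"]["root_module"]):
        if res["type"] != "aws_cloudfront_distribution":
            continue
        for origin in res["values"].get("origin") or []:
            if not WEBSITE_ENDPOINT.search(origin.get("domain_name") or ""):
                continue  # regular bucket endpoint: an OAC belongs there
            where = (res["address"], origin.get("origin_id"))
            if origin.get("origin_access_control_id"):
                findings.append(where + ("OAC attached to a website endpoint",))
            cfg = origin.get("custom_origin_config") or []
            if not cfg:
                findings.append(where + ("website endpoint needs custom_origin_config",))
            elif cfg[0].get("origin_protocol_policy") != "http-only":
                findings.append(where + ("website endpoints only serve HTTP; use http-only",))
    return findings
```

To run it against a real plan, load `terraform show -json tfplan` with `json.load` and pass the result to `check_origins` in place of `SAMPLE_PLAN`.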