Goal: Deploy a secure, fast, globally cached static site: no console clicks, no hardcoded IDs.
You'll build:
- Private S3 bucket (no public exposure!)
- CloudFront Origin Access Control (OAC): modern, secure origin authentication
- Bucket policy: least-privilege access for CloudFront
- Auto-upload of index.html, style.css, script.js
- HTTPS-ready distribution (default + ACM-ready)
| Approach | Risk | Cost | Performance | Security |
|---|---|---|---|---|
| Public S3 website endpoint (s3-website-us-east-1.amazonaws.com) | DDoS, data leaks | High (global data transfer) | Slow (no caching) | Open to the internet |
| S3 + CloudFront (Terraform) | None | Low (edge caching) | Fast (TTL, edge POPs) | Private bucket + OAC |
Key Insight:
CloudFront is more than a CDN; it's your security control plane:
- The S3 bucket stays private
- Users hit edge locations (Mumbai, Virginia, Sydney, ...)
- Requests never reach S3 unless there is a cache miss
```mermaid
flowchart LR
    A[User in India] -->|HTTPS| B[CloudFront Edge: Mumbai]
    C[User in US] -->|HTTPS| D[CloudFront Edge: Virginia]
    B -->|Cache HIT| A
    B -->|Cache MISS| E["S3 Bucket<br/>(private, us-east-1)"]
    D -->|Cache HIT| C
    D -->|Cache MISS| E
    E -.->|OAC Auth| B & D
```
Critical Components:
- s3:GetObject granted only to CloudFront (via an ARN condition on the distribution)
- default_root_object = "index.html"
- viewer_certificate = cloudfront_default_certificate (or ACM later)
- price_class = "PriceClass_100" (US/EU/CA only, cheaper!)

Project layout (/day14/):

```text
day14/
├── main.tf        # S3 + CloudFront resources
├── locals.tf      # Reusable values (origin_id)
├── variables.tf   # Inputs (bucket_name, environment)
├── www/           # Your static files
│   ├── index.html
│   ├── style.css
│   └── script.js
└── TASK.md        # Your challenge (ACM, Route 53, CI/CD)
```
main.tf: Core Resources