TerraStack: Build Bulletproof AWS Static Sites
Deploy secure static websites on AWS with this Terraform toolkit. Automates S3, CloudFront, WAF, and DNS setup while optimizing costs and maintaining best practices.
Published Jan 18, 2025
In the ever-evolving landscape of the internet, websites have transitioned from simple information pages to complex systems that power businesses and personal platforms. This journey has been marked by numerous technological advancements, from the early days of static web pages served via Netscape to PHP admin to contemporary frameworks brimming with features that make development a breeze.
Today's digital age demands not only functionally rich websites but also ones that are secure, performant, and cost-effective. Amazon Web Services (AWS) has emerged as a leading cloud provider offering tools to meet these needs.
Herein lies the charm of this guide: we'll embark on a clear and concise journey to deploy a robust frontend architecture using AWS, all orchestrated with the mighty Terraform—an open-source Infrastructure as Code (IaC) tool that simplifies and automates deployment.
This walkthrough is tailored for individuals or businesses striving for an efficient and secure online presence without breaking the bank. We will meticulously set up storage with S3, manage domain names with Route 53, handle access with IAM, accelerate content delivery with CloudFront, and shield the site with WAF.
The best part? No prior extensive knowledge is required—as long as you grasp the basics of AWS services and Terraform, you're good to go. I bet it will be the easiest way for anyone to create a secure, compliant, highly available, and highly performant website from scratch before it becomes a task for AI assistance.
Feel free to leap over to the [completed code repository on GitHub](https://github.com/iKnowJavaScript/terraform-static-server) _(and don't forget to star it!)_ if you're eager to get your hands on the code right away.
- Basic knowledge of AWS services and Terraform.
- Terraform installed on your local machine. If not, you can follow this [guide](https://learn.hashicorp.com/tutorials/terraform/install-cli) to install it.
- A domain name, if you choose to use a custom domain
First, we define variables that will be used throughout our Terraform configuration. These include the name of the application, the environment, and optional custom domain settings. Add these to a new `inputs.tf` file add the values to `inputs.auto.tfvars` file
Next, create a `main.tf` file, we'll create an S3 bucket to store our static website content.
The create `cloudfront.tf` file, we then create a CloudFront Origin Access Identity (OAI). This allows CloudFront to get objects from our S3 bucket on our behalf.
We create a CloudFront distribution to deliver our content to users. We configure it to use our S3 bucket as the origin and our OAI for access. We also set up caching, HTTPS redirection, and custom error responses. In `cloudfront.tf` file.
The CloudFront distribution is configured with cache behavior, custom error responses, and TLS settings. It serves content over HTTPS, redirects HTTP traffic, and compresses content for better performance.
We also depend on the variable `create_custom_domain` to know whether to use a custom domain or a Cloudfront-provisioned random domain name.
In `cloudfront.tf` file. Add the following.
If a custom domain is preferred, this module sets up the necessary DNS records and TLS certificate using ACM for SSL/TLS. It associates the custom domain with the CloudFront distribution. code on GitHub.
In `iam-user.tf` file, We create an IAM user and policy to allow full access to our S3 bucket. This user can be used to upload content to the bucket via AWS CLI or GitHub action - Please comment bellow if you need an article on either one.
In `policy.tf` file, We apply a policy to our S3 bucket to allow our CloudFront OAI to get objects and to enforce server-side encryption for all uploaded objects.
Finally, In `waf.tf` file, we create a WAF Web ACL and associate it with our CloudFront distribution to protect our website from common web exploits, managed by AWS rulesets.
The creation of a WAF ACL adds a strong layer of security to our CloudFront distribution. We configure it with AWS Managed Rules for common threats, which is an excellent starting point for protecting against a wide range of attacks.
To complete these configurations and have everything running, apply your Terraform configuration by executing `terraform apply` in your terminal. This command will provision all the defined resources in your AWS account.
Remember to review the changes before applying them, ensuring that you understand what resources will be created or modified.
After you confirm and apply the changes, Terraform will provide outputs with the necessary information such as your website URL, S3 bucket names, and IAM user credentials which you should secure.
Deploying a high-performing and secure static website on AWS using Terraform can significantly simplify the process of infrastructure management. The power of Infrastructure as Code (IaC) allows you to version control your infrastructure, track changes, and quickly replicate or destroy environments as needed.
In this article, we've outlined the steps to set up your static hosting environment with security and performance best practices in mind. Our approach ensures that your website remains highly available, performant under load, and resilient against common web vulnerabilities at an optimized cost.
Now that you have your website deployed, you can focus on uploading your content, monitoring performance, and enhancing user experience. As your needs evolve, you can update your Terraform configurations to scale your infrastructure or integrate additional services.
Be sure to check out the [GitHub repository](https://github.com/iKnowJavaScript/terraform-static-server) for the complete code and leave a star behind if you found it helpful. If you encounter any issues or have questions, don't hesitate to comment below or open an issue on GitHub. Your contributions to improving the code are welcome!
Checkout a simplified Terraform package based on this here https://github.com/iKnowJavaScript/terraform-aws-complete-static-site
- complete-static-site: Terraform Module
Happy Building!!!