terraform-aws-cloudfront-s3-cdn
terraform-aws-cloudfront-s3-cdn copied to clipboard
cloudposse
403 AccessDenied for static website
Describe the Bug
Using the module with
dns_alias_enabled = true
website_enabled = true
versioning_enabled = true
allow_ssl_requests_only = true
Resources created OK, but I get access denied on every resource on the website (with or without cloudfront)
Expected Behavior
Should not happen if we access the website from CloudFront URL.
Steps to Reproduce
module "cdn" {
source = "cloudposse/cloudfront-s3-cdn/aws"
version = "0.73.0"
enabled = var.enabled
aliases = ["${var.name}.${var.parent_zone_name}"] // TODO: strip "production" from cnames
dns_alias_enabled = true
website_enabled = true
versioning_enabled = true
parent_zone_id = var.parent_zone_id
namespace = var.namespace
environment = var.environment
name = var.name
allow_ssl_requests_only = true # NOTE: breaking access from cloudfront, maybe needs redirection to HTTPS
deployment_principal_arns = {}
minimum_protocol_version = "TLSv1"
acm_certificate_arn = var.acm_certificate_arn
}
Working around it is just disabling SSL (allow_ssl_requests_only = false)
Cheers :)
I had the same issue. I believe because the policy enforces SSL (HTTPS) connection but it does not create (and assign) a certificate to the bucket. So the HTTPS request just hangs given no SSL certificate available.
Documentation should be updated for this.
Or if allow_ssl_requests_only = true (current default behaviour!) then the module should create a certificate too and set it up for the bucket.
I should have looked here earlier, this literally cost me hours ... 🙄 . Anyway, me too. Example configuration available in this gist, beautiful HTTP 403 - even with certificate configured according to the examples in the module readme.
is there a known working version (ping @robvadai, @mrsufgi)? I want to move forward, and I failed at fixing it myself. this is a rather complicated module, and also my first contact with cloudfront and all the policy stuff (up until now I just published an S3 webpage endpoint).
The latest version works well, although you must set allow_ssl_requests_only = false. This parameter only disables TLS at S3 static-website level -- Cloudfront should still have its own TLS configuration given your ACM certificate.
yup, with allow_ssl_requests_only = false it works with v0.74.0 ... this is pretty great :) . it might run with v0.73.0 as well if you add this parameter. i had no changes for a terraform plan run after upgrading the module version and before adding the parameter.
Needed to add the
allow_ssl_requests_only = falseallow_ssl_requests_only = false
to make it work with version = "0.82.3"
Maybe should be in the docs?
According to the AWS docs: " If your Amazon S3 bucket is configured as a website endpoint, you can't configure CloudFront to use HTTPS to communicate with your origin because Amazon S3 doesn't support HTTPS connections in that configuration."
The module could ignore allow_ssl_requests_only when using a static website. This could prevent big problems
Yeah, I ran into this with v0.88.0, and it wasn't until I realized the issue was that the bucket policy was trying to enforce TLS and then that setting allow_ssl_requests_only = false was needed when website_enabled = true. With the s3_website_password_enabled variable set to true, this does restrict access to the S3 bucket website and enforces it to go through Cloudfront but I agree that if website_enabled == true then allow_ssl_requests_only being ignored and treated as false would prevent this significant issue that would potentially cause an unexpected outage of a website.
Having the policy enforce TLS when using as a bucket (ie- website_enabled = false) does make sense as the bucket can be accessed via HTTPS but the S3 certificate just doesn't handle it when running as a static website.
Issue exists on v0.92.0 as well. Adding allow_ssl_requests_only = false solves it. As @jbouse mentioned above, s3_website_password_enabled = true is recommended.
