Update terraform

terraform/main.tf

@@ -46,12 +46,12 @@ resource "aws_route53_record" "root_domain" {
 
 resource "aws_route53_record" "www_domain" {
   zone_id = "${var.hosted_zone_id}"
-  name = "www.${var.domain}"
+  name    = "${local.www_domain}"
   type    = "A"
 
   alias {
-    name = "${aws_cloudfront_distribution.cdn.domain_name}"
+    name                   = "${aws_cloudfront_distribution.www_cdn.domain_name}"
-    zone_id = "${aws_cloudfront_distribution.cdn.hosted_zone_id}"
+    zone_id                = "${aws_cloudfront_distribution.www_cdn.hosted_zone_id}"
     evaluate_target_health = false
   }
 }
@@ -75,6 +75,12 @@ resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
   comment = "${var.domain} origin access identity"
 }
 
+locals {
+  s3_origin_id     = "S3-${var.domain}"
+  s3_www_origin_id = "S3-www-${var.domain}"
+  www_domain       = "www.${var.domain}"
+}
+
 resource "aws_s3_bucket" "site" {
   bucket = "${var.domain}"
   acl    = "private"
@@ -90,11 +96,7 @@ resource "aws_s3_bucket" "site" {
       "Resource": "arn:aws:s3:::${var.domain}/*"
     }]
 }
-  EOF
+EOF
-}
-
-locals {
-  s3_origin_id = "S3-${var.domain}"
 }
 
 resource "aws_cloudfront_distribution" "cdn" {
@@ -108,7 +110,7 @@ resource "aws_cloudfront_distribution" "cdn" {
   }
 
   # If using route53 aliases for DNS we need to declare it here too, otherwise we'll get 403s.
-  aliases = ["${var.domain}", "www.${var.domain}"]
+  aliases = ["${var.domain}"]
 
   enabled             = true
   is_ipv6_enabled     = true
@@ -121,6 +123,71 @@ resource "aws_cloudfront_distribution" "cdn" {
 
     forwarded_values {
       query_string = true
+
+      cookies {
+        forward = "none"
+      }
+    }
+
+    min_ttl                = 0
+    default_ttl            = 86400
+    max_ttl                = 31536000
+    compress               = true
+    viewer_protocol_policy = "redirect-to-https"
+  }
+
+  price_class = "PriceClass_All"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+      locations        = []
+    }
+  }
+
+  viewer_certificate {
+    acm_certificate_arn      = "${aws_acm_certificate_validation.cert.certificate_arn}"
+    minimum_protocol_version = "TLSv1.1_2016"
+    ssl_support_method       = "sni-only"
+  }
+}
+
+resource "aws_s3_bucket" "www_site" {
+  bucket = "${local.www_domain}"
+  acl    = "public-read"
+
+  website {
+    redirect_all_requests_to = "https://${var.domain}"
+  }
+}
+
+resource "aws_cloudfront_distribution" "www_cdn" {
+  origin {
+    origin_id   = "${local.s3_www_origin_id}"
+    domain_name = "${aws_s3_bucket.www_site.website_endpoint}"
+
+    custom_origin_config {
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "http-only"
+      origin_ssl_protocols   = ["TLSv1.1", "TLSv1.2"]
+    }
+  }
+
+  # If using route53 aliases for DNS we need to declare it here too, otherwise we'll get 403s.
+  aliases = ["${local.www_domain}"]
+
+  enabled         = true
+  is_ipv6_enabled = true
+
+  default_cache_behavior {
+    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
+    cached_methods   = ["GET", "HEAD"]
+    target_origin_id = "${local.s3_www_origin_id}"
+
+    forwarded_values {
+      query_string = true
+
       cookies {
         forward = "none"
       }