feat(static-site): allow specifying multiple domains (#4)

Script47 · web-flow · commit 53879dd40fc9 · 2025-07-01T21:26:29.000+01:00
- add support for multiple domains
- add support for 404 error fallbacks
- enforce validation rules on variables
- update outputs format
- update readme
diff --git a/static-site/README.md b/static-site/README.md
@@ -2,14 +2,15 @@
 
 ## About
 
-This module enables you to set up a static site/SPA on AWS with the following features:
-
-- Custom domain with corresponding A record in the hosted zone and TLS certificate (DNS validated)
-- S3 bucket for hosting the static site
-- CloudFront distribution for site delivery
-    - OAC for secure access between CloudFront and S3
-    - Ensures only signed requests (SigV4) are allowed to S3
-- IAM role for CD (e.g., GitHub Actions)
+This module allows you to setup a static site with the following features:
+
+- S3 bucket for static content (secure, private access only via CloudFront OAC)
+- CloudFront distribution with TLS certificate (ACM) and full domain aliasing
+  - Automatic DNS validation for ACM via Route 53
+  - Optional creation of Route 53 Hosted Zone (or reuse an existing one)
+  - Multi-domain support
+- CI/CD deploy IAM role via OIDC (optional)
+- Fallback support for SPA (`403 → 200 /index.html` and `404 → 200 /index.html`)
 - Resource tagging for manageable resources
 
 ## Assumptions
@@ -19,19 +20,21 @@ toggle to disable this.
 
 ## Usage
 
+See `variables.tf` for the full argument reference.
+
 ```hcl
 module "static_site" {
-  source = "github.com/Script47/aws-tf-modules/static-site"
+  source      = "github.com/Script47/aws-tf-modules/static-site"
 
+  domains     = ["example.org"]
   bucket_name = "example.org"
   hosted_zone = "my-hosted_zone"
-  domain_name = "example.org"
   role_name   = "deploy-example-org"
   repo        = "example-org/repo:ref:refs/heads/master"
   setup_cd    = false
 
   restriction = {
-    type = "none"
+    type      = "none"
     locations = []
   }
 
@@ -42,7 +45,7 @@ module "static_site" {
   tags = {
     Project     = "my-project"
     Service     = "my-service"
-    Environment = "prod"
+    Environment = "produdction"
   }
 
   providers = {
diff --git a/static-site/acm.tf b/static-site/acm.tf
@@ -1,8 +1,9 @@
 resource "aws_acm_certificate" "cloudfront_cert" {
-  domain_name       = var.domain_name
-  validation_method = "DNS"
-  tags              = var.tags
-  provider          = aws.acm
+  domain_name               = local.primary_domain
+  subject_alternative_names = local.domains
+  validation_method         = "DNS"
+  tags                      = var.tags
+  provider                  = aws.acm
 }
 
 resource "aws_acm_certificate_validation" "cloudfront_cert_validation" {
diff --git a/static-site/cloudfront.tf b/static-site/cloudfront.tf
@@ -1,6 +1,6 @@
 resource "aws_cloudfront_distribution" "static_site" {
-  comment             = "Distribution for ${var.domain_name}"
-  aliases             = local.aliases
+  comment             = "Distribution for ${local.primary_domain}"
+  aliases             = local.domains
   enabled             = true
   is_ipv6_enabled     = true
   default_root_object = "index.html"
@@ -43,11 +43,17 @@ resource "aws_cloudfront_distribution" "static_site" {
     cloudfront_default_certificate = false
   }
 
-  # For SPAs this is needed for hard refresh on dynamic routes
   custom_error_response {
-    response_page_path    = "/index.html"
-    response_code         = 404
     error_code            = 403
+    response_code         = 200
+    response_page_path    = "/index.html"
+    error_caching_min_ttl = 0
+  }
+
+  custom_error_response {
+    error_code            = 404
+    response_code         = 200
+    response_page_path    = "/index.html"
     error_caching_min_ttl = 0
   }
 
@@ -67,7 +73,7 @@ resource "aws_cloudfront_origin_access_control" "oac" {
 
 resource "aws_cloudfront_response_headers_policy" "cloudfront" {
   name    = "cloudfront-response-headers-policy"
-  comment = "Response headers policy for ${var.domain_name}"
+  comment = "Response headers policy for ${local.primary_domain}"
 
   security_headers_config {
     content_type_options {
diff --git a/static-site/locals.tf b/static-site/locals.tf
@@ -1,5 +1,6 @@
 locals {
-  aliases            = [var.domain_name]
+  domains            = distinct(var.domains)
+  primary_domain     = local.domains[0]
   create_hosted_zone = var.hosted_zone == ""
-  bucket_name        = var.bucket_name == "" ? var.domain_name : var.bucket_name
+  bucket_name        = var.bucket_name == "" ? local.primary_domain : var.bucket_name
 }
diff --git a/static-site/outputs.tf b/static-site/outputs.tf
@@ -1,9 +1,8 @@
-output "bucket_name" {
-  value = aws_s3_bucket.static_site.bucket
-}
-
-output "deploy_role_arn" {
-  value = var.setup_cd ? aws_iam_role.deploy_static_site[0].arn : null
+output "bucket" {
+  value = {
+    id  = aws_s3_bucket.static_site.id
+    arn = aws_s3_bucket.static_site.arn
+  }
 }
 
 output "cloudfront" {
@@ -12,4 +11,10 @@ output "cloudfront" {
     domain_name = aws_cloudfront_distribution.static_site.domain_name
     aliases     = aws_cloudfront_distribution.static_site.aliases
   }
-}
+}
+
+output "role" {
+  value = var.setup_cd ? {
+    arn = aws_iam_role.deploy_static_site[0].arn
+  } : null
+}
diff --git a/static-site/route53.tf b/static-site/route53.tf
@@ -1,6 +1,6 @@
 resource "aws_route53_zone" "hosted_zone" {
   count = local.create_hosted_zone ? 1 : 0
-  name  = var.domain_name
+  name  = local.primary_domain
   tags  = var.tags
 }
 
@@ -16,8 +16,8 @@ resource "aws_route53_record" "acm_records" {
     }
   }
 
-  type            = each.value.type
   zone_id         = local.create_hosted_zone ? aws_route53_zone.hosted_zone[0].zone_id : data.aws_route53_zone.hosted_zone[0].zone_id
+  type            = each.value.type
   name            = each.value.name
   records         = [each.value.record]
   ttl             = 60
@@ -29,9 +29,11 @@ resource "aws_route53_record" "acm_records" {
 # Setup the A record for your custom domain
 #############################################
 resource "aws_route53_record" "static_site_a_record" {
+  count = length(local.domains)
+
   zone_id = local.create_hosted_zone ? aws_route53_zone.hosted_zone[0].zone_id : data.aws_route53_zone.hosted_zone[0].zone_id
-  name    = var.domain_name
   type    = "A"
+  name    = local.domains[count.index]
 
   alias {
     name                   = aws_cloudfront_distribution.static_site.domain_name
diff --git a/static-site/variables.tf b/static-site/variables.tf
@@ -10,9 +10,13 @@ variable "hosted_zone" {
   default     = ""
 }
 
-variable "domain_name" {
-  type        = string
-  description = "The custom domain name for your CloudFront distribution"
+variable "domains" {
+  type        = list(string)
+  description = "List of custom domain names for your CloudFront distribution. The first domain specified will be classed as the primary domain (used as S3 bucket name, Route53 hosted zone name etc.)"
+  validation {
+    condition     = length(var.domains) > 0
+    error_message = "domains requires at least one domain to be specified"
+  }
 }
 
 variable "role_name" {

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`locals {`
`2`		`- aliases = [var.domain_name]`
	`2`	`+ domains = distinct(var.domains)`
	`3`	`+ primary_domain = local.domains[0]`
`3`	`4`	`create_hosted_zone = var.hosted_zone == ""`
`4`		`- bucket_name = var.bucket_name == "" ? var.domain_name : var.bucket_name`
	`5`	`+ bucket_name = var.bucket_name == "" ? local.primary_domain : var.bucket_name`
`5`	`6`	`}`