Web Stack Module

Deploy a complete web application stack combining Application Load Balancer, CloudFront CDN, WAF, and DNS.

What You'll Build

• Application Load Balancer with HTTP/HTTPS listeners
• CloudFront distribution for global content delivery
• AWS WAF for DDoS and attack protection
• Route53 DNS records (CNAME and alias)
• SSL/TLS certificate binding via ACM
• Security group configuration for layered protection

How to Use

module "web_stack" {
  source = "github.com/nnthanh101/terraform-aws/modules/web"

  environment = "prod"
  domain_name = "example.com"
  subdomain   = "app"

  # ALB Configuration
  alb_subnets       = var.public_subnets
  alb_internal      = false
  
  # Backend targets
  target_groups = {
    api = {
      port            = 8080
      protocol        = "HTTP"
      health_path     = "/health"
      health_interval = 30
    }
  }

  # CloudFront CDN
  cloudfront_enabled = true
  cloudfront_cache_behaviors = [
    {
      path_pattern = "/static/*"
      cache_ttl    = 31536000 # 1 year
    },
    {
      path_pattern = "/api/*"
      cache_ttl    = 0 # No caching
    }
  ]

  # WAF Protection
  waf_enabled = true
  waf_rules = {
    rate_limiting = {
      limit = 2000
      window = 300
    }
    geo_blocking = {
      allowed_countries = ["US", "CA", "GB", "AU"]
    }
  }

  # SSL/TLS
  certificate_arn = aws_acm_certificate.main.arn

  # DNS
  zone_id = aws_route53_zone.main.zone_id

  tags = {
    Environment = "prod"
    Service     = "web"
  }
}

Key Variables

Variable	Type	Purpose
environment	string	Environment name (dev, staging, prod)
domain_name	string	Primary domain (e.g., example.com)
subdomain	string	Subdomain prefix (e.g., app, api)
alb_subnets	list(string)	Public subnets for ALB deployment
target_groups	map(object)	Backend service definitions
cloudfront_enabled	bool	Enable CloudFront distribution
waf_enabled	bool	Enable AWS WAF
certificate_arn	string	ACM certificate ARN for HTTPS
zone_id	string	Route53 hosted zone ID

Outputs

Output	Use Case
alb_dns_name	Internal ALB endpoint
cloudfront_domain_name	Public CloudFront domain
website_fqdn	Full qualified domain name (e.g., app.example.com)
waf_web_acl_arn	WAF Web ACL for manual attachment

Security Features

• DDoS Protection: AWS WAF with rate limiting and geo-blocking
• Encryption: TLS 1.2+ termination at CloudFront + ALB
• Access Control: Security groups restrict traffic flows
• Logging: ALB and WAF logs to CloudWatch for auditing

Integration

• ECS Services: Register containers in ALB target groups
• EC2 Auto Scaling: Attach ASG for dynamic capacity
• Lambda@Edge: Attach Lambda functions to CloudFront for edge computing
• Secrets Manager: Store SSL certificate private keys
• CloudWatch: Alarms on ALB/WAF metrics

Source Reference

Module: terraform-aws/modules/web (composition layer integrating alb, cloudfront, waf, acm)