Web Stack Module

Deploy a complete web application stack combining Application Load Balancer, CloudFront CDN, WAF, and DNS.

What You'll Build

Application Load Balancer with HTTP/HTTPS listeners
CloudFront distribution for global content delivery
AWS WAF for DDoS and attack protection
Route53 DNS records (CNAME and alias)
SSL/TLS certificate binding via ACM
Security group configuration for layered protection

How to Use

module "web_stack" {
  source = "github.com/nnthanh101/terraform-aws/modules/web"

  environment = "prod"
  domain_name = "example.com"
  subdomain   = "app"

  # ALB Configuration
  alb_subnets       = var.public_subnets
  alb_internal      = false
  
  # Backend targets
  target_groups = {
    api = {
      port            = 8080
      protocol        = "HTTP"
      health_path     = "/health"
      health_interval = 30
    }
  }

  # CloudFront CDN
  cloudfront_enabled = true
  cloudfront_cache_behaviors = [
    {
      path_pattern = "/static/*"
      cache_ttl    = 31536000 # 1 year
    },
    {
      path_pattern = "/api/*"
      cache_ttl    = 0 # No caching
    }
  ]

  # WAF Protection
  waf_enabled = true
  waf_rules = {
    rate_limiting = {
      limit = 2000
      window = 300
    }
    geo_blocking = {
      allowed_countries = ["US", "CA", "GB", "AU"]
    }
  }

  # SSL/TLS
  certificate_arn = aws_acm_certificate.main.arn

  # DNS
  zone_id = aws_route53_zone.main.zone_id

  tags = {
    Environment = "prod"
    Service     = "web"
  }
}

Key Variables

Variable	Type	Purpose
`environment`	string	Environment name (dev, staging, prod)
`domain_name`	string	Primary domain (e.g., example.com)
`subdomain`	string	Subdomain prefix (e.g., app, api)
`alb_subnets`	list(string)	Public subnets for ALB deployment
`target_groups`	map(object)	Backend service definitions
`cloudfront_enabled`	bool	Enable CloudFront distribution
`waf_enabled`	bool	Enable AWS WAF
`certificate_arn`	string	ACM certificate ARN for HTTPS
`zone_id`	string	Route53 hosted zone ID

Outputs

Output	Use Case
`alb_dns_name`	Internal ALB endpoint
`cloudfront_domain_name`	Public CloudFront domain
`website_fqdn`	Full qualified domain name (e.g., app.example.com)
`waf_web_acl_arn`	WAF Web ACL for manual attachment

Security Features

DDoS Protection: AWS WAF with rate limiting and geo-blocking
Encryption: TLS 1.2+ termination at CloudFront + ALB
Access Control: Security groups restrict traffic flows
Logging: ALB and WAF logs to CloudWatch for auditing

Integration

ECS Services: Register containers in ALB target groups
EC2 Auto Scaling: Attach ASG for dynamic capacity
Lambda@Edge: Attach Lambda functions to CloudFront for edge computing
Secrets Manager: Store SSL certificate private keys
CloudWatch: Alarms on ALB/WAF metrics

Source Reference

Module: terraform-aws/modules/web (composition layer integrating alb, cloudfront, waf, acm)

What You'll Build​

How to Use​

Key Variables​

Outputs​

Security Features​

Integration​

Source Reference​

What You'll Build

How to Use

Key Variables

Outputs

Security Features

Integration

Source Reference