diff --git a/examples/cloudfront-distribution-simple/main.tf b/examples/cloudfront-distribution-simple/main.tf index f8f8e1f..74aa212 100644 --- a/examples/cloudfront-distribution-simple/main.tf +++ b/examples/cloudfront-distribution-simple/main.tf @@ -20,9 +20,11 @@ module "distribution" { host = "api.example.com" } } - default_target_origin = "api" + default_behavior = { + target_origin = "api" + } tags = { - "project" = "terraform-aws-secret-examples" + "project" = "terraform-aws-cloudfront-examples" } } diff --git a/modules/distribution/README.md b/modules/distribution/README.md index d46345d..7c5aa8a 100644 --- a/modules/distribution/README.md +++ b/modules/distribution/README.md @@ -11,14 +11,14 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 5.1 | +| [terraform](#requirement\_terraform) | >= 1.6 | +| [aws](#requirement\_aws) | >= 5.19 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.28.0 | ## Modules @@ -38,25 +38,14 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [default\_target\_origin](#input\_default\_target\_origin) | (Required) The ID of existing origin or origin group that you want CloudFront to route requests to when a request matches the path pattern for the default behavior. | `string` | n/a | yes | +| [default\_behavior](#input\_default\_behavior) | (Required) A default bahavior for the distribution. `default_behavior` as defined below.
(Required) `target_origin` - The ID of existing origin or origin group that you want CloudFront to route requests to when a request matches the path pattern for the default behavior.
(Optional) `compression_enabled` - Whether you want CloudFront to automatically compress content for web requests that include `Accept-Encoding: gzip` in the request header. Defaults to `true`.
(Optional) `smooth_streaming_enabled` - Whether to distribute media files in Microsoft Smooth Streaming format and you do not have an IIS server. Set `false` if your origin is configured to use Microsoft IIS for Smooth Streaming. Defaults to `false`.
(Optional) `field_level_encryption_configuration` - The ID of field-level encryption configuration. To associate a field-level encryption configuration with a cache behavior, the distribution must be configured to always use HTTPS, and to accept HTTP POST and PUT requests from viewers.
(Optional) `realtime_log_configuration` -The ARN of real-time log configuration for the default behavior. Real-time logs are delivered to the data stream in Amazon Kinesis Data Streams.
(Optional) `viewer_protocol_policy` - The protocol policy that viewers can use to access the contents in CloudFront edge locations. Valid values are `ALLOW_ALL`, `HTTPS_ONLY`, and `REDIRECT_TO_HTTPS`. Defaults to `REDIRECT_TO_HTTPS`.
(Optional) `allowed_http_methods` - A list of HTTP methods to allow. Controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or your custom origin. Valid values are `["GET", "HEAD"]` , `["GET", "HEAD", "OPTIONS"]`, or `["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]`. Defaults to `["GET", "HEAD"]`.
(Optional) `cached_http_methods` - A list of HTTP methods to cache. Controls whether CloudFront caches the response to requests using the specified HTTP methods. Valid values are `["GET", "HEAD"]` or `["GET", "HEAD", "OPTIONS"]`. Defaults to `["GET", "HEAD"]`.
(Optional) `cache_policy` - The ID of the cache policy that you want to attach to the default behavior of the distribution.
(Optional) `origin_request_policy` - The ID of the origin request policy that you want to attach to the default behavior of the distribution.
(Optional) `response_headers_policy` - The ID of the response headers policy that you want to attach to the default behavior of the distribution.
(Optional) `legacy_cache_config` - The legacy cache configuration for the default behavior of the distribution. Recommend using a cache policy and origin request policy to control the cache key and origin requests. `legacy_cache_config` block as defined below.
(Opitonal) `enabled` - Whether to enable legacy cache configuration. Defaults to `false`.
(Optional) `min_ttl` - The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated. Defaults to `0`.
(Optional) `default_ttl` - The default amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request in the absence of an `Cache-Control max-age` or `Expires` header. Defaults to `86400`.
(Optional) `max_ttl` - The maximum amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated. Only effective in the presence of `Cache-Control max-age`, `Cache-Control s-maxage`, and `Expires` headers. Defaults to `31536000`.
(Optional) `forwarding_cookies` - A configuration for specifying which cookies in viewer requests to be forwarded in the origin requests. `forwarding_cookies` as defined below.
(Required) `behavior` - Determine whether any cookies in viewer requests are forwarded in the origin requests. Valid values are `NONE`, `WHITELIST` and `ALL`. Defaults to `NONE`.
(Optional) `items` - A list of cookie names. It only takes effect when `behavior` is `WHITELIST`.
(Optional) `forwarding_headers` - A configuration for specifying which headers in viewer requests to be forwarded in the origin requests. `forwarding_headers` as defined below.
(Required) `behavior` - Determine whether any headers in viewer requests are forwarded in the origin requests. Valid values are `NONE`, `WHITELIST` and `ALL`. Defaults to `NONE`.
(Optional) `items` - A list of header names. It only takes effect when `behavior` is `WHITELIST`.
(Optional) `forwarding_query_strings` - A configuration for specifying which query strings in viewer requests to be forwarded in the origin requests. `forwarding_query_strings` as defined below.
(Required) `behavior` - Determine whether any query strings in viewer requests are forwarded in the origin requests. Valid values are `NONE`, `WHITELIST`, `ALL`. Defaults to `NONE`.
(Optional) `items` - A list of query string names. It only takes effect when `behavior` is `WHITELIST`.
(Optional) `function_associations` - The configuration for function associations to event of the CloudFront distribution. You can configure a Lambda@Edge function or CloudFront function.

Each key means the CloudFront event. Supported CloudFront events are `VIEWER_REQUEST`, `ORIGIN_REQUEST`, `ORIGIN_RESPONSE`, and `VIEWER_RESPONSE`.
- `VIEWER_REQUEST`: When CloudFront receives a request from a viewer.
- `ORIGIN_REQUEST`: Before CloudFront forwards a request to the origin.
- `ORIGIN_RESPONSE`: When CloudFront receives a response from the origin.
- `VIEWER_RESPONSE`: Before CloudFront returns the response to the viewer.

Each value of `default_function_associtaions` as defined below.
(Required) `type` - The type of associated function. Valid values are `LAMBDA_EDGE` and `CLOUDFRONT`.
(Required) `function` - The ARN of the CloudFront function or the Lambda@Edge function.
(Optional) `include_body` - Whether to expose the request body to the Lambda@Edge function. Only valid when `type` is `LAMBDA_EDGE` on `VIEWER_REQUEST` and `ORIGIN_REQUEST` events. Defaults to `false`. |
object({
target_origin = string

compression_enabled = optional(bool, true)
smooth_streaming_enabled = optional(bool, false)

field_level_encryption_configuration = optional(string)
realtime_log_configuration = optional(string)

viewer_protocol_policy = optional(string, "REDIRECT_TO_HTTPS")
allowed_http_methods = optional(set(string), ["GET", "HEAD"])
cached_http_methods = optional(set(string), ["GET", "HEAD"])

cache_policy = optional(string)
origin_request_policy = optional(string)
response_headers_policy = optional(string)

legacy_cache_config = optional(object({
enabled = optional(bool, false)
min_ttl = optional(number, 0)
default_ttl = optional(number, 86400)
max_ttl = optional(number, 31536000)

forwarding_cookies = optional(object({
behavior = optional(string, "NONE")
items = optional(set(string), [])
}), {})
forwarding_headers = optional(object({
behavior = optional(string, "NONE")
items = optional(set(string), [])
}), {})
forwarding_query_strings = optional(object({
behavior = optional(string, "NONE")
items = optional(set(string), [])
}), {})
}), {})

function_associations = optional(map(object({
type = string
function = string
include_body = optional(bool, false)
})), {})
})
| n/a | yes | | [name](#input\_name) | (Required) The name of the CloudFront distribution. | `string` | n/a | yes | | [aliases](#input\_aliases) | (Optional) A list of extra CNAMEs (alternate domain names) that use in URLs for the files served by this distribution. | `set(string)` | `[]` | no | -| [custom\_origins](#input\_custom\_origins) | (Optional) A configuration for custom origins of the distribution. Each key defines a name of each custom origin. Each value of `custom_origins` as defined below.
(Required) `host` - The DNS domain name of either the web site of your custom origin.
(Optional) `path` - The URL path to append to `host` which the origin domain name for origin requests. Enter the directory path, beginning with a slash (/). Do not add a slash (/) at the end of the path.
(Optional) `http_port` - The HTTP port the custom origin listens on. Defaults to `80`.
(Optional) `https_port` - The HTTPS port the custom origin listens on. Defaults to `443`.
(Optional) `protocol_policy` - The origin protocol policy to apply to your origin. The origin protocol policy determines the protocol (HTTP or HTTPS) that you want CloudFront to use when connecting to the origin. Valid values are `HTTP_ONLY`, `HTTPS_ONLY` or `MATCH_VIEWER`. Defaults to `MATCH_VIEWER`.
(Optional) `ssl_security_policy` - The minimum SSL/TLS protocol that CloudFront uses with the origin over HTTPS. Valid values are `SSLv3`, `TLSv1`, `TLSv1.1`, and `TLSv1.2`. Defaults to `TLSv1.1`. Recommend the latest TLS protocol that the origin supports.
(Optional) `custom_headers` - A map of custom HTTP headers to include in all requests to the origin. Each key/value is mapping to HTTP header `name`/`value`.
(Optional) `origin_shield` - Origin Shield is an additional caching layer that can help reduce the load on your origin and help protect its availability. `origin_shield` block as defined below.
(Required) `enabled` - Whether to enable Origin Shield. Defaults to `false`.
(Required) `region` - The AWS Region for Origin Shield. To specify a region. For example, specify the US East (Ohio) region as `us-east-2`.
(Optional) `connection_attempts` - The number of times that CloudFront attempts to connect to the origin, from `1` to `3`. Defaults to `3`.
(Optional) `connection_timeout` - The number of seconds that CloudFront waits for a response from the origin, from `1` to `10`. Defaults to `10`.
(Optional) `keepalive_timeout` - The number of seconds that CloudFront maintains an idle connection with the origin, from `1` to `60`. But, the maximum can be changed arbitrarily by AWS Support to a much higher value. Defaults to `5`.
(Optional) `response_timeout` - The number of seconds that CloudFront waits for a response from the origin, from `1` to `60`. Defaults to `30`. | `any` | `{}` | no | -| [default\_allowed\_http\_methods](#input\_default\_allowed\_http\_methods) | (Optional) A list of HTTP methods to allow. Controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or your custom origin. Valid values are `["GET", "HEAD"]` or `["GET", "HEAD", "OPTIONS"]`. Defaults to `["GET", "HEAD"]`.`GET`, `HEAD`, `OPTIONS`, `PUT`, `POST`, `PATCH` and `DELETE`. Defaults to `GET` and `HEAD`. | `set(string)` |
[
"GET",
"HEAD"
]
| no | -| [default\_cache\_policy](#input\_default\_cache\_policy) | (Optional) The ID of the cache policy that you want to attach to the default behavior of the distribution. | `string` | `null` | no | -| [default\_cache\_ttl](#input\_default\_cache\_ttl) | (Optional) The configuration for cache TTL(Time-to-Live) values of the default behavior. `default_cache_ttl` block as defined below.
(Required) `min` - The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated.
(Required) `default` - The default amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request in the absence of an `Cache-Control max-age` or `Expires` header.
(Required) `max` - The maximum amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated. Only effective in the presence of `Cache-Control max-age`, `Cache-Control s-maxage`, and `Expires` headers. |
object({
min = number
default = number
max = number
})
| `null` | no | -| [default\_cached\_http\_methods](#input\_default\_cached\_http\_methods) | (Optional) A list of HTTP methods to cache. Controls whether CloudFront caches the response to requests using the specified HTTP methods. Valid values are `["GET", "HEAD"]` or `["GET", "HEAD", "OPTIONS"]`. Defaults to `["GET", "HEAD"]`. | `set(string)` |
[
"GET",
"HEAD"
]
| no | -| [default\_compression\_enabled](#input\_default\_compression\_enabled) | (Optional) Whether you want CloudFront to automatically compress content for web requests that include `Accept-Encoding: gzip` in the request header. Defaults to `true`. | `bool` | `true` | no | -| [default\_field\_level\_encryption\_configuration](#input\_default\_field\_level\_encryption\_configuration) | (Optional) The ID of field-level encryption configuration. To associate a field-level encryption configuration with a cache behavior, the distribution must be configured to always use HTTPS, and to accept HTTP POST and PUT requests from viewers. | `string` | `null` | no | -| [default\_function\_associations](#input\_default\_function\_associations) | (Optional) The configuration for function associations to event of the CloudFront distribution. You can configure a Lambda@Edge function or CloudFront function when one or more of the following CloudFront events occur:
- `VIEWER_REQUEST`: When CloudFront receives a request from a viewer.
- `ORIGIN_REQUEST`: Before CloudFront forwards a request to the origin.
- `ORIGIN_RESPONSE`: When CloudFront receives a response from the origin.
- `VIEWER_RESPONSE`: Before CloudFront returns the response to the viewer.

Each key means the CloudFront event. Supported CloudFront events are `VIEWER_REQUEST`, `ORIGIN_REQUEST`, `ORIGIN_RESPONSE`, and `VIEWER_RESPONSE`. Each value of `default_function_associtaions` as defined below.
(Required) `type` - The type of associated function. Valid values are `LAMBDA_EDGE` and `CLOUDFRONT`.
(Required) `function` - The ARN of the CloudFront function or the Lambda@Edge function.
(Optional) `include_body` - Whether to expose the request body to the Lambda@Edge function. Only valid when `type` is `LAMBDA_EDGE` on `VIEWER_REQUEST` and `ORIGIN_REQUEST` events. Defaults to `false`. | `any` | `{}` | no | -| [default\_origin\_request\_policy](#input\_default\_origin\_request\_policy) | (Optional) The ID of the origin request policy that you want to attach to the default behavior of the distribution. | `string` | `null` | no | -| [default\_realtime\_log\_configuration](#input\_default\_realtime\_log\_configuration) | (Optional) The ARN of real-time log configuration for the default behavior. Real-time logs are delivered to the data stream in Amazon Kinesis Data Streams. | `string` | `null` | no | -| [default\_response\_headers\_policy](#input\_default\_response\_headers\_policy) | (Optional) The ID of the response headers policy that you want to attach to the default behavior of the distribution. | `string` | `null` | no | -| [default\_smooth\_streaming\_enabled](#input\_default\_smooth\_streaming\_enabled) | (Optional) Whether to distribute media files in Microsoft Smooth Streaming format and you do not have an IIS server. Set `false` if your origin is configured to use Microsoft IIS for Smooth Streaming. Defaults to `false`. | `bool` | `false` | no | -| [default\_viewer\_protocol\_policy](#input\_default\_viewer\_protocol\_policy) | (Optional) The protocol policy that viewers can use to access the contents in CloudFront edge locations when a request does not matches any path patttern in ordered behaviors. Valid values are `ALLOW_ALL`, `HTTPS_ONLY`, and `REDIRECT_TO_HTTPS`. Defaults to `REDIRECT_TO_HTTPS`. | `string` | `"REDIRECT_TO_HTTPS"` | no | +| [custom\_origins](#input\_custom\_origins) | (Optional) A configuration for custom origins of the distribution. Each key defines a name of each custom origin. Each value of `custom_origins` as defined below.
(Required) `host` - The DNS domain name of either the web site of your custom origin.
(Optional) `path` - The URL path to append to `host` which the origin domain name for origin requests. Enter the directory path, beginning with a slash (/). Do not add a slash (/) at the end of the path.
(Optional) `http_port` - The HTTP port the custom origin listens on. Defaults to `80`.
(Optional) `https_port` - The HTTPS port the custom origin listens on. Defaults to `443`.
(Optional) `protocol_policy` - The origin protocol policy to apply to your origin. The origin protocol policy determines the protocol (HTTP or HTTPS) that you want CloudFront to use when connecting to the origin. Valid values are `HTTP_ONLY`, `HTTPS_ONLY` or `MATCH_VIEWER`. Defaults to `MATCH_VIEWER`.
(Optional) `ssl_security_policy` - The minimum SSL/TLS protocol that CloudFront uses with the origin over HTTPS. Valid values are `SSLv3`, `TLSv1`, `TLSv1.1`, and `TLSv1.2`. Defaults to `TLSv1.1`. Recommend the latest TLS protocol that the origin supports.
(Optional) `custom_headers` - A map of custom HTTP headers to include in all requests to the origin. Each key/value is mapping to HTTP header `name`/`value`.
(Optional) `origin_shield` - Origin Shield is an additional caching layer that can help reduce the load on your origin and help protect its availability. `origin_shield` block as defined below.
(Required) `enabled` - Whether to enable Origin Shield. Defaults to `false`.
(Required) `region` - The AWS Region for Origin Shield. To specify a region. For example, specify the US East (Ohio) region as `us-east-2`.
(Optional) `connection_attempts` - The number of times that CloudFront attempts to connect to the origin, from `1` to `3`. Defaults to `3`.
(Optional) `connection_timeout` - The number of seconds that CloudFront waits for a response from the origin, from `1` to `10`. Defaults to `10`.
(Optional) `keepalive_timeout` - The number of seconds that CloudFront maintains an idle connection with the origin, from `1` to `60`. But, the maximum can be changed arbitrarily by AWS Support to a much higher value. Defaults to `5`.
(Optional) `response_timeout` - The number of seconds that CloudFront waits for a response from the origin, from `1` to `60`. Defaults to `30`. |
map(object({
host = string
path = optional(string)
http_port = optional(number, 80)
https_port = optional(number, 443)
protocol_policy = optional(string, "MATCH_VIEWER")
ssl_security_policy = optional(string, "TLSv1.1")
custom_headers = optional(map(string), {})
origin_shield = optional(object({
enabled = bool
region = string
}))
connection_attempts = optional(number, 3)
connection_timeout = optional(number, 10)
keepalive_timeout = optional(number, 5)
response_timeout = optional(number, 30)
}))
| `{}` | no | | [description](#input\_description) | (Optional) The description of the distribution. Any comments you want to include about the distribution. | `string` | `"Managed by Terraform."` | no | -| [enabled](#input\_enabled) | (Optional) Whether the distribution is enabled to accept end user requests for content. | `bool` | `true` | no | +| [enabled](#input\_enabled) | (Optional) Whether the distribution is enabled to accept end user requests for content. Defaults to `true`. | `bool` | `true` | no | | [error\_responses](#input\_error\_responses) | (Optional) A configurations of custom error responses for the distribution. Each key means the HTTP status code that you want to customize like `404`, `503`. Each value of `error_responses` as defined below.
(Optional) `cache_min_ttl` - The minimum TTL(Time-to-live) in seconds that you want HTTP error codes to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated. Defaults to `10`.
(Optional) `custom_response_code` - The HTTP status code to return to the viewer. CloudFront can return a different status code to the viewer than what it received from the origin.
(Optional) `custom_response_path` - The path to the custom error response page. | `any` | `{}` | no | +| [geographic\_restriction](#input\_geographic\_restriction) | (Optional) A configuration for CloudFront geographic restrictions. `geographic_restriction` as defined below.
(Optiona) `type` - The method that you want to use to restrict distribution of the content by country. Valid values are `NONE`, `WHITELIST` or `BLACKLIST`. Defaults to `NONE`.
(Optiona) `countries` - A list of the ISO 3166-1-alpha-2 codes for which you want CloudFront either to distribute your content (`WHITELIST`) or not distribute your content (`BLACKLIST`). |
object({
type = optional(string, "NONE")
countries = optional(set(string), [])
})
| `{}` | no | | [http\_version](#input\_http\_version) | (Optional) The maximum HTTP version to support on the distribution. Valid values are `HTTP1.1`, `HTTP2`, `HTTP2AND3`, or `HTTP3`. Defaults to `HTTP2`. | `string` | `"HTTP2"` | no | | [ipv6\_enabled](#input\_ipv6\_enabled) | (Optional) Whether the IPv6 is enabled for the distribution. Defaults to `true`. | `bool` | `true` | no | | [logging\_include\_cookies](#input\_logging\_include\_cookies) | (Optional) Indicate whether to include cookies in access logs. Defaults to `false`. | `bool` | `false` | no | @@ -65,17 +54,15 @@ This module creates following resources. | [logging\_s3\_prefix](#input\_logging\_s3\_prefix) | (Optional) The prefix to append to the folder name. | `string` | `""` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | | [monitoring\_realtime\_metrics\_enabled](#input\_monitoring\_realtime\_metrics\_enabled) | (Optional) Whether additional real-time CloudWatch metrics are enabled for the CloudFront distribution. | `bool` | `false` | no | -| [ordered\_behaviors](#input\_ordered\_behaviors) | (Optional) An ordered list of ordered bahaviors for the distribution. Each block of `ordered_behaviors` as defined below.
(Required) `path_pattern` - The pattern that specifies which requests you want this cache behavior to apply to. When CloudFront receives an end-user request, the requested path is compared with path patterns in the order in which cache behaviors are listed in the distribution. The first match determines which cache behavior is applied to that request. Path patterns support wildcard matching: `*` and `?`. Path patterns are case-sensitive, and support the following characters: a-z, A-Z, 0-9, `_-.*$/~"'@:+'"`, & (as `&`).
(Required) `target_origin` - The ID of existing origin or origin group that you want CloudFront to route requests to when a request matches the path pattern for the behavior.
(Optional) `compression_enabled` - Whether you want CloudFront to automatically compress content for web requests that include `Accept-Encoding: gzip` in the request header. Defaults to `true`.
(Optional) `smooth_streaming_enabled` - Whether to distribute media files in Microsoft Smooth Streaming format and you do not have an IIS server. Set `false` if your origin is configured to use Microsoft IIS for Smooth Streaming. Defaults to `false`.
(Optional) `field_level_encryption_configuration` - The ID of field-level encryption configuration. To associate a field-level encryption configuration with a cache behavior, the distribution must be configured to always use HTTPS, and to accept HTTP POST and PUT requests from viewers.
(Optional) `realtime_log_configuration` -The ARN of real-time log configuration for the behavior. Real-time logs are delivered to the data stream in Amazon Kinesis Data Streams.
(Optional) `viewer_protocol_policy` - The protocol policy that viewers can use to access the contents in CloudFront edge locations. Valid values are `ALLOW_ALL`, `HTTPS_ONLY`, and `REDIRECT_TO_HTTPS`. Defaults to `REDIRECT_TO_HTTPS`.
(Optional) `allowed_http_methods` - A list of HTTP methods to allow. Controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or your custom origin. Valid values are `["GET", "HEAD"]` or `["GET", "HEAD", "OPTIONS"]`. Defaults to `["GET", "HEAD"]`.`GET`, `HEAD`, `OPTIONS`, `PUT`, `POST`, `PATCH` and `DELETE`. Defaults to `GET` and `HEAD`.
(Optional) `cached_http_methods` - A list of HTTP methods to cache. Controls whether CloudFront caches the response to requests using the specified HTTP methods. Valid values are `["GET", "HEAD"]` or `["GET", "HEAD", "OPTIONS"]`. Defaults to `["GET", "HEAD"]`.
(Optional) `cache_policy` - The ID of the cache policy that you want to attach to the behavior of the distribution.
(Optional) `origin_request_policy` - The ID of the origin request policy that you want to attach to the behavior of the distribution.
(Optional) `response_headers_policy` - The ID of the response headers policy that you want to attach to the behavior of the distribution.
(Optional) `cache_ttl` - The configuration for cache TTL(Time-to-Live) values of the behavior. `cache_ttl` block as defined below.
(Required) `min` - The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated.
(Required) `default` - The default amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request in the absence of an `Cache-Control max-age` or `Expires` header.
(Required) `max` - The maximum amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated. Only effective in the presence of `Cache-Control max-age`, `Cache-Control s-maxage`, and `Expires` headers.
(Optional) `function_associations` - The configuration for function associations to event of the CloudFront distribution. You can configure a Lambda@Edge function or CloudFront function. Each key means the CloudFront event. Supported CloudFront events are `VIEWER_REQUEST`, `ORIGIN_REQUEST`, `ORIGIN_RESPONSE`, and `VIEWER_RESPONSE`. Each value of `default_function_associtaions` as defined below.
(Required) `type` - The type of associated function. Valid values are `LAMBDA_EDGE` and `CLOUDFRONT`.
(Required) `function` - The ARN of the CloudFront function or the Lambda@Edge function.
(Optional) `include_body` - Whether to expose the request body to the Lambda@Edge function. Only valid when `type` is `LAMBDA_EDGE` on `VIEWER_REQUEST` and `ORIGIN_REQUEST` events. Defaults to `false`. | `any` | `[]` | no | +| [ordered\_behaviors](#input\_ordered\_behaviors) | (Optional) An ordered list of ordered bahaviors for the distribution. Each block of `ordered_behaviors` as defined below.
(Required) `path_pattern` - The pattern that specifies which requests you want this cache behavior to apply to. When CloudFront receives an end-user request, the requested path is compared with path patterns in the order in which cache behaviors are listed in the distribution. The first match determines which cache behavior is applied to that request. Path patterns support wildcard matching: `*` and `?`. Path patterns are case-sensitive, and support the following characters: a-z, A-Z, 0-9, `_-.*$/~"'@:+'"`, & (as `&`).
(Required) `target_origin` - The ID of existing origin or origin group that you want CloudFront to route requests to when a request matches the path pattern for the behavior.
(Optional) `compression_enabled` - Whether you want CloudFront to automatically compress content for web requests that include `Accept-Encoding: gzip` in the request header. Defaults to `true`.
(Optional) `smooth_streaming_enabled` - Whether to distribute media files in Microsoft Smooth Streaming format and you do not have an IIS server. Set `false` if your origin is configured to use Microsoft IIS for Smooth Streaming. Defaults to `false`.
(Optional) `field_level_encryption_configuration` - The ID of field-level encryption configuration. To associate a field-level encryption configuration with a cache behavior, the distribution must be configured to always use HTTPS, and to accept HTTP POST and PUT requests from viewers.
(Optional) `realtime_log_configuration` -The ARN of real-time log configuration for the behavior. Real-time logs are delivered to the data stream in Amazon Kinesis Data Streams.
(Optional) `viewer_protocol_policy` - The protocol policy that viewers can use to access the contents in CloudFront edge locations. Valid values are `ALLOW_ALL`, `HTTPS_ONLY`, and `REDIRECT_TO_HTTPS`. Defaults to `REDIRECT_TO_HTTPS`.
(Optional) `allowed_http_methods` - A list of HTTP methods to allow. Controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or your custom origin. Valid values are `["GET", "HEAD"]` , `["GET", "HEAD", "OPTIONS"]`, or `["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]`. Defaults to `["GET", "HEAD"]`.
(Optional) `cached_http_methods` - A list of HTTP methods to cache. Controls whether CloudFront caches the response to requests using the specified HTTP methods. Valid values are `["GET", "HEAD"]` or `["GET", "HEAD", "OPTIONS"]`. Defaults to `["GET", "HEAD"]`.
(Optional) `cache_policy` - The ID of the cache policy that you want to attach to the behavior of the distribution.
(Optional) `origin_request_policy` - The ID of the origin request policy that you want to attach to the behavior of the distribution.
(Optional) `response_headers_policy` - The ID of the response headers policy that you want to attach to the behavior of the distribution.
(Optional) `legacy_cache_config` - The legacy cache configuration for the behavior of the distribution. Recommend using a cache policy and origin request policy to control the cache key and origin requests. `legacy_cache_config` block as defined below.
(Opitonal) `enabled` - Whether to enable legacy cache configuration. Defaults to `false`.
(Optional) `min_ttl` - The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated. Defaults to `0`.
(Optional) `default_ttl` - The default amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request in the absence of an `Cache-Control max-age` or `Expires` header. Defaults to `86400`.
(Optional) `max_ttl` - The maximum amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated. Only effective in the presence of `Cache-Control max-age`, `Cache-Control s-maxage`, and `Expires` headers. Defaults to `31536000`.
(Optional) `forwarding_cookies` - A configuration for specifying which cookies in viewer requests to be forwarded in the origin requests. `forwarding_cookies` as defined below.
(Required) `behavior` - Determine whether any cookies in viewer requests are forwarded in the origin requests. Valid values are `NONE`, `WHITELIST` and `ALL`. Defaults to `NONE`.
(Optional) `items` - A list of cookie names. It only takes effect when `behavior` is `WHITELIST`.
(Optional) `forwarding_headers` - A configuration for specifying which headers in viewer requests to be forwarded in the origin requests. `forwarding_headers` as defined below.
(Required) `behavior` - Determine whether any headers in viewer requests are forwarded in the origin requests. Valid values are `NONE`, `WHITELIST` and `ALL`. Defaults to `NONE`.
(Optional) `items` - A list of header names. It only takes effect when `behavior` is `WHITELIST`.
(Optional) `forwarding_query_strings` - A configuration for specifying which query strings in viewer requests to be forwarded in the origin requests. `forwarding_query_strings` as defined below.
(Required) `behavior` - Determine whether any query strings in viewer requests are forwarded in the origin requests. Valid values are `NONE`, `WHITELIST`, `ALL`. Defaults to `NONE`.
(Optional) `items` - A list of query string names. It only takes effect when `behavior` is `WHITELIST`.
(Optional) `function_associations` - The configuration for function associations to event of the CloudFront distribution. You can configure a Lambda@Edge function or CloudFront function. Each key means the CloudFront event. Supported CloudFront events are `VIEWER_REQUEST`, `ORIGIN_REQUEST`, `ORIGIN_RESPONSE`, and `VIEWER_RESPONSE`. Each value of `default_function_associtaions` as defined below.
(Required) `type` - The type of associated function. Valid values are `LAMBDA_EDGE` and `CLOUDFRONT`.
(Required) `function` - The ARN of the CloudFront function or the Lambda@Edge function.
(Optional) `include_body` - Whether to expose the request body to the Lambda@Edge function. Only valid when `type` is `LAMBDA_EDGE` on `VIEWER_REQUEST` and `ORIGIN_REQUEST` events. Defaults to `false`. |
list(object({
path_pattern = string
target_origin = string

compression_enabled = optional(bool, true)
smooth_streaming_enabled = optional(bool, false)

field_level_encryption_configuration = optional(string)
realtime_log_configuration = optional(string)

viewer_protocol_policy = optional(string, "REDIRECT_TO_HTTPS")
allowed_http_methods = optional(set(string), ["GET", "HEAD"])
cached_http_methods = optional(set(string), ["GET", "HEAD"])

cache_policy = optional(string)
origin_request_policy = optional(string)
response_headers_policy = optional(string)

legacy_cache_config = optional(object({
enabled = optional(bool, false)
min_ttl = optional(number, 0)
default_ttl = optional(number, 86400)
max_ttl = optional(number, 31536000)

forwarding_cookies = optional(object({
behavior = optional(string, "NONE")
items = optional(set(string), [])
}), {})
forwarding_headers = optional(object({
behavior = optional(string, "NONE")
items = optional(set(string), [])
}), {})
forwarding_query_strings = optional(object({
behavior = optional(string, "NONE")
items = optional(set(string), [])
}), {})
}), {})

function_associations = optional(map(object({
type = string
function = string
include_body = optional(bool, false)
})), {})
}))
| `[]` | no | | [origin\_groups](#input\_origin\_groups) | (Optional) A configuration for origin groups of the distribution. Each key defines a name of each origin group. Each value of `origin_groups` as defined below.
(Required) `primary_origin` - The ID of Primary Origin.
(Required) `secondary_origin` - The ID of Secondary Origin.
(Required) `failover_status_codes` - A list of HTTP status codes for when to failover to the secondary origin. |
map(object({
primary_origin = string
secondary_origin = string
failover_status_codes = set(number)
}))
| `{}` | no | | [price\_class](#input\_price\_class) | (Optional) The price class for this distribution. Valid values are `ALL`, `200` or `100`. Defaults to `ALL`. | `string` | `"ALL"` | no | | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | | [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | | [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [restriction\_locations](#input\_restriction\_locations) | (Optional) A list of the ISO 3166-1-alpha-2 codes for which you want CloudFront either to distribute your content (`WHITELIST`) or not distribute your content (`BLACKLIST`). | `set(string)` | `[]` | no | -| [restriction\_type](#input\_restriction\_type) | (Optional) The method that you want to use to restrict distribution of the content by country. Valid values are `NONE`, `WHITELIST` or `BLACKLIST`. Defaults to `NONE` | `string` | `"NONE"` | no | | [retain\_on\_deletion\_enabled](#input\_retain\_on\_deletion\_enabled) | (Optional) Disable the distribution instead of deleting it when destroying the resource through Terraform. If this is `true`, the distribution needs to be deleted manually afterwards. Defaults to `false`. | `bool` | `false` | no | | [root\_object](#input\_root\_object) | (Optional) The object (file name) to return when a viewer requests the root URL(/) instead of a specific object. | `string` | `""` | no | -| [s3\_origins](#input\_s3\_origins) | (Optional) A configuration for S3 origins of the distribution. Each key defines a name of each S3 origin. Each value of `s3_origins` as defined below.
(Required) `host` - The DNS domain name of either the S3 bucket.
(Optional) `path` - The URL path to append to `host` which the origin domain name for origin requests. Enter the directory path, beginning with a slash (/). Do not add a slash (/) at the end of the path.
(Optional) `custom_headers` - A map of custom HTTP headers to include in all requests to the origin. Each key/value is mapping to HTTP header `name`/`value`.
(Optional) `origin_shield` - Origin Shield is an additional caching layer that can help reduce the load on your origin and help protect its availability. `origin_shield` block as defined below.
(Required) `enabled` - Whether to enable Origin Shield. Defaults to `false`.
(Required) `region` - The AWS Region for Origin Shield. To specify a region. For example, specify the US East (Ohio) region as `us-east-2`.
(Optional) `connection_attempts` - The number of times that CloudFront attempts to connect to the origin, from `1` to `3`. Defaults to `3`.
(Optional) `connection_timeout` - The number of seconds that CloudFront waits for a response from the origin, from `1` to `10`. Defaults to `10`. | `any` | `{}` | no | +| [s3\_origins](#input\_s3\_origins) | (Optional) A configuration for S3 origins of the distribution. Each key defines a name of each S3 origin. Each value of `s3_origins` as defined below.
(Required) `host` - The DNS domain name of either the S3 bucket.
(Optional) `path` - The URL path to append to `host` which the origin domain name for origin requests. Enter the directory path, beginning with a slash (/). Do not add a slash (/) at the end of the path.
(Optional) `custom_headers` - A map of custom HTTP headers to include in all requests to the origin. Each key/value is mapping to HTTP header `name`/`value`.
(Optional) `origin_shield` - Origin Shield is an additional caching layer that can help reduce the load on your origin and help protect its availability. `origin_shield` block as defined below.
(Required) `enabled` - Whether to enable Origin Shield. Defaults to `false`.
(Required) `region` - The AWS Region for Origin Shield. To specify a region. For example, specify the US East (Ohio) region as `us-east-2`.
(Optional) `connection_attempts` - The number of times that CloudFront attempts to connect to the origin, from `1` to `3`. Defaults to `3`.
(Optional) `connection_timeout` - The number of seconds that CloudFront waits for a response from the origin, from `1` to `10`. Defaults to `10`. |
map(object({
host = string
path = optional(string)
custom_headers = optional(map(string), {})
origin_shield = optional(object({
enabled = bool
region = string
}))
connection_attempts = optional(number, 3)
connection_timeout = optional(number, 10)
}))
| `{}` | no | | [ssl\_certificate](#input\_ssl\_certificate) | (Optional) The ARN of the AWS Certificate Manager certificate to use with this distribution if `ssl_certificate_provider` is `ACM`. The ACM certificate must be in `us-east-1`. The ID of IAM certificate to use with this distribution if `ssl_certificate_provider` is `IAM`. Can only be set if `ssl_certificate_provider` is not `CLOUDFRONT`. | `string` | `null` | no | | [ssl\_certificate\_provider](#input\_ssl\_certificate\_provider) | (Optional) The provider of SSL certificate for the distribution. Valid values are `CLOUDFRONT`, `ACM` or `IAM`. Defaults to `CLOUDFRONT`.
`CLOUDFRONT` - Associate a certificate from CloudFront. The distribution must use the CloudFront domain name.
`ACM` - Associate a certificate from AWS Certificate Manager. The certificate must be in the US East (N. Virginia) Region (us-east-1).

`IAM` - Associate a certificate from AWS IAM. | `string` | `"CLOUDFRONT"` | no | | [ssl\_security\_policy](#input\_ssl\_security\_policy) | (Optional) The security policy determines the SSL or TLS protocol and the specific ciphers that CloudFront uses for HTTPS connections with viewers (clients). Only `SSLv3` or `TLSv1` can be specified if `ssl_support_method` is `VIP`. Can only be set if `ssl_certificate_provider` is not `CLOUDFRONT`. Defaults to `TLSv1`. | `string` | `"TLSv1"` | no | @@ -96,6 +83,7 @@ This module creates following resources. | [enabled](#output\_enabled) | Whether the distribution is enabled to accept end user requests for content. | | [error\_responses](#output\_error\_responses) | The configuration of custom error responses for the distribution. | | [etag](#output\_etag) | The current version of the distribution's information. For example: `E2QWRUHAPOMQZL`. | +| [geographic\_restriction](#output\_geographic\_restriction) | The configuration for CloudFront geographic restrictions.
`type` - The method to restrict distribution of the content by country.
`countries` - A list of the ISO 3166-1-alpha-2 codes of countries to distribute or not distribute the content. | | [http\_version](#output\_http\_version) | The supported maximum HTTP version of the distribution. | | [id](#output\_id) | The identifier for the CloudFront distribution. For example: `EDFDVBD632BHDS5`. | | [ipv6\_enabled](#output\_ipv6\_enabled) | Whether the IPv6 is enabled for the distribution. | @@ -107,7 +95,6 @@ This module creates following resources. | [origin\_groups](#output\_origin\_groups) | The configuration for origin groups of the distribution. | | [origins](#output\_origins) | The configuration for origins of the distribution. | | [price\_class](#output\_price\_class) | The price class for this distribution. | -| [restriction](#output\_restriction) | The restriction configuration for the distribution.
`type` - The method to restrict distribution of the content by country.
`locations` - A list of the ISO 3166-1-alpha-2 codes of countries to distribute or not distribute the content. | | [root\_object](#output\_root\_object) | The object (file name) to return when a viewer requests the root URL(/). | | [ssl](#output\_ssl) | The SSL/TLS configuration for the distribution.
`certificate_provider` - The provider of SSL certificate for the distribution. | | [status](#output\_status) | The current status of the distribution. `Deployed` if the distribution's information is fully propagated throughout the Amazon CloudFront system. | diff --git a/modules/distribution/main.tf b/modules/distribution/main.tf index 6826fcb..cf33809 100644 --- a/modules/distribution/main.tf +++ b/modules/distribution/main.tf @@ -84,6 +84,9 @@ resource "aws_cloudfront_origin_access_identity" "this" { # TODO # - `default_cache_behavior.trusted_key_groups` # - `ordered_cache_behavior.trusted_key_groups` +# - `continuous_deployment_policy_id` +# - `staging` +# - `origin.origin_access_control_id` resource "aws_cloudfront_distribution" "this" { aliases = var.aliases comment = var.description @@ -114,11 +117,11 @@ resource "aws_cloudfront_distribution" "this" { } - ## Restriction + ## Geographic Restriction restrictions { geo_restriction { - restriction_type = lower(var.restriction_type) - locations = var.restriction_locations + restriction_type = lower(var.geographic_restriction.type) + locations = var.geographic_restriction.countries } } @@ -143,13 +146,13 @@ resource "aws_cloudfront_distribution" "this" { content { origin_id = s3.key domain_name = s3.value.host - origin_path = try(s3.value.path, null) + origin_path = s3.value.path - connection_attempts = try(s3.value.connection_attempts, null) - connection_timeout = try(s3.value.connection_timeout, null) + connection_attempts = s3.value.connection_attempts + connection_timeout = s3.value.connection_timeout dynamic "custom_header" { - for_each = try(s3.value.custom_headers, {}) + for_each = s3.value.custom_headers content { name = custom_header.key @@ -158,7 +161,7 @@ resource "aws_cloudfront_distribution" "this" { } dynamic "origin_shield" { - for_each = try(s3.value.origin_shield.enabled, false) ? [s3.value.origin_shield] : [] + for_each = s3.value.origin_shield != null ? [s3.value.origin_shield] : [] content { enabled = origin_shield.value.enabled @@ -180,13 +183,13 @@ resource "aws_cloudfront_distribution" "this" { content { origin_id = custom.key domain_name = custom.value.host - origin_path = try(custom.value.path, null) + origin_path = custom.value.path - connection_attempts = try(custom.value.connection_attempts, null) - connection_timeout = try(custom.value.connection_timeout, null) + connection_attempts = custom.value.connection_attempts + connection_timeout = custom.value.connection_timeout dynamic "custom_header" { - for_each = try(custom.value.custom_headers, {}) + for_each = custom.value.custom_headers content { name = custom_header.key @@ -195,7 +198,7 @@ resource "aws_cloudfront_distribution" "this" { } dynamic "origin_shield" { - for_each = try(custom.value.origin_shield.enabled, false) ? [custom.value.origin_shield] : [] + for_each = custom.value.origin_shield != null ? [custom.value.origin_shield] : [] content { enabled = origin_shield.value.enabled @@ -204,19 +207,13 @@ resource "aws_cloudfront_distribution" "this" { } custom_origin_config { - http_port = try(custom.value.http_port, 80) - https_port = try(custom.value.https_port, 443) - origin_protocol_policy = try( - local.origin_protocol_policy[custom.value.protocol_policy], - local.origin_protocol_policy["MATCH_VIEWER"] - ) - origin_ssl_protocols = try( - local.origin_ssl_security_policy[custom.value.ssl_security_policy], - local.origin_ssl_security_policy["TLSv1.1"] - ) + http_port = custom.value.http_port + https_port = custom.value.https_port + origin_protocol_policy = local.origin_protocol_policy[custom.value.protocol_policy] + origin_ssl_protocols = local.origin_ssl_security_policy[custom.value.ssl_security_policy] - origin_keepalive_timeout = try(custom.value.keepalive_timeout, null) - origin_read_timeout = try(custom.value.response_timeout, null) + origin_keepalive_timeout = custom.value.keepalive_timeout + origin_read_timeout = custom.value.response_timeout } } } @@ -245,31 +242,31 @@ resource "aws_cloudfront_distribution" "this" { ## Default Behavior default_cache_behavior { - target_origin_id = var.default_target_origin + target_origin_id = var.default_behavior.target_origin - compress = var.default_compression_enabled - smooth_streaming = var.default_smooth_streaming_enabled + compress = var.default_behavior.compression_enabled + smooth_streaming = var.default_behavior.smooth_streaming_enabled - field_level_encryption_id = (var.default_viewer_protocol_policy == "HTTPS_ONLY" && contains(var.default_allowed_http_methods, "POST") && contains(var.default_allowed_http_methods, "PUT") - ? var.default_field_level_encryption_configuration + field_level_encryption_id = (var.default_behavior.viewer_protocol_policy == "HTTPS_ONLY" && contains(var.default_behavior.allowed_http_methods, "POST") && contains(var.default_behavior.allowed_http_methods, "PUT") + ? var.default_behavior.field_level_encryption_configuration : null ) - realtime_log_config_arn = var.default_realtime_log_configuration + realtime_log_config_arn = var.default_behavior.realtime_log_configuration # Viewer - viewer_protocol_policy = local.viewer_protocol_policy[var.default_viewer_protocol_policy] - allowed_methods = var.default_allowed_http_methods - cached_methods = var.default_cached_http_methods + viewer_protocol_policy = local.viewer_protocol_policy[var.default_behavior.viewer_protocol_policy] + allowed_methods = var.default_behavior.allowed_http_methods + cached_methods = var.default_behavior.cached_http_methods # Policies - cache_policy_id = var.default_cache_policy - origin_request_policy_id = var.default_origin_request_policy - response_headers_policy_id = var.default_response_headers_policy + cache_policy_id = var.default_behavior.cache_policy + origin_request_policy_id = var.default_behavior.origin_request_policy + response_headers_policy_id = var.default_behavior.response_headers_policy # Function Associations dynamic "lambda_function_association" { for_each = { - for event, f in try(var.default_function_associations, {}) : + for event, f in var.default_behavior.function_associations : event => f if contains(keys(local.cloudfront_events), event) && f.type == "LAMBDA_EDGE" } @@ -279,12 +276,12 @@ resource "aws_cloudfront_distribution" "this" { event_type = local.cloudfront_events[lambda.key] lambda_arn = lambda.value.function - include_body = try(lambda.value.include_body, false) + include_body = lambda.value.include_body } } dynamic "function_association" { for_each = { - for event, f in try(var.default_function_associations, {}) : + for event, f in var.default_behavior.function_associations : event => f if contains(["VIEWER_REQUEST", "VIEWER_RESPONSE"], event) && f.type == "CLOUDFRONT" } @@ -297,30 +294,39 @@ resource "aws_cloudfront_distribution" "this" { } # Cache Key & Origin Requests (Legacy) - min_ttl = (var.default_cache_policy == null - ? try(var.default_cache_ttl.min, 0) + min_ttl = (var.default_behavior.legacy_cache_config.enabled + ? var.default_behavior.legacy_cache_config.min_ttl : null ) - default_ttl = (var.default_cache_policy == null - ? try(var.default_cache_ttl.default, 0) + default_ttl = (var.default_behavior.legacy_cache_config.enabled + ? var.default_behavior.legacy_cache_config.default_ttl : null ) - max_ttl = (var.default_cache_policy == null - ? try(var.default_cache_ttl.max, 0) + max_ttl = (var.default_behavior.legacy_cache_config.enabled + ? var.default_behavior.legacy_cache_config.max_ttl : null ) dynamic "forwarded_values" { - for_each = var.default_cache_policy == null ? ["go"] : [] + for_each = var.default_behavior.legacy_cache_config.enabled ? [var.default_behavior.legacy_cache_config] : [] + iterator = config content { - headers = [] - query_string = true - cookies { - forward = "none" - whitelisted_names = [] + forward = lower(config.forwarding_cookies.behavior) + whitelisted_names = config.value.forwarding_cookies.items } + + headers = (config.value.forwarding_query_strings.behavior == "ALL" + ? ["*"] + : config.value.forwarding_query_strings.items + ) + + query_string = contains(["ALL", "WHITELIST"], config.value.forwarding_query_strings.behavior) + query_string_cache_keys = (config.value.forwarding_query_strings.behavior == "ALL" + ? null + : config.value.forwarding_query_strings.items + ) } } } @@ -335,32 +341,29 @@ resource "aws_cloudfront_distribution" "this" { path_pattern = behavior.value.path_pattern target_origin_id = behavior.value.target_origin - compress = try(behavior.value.compression_enabled, true) - smooth_streaming = try(behavior.value.smooth_streaming_enabled, false) + compress = behavior.value.compression_enabled + smooth_streaming = behavior.value.smooth_streaming_enabled - # Viewer - viewer_protocol_policy = try( - local.viewer_protocol_policy[behavior.value.viewer_protocol_policy], - local.viewer_protocol_policy["REDIRECT_TO_HTTPS"], - ) - allowed_methods = try( - toset(behavior.value.allowed_http_methods), - toset(["GET", "HEAD"]) - ) - cached_methods = try( - toset(behavior.value.cached_http_methods), - toset(["GET", "HEAD"]) + field_level_encryption_id = (behavior.value.viewer_protocol_policy == "HTTPS_ONLY" && contains(behavior.value.allowed_http_methods, "POST") && contains(behavior.value.allowed_http_methods, "PUT") + ? behavior.value.field_level_encryption_configuration + : null ) + realtime_log_config_arn = behavior.value.realtime_log_configuration + + # Viewer + viewer_protocol_policy = local.viewer_protocol_policy[behavior.value.viewer_protocol_policy] + allowed_methods = behavior.value.allowed_http_methods + cached_methods = behavior.value.cached_http_methods # Policies - cache_policy_id = try(behavior.value.cache_policy, null) - origin_request_policy_id = try(behavior.value.origin_request_policy, null) - response_headers_policy_id = try(behavior.value.response_headers_policy, null) + cache_policy_id = behavior.value.cache_policy + origin_request_policy_id = behavior.value.origin_request_policy + response_headers_policy_id = behavior.value.response_headers_policy # Function Associations dynamic "lambda_function_association" { for_each = { - for event, f in try(behavior.value.function_associations, {}) : + for event, f in behavior.value.function_associations : event => f if contains(keys(local.cloudfront_events), event) && f.type == "LAMBDA_EDGE" } @@ -370,12 +373,12 @@ resource "aws_cloudfront_distribution" "this" { event_type = local.cloudfront_events[lambda.key] lambda_arn = lambda.value.function - include_body = try(lambda.value.include_body, false) + include_body = lambda.value.include_body } } dynamic "function_association" { for_each = { - for event, f in try(behavior.value.function_associations, {}) : + for event, f in behavior.value.function_associations : event => f if contains(["VIEWER_REQUEST", "VIEWER_RESPONSE"], event) && f.type == "CLOUDFRONT" } @@ -388,30 +391,39 @@ resource "aws_cloudfront_distribution" "this" { } # Cache Key & Origin Requests (Legacy) - min_ttl = (behavior.value.cache_policy == null - ? try(behavior.cache_ttl.min, 0) + min_ttl = (behavior.value.legacy_cache_config.enabled + ? behavior.legacy_cache_config.min_ttl : null ) - default_ttl = (behavior.value.cache_policy == null - ? try(behavior.cache_ttl.default, 0) + default_ttl = (behavior.value.legacy_cache_config.enabled + ? behavior.legacy_cache_config.default_ttl : null ) - max_ttl = (behavior.value.cache_policy == null - ? try(behavior.cache_ttl.max, 0) + max_ttl = (behavior.value.legacy_cache_config.enabled + ? behavior.legacy_cache_config.max_ttl : null ) dynamic "forwarded_values" { - for_each = behavior.value.cache_policy == null ? ["go"] : [] + for_each = behavior.value.legacy_cache_config.enabled ? [behavior.value.legacy_cache_config] : [] + iterator = config content { - headers = [] - query_string = true - cookies { - forward = "none" - whitelisted_names = [] + forward = lower(config.forwarding_cookies.behavior) + whitelisted_names = config.value.forwarding_cookies.items } + + headers = (config.value.forwarding_query_strings.behavior == "ALL" + ? ["*"] + : config.value.forwarding_query_strings.items + ) + + query_string = contains(["ALL", "WHITELIST"], config.value.forwarding_query_strings.behavior) + query_string_cache_keys = (config.value.forwarding_query_strings.behavior == "ALL" + ? null + : config.value.forwarding_query_strings.items + ) } } } diff --git a/modules/distribution/outputs.tf b/modules/distribution/outputs.tf index 27b3e5f..83c96d6 100644 --- a/modules/distribution/outputs.tf +++ b/modules/distribution/outputs.tf @@ -91,15 +91,15 @@ output "error_responses" { } } -output "restriction" { +output "geographic_restriction" { description = <= 1024 && origin.https_port <= 65535 ]) ]) - if(try(origin.http_port, null) != null) || (try(origin.https_port, null) != null) ]) error_message = "Valid values for ports include `80`, `443`, and `1024` to `65535`." } @@ -256,7 +282,6 @@ variable "custom_origins" { condition = alltrue([ for origin in var.custom_origins : contains(["HTTP_ONLY", "HTTPS_ONLY", "MATCH_VIEWER"], origin.protocol_policy) - if try(origin.protocol_policy, null) != null ]) error_message = "Valid values for `protocol_policy` are `HTTP_ONLY`, `HTTPS_ONLY`, and `MATCH_VIEWER`." } @@ -265,7 +290,6 @@ variable "custom_origins" { condition = alltrue([ for origin in var.custom_origins : contains(["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"], origin.ssl_security_policy) - if try(origin.ssl_security_policy, null) != null ]) error_message = "Valid values for `ssl_security_policy` are `SSLv3`, `TLSv1`, `TLSv1.1`, and `TLSv1.2`." } @@ -306,136 +330,116 @@ variable "origin_groups" { } } -variable "default_target_origin" { - description = "(Required) The ID of existing origin or origin group that you want CloudFront to route requests to when a request matches the path pattern for the default behavior." - type = string - nullable = false -} - -variable "default_compression_enabled" { - description = "(Optional) Whether you want CloudFront to automatically compress content for web requests that include `Accept-Encoding: gzip` in the request header. Defaults to `true`." - type = bool - default = true - nullable = false -} - -variable "default_smooth_streaming_enabled" { - description = "(Optional) Whether to distribute media files in Microsoft Smooth Streaming format and you do not have an IIS server. Set `false` if your origin is configured to use Microsoft IIS for Smooth Streaming. Defaults to `false`." - type = bool - default = false - nullable = false -} - -variable "default_field_level_encryption_configuration" { - description = "(Optional) The ID of field-level encryption configuration. To associate a field-level encryption configuration with a cache behavior, the distribution must be configured to always use HTTPS, and to accept HTTP POST and PUT requests from viewers." - type = string - default = null -} - -variable "default_realtime_log_configuration" { - description = "(Optional) The ARN of real-time log configuration for the default behavior. Real-time logs are delivered to the data stream in Amazon Kinesis Data Streams." - type = string - default = null -} - -variable "default_viewer_protocol_policy" { - description = "(Optional) The protocol policy that viewers can use to access the contents in CloudFront edge locations when a request does not matches any path patttern in ordered behaviors. Valid values are `ALLOW_ALL`, `HTTPS_ONLY`, and `REDIRECT_TO_HTTPS`. Defaults to `REDIRECT_TO_HTTPS`." - type = string - default = "REDIRECT_TO_HTTPS" - nullable = false - - validation { - condition = contains(["ALLOW_ALL", "HTTPS_ONLY", "REDIRECT_TO_HTTPS"], var.default_viewer_protocol_policy) - error_message = "Valid values are `ALLOW_ALL`, `HTTPS_ONLY`, `REDIRECT_TO_HTTPS`." - } -} - -variable "default_allowed_http_methods" { +variable "default_behavior" { description = <