Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 102 Commits
.github/workflows		.github/workflows
examples/complete		examples/complete
wrappers		wrappers
.editorconfig		.editorconfig
.gitignore		.gitignore
.pre-commit-config.yaml		.pre-commit-config.yaml
.releaserc.json		.releaserc.json
CHANGELOG.md		CHANGELOG.md
LICENSE		LICENSE
README.md		README.md
main.tf		main.tf
outputs.tf		outputs.tf
variables.tf		variables.tf
versions.tf		versions.tf

Repository files navigation

AWS CloudFront Terraform module

Terraform module which creates AWS CloudFront resources with all (or almost all) features provided by Terraform AWS provider.

Usage

CloudFront distribution with versioning enabled

module"cdn" {source="terraform-aws-modules/cloudfront/aws"aliases=["cdn.example.com"]comment="My awesome CloudFront"enabled=trueis_ipv6_enabled=trueprice_class="PriceClass_All"retain_on_delete=falsewait_for_deployment=falsecreate_origin_access_identity=trueorigin_access_identities={    s3_bucket_one="My awesome CloudFront can access"  }logging_config={    bucket="logs-my-cdn.s3.amazonaws.com"  }origin={    something= {      domain_name="something.example.com"      custom_origin_config= {        http_port=80        https_port=443        origin_protocol_policy="match-viewer"        origin_ssl_protocols= ["TLSv1","TLSv1.1","TLSv1.2"]      }    }    s3_one= {      domain_name="my-s3-bycket.s3.amazonaws.com"      s3_origin_config= {        origin_access_identity="s3_bucket_one"      }    }  }default_cache_behavior={    target_origin_id="something"    viewer_protocol_policy="allow-all"    allowed_methods= ["GET","HEAD","OPTIONS"]    cached_methods= ["GET","HEAD"]    compress=true    query_string=true  }ordered_cache_behavior=[    {      path_pattern="/static/*"      target_origin_id="s3_one"      viewer_protocol_policy="redirect-to-https"      allowed_methods= ["GET","HEAD","OPTIONS"]      cached_methods= ["GET","HEAD"]      compress=true      query_string=true    }  ]viewer_certificate={    acm_certificate_arn="arn:aws:acm:us-east-1:135367859851:certificate/1032b155-22da-4ae0-9f69-e206f825458b"    ssl_support_method="sni-only"  }}

Examples

Complete - Complete example which creates AWS CloudFront distribution and integrates it with otherterraform-aws-modules to create additional resources: S3 buckets, Lambda Functions, CloudFront Functions, VPC Origins, ACM Certificate, Route53 Records.

Notes

Error: updating CloudFront Distribution (ETXXXXXXXXXXXX): InvalidArgument: The parameter ForwardedValues cannot be used when a cache policy is associated to the cache behavior.
- When defining a behavior inordered_cache_behavior anddefault_cache_behavior with a cache policy, you must specifyuse_forwarded_values = false.

ordered_cache_behavior = [{  path_pattern           = "/my/path"  target_origin_id       = "my-origin"  viewer_protocol_policy = "https-only"  allowed_methods        = ["GET", "HEAD"]  use_forwarded_values   = false  # AllViewerAndCloudFrontHeaders-2022-06  origin_request_policy_id = "33f36d7e-f396-46d9-90e0-52428a34d9dc"  # CachingDisabled  cache_policy_id          = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"}]

Requirements

Name	Version
terraform	>= 1.5.7
aws	>= 5.83

Providers

Name	Version
aws	>= 5.83

Modules

No modules.

Resources

Name	Type
aws_cloudfront_distribution.this	resource
aws_cloudfront_monitoring_subscription.this	resource
aws_cloudfront_origin_access_control.this	resource
aws_cloudfront_origin_access_identity.this	resource
aws_cloudfront_vpc_origin.this	resource
aws_cloudfront_cache_policy.this	data source
aws_cloudfront_origin_request_policy.this	data source
aws_cloudfront_response_headers_policy.this	data source

Inputs

Name	Description	Type	Default	Required
aliases	Extra CNAMEs (alternate domain names), if any, for this distribution.	`list(string)`	`null`	no
comment	Any comments you want to include about the distribution.	`string`	`null`	no
continuous_deployment_policy_id	Identifier of a continuous deployment policy. This argument should only be set on a production distribution.	`string`	`null`	no
create_distribution	Controls if CloudFront distribution should be created	`bool`	`true`	no
create_monitoring_subscription	If enabled, the resource for monitoring subscription will created.	`bool`	`false`	no
create_origin_access_control	Controls if CloudFront origin access control should be created	`bool`	`false`	no
create_origin_access_identity	Controls if CloudFront origin access identity should be created	`bool`	`false`	no
create_vpc_origin	If enabled, the resource for VPC origin will be created.	`bool`	`false`	no
custom_error_response	One or more custom error response elements	`any`	`{}`	no
default_cache_behavior	The default cache behavior for this distribution	`any`	`null`	no
default_root_object	The object that you want CloudFront to return (for example, index.html) when an end user requests the root URL.	`string`	`null`	no
enabled	Whether the distribution is enabled to accept end user requests for content.	`bool`	`true`	no
geo_restriction	The restriction configuration for this distribution (geo_restrictions)	`any`	`{}`	no
http_version	The maximum HTTP version to support on the distribution. Allowed values are http1.1, http2, http2and3, and http3. The default is http2.	`string`	`"http2"`	no
is_ipv6_enabled	Whether the IPv6 is enabled for the distribution.	`bool`	`null`	no
logging_config	The logging configuration that controls how logs are written to your distribution (maximum one).	`any`	`{}`	no
ordered_cache_behavior	An ordered list of cache behaviors resource for this distribution. List from top to bottom in order of precedence. The topmost cache behavior will have precedence 0.	`any`	`[]`	no
origin	One or more origins for this distribution (multiples allowed).	`any`	`null`	no
origin_access_control	Map of CloudFront origin access control	map(object({ name = optional(string) description = string origin_type = string signing_behavior = string signing_protocol = string }))	{ "s3": { "description": "", "origin_type": "s3", "signing_behavior": "always", "signing_protocol": "sigv4" } }	no
origin_access_identities	Map of CloudFront origin access identities (value as a comment)	`map(string)`	`{}`	no
origin_group	One or more origin_group for this distribution (multiples allowed).	`any`	`{}`	no
price_class	The price class for this distribution. One of PriceClass_All, PriceClass_200, PriceClass_100	`string`	`null`	no
realtime_metrics_subscription_status	A flag that indicates whether additional CloudWatch metrics are enabled for a given CloudFront distribution. Valid values are`Enabled` and`Disabled`.	`string`	`"Enabled"`	no
retain_on_delete	Disables the distribution instead of deleting it when destroying the resource through Terraform. If this is set, the distribution needs to be deleted manually afterwards.	`bool`	`false`	no
staging	Whether the distribution is a staging distribution.	`bool`	`false`	no
tags	A map of tags to assign to the resource.	`map(string)`	`null`	no
viewer_certificate	The SSL configuration for this distribution	`any`	{ "cloudfront_default_certificate": true, "minimum_protocol_version": "TLSv1" }	no
vpc_origin	Map of CloudFront VPC origin	map(object({ name = string arn = string http_port = number https_port = number origin_protocol_policy = string origin_ssl_protocols = object({ items = list(string) quantity = number }) }))	`{}`	no
vpc_origin_timeouts	Create, update, and delete timeout configurations for vpc origin	`map(string)`	`{}`	no
wait_for_deployment	If enabled, the resource will wait for the distribution status to change from InProgress to Deployed. Setting this to false will skip the process.	`bool`	`true`	no
web_acl_id	If you're using AWS WAF to filter CloudFront requests, the Id of the AWS WAF web ACL that is associated with the distribution. The WAF Web ACL must exist in the WAF Global (CloudFront) region and the credentials configuring this argument must have waf:GetWebACL permissions assigned. If using WAFv2, provide the ARN of the web ACL.	`string`	`null`	no

Outputs

Name	Description
cloudfront_distribution_arn	The ARN (Amazon Resource Name) for the distribution.
cloudfront_distribution_caller_reference	Internal value used by CloudFront to allow future updates to the distribution configuration.
cloudfront_distribution_domain_name	The domain name corresponding to the distribution.
cloudfront_distribution_etag	The current version of the distribution's information.
cloudfront_distribution_hosted_zone_id	The CloudFront Route 53 zone ID that can be used to route an Alias Resource Record Set to.
cloudfront_distribution_id	The identifier for the distribution.
cloudfront_distribution_in_progress_validation_batches	The number of invalidation batches currently in progress.
cloudfront_distribution_last_modified_time	The date and time the distribution was last modified.
cloudfront_distribution_status	The current status of the distribution. Deployed if the distribution's information is fully propagated throughout the Amazon CloudFront system.
cloudfront_distribution_tags	Tags of the distribution's
cloudfront_distribution_trusted_signers	List of nested attributes for active trusted signers, if the distribution is set up to serve private content with signed URLs
cloudfront_monitoring_subscription_id	The ID of the CloudFront monitoring subscription, which corresponds to the`distribution_id`.
cloudfront_origin_access_controls	The origin access controls created
cloudfront_origin_access_controls_ids	The IDS of the origin access identities created
cloudfront_origin_access_identities	The origin access identities created
cloudfront_origin_access_identity_iam_arns	The IAM arns of the origin access identities created
cloudfront_origin_access_identity_ids	The IDS of the origin access identities created
cloudfront_vpc_origin_ids	The IDS of the VPC origin created