module "this_label" {
source = "git::github.com/xoap-io/terraform-aws-misc-label?ref=v0.1.1"
context = var.context
attributes = ["hosting", var.site_name]
}
module "bucket" {
source = "git::github.com/xoap-io/terraform-aws-storage-s3.git?ref=v0.1.3"
context = var.context
name = var.site_name
website_enabled = true
error_document = var.error_document
index_document = var.index_document
routing_rules = var.routing_rules
cors_allowed_methods = var.cors_allowed_methods
cors_allowed_origins = var.cors_allowed_origins
cors_allowed_header = var.cors_allowed_headers
cors_exposed_header = var.cors_expose_headers
kms_arn = ""
logging_bucket = ""
disable_public_access = false
}
resource "aws_cloudfront_cache_policy" "this" {
name = module.this_label.id
min_ttl = var.cf_min_ttl
default_ttl = var.cf_default_ttl
max_ttl = var.cf_max_ttl
parameters_in_cache_key_and_forwarded_to_origin {
enable_accept_encoding_gzip = true
enable_accept_encoding_brotli = true
cookies_config {
cookie_behavior = var.cf_max_ttl == 0 ? "none" : "all"
}
headers_config {
header_behavior = "none"
}
query_strings_config {
query_string_behavior = "none"
}
}
}
resource "aws_cloudfront_origin_request_policy" "this" {
name = module.this_label.id
cookies_config {
cookie_behavior = "all"
}
headers_config {
header_behavior = "none"
}
query_strings_config {
query_string_behavior = "all"
}
}
resource "aws_cloudfront_response_headers_policy" "this" {
name = module.this_label.id
cors_config {
access_control_allow_credentials = false
access_control_allow_headers {
items = var.cors_allowed_headers
}
access_control_allow_methods {
items = concat(var.cors_allowed_methods, ["OPTIONS"])
}
access_control_allow_origins {
items = var.cors_allowed_origins
}
origin_override = true
}
}
# CloudFront distribution in front of the website bucket.
# The tfsec suppression below appears to cover the "logging enabled" check;
# logging_config is commented out at the bottom of this block, so that finding
# is suppressed rather than resolved.
#tfsec:ignore:AWS045
resource "aws_cloudfront_distribution" "this" {
  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = var.default_root_object
  aliases             = var.cloudfront_aliases
  price_class         = var.cf_price_class

  # Origin: the S3 *website* endpoint, which only speaks HTTP. Traffic between
  # CloudFront and the bucket is therefore unencrypted; origin_ssl_protocols is
  # required by the provider schema but has no effect with "http-only".
  origin {
    origin_id   = var.s3_origin_id
    domain_name = module.bucket.website_endpoint
    origin_path = var.origin_path

    custom_origin_config {
      origin_protocol_policy = "http-only"
      http_port              = 80
      https_port             = 443
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id = var.s3_origin_id
    allowed_methods  = var.allowed_methods
    cached_methods   = var.cached_methods
    compress         = true

    # Viewer-side TLS policy is caller-controlled; "redirect-to-https" or
    # "https-only" is the usual choice for a public site.
    viewer_protocol_policy = var.viewer_protocol_policy

    cache_policy_id            = aws_cloudfront_cache_policy.this.id
    origin_request_policy_id   = aws_cloudfront_origin_request_policy.this.id
    response_headers_policy_id = aws_cloudfront_response_headers_policy.this.id
  }

  # Optional custom error pages; a null variable yields no blocks.
  dynamic "custom_error_response" {
    for_each = var.custom_error_response != null ? var.custom_error_response : []
    content {
      error_code         = custom_error_response.value.error_code
      response_code      = custom_error_response.value.response_code
      response_page_path = custom_error_response.value.response_page_path
    }
  }

  # ACM certificate for the aliases; the minimum viewer TLS version is
  # caller-supplied.
  viewer_certificate {
    acm_certificate_arn      = var.cloudfront_certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = var.minimum_tls_version
  }

  # No geo restriction and no web_acl_id: the distribution is reachable
  # worldwide with no WAF in front of it.
  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # Access logging is disabled; the previous wiring is kept for reference.
  # logging_config {
  #   bucket = data.aws_s3_bucket.logging.bucket_domain_name
  #   prefix = "${module.this_label.id}/"
  # }
}