Terraform module which creates AWS CloudFront resources with all (or almost all) features provided by Terraform AWS provider.
module "cdn" {
source = "terraform-aws-modules/cloudfront/aws"
aliases = ["cdn.example.com"]
comment = "My awesome CloudFront"
enabled = true
is_ipv6_enabled = true
price_class = "PriceClass_All"
retain_on_delete = false
wait_for_deployment = false
create_origin_access_identity = true
origin_access_identities = {
s3_bucket_one = "My awesome CloudFront can access"
}
logging_config = {
bucket = "logs-my-cdn.s3.amazonaws.com"
}
origin = {
something = {
domain_name = "something.example.com"
custom_origin_config = {
http_port = 80
https_port = 443
origin_protocol_policy = "match-viewer"
origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"]
}
}
s3_one = {
domain_name = "my-s3-bycket.s3.amazonaws.com"
s3_origin_config = {
origin_access_identity = "s3_bucket_one"
}
}
}
default_cache_behavior = {
target_origin_id = "something"
viewer_protocol_policy = "allow-all"
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD"]
compress = true
query_string = true
}
ordered_cache_behavior = [
{
path_pattern = "/static/*"
target_origin_id = "s3_one"
viewer_protocol_policy = "redirect-to-https"
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD"]
compress = true
query_string = true
}
]
viewer_certificate = {
acm_certificate_arn = "arn:aws:acm:us-east-1:135367859851:certificate/1032b155-22da-4ae0-9f69-e206f825458b"
ssl_support_method = "sni-only"
}
}
- Complete - Complete example which creates AWS CloudFront distribution and integrates it with other terraform-aws-modules to create additional resources: S3 buckets, Lambda Functions, CloudFront Functions, VPC Origins, ACM Certificate, Route53 Records.
Error: updating CloudFront Distribution (ETXXXXXXXXXXXX): InvalidArgument: The parameter ForwardedValues cannot be used when a cache policy is associated to the cache behavior.
- When defining a behavior in
ordered_cache_behavior
anddefault_cache_behavior
with a cache policy, you must specifyuse_forwarded_values = false
.
- When defining a behavior in
ordered_cache_behavior = [{
path_pattern = "/my/path"
target_origin_id = "my-origin"
viewer_protocol_policy = "https-only"
allowed_methods = ["GET", "HEAD"]
use_forwarded_values = false
# AllViewerAndCloudFrontHeaders-2022-06
origin_request_policy_id = "33f36d7e-f396-46d9-90e0-52428a34d9dc"
# CachingDisabled
cache_policy_id = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"
}]
Name | Version |
---|---|
terraform | >= 0.13.1 |
aws | >= 5.82 |
Name | Version |
---|---|
aws | >= 5.82 |
No modules.
Name | Type |
---|---|
aws_cloudfront_distribution.this | resource |
aws_cloudfront_monitoring_subscription.this | resource |
aws_cloudfront_origin_access_control.this | resource |
aws_cloudfront_origin_access_identity.this | resource |
aws_cloudfront_vpc_origin.this | resource |
aws_cloudfront_cache_policy.this | data source |
aws_cloudfront_origin_request_policy.this | data source |
aws_cloudfront_response_headers_policy.this | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
aliases | Extra CNAMEs (alternate domain names), if any, for this distribution. | list(string) |
null |
no |
comment | Any comments you want to include about the distribution. | string |
null |
no |
continuous_deployment_policy_id | Identifier of a continuous deployment policy. This argument should only be set on a production distribution. | string |
null |
no |
create_distribution | Controls if CloudFront distribution should be created | bool |
true |
no |
create_monitoring_subscription | If enabled, the resource for monitoring subscription will created. | bool |
false |
no |
create_origin_access_control | Controls if CloudFront origin access control should be created | bool |
false |
no |
create_origin_access_identity | Controls if CloudFront origin access identity should be created | bool |
false |
no |
create_vpc_origin | If enabled, the resource for VPC origin will be created. | bool |
false |
no |
custom_error_response | One or more custom error response elements | any |
{} |
no |
default_cache_behavior | The default cache behavior for this distribution | any |
null |
no |
default_root_object | The object that you want CloudFront to return (for example, index.html) when an end user requests the root URL. | string |
null |
no |
enabled | Whether the distribution is enabled to accept end user requests for content. | bool |
true |
no |
geo_restriction | The restriction configuration for this distribution (geo_restrictions) | any |
{} |
no |
http_version | The maximum HTTP version to support on the distribution. Allowed values are http1.1, http2, http2and3, and http3. The default is http2. | string |
"http2" |
no |
is_ipv6_enabled | Whether the IPv6 is enabled for the distribution. | bool |
null |
no |
logging_config | The logging configuration that controls how logs are written to your distribution (maximum one). | any |
{} |
no |
ordered_cache_behavior | An ordered list of cache behaviors resource for this distribution. List from top to bottom in order of precedence. The topmost cache behavior will have precedence 0. | any |
[] |
no |
origin | One or more origins for this distribution (multiples allowed). | any |
null |
no |
origin_access_control | Map of CloudFront origin access control | map(object({ |
{ |
no |
origin_access_identities | Map of CloudFront origin access identities (value as a comment) | map(string) |
{} |
no |
origin_group | One or more origin_group for this distribution (multiples allowed). | any |
{} |
no |
price_class | The price class for this distribution. One of PriceClass_All, PriceClass_200, PriceClass_100 | string |
null |
no |
realtime_metrics_subscription_status | A flag that indicates whether additional CloudWatch metrics are enabled for a given CloudFront distribution. Valid values are Enabled and Disabled . |
string |
"Enabled" |
no |
retain_on_delete | Disables the distribution instead of deleting it when destroying the resource through Terraform. If this is set, the distribution needs to be deleted manually afterwards. | bool |
false |
no |
staging | Whether the distribution is a staging distribution. | bool |
false |
no |
tags | A map of tags to assign to the resource. | map(string) |
null |
no |
viewer_certificate | The SSL configuration for this distribution | any |
{ |
no |
vpc_origin | Map of CloudFront VPC origin | map(object({ |
{} |
no |
wait_for_deployment | If enabled, the resource will wait for the distribution status to change from InProgress to Deployed. Setting this to false will skip the process. | bool |
true |
no |
web_acl_id | If you're using AWS WAF to filter CloudFront requests, the Id of the AWS WAF web ACL that is associated with the distribution. The WAF Web ACL must exist in the WAF Global (CloudFront) region and the credentials configuring this argument must have waf:GetWebACL permissions assigned. If using WAFv2, provide the ARN of the web ACL. | string |
null |
no |
Name | Description |
---|---|
cloudfront_distribution_arn | The ARN (Amazon Resource Name) for the distribution. |
cloudfront_distribution_caller_reference | Internal value used by CloudFront to allow future updates to the distribution configuration. |
cloudfront_distribution_domain_name | The domain name corresponding to the distribution. |
cloudfront_distribution_etag | The current version of the distribution's information. |
cloudfront_distribution_hosted_zone_id | The CloudFront Route 53 zone ID that can be used to route an Alias Resource Record Set to. |
cloudfront_distribution_id | The identifier for the distribution. |
cloudfront_distribution_in_progress_validation_batches | The number of invalidation batches currently in progress. |
cloudfront_distribution_last_modified_time | The date and time the distribution was last modified. |
cloudfront_distribution_status | The current status of the distribution. Deployed if the distribution's information is fully propagated throughout the Amazon CloudFront system. |
cloudfront_distribution_tags | Tags of the distribution's |
cloudfront_distribution_trusted_signers | List of nested attributes for active trusted signers, if the distribution is set up to serve private content with signed URLs |
cloudfront_monitoring_subscription_id | The ID of the CloudFront monitoring subscription, which corresponds to the distribution_id . |
cloudfront_origin_access_controls | The origin access controls created |
cloudfront_origin_access_controls_ids | The IDS of the origin access identities created |
cloudfront_origin_access_identities | The origin access identities created |
cloudfront_origin_access_identity_iam_arns | The IAM arns of the origin access identities created |
cloudfront_origin_access_identity_ids | The IDS of the origin access identities created |
cloudfront_vpc_origin_ids | The IDS of the VPC origin created |
Module is maintained by Anton Babenko with help from these awesome contributors:
Apache 2 Licensed. See LICENSE for full details.