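# CloudFront distribution that fronts the static-site S3 bucket. The bucket is
# only reached through the origin access identity (OAI) declared below, so the
# distribution is the sole public path to the content.
resource "aws_cloudfront_distribution" "main_website" {
  origin {
    origin_id   = var.dns_entry
    domain_name = aws_s3_bucket.main_website.bucket_regional_domain_name

    # NOTE(review): OAI is the legacy way to grant CloudFront access to S3;
    # AWS now recommends origin access control (OAC). Migrating requires the
    # bucket policy and the aws_cloudfront_origin_access_identity resource
    # to change together, so it is left as-is here.
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path
    }
  }

  # Every hostname that will point at this distribution (Route 53 alias or
  # CNAME) must be listed here, otherwise CloudFront answers requests for
  # that Host header with 403.
  aliases = concat([var.dns_entry], var.secondary_addresses)

  enabled             = true
  default_root_object = var.index_doc
  is_ipv6_enabled     = false

  # Attach the WAF Classic (aws_waf_web_acl, global scope) ACL only when the
  # module was asked to create one; null leaves the distribution without an ACL.
  web_acl_id = var.create_firewall ? aws_waf_web_acl.waf_acl[0].id : null

  default_cache_behavior {
    # The only origin is a static S3 bucket read through the OAI, so read
    # methods are all that can be served. Previously DELETE/PATCH/POST/PUT
    # were also accepted and forwarded to the bucket; nothing in this
    # configuration handles them, and admitting them only exposed whatever
    # the bucket policy grants the OAI to write-method requests. OPTIONS is
    # kept so CORS preflight still works.
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = var.dns_entry

    # Compress responses (gzip/brotli) for viewers that advertise support.
    compress = true

    forwarded_values {
      # Query strings are forwarded to S3 and become part of the cache key.
      # This is what lets `?v=<hash>` style cache busting work, but it also
      # means a viewer can create one cache entry per distinct query string;
      # if that fan-out becomes a problem, switch to a cache policy that
      # whitelists only the parameters the site actually uses.
      query_string = true
      cookies {
        forward = "none"
      }
    }

    # Plain-HTTP requests are redirected to HTTPS rather than served.
    # Default TTLs: honour origin headers between 0 and one day, one hour
    # when the origin sends none.
    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400

    # Adds the security response headers on the way back to the viewer.
    function_association {
      event_type   = "viewer-response"
      function_arn = aws_cloudfront_function.secure_headers.arn
    }
    # Rewrites SPA routes on the way in (see aws_cloudfront_function.redirect_spa).
    function_association {
      event_type   = "viewer-request"
      function_arn = aws_cloudfront_function.redirect_spa.arn
    }
  }

  # Standard access logs go to a central bucket in another account, keyed by
  # account alias and hostname. The bucket name is fixed on purpose: the log
  # bucket's policy must already allow this account to write, which is owned
  # by the Cloud Team, not this module. include_cookies stays false so no
  # session material lands in the logs.
  logging_config {
    include_cookies = false
    bucket          = "uoa-security-cloudfront-access-logs.s3.amazonaws.com"
    prefix          = "${data.aws_iam_account_alias.current.account_alias}/${var.dns_entry}/"
  }

  price_class = "PriceClass_All"

  # The restrictions block is mandatory even when no geo restriction applies.
  restrictions {
    geo_restriction {
      restriction_type = "none"
      locations        = []
    }
  }

  # HTTPS with a customer-managed ACM certificate served via SNI (the ACM
  # certificate must be issued in us-east-1 for CloudFront to use it).
  # TLSv1.2_2019 is the floor required by UoA Web Policy; TLSv1.2_2021 is the
  # stricter current AWS recommendation and can be adopted once policy allows.
  viewer_certificate {
    cloudfront_default_certificate = false
    acm_certificate_arn            = var.acm_arn
    minimum_protocol_version       = "TLSv1.2_2019"
    ssl_support_method             = "sni-only"
  }

  tags = merge(
    local.common_tags,
    {
      "Name" = "${var.dns_entry}-Distribution"
    },
  )
}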
# Distribution ID, e.g. for cache invalidations.
output "cf_id" {
  description = "ID of CloudFront distribution"
  value       = try(aws_cloudfront_distribution.main_website.id, "")
}
# Distribution ARN, e.g. for IAM policies or WAFv2 association.
output "cf_arn" {
  description = "ARN of CloudFront distribution"
  value       = try(aws_cloudfront_distribution.main_website.arn, "")
}
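# Alternate domain names attached to the distribution. The attribute is a set
# of strings, so the fallback is an empty list rather than "" to keep the
# output's type stable for consumers.
output "cf_aliases" {
  description = "Extra CNAMEs of AWS CloudFront"
  value       = try(aws_cloudfront_distribution.main_website.aliases, [])
}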
# Deployment status reported by CloudFront (e.g. InProgress / Deployed).
output "cf_status" {
  description = "Current status of the distribution"
  value       = try(aws_cloudfront_distribution.main_website.status, "")
}
# The *.cloudfront.net hostname; target for Route 53 alias / CNAME records.
output "cf_domain_name" {
  description = "Domain name corresponding to the distribution"
  value       = try(aws_cloudfront_distribution.main_website.domain_name, "")
}
# Hosted zone ID needed alongside cf_domain_name for a Route 53 alias record.
output "cf_hosted_zone_id" {
  description = "CloudFront Route 53 Zone ID"
  value       = try(aws_cloudfront_distribution.main_website.hosted_zone_id, "")
}
# OAI path in the form CloudFront expects in an s3_origin_config block; useful
# when another distribution should reuse the same identity.
output "cf_origin_access_identity" {
  description = "A shortcut to the full path for the origin access identity to use in CloudFront"
  value       = try(aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path, "")
}