Skip to main content
Sponsor @cloudposse

spa-s3-cloudfront

This component is responsible for provisioning:

  • S3 bucket
  • CloudFront distribution for a Single Page Application
  • ACM placed in us-east-1 regardless of the stack region (requirement of CloudFront)

NOTE: The component does not use the ACM created by dns-delegated, because the ACM region has to be us-east-1.

Usage

Stack Level: Regional

Here are some example snippets for how to use this component:

An import for all instantiations of the spa-s3-cloudfront component can be created at stacks/spa/spa-defaults.yaml:

components:
  terraform:
    spa-s3-cloudfront:
      vars:
        # lookup GitHub Runner IAM role via remote state
        github_runners_deployment_principal_arn_enabled: true
        github_runners_component_name: github-runners
        github_runners_tenant_name: core
        github_runners_environment_name: ue2
        github_runners_stage_name: auto
        origin_force_destroy: false
        origin_versioning_enabled: true
        origin_block_public_acls: true
        origin_block_public_policy: true
        origin_ignore_public_acls: true
        origin_restrict_public_buckets: true
        origin_encryption_enabled: true
        cloudfront_index_document: index.html
        cloudfront_ipv6_enabled: false
        cloudfront_compress: true
        cloudfront_default_root_object: index.html
        cloudfront_viewer_protocol_policy: redirect-to-https

An import for all instantiations for a specific SPA can be created at stacks/spa/example-spa.yaml:

components:
  terraform:
    example-spa:
      component: spa-s3-cloudfront
      vars:
        name: example-spa
        site_subdomain: example-spa
        cloudfront_allowed_methods:
          - GET
          - HEAD
        cloudfront_cached_methods:
          - GET
          - HEAD
        cloudfront_custom_error_response:
          - error_caching_min_ttl: 1
            error_code: 403
            response_code: 200
            response_page_path: /index.html
        cloudfront_default_ttl: 60
        cloudfront_min_ttl: 60
        cloudfront_max_ttl: 60

Finally, the spa-s3-cloudfront component can be instantiated in a stack config:

import:
  - spa/example-spa

components:
  terraform:
    example-spa:
      component: spa-s3-cloudfront
      settings:
        spacelift:
          workspace_enabled: true
      vars: {}

Failover Origins

Failover origins are supported via var.failover_s3_origin_name and var.failover_s3_origin_region.

Preview Environments

SPA Preview environments (i.e. subdomain.example.com mapping to a /subdomain path in the S3 bucket) powered by Lambda@Edge are supported via var.preview_environment_enabled. See the both the variable description and inline documentation for an extensive explanation for how these preview environments work.

Customizing Lambda@Edge

This component supports customizing Lambda@Edge functions for the CloudFront distribution. All Lambda@Edge function configuration is deep merged before being passed to the cloudposse/cloudfront-s3-cdn/aws//modules/lambda@edge module. You can add additional functions and overwrite existing functions as such:

import:
  - catalog/spa-s3-cloudfront/defaults

components:
  terraform:
    refarch-docs-site-spa:
      metadata:
        component: spa-s3-cloudfront
        inherits:
          - spa-s3-cloudfront-defaults
      vars:
        enabled: true
        lambda_edge_functions:
          viewer_request: # overwrite existing function
            source: null # this overwrites the 404 viewer request source with deep merging
            source_zip: "./dist/lambda_edge_paywall_viewer_request.zip"
            runtime: "nodejs16.x"
            handler: "index.handler"
            event_type: "viewer-request"
            include_body: false
          viewer_response: # new function
            source_zip: "./dist/lambda_edge_paywall_viewer_response.zip"
            runtime: "nodejs16.x"
            handler: "index.handler"
            event_type: "viewer-response"
            include_body: false

Variables

Required Variables

region (string) required

AWS Region.

Optional Variables

block_origin_public_access_enabled (bool) optional

When set to 'true' the s3 origin bucket will have public access block enabled.


Default value: true

cloudfront_access_log_bucket_name (string) optional

When cloudfront_access_log_create_bucket is false, this is the name of the existing S3 Bucket where
CloudFront Access Logs are to be delivered and is required. IGNORED when cloudfront_access_log_create_bucket is true.



Default value: ""

cloudfront_access_log_bucket_name_rendering_enabled (bool) optional

If set to true, then the CloudFront origin access logs bucket name will be rendered by calling format("%v-%v-%v-%v", var.namespace, var.environment, var.stage, var.cloudfront_access_log_bucket_name).
Otherwise, the value for cloudfront_access_log_bucket_name will need to be the globally unique name of the access logs bucket.


For example, if this component produces an origin bucket named eg-ue1-devplatform-example and cloudfront_access_log_bucket_name is set to
example-cloudfront-access-logs, then the bucket name will be rendered to be eg-ue1-devplatform-example-cloudfront-access-logs.



Default value: false

cloudfront_access_log_create_bucket (bool) optional

When true and cloudfront_access_logging_enabled is also true, this module will create a new,
separate S3 bucket to receive CloudFront Access Logs.



Default value: true

cloudfront_access_log_prefix (string) optional

Prefix to use for CloudFront Access Log object keys. Defaults to no prefix.


Default value: ""

cloudfront_access_log_prefix_rendering_enabled (bool) optional

Whether or not to dynamically render ${module.this.id} at the end of var.cloudfront_access_log_prefix.


Default value: false

cloudfront_allowed_methods (list(string)) optional

List of allowed methods (e.g. GET, PUT, POST, DELETE, HEAD) for AWS CloudFront.


Default value:

[
  "DELETE",
  "GET",
  "HEAD",
  "OPTIONS",
  "PATCH",
  "POST",
  "PUT"
]
cloudfront_aws_shield_protection_enabled (bool) optional

Enable or disable AWS Shield Advanced protection for the CloudFront distribution. If set to 'true', a subscription to AWS Shield Advanced must exist in this account.


Default value: false

cloudfront_aws_waf_component_name (string) optional

The name of the component used when deploying WAF ACL


Default value: "waf"

cloudfront_aws_waf_environment (string) optional

The environment where the WAF ACL for CloudFront distribution exists.


Default value: null

cloudfront_aws_waf_protection_enabled (bool) optional

Enable or disable AWS WAF for the CloudFront distribution.


This assumes that the aws-waf-acl-default-cloudfront component has been deployed to the regional stack corresponding
to var.waf_acl_environment.



Default value: true

cloudfront_cached_methods (list(string)) optional

List of cached methods (e.g. GET, PUT, POST, DELETE, HEAD).


Default value:

[
  "GET",
  "HEAD"
]
cloudfront_compress (bool) optional

Compress content for web requests that include Accept-Encoding: gzip in the request header.


Default value: false

cloudfront_custom_error_response optional

List of one or more custom error response element maps.


Type:

list(object({
error_caching_min_ttl = optional(string, "10")
error_code            = string
response_code         = string
response_page_path    = string
}))

Default value: [ ]

cloudfront_default_root_object (string) optional

Object that CloudFront return when requests the root URL.


Default value: "index.html"

cloudfront_default_ttl (number) optional

Default amount of time (in seconds) that an object is in a CloudFront cache.


Default value: 60

cloudfront_index_document (string) optional

Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders.


Default value: "index.html"

cloudfront_ipv6_enabled (bool) optional

Set to true to enable an AAAA DNS record to be set as well as the A record.


Default value: true

cloudfront_lambda_function_association optional

A config block that configures the CloudFront distribution with lambda@edge functions for specific events.


Type:

list(object({
event_type   = string
include_body = bool
lambda_arn   = string
}))

Default value: [ ]

cloudfront_max_ttl (number) optional

Maximum amount of time (in seconds) that an object is in a CloudFront cache.


Default value: 31536000

cloudfront_min_ttl (number) optional

Minimum amount of time that you want objects to stay in CloudFront caches.


Default value: 0

cloudfront_viewer_protocol_policy (string) optional

Limit the protocol users can use to access content. One of allow-all, https-only, or redirect-to-https.


Default value: "redirect-to-https"

comment (string) optional

Any comments you want to include about the distribution.


Default value: "Managed by Terraform"

custom_origins optional

A list of additional custom website origins for this distribution.



Type:

list(object({
domain_name = string
origin_id   = string
origin_path = string
custom_headers = list(object({
  name  = string
  value = string
}))
custom_origin_config = object({
  http_port                = number
  https_port               = number
  origin_protocol_policy   = string
  origin_ssl_protocols     = list(string)
  origin_keepalive_timeout = number
  origin_read_timeout      = number
})
}))

Default value: [ ]

dns_delegated_environment_name (string) optional

The environment where dns-delegated component is deployed to


Default value: "gbl"

external_aliases (list(string)) optional

List of FQDN's - Used to set the Alternate Domain Names (CNAMEs) setting on CloudFront. No new Route53 records will be created for these.


Setting process_domain_validation_options to true may cause the component to fail if an external_alias DNS zone is not controlled by Terraform.


Setting preview_environment_enabled to true will cause this variable to be ignored.



Default value: [ ]

failover_criteria_status_codes (list(string)) optional

List of HTTP Status Codes to use as the origin group failover criteria.


Default value:

[
  403,
  404,
  500,
  502
]
failover_s3_origin_environment (string) optional

The fixed name of the AWS Region where the
failover S3 origin exists. Setting this variable will enable use of a failover S3 origin, but it is required for the
failover S3 origin to exist beforehand. This variable is used in conjunction with var.failover_s3_origin_format to
build out the name of the Failover S3 origin in the specified region.


For example, if this component creates an origin of name eg-ue1-devplatform-example and this variable is set to uw1,
then it is expected that a bucket with the name eg-uw1-devplatform-example-failover exists in us-west-1.



Default value: null

failover_s3_origin_format (string) optional

If var.failover_s3_origin_environment is supplied, this is the format to use for the failover S3 origin bucket name when
building the name via format([format], var.namespace, var.failover_s3_origin_environment, var.stage, var.name)
and then looking it up via the aws_s3_bucket Data Source.


For example, if this component creates an origin of name eg-ue1-devplatform-example and var.failover_s3_origin_environment
is set to uw1, then it is expected that a bucket with the name eg-uw1-devplatform-example-failover exists in us-west-1.



Default value: "%v-%v-%v-%v-failover"

forward_cookies (string) optional

Specifies whether you want CloudFront to forward all or no cookies to the origin. Can be 'all' or 'none'


Default value: "none"

forward_header_values (list(string)) optional

A list of whitelisted header values to forward to the origin (incompatible with cache_policy_id)


Default value:

[
  "Access-Control-Request-Headers",
  "Access-Control-Request-Method",
  "Origin"
]
github_actions_allowed_repos (list(string)) optional

A list of the GitHub repositories that are allowed to assume this role from GitHub Actions. For example,
["cloudposse/infra-live"]. Can contain "*" as wildcard.
If org part of repo name is omitted, "cloudposse" will be assumed.



Default value: [ ]

github_actions_iam_role_attributes (list(string)) optional

Additional attributes to add to the role name


Default value: [ ]

github_actions_iam_role_enabled (bool) optional

Flag to toggle creation of an IAM Role that GitHub Actions can assume to access AWS resources



Default value: false

github_runners_component_name (string) optional

The name of the component that deploys GitHub Runners, used in remote-state lookup


Default value: "github-runners"

github_runners_deployment_principal_arn_enabled (bool) optional

A flag that is used to decide whether or not to include the GitHub Runner's IAM role in origin_deployment_principal_arns list


Default value: true

github_runners_environment_name (string) optional

The name of the environment where the CloudTrail bucket is provisioned


Default value: "ue2"

github_runners_stage_name (string) optional

The stage name where the CloudTrail bucket is provisioned


Default value: "auto"

github_runners_tenant_name (string) optional

The tenant name where the GitHub Runners are provisioned


Default value: null

http_version (string) optional

The maximum HTTP version to support on the distribution. Allowed values are http1.1, http2, http2and3 and http3


Default value: "http2"

lambda_edge_allowed_ssm_parameters (list(string)) optional

The Lambda@Edge functions will be allowed to access the list of AWS SSM parameter with these ARNs


Default value: [ ]

lambda_edge_destruction_delay (string) optional

The delay, in Golang ParseDuration format, to wait before destroying the Lambda@Edge
functions.


This delay is meant to circumvent Lambda@Edge functions not being immediately deletable following their dissociation from
a CloudFront distribution, since they are replicated to CloudFront Edge servers around the world.


If set to null, no delay will be introduced.


By default, the delay is 20 minutes. This is because it takes about 3 minutes to destroy a CloudFront distribution, and
around 15 minutes until the Lambda@Edge function is available for deletion, in most cases.


For more information, see: https://github.com/hashicorp/terraform-provider-aws/issues/1721.



Default value: "20m"

lambda_edge_functions optional

Lambda@Edge functions to create.


The key of this map is the name of the Lambda@Edge function.


This map will be deep merged with each enabled default function. Use deep merge to change or overwrite specific values passed by those function objects.



Type:

map(object({
source = optional(list(object({
  filename = string
  content  = string
})))
source_dir   = optional(string)
source_zip   = optional(string)
runtime      = string
handler      = string
event_type   = string
include_body = bool
}))

Default value: { }

lambda_edge_handler (string) optional

The default Lambda@Edge handler for all functions.


This value is deep merged in module.lambda_edge_functions with var.lambda_edge_functions and can be overwritten for any individual function.



Default value: "index.handler"

lambda_edge_runtime (string) optional

The default Lambda@Edge runtime for all functions.


This value is deep merged in module.lambda_edge_functions with var.lambda_edge_functions and can be overwritten for any individual function.



Default value: "nodejs16.x"

ordered_cache optional

An ordered list of cache behaviors resource for this distribution.
List in order of precedence (first match wins). This is in addition to the default cache policy.
Set target_origin_id to "" to specify the S3 bucket origin created by this module.
Set cache_policy_id to "" to use cache_policy_name for creating a new policy. At least one of the two must be set.
Set origin_request_policy_id to "" to use origin_request_policy_name for creating a new policy. At least one of the two must be set.



Type:

list(object({
target_origin_id = string
path_pattern     = string

allowed_methods    = list(string)
cached_methods     = list(string)
compress           = bool
trusted_signers    = list(string)
trusted_key_groups = list(string)

cache_policy_name          = optional(string)
cache_policy_id            = optional(string)
origin_request_policy_name = optional(string)
origin_request_policy_id   = optional(string)

viewer_protocol_policy     = string
min_ttl                    = number
default_ttl                = number
max_ttl                    = number
response_headers_policy_id = string

forward_query_string              = bool
forward_header_values             = list(string)
forward_cookies                   = string
forward_cookies_whitelisted_names = list(string)

lambda_function_association = list(object({
  event_type   = string
  include_body = bool
  lambda_arn   = string
}))

function_association = list(object({
  event_type   = string
  function_arn = string
}))

origin_request_policy = optional(object({
  cookie_behavior       = optional(string, "none")
  header_behavior       = optional(string, "none")
  query_string_behavior = optional(string, "none")

  cookies       = optional(list(string), [])
  headers       = optional(list(string), [])
  query_strings = optional(list(string), [])
}), {})
}))

Default value: [ ]

origin_allow_ssl_requests_only (bool) optional

Set to true in order to have the origin bucket require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests


Default value: true

origin_bucket (string) optional

Name of an existing S3 bucket to use as the origin. If this is not provided, this component will create a new s3 bucket using var.name and other context related inputs


Default value: null

origin_deployment_actions (list(string)) optional

List of actions to permit origin_deployment_principal_arns to perform on bucket and bucket prefixes (see origin_deployment_principal_arns)


Default value:

[
  "s3:PutObject",
  "s3:PutObjectAcl",
  "s3:GetObject",
  "s3:DeleteObject",
  "s3:ListBucket",
  "s3:ListBucketMultipartUploads",
  "s3:GetBucketLocation",
  "s3:AbortMultipartUpload"
]
origin_deployment_principal_arns (list(string)) optional

List of role ARNs to grant deployment permissions to the origin Bucket.


Default value: [ ]

origin_encryption_enabled (bool) optional

When set to 'true' the origin Bucket will have aes256 encryption enabled by default.


Default value: true

origin_force_destroy (bool) optional

A boolean string that indicates all objects should be deleted from the origin Bucket so that the Bucket can be destroyed without error. These objects are not recoverable.


Default value: false

origin_s3_access_log_bucket_name (string) optional

Name of the existing S3 bucket where S3 Access Logs for the origin Bucket will be delivered. Default is not to enable S3 Access Logging for the origin Bucket.


Default value: ""

origin_s3_access_log_bucket_name_rendering_enabled (bool) optional

If set to true, then the S3 origin access logs bucket name will be rendered by calling format("%v-%v-%v-%v", var.namespace, var.environment, var.stage, var.origin_s3_access_log_bucket_name).
Otherwise, the value for origin_s3_access_log_bucket_name will need to be the globally unique name of the access logs bucket.


For example, if this component produces an origin bucket named eg-ue1-devplatform-example and origin_s3_access_log_bucket_name is set to
example-s3-access-logs, then the bucket name will be rendered to be eg-ue1-devplatform-example-s3-access-logs.



Default value: false

origin_s3_access_log_prefix (string) optional

Prefix to use for S3 Access Log object keys. Defaults to logs/${module.this.id}


Default value: ""

origin_s3_access_logging_enabled (bool) optional

Set true to deliver S3 Access Logs to the origin_s3_access_log_bucket_name bucket.
Defaults to false if origin_s3_access_log_bucket_name is empty (the default), true otherwise.
Must be set explicitly if the access log bucket is being created at the same time as this module is being invoked.



Default value: null

origin_versioning_enabled (bool) optional

Enable or disable versioning for the origin Bucket. Versioning is a means of keeping multiple variants of an object in the same bucket.


Default value: false

parent_zone_name (string) optional

Parent domain name of site to publish. Defaults to format(parent_zone_name_pattern, stage, environment).


Default value: ""

preview_environment_enabled (bool) optional

Enable or disable SPA Preview Environments via Lambda@Edge, i.e. mapping subdomain.example.com to the /subdomain
path in the origin S3 bucket.


This variable implicitly affects the following variables:


  • s3_website_enabled
  • s3_website_password_enabled
  • block_origin_public_access_enabled
  • origin_allow_ssl_requests_only
  • forward_header_values
  • cloudfront_default_ttl
  • cloudfront_min_ttl
  • cloudfront_max_ttl
  • cloudfront_lambda_function_association


Default value: false

process_domain_validation_options (bool) optional

Flag to enable/disable processing of the record to add to the DNS zone to complete certificate validation


Default value: true

s3_object_ownership (string) optional

Specifies the S3 object ownership control on the origin bucket. Valid values are ObjectWriter, BucketOwnerPreferred, and 'BucketOwnerEnforced'.


Default value: "ObjectWriter"

s3_origins optional

A list of S3 origins (in addition to the one created by this component) for this distribution.
S3 buckets configured as websites are custom_origins, not s3_origins.
Specifying s3_origin_config.origin_access_identity as null or "" will have it translated to the origin_access_identity used by the origin created by this component.



Type:

list(object({
domain_name = string
origin_id   = string
origin_path = string
s3_origin_config = object({
  origin_access_identity = string
})
}))

Default value: [ ]

s3_website_enabled (bool) optional

Set to true to enable the created S3 bucket to serve as a website independently of CloudFront,
and to use that website as the origin.


Setting preview_environment_enabled will implicitly set this to true.



Default value: false

s3_website_password_enabled (bool) optional

If set to true, and s3_website_enabled is also true, a password will be required in the Referrer field of the
HTTP request in order to access the website, and CloudFront will be configured to pass this password in its requests.
This will make it much harder for people to bypass CloudFront and access the S3 website directly via its website endpoint.



Default value: false

site_fqdn (string) optional

Fully qualified domain name of site to publish. Overrides site_subdomain and parent_zone_name.


Default value: ""

site_subdomain (string) optional

Subdomain to plug into site_name_pattern to make site FQDN.


Default value: ""

Context Variables

The following variables are defined in the context.tf file of this module and part of the terraform-null-label pattern.

additional_tag_map (map(string)) optional

Additional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.


Required: No

Default value: { }

attributes (list(string)) optional

ID element. Additional attributes (e.g. workers or cluster) to add to id,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the delimiter
and treated as a single ID element.


Required: No

Default value: [ ]

context (any) optional

Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as null to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.


Required: No

Default value:

{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}
delimiter (string) optional

Delimiter to be used between ID elements.
Defaults to - (hyphen). Set to "" to use no delimiter at all.


Required: No

Default value: null

descriptor_formats (any) optional

Describe additional descriptors to be output in the descriptors output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
\{<br/> format = string<br/> labels = list(string)<br/> \}
(Type is any so the map values can later be enhanced to provide additional options.)
format is a Terraform format string to be passed to the format() function.
labels is a list of labels, in order, to pass to format() function.
Label values will be normalized before being passed to format() so they will be
identical to how they appear in id.
Default is {} (descriptors output will be empty).


Required: No

Default value: { }

enabled (bool) optional

Set to false to prevent the module from creating any resources
Required: No

Default value: null

environment (string) optional

ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'
Required: No

Default value: null

id_length_limit (number) optional

Limit id to this many characters (minimum 6).
Set to 0 for unlimited length.
Set to null for keep the existing setting, which defaults to 0.
Does not affect id_full.


Required: No

Default value: null

label_key_case (string) optional

Controls the letter case of the tags keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the tags input.
Possible values: lower, title, upper.
Default value: title.


Required: No

Default value: null

label_order (list(string)) optional

The order in which the labels (ID elements) appear in the id.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.


Required: No

Default value: null

label_value_case (string) optional

Controls the letter case of ID elements (labels) as included in id,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the tags input.
Possible values: lower, title, upper and none (no transformation).
Set this to title and set delimiter to "" to yield Pascal Case IDs.
Default value: lower.


Required: No

Default value: null

labels_as_tags (set(string)) optional

Set of labels (ID elements) to include as tags in the tags output.
Default is to include all labels.
Tags with empty values will not be included in the tags output.
Set to [] to suppress all generated tags.
Notes:
The value of the name tag, if included, will be the id, not the name.
Unlike other null-label inputs, the initial setting of labels_as_tags cannot be
changed in later chained modules. Attempts to change it will be silently ignored.


Required: No

Default value:

[
  "default"
]
name (string) optional

ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a tag.
The "name" tag is set to the full id string. There is no tag with the value of the name input.


Required: No

Default value: null

namespace (string) optional

ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique
Required: No

Default value: null

regex_replace_chars (string) optional

Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits.


Required: No

Default value: null

stage (string) optional

ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'
Required: No

Default value: null

tags (map(string)) optional

Additional tags (e.g. {'BusinessUnit': 'XYZ'}).
Neither the tag keys nor the tag values will be modified by this module.


Required: No

Default value: { }

tenant (string) optional

ID element (Rarely used, not included by default). A customer identifier, indicating who this instance of a resource is for
Required: No

Default value: null

Outputs

cloudfront_distribution_alias

Cloudfront Distribution Alias Record.

cloudfront_distribution_domain_name

Cloudfront Distribution Domain Name.

cloudfront_distribution_identity_arn

CloudFront Distribution Origin Access Identity IAM ARN.

failover_s3_bucket_name

Failover Origin bucket name, if enabled.

github_actions_iam_role_arn

ARN of IAM role for GitHub Actions

github_actions_iam_role_name

Name of IAM role for GitHub Actions

origin_s3_bucket_arn

Origin bucket ARN.

origin_s3_bucket_name

Origin bucket name.

Dependencies

Requirements

  • terraform, version: >= 1.0.0
  • aws, version: >= 4.9.0

Providers

  • aws, version: >= 4.9.0
  • aws, version: >= 4.9.0

Modules

NameVersionSourceDescription
acm_request_certificate0.18.0cloudposse/acm-request-certificate/awsCreate an ACM and explicitly set it to us-east-1 (requirement of CloudFront)
dns_delegated1.5.0cloudposse/stack-config/yaml//modules/remote-staten/a
gha_assume_rolelatest../account-map/modules/team-assume-role-policyn/a
gha_role_name0.25.0cloudposse/label/nulln/a
github_runners1.5.0cloudposse/stack-config/yaml//modules/remote-staten/a
iam_roleslatest../account-map/modules/iam-rolesn/a
lambda_edge0.92.0cloudposse/cloudfront-s3-cdn/aws//modules/lambda@edgen/a
lambda_edge_functions1.0.2cloudposse/config/yaml//modules/deepmergen/a
spa_web0.95.0cloudposse/cloudfront-s3-cdn/awsn/a
this0.25.0cloudposse/label/nulln/a
utils1.3.0cloudposse/utils/awsn/a
waf1.5.0cloudposse/stack-config/yaml//modules/remote-staten/a

Resources

The following resources are used by this module:

Data Sources

The following data sources are used by this module:

References

Changelog

Component PRs #991 and #995

Drop lambda_edge_redirect_404

This PRs removes the lambda_edge_redirect_404 functionality because it leads to significant costs. Use native CloudFront error pages configs instead.

cloudfront_custom_error_response:
  - error_code: 404
    response_code: 404
    response_page_path: /404.html

Components PR #978

Lambda@Edge Submodule Refactor

This PR has significantly refactored how Lambda@Edge functions are managed by Terraform with this component. Previously, the specific use cases for Lambda@Edge functions were handled by submodules lambda-edge-preview and lambda_edge_redirect_404. These component submodules both called the same Terraform module, cloudposse/cloudfront-s3-cdn/aws//modules/lambda@edge. These submodules have been replaced with a single Terraform file, lambda_edge.tf.

The reason a single file is better than submodules is (1) simplification and (2) adding the ability to deep merge function configuration. Cloudfront Distributions support a single Lambda@Edge function for each origin/viewer request or response. With deep merging, we can define default values for function configuration and provide the ability to overwrite specific values for a given deployment.

Specifically, our own use case is using an authorization Lambda@Edge viewer request only if the paywall is enabled. Other deployments use an alternative viewer request to redirect 404.

Upgrading with preview_environment_enabled: true or lambda_edge_redirect_404_enabled: true

If you have var.preview_environment_enabled or var.lambda_edge_redirect_404_enabled set to true, Terraform moved will move the previous resource by submodule to the new resource by file. Please give your next Terraform plan a sanity check. Any existing Lambda functions should not be destroyed by this change.

Upgrading with both preview_environment_enabled: false and lambda_edge_redirect_404_enabled: false

If you have no Lambda@Edge functions deployed and where both var.preview_environment_enabled and var.lambda_edge_redirect_404_enabled are false (the default value), no change is necessary.

Lambda Runtime Version

The previous PR #946 introduced the var.lambda_runtime input. Previously, the version of node in both submodules was hard-coded to be nodejs12.x. This PR renames that variable to var.lambda_edge_runtime and sets the default to nodejs16.x.

If you want to maintain the previous version of Node, set var.lambda_edge_runtime to nodejs12.x, though be aware that AWS deprecated that version on March 31, 2023, and lambdas using that environment may no longer work. Otherwise, this component will attempt to deploy the functions with runtime nodejs16.x.