spa-s3-cloudfront
This component is responsible for provisioning:
- S3 bucket
- CloudFront distribution for a Single Page Application
- ACM placed in us-east-1 regardless of the stack region (requirement of CloudFront)
NOTE: The component does not use the ACM created by dns-delegated
, because the ACM region has to be us-east-1.
Usage
Stack Level: Regional
Here are some example snippets for how to use this component:
An import for all instantiations of the spa-s3-cloudfront
component can be created at stacks/spa/spa-defaults.yaml
:
components:
terraform:
spa-s3-cloudfront:
vars:
# lookup GitHub Runner IAM role via remote state
github_runners_deployment_principal_arn_enabled: true
github_runners_component_name: github-runners
github_runners_tenant_name: core
github_runners_environment_name: ue2
github_runners_stage_name: auto
origin_force_destroy: false
origin_versioning_enabled: true
origin_block_public_acls: true
origin_block_public_policy: true
origin_ignore_public_acls: true
origin_restrict_public_buckets: true
origin_encryption_enabled: true
cloudfront_index_document: index.html
cloudfront_ipv6_enabled: false
cloudfront_compress: true
cloudfront_default_root_object: index.html
cloudfront_viewer_protocol_policy: redirect-to-https
An import for all instantiations for a specific SPA can be created at stacks/spa/example-spa.yaml
:
components:
terraform:
example-spa:
component: spa-s3-cloudfront
vars:
name: example-spa
site_subdomain: example-spa
cloudfront_allowed_methods:
- GET
- HEAD
cloudfront_cached_methods:
- GET
- HEAD
cloudfront_custom_error_response:
- error_caching_min_ttl: 1
error_code: 403
response_code: 200
response_page_path: /index.html
cloudfront_default_ttl: 60
cloudfront_min_ttl: 60
cloudfront_max_ttl: 60
Finally, the spa-s3-cloudfront
component can be instantiated in a stack config:
import:
- spa/example-spa
components:
terraform:
example-spa:
component: spa-s3-cloudfront
settings:
spacelift:
workspace_enabled: true
vars: {}
Failover Origins
Failover origins are supported via var.failover_s3_origin_name
and var.failover_s3_origin_region
.
Preview Environments
SPA Preview environments (i.e. subdomain.example.com
mapping to a /subdomain
path in the S3 bucket) powered by
Lambda@Edge are supported via var.preview_environment_enabled
. See the both the variable description and inline
documentation for an extensive explanation for how these preview environments work.
Customizing Lambda@Edge
This component supports customizing Lambda@Edge functions for the CloudFront distribution. All Lambda@Edge function
configuration is deep merged before being passed to the cloudposse/cloudfront-s3-cdn/aws//modules/lambda@edge
module.
You can add additional functions and overwrite existing functions as such:
import:
- catalog/spa-s3-cloudfront/defaults
components:
terraform:
refarch-docs-site-spa:
metadata:
component: spa-s3-cloudfront
inherits:
- spa-s3-cloudfront-defaults
vars:
enabled: true
lambda_edge_functions:
viewer_request: # overwrite existing function
source: null # this overwrites the 404 viewer request source with deep merging
source_zip: "./dist/lambda_edge_paywall_viewer_request.zip"
runtime: "nodejs16.x"
handler: "index.handler"
event_type: "viewer-request"
include_body: false
viewer_response: # new function
source_zip: "./dist/lambda_edge_paywall_viewer_response.zip"
runtime: "nodejs16.x"
handler: "index.handler"
event_type: "viewer-response"
include_body: false
Variables
Required Variables
region
(string
) requiredAWS Region.
Optional Variables
block_origin_public_access_enabled
(bool
) optionalWhen set to 'true' the s3 origin bucket will have public access block enabled.
Default value:
true
cloudfront_access_log_bucket_name
(string
) optionalWhen
cloudfront_access_log_create_bucket
isfalse
, this is the name of the existing S3 Bucket where
CloudFront Access Logs are to be delivered and is required. IGNORED whencloudfront_access_log_create_bucket
istrue
.Default value:
""
cloudfront_access_log_bucket_name_rendering_enabled
(bool
) optionalIf set to
true
, then the CloudFront origin access logs bucket name will be rendered by callingformat("%v-%v-%v-%v", var.namespace, var.environment, var.stage, var.cloudfront_access_log_bucket_name)
.
Otherwise, the value forcloudfront_access_log_bucket_name
will need to be the globally unique name of the access logs bucket.For example, if this component produces an origin bucket named
eg-ue1-devplatform-example
andcloudfront_access_log_bucket_name
is set to
example-cloudfront-access-logs
, then the bucket name will be rendered to beeg-ue1-devplatform-example-cloudfront-access-logs
.Default value:
false
cloudfront_access_log_create_bucket
(bool
) optionalWhen
true
andcloudfront_access_logging_enabled
is also true, this module will create a new,
separate S3 bucket to receive CloudFront Access Logs.Default value:
true
cloudfront_access_log_prefix
(string
) optionalPrefix to use for CloudFront Access Log object keys. Defaults to no prefix.
Default value:
""
cloudfront_access_log_prefix_rendering_enabled
(bool
) optionalWhether or not to dynamically render ${module.this.id} at the end of
var.cloudfront_access_log_prefix
.Default value:
false
cloudfront_allowed_methods
(list(string)
) optionalList of allowed methods (e.g. GET, PUT, POST, DELETE, HEAD) for AWS CloudFront.
Default value:
[
"DELETE",
"GET",
"HEAD",
"OPTIONS",
"PATCH",
"POST",
"PUT"
]cloudfront_aws_shield_protection_enabled
(bool
) optionalEnable or disable AWS Shield Advanced protection for the CloudFront distribution. If set to 'true', a subscription to AWS Shield Advanced must exist in this account.
Default value:
false
cloudfront_aws_waf_component_name
(string
) optionalThe name of the component used when deploying WAF ACL
Default value:
"waf"
cloudfront_aws_waf_environment
(string
) optionalThe environment where the WAF ACL for CloudFront distribution exists.
Default value:
null
cloudfront_aws_waf_protection_enabled
(bool
) optionalEnable or disable AWS WAF for the CloudFront distribution.
This assumes that the
aws-waf-acl-default-cloudfront
component has been deployed to the regional stack corresponding
tovar.waf_acl_environment
.Default value:
true
cloudfront_cached_methods
(list(string)
) optionalList of cached methods (e.g. GET, PUT, POST, DELETE, HEAD).
Default value:
[
"GET",
"HEAD"
]cloudfront_compress
(bool
) optionalCompress content for web requests that include Accept-Encoding: gzip in the request header.
Default value:
false
cloudfront_custom_error_response
optionalList of one or more custom error response element maps.
Type:
list(object({
error_caching_min_ttl = optional(string, "10")
error_code = string
response_code = string
response_page_path = string
}))Default value:
[ ]
cloudfront_default_root_object
(string
) optionalObject that CloudFront return when requests the root URL.
Default value:
"index.html"
cloudfront_default_ttl
(number
) optionalDefault amount of time (in seconds) that an object is in a CloudFront cache.
Default value:
60
cloudfront_index_document
(string
) optionalAmazon S3 returns this index document when requests are made to the root domain or any of the subfolders.
Default value:
"index.html"
cloudfront_ipv6_enabled
(bool
) optionalSet to true to enable an AAAA DNS record to be set as well as the A record.
Default value:
true
cloudfront_lambda_function_association
optionalA config block that configures the CloudFront distribution with lambda@edge functions for specific events.
Type:
list(object({
event_type = string
include_body = bool
lambda_arn = string
}))Default value:
[ ]
cloudfront_max_ttl
(number
) optionalMaximum amount of time (in seconds) that an object is in a CloudFront cache.
Default value:
31536000
cloudfront_min_ttl
(number
) optionalMinimum amount of time that you want objects to stay in CloudFront caches.
Default value:
0
cloudfront_viewer_protocol_policy
(string
) optionalLimit the protocol users can use to access content. One of
allow-all
,https-only
, orredirect-to-https
.Default value:
"redirect-to-https"
comment
(string
) optionalAny comments you want to include about the distribution.
Default value:
"Managed by Terraform"
custom_origins
optionalA list of additional custom website origins for this distribution.
Type:
list(object({
domain_name = string
origin_id = string
origin_path = string
custom_headers = list(object({
name = string
value = string
}))
custom_origin_config = object({
http_port = number
https_port = number
origin_protocol_policy = string
origin_ssl_protocols = list(string)
origin_keepalive_timeout = number
origin_read_timeout = number
})
}))Default value:
[ ]
dns_delegated_environment_name
(string
) optionalThe environment where
dns-delegated
component is deployed toDefault value:
"gbl"
external_aliases
(list(string)
) optionalList of FQDN's - Used to set the Alternate Domain Names (CNAMEs) setting on CloudFront. No new Route53 records will be created for these.
Setting
process_domain_validation_options
to true may cause the component to fail if an external_alias DNS zone is not controlled by Terraform.Setting
preview_environment_enabled
totrue
will cause this variable to be ignored.Default value:
[ ]
failover_criteria_status_codes
(list(string)
) optionalList of HTTP Status Codes to use as the origin group failover criteria.
Default value:
[
403,
404,
500,
502
]failover_s3_origin_environment
(string
) optionalThe fixed name of the AWS Region where the
failover S3 origin exists. Setting this variable will enable use of a failover S3 origin, but it is required for the
failover S3 origin to exist beforehand. This variable is used in conjunction withvar.failover_s3_origin_format
to
build out the name of the Failover S3 origin in the specified region.For example, if this component creates an origin of name
eg-ue1-devplatform-example
and this variable is set touw1
,
then it is expected that a bucket with the nameeg-uw1-devplatform-example-failover
exists inus-west-1
.Default value:
null
failover_s3_origin_format
(string
) optionalIf
var.failover_s3_origin_environment
is supplied, this is the format to use for the failover S3 origin bucket name when
building the name viaformat([format], var.namespace, var.failover_s3_origin_environment, var.stage, var.name)
and then looking it up via theaws_s3_bucket
Data Source.For example, if this component creates an origin of name
eg-ue1-devplatform-example
andvar.failover_s3_origin_environment
is set touw1
, then it is expected that a bucket with the nameeg-uw1-devplatform-example-failover
exists inus-west-1
.Default value:
"%v-%v-%v-%v-failover"
forward_cookies
(string
) optionalSpecifies whether you want CloudFront to forward all or no cookies to the origin. Can be 'all' or 'none'
Default value:
"none"
forward_header_values
(list(string)
) optionalA list of whitelisted header values to forward to the origin (incompatible with
cache_policy_id
)Default value:
[
"Access-Control-Request-Headers",
"Access-Control-Request-Method",
"Origin"
]github_actions_allowed_repos
(list(string)
) optionalA list of the GitHub repositories that are allowed to assume this role from GitHub Actions. For example,
["cloudposse/infra-live"]. Can contain "*" as wildcard.
If org part of repo name is omitted, "cloudposse" will be assumed.Default value:
[ ]
github_actions_iam_role_attributes
(list(string)
) optionalAdditional attributes to add to the role name
Default value:
[ ]
github_actions_iam_role_enabled
(bool
) optionalFlag to toggle creation of an IAM Role that GitHub Actions can assume to access AWS resources
Default value:
false
github_runners_component_name
(string
) optionalThe name of the component that deploys GitHub Runners, used in remote-state lookup
Default value:
"github-runners"
github_runners_deployment_principal_arn_enabled
(bool
) optionalA flag that is used to decide whether or not to include the GitHub Runner's IAM role in origin_deployment_principal_arns list
Default value:
true
github_runners_environment_name
(string
) optionalThe name of the environment where the CloudTrail bucket is provisioned
Default value:
"ue2"
github_runners_stage_name
(string
) optionalThe stage name where the CloudTrail bucket is provisioned
Default value:
"auto"
github_runners_tenant_name
(string
) optionalThe tenant name where the GitHub Runners are provisioned
Default value:
null
http_version
(string
) optionalThe maximum HTTP version to support on the distribution. Allowed values are http1.1, http2, http2and3 and http3
Default value:
"http2"
lambda_edge_allowed_ssm_parameters
(list(string)
) optionalThe Lambda@Edge functions will be allowed to access the list of AWS SSM parameter with these ARNs
Default value:
[ ]
lambda_edge_destruction_delay
(string
) optionalThe delay, in Golang ParseDuration format, to wait before destroying the Lambda@Edge
functions.This delay is meant to circumvent Lambda@Edge functions not being immediately deletable following their dissociation from
a CloudFront distribution, since they are replicated to CloudFront Edge servers around the world.If set to
null
, no delay will be introduced.By default, the delay is 20 minutes. This is because it takes about 3 minutes to destroy a CloudFront distribution, and
around 15 minutes until the Lambda@Edge function is available for deletion, in most cases.For more information, see: https://github.com/hashicorp/terraform-provider-aws/issues/1721.
Default value:
"20m"
lambda_edge_functions
optionalLambda@Edge functions to create.
The key of this map is the name of the Lambda@Edge function.
This map will be deep merged with each enabled default function. Use deep merge to change or overwrite specific values passed by those function objects.
Type:
map(object({
source = optional(list(object({
filename = string
content = string
})))
source_dir = optional(string)
source_zip = optional(string)
runtime = string
handler = string
event_type = string
include_body = bool
}))Default value:
{ }
lambda_edge_handler
(string
) optionalThe default Lambda@Edge handler for all functions.
This value is deep merged in
module.lambda_edge_functions
withvar.lambda_edge_functions
and can be overwritten for any individual function.Default value:
"index.handler"
lambda_edge_runtime
(string
) optionalThe default Lambda@Edge runtime for all functions.
This value is deep merged in
module.lambda_edge_functions
withvar.lambda_edge_functions
and can be overwritten for any individual function.Default value:
"nodejs16.x"
ordered_cache
optionalAn ordered list of cache behaviors resource for this distribution.
List in order of precedence (first match wins). This is in addition to the default cache policy.
Settarget_origin_id
to""
to specify the S3 bucket origin created by this module.
Setcache_policy_id
to""
to usecache_policy_name
for creating a new policy. At least one of the two must be set.
Setorigin_request_policy_id
to""
to useorigin_request_policy_name
for creating a new policy. At least one of the two must be set.Type:
list(object({
target_origin_id = string
path_pattern = string
allowed_methods = list(string)
cached_methods = list(string)
compress = bool
trusted_signers = list(string)
trusted_key_groups = list(string)
cache_policy_name = optional(string)
cache_policy_id = optional(string)
origin_request_policy_name = optional(string)
origin_request_policy_id = optional(string)
viewer_protocol_policy = string
min_ttl = number
default_ttl = number
max_ttl = number
response_headers_policy_id = string
forward_query_string = bool
forward_header_values = list(string)
forward_cookies = string
forward_cookies_whitelisted_names = list(string)
lambda_function_association = list(object({
event_type = string
include_body = bool
lambda_arn = string
}))
function_association = list(object({
event_type = string
function_arn = string
}))
origin_request_policy = optional(object({
cookie_behavior = optional(string, "none")
header_behavior = optional(string, "none")
query_string_behavior = optional(string, "none")
cookies = optional(list(string), [])
headers = optional(list(string), [])
query_strings = optional(list(string), [])
}), {})
}))Default value:
[ ]
origin_allow_ssl_requests_only
(bool
) optionalSet to
true
in order to have the origin bucket require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requestsDefault value:
true
origin_bucket
(string
) optionalName of an existing S3 bucket to use as the origin. If this is not provided, this component will create a new s3 bucket using
var.name
and other context related inputsDefault value:
null
origin_deployment_actions
(list(string)
) optionalList of actions to permit
origin_deployment_principal_arns
to perform on bucket and bucket prefixes (seeorigin_deployment_principal_arns
)Default value:
[
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload"
]origin_deployment_principal_arns
(list(string)
) optionalList of role ARNs to grant deployment permissions to the origin Bucket.
Default value:
[ ]
origin_encryption_enabled
(bool
) optionalWhen set to 'true' the origin Bucket will have aes256 encryption enabled by default.
Default value:
true
origin_force_destroy
(bool
) optionalA boolean string that indicates all objects should be deleted from the origin Bucket so that the Bucket can be destroyed without error. These objects are not recoverable.
Default value:
false
origin_s3_access_log_bucket_name
(string
) optionalName of the existing S3 bucket where S3 Access Logs for the origin Bucket will be delivered. Default is not to enable S3 Access Logging for the origin Bucket.
Default value:
""
origin_s3_access_log_bucket_name_rendering_enabled
(bool
) optionalIf set to
true
, then the S3 origin access logs bucket name will be rendered by callingformat("%v-%v-%v-%v", var.namespace, var.environment, var.stage, var.origin_s3_access_log_bucket_name)
.
Otherwise, the value fororigin_s3_access_log_bucket_name
will need to be the globally unique name of the access logs bucket.For example, if this component produces an origin bucket named
eg-ue1-devplatform-example
andorigin_s3_access_log_bucket_name
is set to
example-s3-access-logs
, then the bucket name will be rendered to beeg-ue1-devplatform-example-s3-access-logs
.Default value:
false
origin_s3_access_log_prefix
(string
) optionalPrefix to use for S3 Access Log object keys. Defaults to
logs/${module.this.id}
Default value:
""
origin_s3_access_logging_enabled
(bool
) optionalSet
true
to deliver S3 Access Logs to theorigin_s3_access_log_bucket_name
bucket.
Defaults tofalse
iforigin_s3_access_log_bucket_name
is empty (the default),true
otherwise.
Must be set explicitly if the access log bucket is being created at the same time as this module is being invoked.Default value:
null
origin_versioning_enabled
(bool
) optionalEnable or disable versioning for the origin Bucket. Versioning is a means of keeping multiple variants of an object in the same bucket.
Default value:
false
parent_zone_name
(string
) optionalParent domain name of site to publish. Defaults to format(parent_zone_name_pattern, stage, environment).
Default value:
""
preview_environment_enabled
(bool
) optionalEnable or disable SPA Preview Environments via Lambda@Edge, i.e. mapping
subdomain.example.com
to the/subdomain
path in the origin S3 bucket.This variable implicitly affects the following variables:
s3_website_enabled
s3_website_password_enabled
block_origin_public_access_enabled
origin_allow_ssl_requests_only
forward_header_values
cloudfront_default_ttl
cloudfront_min_ttl
cloudfront_max_ttl
cloudfront_lambda_function_association
Default value:
false
process_domain_validation_options
(bool
) optionalFlag to enable/disable processing of the record to add to the DNS zone to complete certificate validation
Default value:
true
s3_object_ownership
(string
) optionalSpecifies the S3 object ownership control on the origin bucket. Valid values are
ObjectWriter
,BucketOwnerPreferred
, and 'BucketOwnerEnforced'.Default value:
"ObjectWriter"
s3_origins
optionalA list of S3 origins (in addition to the one created by this component) for this distribution.
S3 buckets configured as websites arecustom_origins
, nots3_origins
.
Specifyings3_origin_config.origin_access_identity
asnull
or""
will have it translated to theorigin_access_identity
used by the origin created by this component.Type:
list(object({
domain_name = string
origin_id = string
origin_path = string
s3_origin_config = object({
origin_access_identity = string
})
}))Default value:
[ ]
s3_website_enabled
(bool
) optionalSet to true to enable the created S3 bucket to serve as a website independently of CloudFront,
and to use that website as the origin.Setting
preview_environment_enabled
will implicitly set this totrue
.Default value:
false
s3_website_password_enabled
(bool
) optionalIf set to true, and
s3_website_enabled
is also true, a password will be required in theReferrer
field of the
HTTP request in order to access the website, and CloudFront will be configured to pass this password in its requests.
This will make it much harder for people to bypass CloudFront and access the S3 website directly via its website endpoint.Default value:
false
site_fqdn
(string
) optionalFully qualified domain name of site to publish. Overrides site_subdomain and parent_zone_name.
Default value:
""
site_subdomain
(string
) optionalSubdomain to plug into site_name_pattern to make site FQDN.
Default value:
""
Context Variables
The following variables are defined in the context.tf
file of this module and part of the terraform-null-label pattern.
context.tf
file of this module and part of the terraform-null-label pattern.additional_tag_map
(map(string)
) optionalAdditional key-value pairs to add to each map in
tags_as_list_of_maps
. Not added totags
orid
.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.Required: No
Default value:
{ }
attributes
(list(string)
) optionalID element. Additional attributes (e.g.
workers
orcluster
) to add toid
,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by thedelimiter
and treated as a single ID element.Required: No
Default value:
[ ]
context
(any
) optionalSingle object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables asnull
to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.Required: No
Default value:
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}delimiter
(string
) optionalDelimiter to be used between ID elements.
Defaults to-
(hyphen). Set to""
to use no delimiter at all.Required: No
Default value:
null
descriptor_formats
(any
) optionalDescribe additional descriptors to be output in the
descriptors
output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
\{<br/> format = string<br/> labels = list(string)<br/> \}
(Type isany
so the map values can later be enhanced to provide additional options.)
format
is a Terraform format string to be passed to theformat()
function.
labels
is a list of labels, in order, to pass toformat()
function.
Label values will be normalized before being passed toformat()
so they will be
identical to how they appear inid
.
Default is{}
(descriptors
output will be empty).Required: No
Default value:
{ }
enabled
(bool
) optionalSet to false to prevent the module from creating any resources
Required: NoDefault value:
null
environment
(string
) optionalID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'
Required: NoDefault value:
null
id_length_limit
(number
) optionalLimit
id
to this many characters (minimum 6).
Set to0
for unlimited length.
Set tonull
for keep the existing setting, which defaults to0
.
Does not affectid_full
.Required: No
Default value:
null
label_key_case
(string
) optionalControls the letter case of the
tags
keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via thetags
input.
Possible values:lower
,title
,upper
.
Default value:title
.Required: No
Default value:
null
label_order
(list(string)
) optionalThe order in which the labels (ID elements) appear in the
id
.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.Required: No
Default value:
null
label_value_case
(string
) optionalControls the letter case of ID elements (labels) as included in
id
,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via thetags
input.
Possible values:lower
,title
,upper
andnone
(no transformation).
Set this totitle
and setdelimiter
to""
to yield Pascal Case IDs.
Default value:lower
.Required: No
Default value:
null
labels_as_tags
(set(string)
) optionalSet of labels (ID elements) to include as tags in the
tags
output.
Default is to include all labels.
Tags with empty values will not be included in thetags
output.
Set to[]
to suppress all generated tags.
Notes:
The value of thename
tag, if included, will be theid
, not thename
.
Unlike othernull-label
inputs, the initial setting oflabels_as_tags
cannot be
changed in later chained modules. Attempts to change it will be silently ignored.Required: No
Default value:
[
"default"
]name
(string
) optionalID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as atag
.
The "name" tag is set to the fullid
string. There is no tag with the value of thename
input.Required: No
Default value:
null
namespace
(string
) optionalID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique
Required: NoDefault value:
null
regex_replace_chars
(string
) optionalTerraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set,"/[^a-zA-Z0-9-]/"
is used to remove all characters other than hyphens, letters and digits.Required: No
Default value:
null
stage
(string
) optionalID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'
Required: NoDefault value:
null
tags
(map(string)
) optionalAdditional tags (e.g.
{'BusinessUnit': 'XYZ'}
).
Neither the tag keys nor the tag values will be modified by this module.Required: No
Default value:
{ }
tenant
(string
) optionalID element (Rarely used, not included by default). A customer identifier, indicating who this instance of a resource is for
Required: NoDefault value:
null
Outputs
cloudfront_distribution_alias
Cloudfront Distribution Alias Record.
cloudfront_distribution_domain_name
Cloudfront Distribution Domain Name.
cloudfront_distribution_identity_arn
CloudFront Distribution Origin Access Identity IAM ARN.
failover_s3_bucket_name
Failover Origin bucket name, if enabled.
github_actions_iam_role_arn
ARN of IAM role for GitHub Actions
github_actions_iam_role_name
Name of IAM role for GitHub Actions
origin_s3_bucket_arn
Origin bucket ARN.
origin_s3_bucket_name
Origin bucket name.
Dependencies
Requirements
terraform
, version:>= 1.0.0
aws
, version:>= 4.9.0
Providers
aws
, version:>= 4.9.0
aws
, version:>= 4.9.0
Modules
Name | Version | Source | Description |
---|---|---|---|
acm_request_certificate | 0.18.0 | cloudposse/acm-request-certificate/aws | Create an ACM and explicitly set it to us-east-1 (requirement of CloudFront) |
dns_delegated | 1.5.0 | cloudposse/stack-config/yaml//modules/remote-state | n/a |
gha_assume_role | latest | ../account-map/modules/team-assume-role-policy | n/a |
gha_role_name | 0.25.0 | cloudposse/label/null | n/a |
github_runners | 1.5.0 | cloudposse/stack-config/yaml//modules/remote-state | n/a |
iam_roles | latest | ../account-map/modules/iam-roles | n/a |
lambda_edge | 0.92.0 | cloudposse/cloudfront-s3-cdn/aws//modules/lambda@edge | n/a |
lambda_edge_functions | 1.0.2 | cloudposse/config/yaml//modules/deepmerge | n/a |
spa_web | 0.95.0 | cloudposse/cloudfront-s3-cdn/aws | n/a |
this | 0.25.0 | cloudposse/label/null | n/a |
utils | 1.3.0 | cloudposse/utils/aws | n/a |
waf | 1.5.0 | cloudposse/stack-config/yaml//modules/remote-state | n/a |
Resources
The following resources are used by this module:
aws_cloudfront_cache_policy.created_cache_policies
(resource)aws_cloudfront_origin_request_policy.created_origin_request_policies
(resource)aws_iam_policy.additional_lambda_edge_permission
(resource)aws_iam_role.github_actions
(resource)aws_iam_role_policy_attachment.additional_lambda_edge_permission
(resource)aws_shield_protection.shield_protection
(resource)
Data Sources
The following data sources are used by this module:
aws_iam_policy_document.additional_lambda_edge_permission
(data source)aws_iam_policy_document.github_actions_iam_policy
(data source)aws_s3_bucket.failover_bucket
(data source)
References
- cloudposse/terraform-aws-components - Cloud Posse's upstream component
- How do I use CloudFront to serve a static website hosted on Amazon S3?