diff --git a/modules/cloudfront-ssl-hsts/README.md b/modules/cloudfront-ssl-hsts/README.md index 8814a165..46c5253f 100644 --- a/modules/cloudfront-ssl-hsts/README.md +++ b/modules/cloudfront-ssl-hsts/README.md @@ -1,60 +1,43 @@ +# Module to create aws cloudfront(CDN) resource with related resources and options.The var.origins is a list of origins with their behaviors, so that for each origin it creates the behavior also. The default behavior/origin is the last one from var.origins listing. For non default behaviors origin_object.behavior.path_pattern required, this defines the routing path for behavior. + # example with ALB default and 2 more cache behaviors: +## it creates ```hcl +provider "aws" { + region = "eu-central-1" +} provider "aws" { region = "us-east-1" + alias = "virginia" } module "cdn" { source = "dasmeta/modules/aws//modules/cloudfront-ssl-hsts" - version = "0.19.5" + version = "2.16.0" zone = ["devops.dasmeta.com"] aliases = ["cdn.devops.dasmeta.com"] comment = "My CloudFront" - create_origin_access_identity = true - origin_access_identities = { - s3_bucket_one = "My awesome CloudFront can access" - } logging_config = { bucket = "logs-my-cdn.s3.amazonaws.com" } - origin = { - something = { + origins = [ + { + id = "first" domain_name = "something.example.com" - custom_origin_config = { - http_port = 80 - https_port = 443 - origin_protocol_policy = "match-viewer" - origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"] + behavior = { + path_pattern = "/api" } - } - - s3_one = { - domain_name = "my-s3-bycket.s3.amazonaws.com" - s3_origin_config = { - origin_access_identity = "s3_bucket_one" - } - } - } - - default_cache_behavior = { - target_origin_id = "alb" - } - - ordered_cache_behavior = [ - { - path_pattern = "/alb" - target_origin_id = "alb" }, { - path_pattern = "/alb2" - target_origin_id = "alb" + id = "default" + domain_name = "my-s3-bucket" + type = "bucket" } ] - } ``` 
@@ -67,26 +50,19 @@ provider "aws" { module "cdn" { source = "dasmeta/modules/aws//modules/cloudfront-ssl-hsts" - version = "0.19.5" + version = "2.16.0" zone = ["devops.dasmeta.com"] aliases = ["cdn.devops.dasmeta.com"] comment = "My CloudFront" - origin = { - s3 = { - domain_name = "S3 website URL" # you need to enable S3 website to have this - custom_origin_config = { - origin_protocol_policy = "http-only" - } + origins = [ + { + id = "s3" + type = "bucket" + domain_name = "the-s3-bucket-name" # you need to enable S3 website to have this } } - - default_cache_behavior = { - target_origin_id = "s3" - use_forwarded_values = true - headers = [] # the default value is ["*"] and S3 origin do not support it, so we just need to disable it - } } ``` @@ -103,6 +79,7 @@ module "cdn" { | Name | Version | |------|---------| | [aws](#provider\_aws) | >= 3.64 | +| [aws.virginia](#provider\_aws.virginia) | >= 3.64 | ## Modules @@ -118,6 +95,9 @@ module "cdn" { | [aws_cloudfront_distribution.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource | | [aws_cloudfront_monitoring_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_monitoring_subscription) | resource | | [aws_cloudfront_origin_access_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource | +| [aws_s3_bucket_policy.cdn_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_s3_bucket.origins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | ## Inputs 
@@ -127,7 +107,7 @@ module "cdn" { | [comment](#input\_comment) | Any comments you want to include about the distribution. | `string` | `null` | no | | [create\_certificate](#input\_create\_certificate) | create certificate | `bool` | `true` | no | | [create\_distribution](#input\_create\_distribution) | Controls if CloudFront distribution should be created | `bool` | `true` | no | -| [create\_hsts](#input\_create\_hsts) | create hsts | `bool` | `true` | no | +| [create\_hsts](#input\_create\_hsts) | create hsts | `bool` | `false` | no | | [create\_monitoring\_subscription](#input\_create\_monitoring\_subscription) | If enabled, the resource for monitoring subscription will created. | `bool` | `false` | no | | [create\_origin\_access\_identity](#input\_create\_origin\_access\_identity) | Controls if CloudFront origin access identity should be created | `bool` | `false` | no | | [custom\_error\_response](#input\_custom\_error\_response) | One or more custom error response elements | `any` | `{}` | no | 
@@ -139,9 +119,9 @@ module "cdn" { | [is\_ipv6\_enabled](#input\_is\_ipv6\_enabled) | Whether the IPv6 is enabled for the distribution. | `bool` | `true` | no | | [logging\_config](#input\_logging\_config) | The logging configuration that controls how logs are written to your distribution (maximum one). | `any` | `{}` | no | | [ordered\_cache\_behavior](#input\_ordered\_cache\_behavior) | An ordered list of cache behaviors resource for this distribution. List from top to bottom in order of precedence. The topmost cache behavior will have precedence 0. | `any` | `[]` | no | -| [origin](#input\_origin) | One or more origins for this distribution (multiples allowed). | `any` | `null` | no | | [origin\_access\_identities](#input\_origin\_access\_identities) | Map of CloudFront origin access identities (value as a comment) | `map(string)` | `{}` | no | | [origin\_group](#input\_origin\_group) | One or more origin\_group for this distribution (multiples allowed). | `any` | `{}` | no | +| [origins](#input\_origins) | One or more origins for this distribution (multiples allowed). | `any` | `null` | no | | [override\_custom\_headers](#input\_override\_custom\_headers) | Allows to override-default/disable-default/have-additional security headers | `any` | `{}` | no | | [price\_class](#input\_price\_class) | The price class for this distribution. One of PriceClass\_All, PriceClass\_200, PriceClass\_100 | `string` | `"PriceClass_All"` | no | | [realtime\_metrics\_subscription\_status](#input\_realtime\_metrics\_subscription\_status) | A flag that indicates whether additional CloudWatch metrics are enabled for a given CloudFront distribution. Valid values are `Enabled` and `Disabled`. | `string` | `"Enabled"` | no | diff --git a/modules/cloudfront-ssl-hsts/bucket-origin.tf b/modules/cloudfront-ssl-hsts/bucket-origin.tf new file mode 100644 index 00000000..b3a51613 --- /dev/null +++ b/modules/cloudfront-ssl-hsts/bucket-origin.tf 
@@ -0,0 +1,32 @@ +data "aws_s3_bucket" "origins" { + for_each = { for key, origin in var.origins : origin.id => origin if try(origin.type, null) == "bucket" } + + bucket = each.value.domain_name +} + +resource "aws_cloudfront_origin_access_identity" "this" { + for_each = data.aws_s3_bucket.origins + + provider = aws.virginia +} + +data "aws_iam_policy_document" "s3_policy" { + for_each = data.aws_s3_bucket.origins + + statement { + actions = ["s3:GetObject"] + resources = ["${each.value.arn}/*"] + + principals { + type = "AWS" + identifiers = [aws_cloudfront_origin_access_identity.this[each.key].iam_arn] + } + } +} + +resource "aws_s3_bucket_policy" "cdn_access_policy" { + for_each = data.aws_s3_bucket.origins + + bucket = each.value.id + policy = data.aws_iam_policy_document.s3_policy[each.key].json +} diff --git a/modules/cloudfront-ssl-hsts/main.tf b/modules/cloudfront-ssl-hsts/main.tf index e5ca46fc..fcd5b2b9 100644 --- a/modules/cloudfront-ssl-hsts/main.tf +++ b/modules/cloudfront-ssl-hsts/main.tf @@ -1,11 +1,5 @@ locals { - create_origin_access_identity = var.create_origin_access_identity && length(keys(var.origin_access_identities)) > 0 -} - -resource "aws_cloudfront_origin_access_identity" "this" { - for_each = local.create_origin_access_identity ? var.origin_access_identities : {} - - comment = each.value + default_origin_index = length(var.origins) - 1 # the default origin behavior is last one from origins listing } resource "aws_cloudfront_distribution" "this" { 
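Review bot: `aws_s3_bucket_policy.cdn_access_policy` is authoritative for the bucket it is attached to, so on an existing bucket (this file only reads it via `data.aws_s3_bucket.origins`) it silently replaces whatever policy is already there — an `aws:SecureTransport` deny, access for other principals, or the policy written by a second distribution that also points at the same bucket. At minimum the README should state that the module takes ownership of the origin bucket's policy; better, let callers pass extra statements and merge them with `source_policy_documents = try(each.value.extra_policy_json, null) == null ? [] : [each.value.extra_policy_json]` in `data.aws_iam_policy_document.s3_policy`. Note also that `aws_cloudfront_origin_access_identity` is the legacy mechanism; if the module can raise its provider floor, Origin Access Control (`aws_cloudfront_origin_access_control`) is the recommended replacement and, unlike OAI, works with SSE-KMS encrypted objects — I have not verified the minimum provider version in this diff.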
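Review bot: `default_origin_index = length(var.origins) - 1` makes the catch-all behavior purely positional: reordering `var.origins` silently moves all unmatched traffic to a different origin (for example an internal `/api` origin becoming the default), and with the declared `default = null` for `origins` in variables.tf, `length(null)` fails at plan time instead of giving a useful message. An opt-in flag with the current behavior as fallback keeps compatibility: `default_origin_index = try(index([for o in var.origins : try(o.default, false)], true), length(var.origins) - 1)`, plus a `validation` block on `var.origins` requiring a non-empty list. The comment on the local should then say that the last origin is only the fallback when no entry sets `default = true`.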
@@ -34,33 +28,33 @@ resource "aws_cloudfront_distribution" "this" { } dynamic "origin" { - for_each = var.origin + for_each = var.origins content { - domain_name = origin.value.domain_name - origin_id = lookup(origin.value, "origin_id", origin.key) + domain_name = try(origin.value.type, null) == "bucket" ? data.aws_s3_bucket.origins[origin.value.id].bucket_regional_domain_name : origin.value.domain_name + origin_id = origin.value.id origin_path = lookup(origin.value, "origin_path", "") connection_attempts = lookup(origin.value, "connection_attempts", null) connection_timeout = lookup(origin.value, "connection_timeout", null) dynamic "s3_origin_config" { - for_each = length(keys(lookup(origin.value, "s3_origin_config", {}))) == 0 ? [] : [lookup(origin.value, "s3_origin_config", {})] + for_each = { for key, origin_access_identity in aws_cloudfront_origin_access_identity.this : key => origin_access_identity if key == origin.value.id } content { - origin_access_identity = lookup(s3_origin_config.value, "cloudfront_access_identity_path", lookup(lookup(aws_cloudfront_origin_access_identity.this, lookup(s3_origin_config.value, "origin_access_identity", ""), {}), "cloudfront_access_identity_path", null)) + origin_access_identity = s3_origin_config.value.cloudfront_access_identity_path } } - dynamic "custom_origin_config" { - for_each = length(lookup(origin.value, "custom_origin_config", "")) == 0 ? [] : [lookup(origin.value, "custom_origin_config", "")] + dynamic "custom_origin_config" { # custom_origin_config block required for non bucket type origins and should not be set for bucket origins + for_each = try(origin.value.type, null) == "bucket" ? 
[] : [lookup(origin.value, "custom_origin_config", {})] content { - http_port = lookup(custom_origin_config.value, "http_port", 80) - https_port = lookup(custom_origin_config.value, "https_port", 443) - origin_protocol_policy = lookup(custom_origin_config.value, "origin_protocol_policy", "match-viewer") - origin_ssl_protocols = lookup(custom_origin_config.value, "origin_ssl_protocols", ["TLSv1.2"]) - origin_keepalive_timeout = lookup(custom_origin_config.value, "origin_keepalive_timeout", null) - origin_read_timeout = lookup(custom_origin_config.value, "origin_read_timeout", null) + http_port = try(custom_origin_config.value.http_port, 80) + https_port = try(custom_origin_config.value.https_port, 443) + origin_protocol_policy = try(custom_origin_config.value.origin_protocol_policy, "match-viewer") + origin_ssl_protocols = try(custom_origin_config.value.origin_ssl_protocols, ["TLSv1.2"]) + origin_keepalive_timeout = try(custom_origin_config.value.origin_keepalive_timeout, null) + origin_read_timeout = try(custom_origin_config.value.origin_read_timeout, null) } } 
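Review bot: The `custom_origin_config` default `origin_protocol_policy = "match-viewer"` means CloudFront fetches from the origin over plaintext HTTP whenever a behavior is configured with `viewer_protocol_policy = "allow-all"`; it only happens to be HTTPS-everywhere because the behaviors default to `redirect-to-https`. For a module whose name promises SSL/HSTS a safer default is `origin_protocol_policy = try(custom_origin_config.value.origin_protocol_policy, "https-only")`, with the README's S3-website example keeping its explicit `http-only` since website endpoints do not speak TLS. If that default is judged too disruptive (the test ALB in this diff has no HTTPS listener), at least add a comment on the line stating that `match-viewer` is intentional and that callers who enable `allow-all` must set the policy explicitly. The enclosing `aws_cloudfront_distribution.this` resource starts before this hunk.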
@@ -104,112 +98,107 @@ resource "aws_cloudfront_distribution" "this" { } } - dynamic "default_cache_behavior" { - for_each = [var.default_cache_behavior] - iterator = i + default_cache_behavior { + target_origin_id = var.origins[local.default_origin_index].id + viewer_protocol_policy = try(var.origins[local.default_origin_index].behavior.viewer_protocol_policy, "redirect-to-https") - content { - target_origin_id = i.value["target_origin_id"] - viewer_protocol_policy = lookup(i.value, "viewer_protocol_policy", "redirect-to-https") - - allowed_methods = lookup(i.value, "allowed_methods", ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]) - cached_methods = lookup(i.value, "cached_methods", ["GET", "HEAD"]) - compress = lookup(i.value, "compress", null) - field_level_encryption_id = lookup(i.value, "field_level_encryption_id", null) - smooth_streaming = lookup(i.value, "smooth_streaming", null) - trusted_signers = lookup(i.value, "trusted_signers", null) - trusted_key_groups = lookup(i.value, "trusted_key_groups", null) - - cache_policy_id = lookup(i.value, "cache_policy_id", null) - origin_request_policy_id = lookup(i.value, "origin_request_policy_id", null) - response_headers_policy_id = lookup(i.value, "response_headers_policy_id", null) - realtime_log_config_arn = lookup(i.value, "realtime_log_config_arn", null) - - min_ttl = lookup(i.value, "min_ttl", null) - default_ttl = lookup(i.value, "default_ttl", null) - max_ttl = lookup(i.value, "max_ttl", null) + allowed_methods = try(var.origins[local.default_origin_index].behavior.allowed_methods, ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]) + cached_methods = try(var.origins[local.default_origin_index].behavior.cached_methods, ["GET", "HEAD"]) + compress = try(var.origins[local.default_origin_index].behavior.compress, null) + field_level_encryption_id = try(var.origins[local.default_origin_index].behavior.field_level_encryption_id, null) + smooth_streaming = 
try(var.origins[local.default_origin_index].behavior.smooth_streaming, null) + trusted_signers = try(var.origins[local.default_origin_index].behavior.trusted_signers, null) + trusted_key_groups = try(var.origins[local.default_origin_index].behavior.trusted_key_groups, null) - dynamic "forwarded_values" { - for_each = lookup(i.value, "use_forwarded_values", true) ? [true] : [] + cache_policy_id = try(var.origins[local.default_origin_index].behavior.cache_policy_id, null) + origin_request_policy_id = try(var.origins[local.default_origin_index].behavior.origin_request_policy_id, null) + response_headers_policy_id = try(var.origins[local.default_origin_index].behavior.response_headers_policy_id, null) + realtime_log_config_arn = try(var.origins[local.default_origin_index].behavior.realtime_log_config_arn, null) - content { - query_string = lookup(i.value, "query_string", true) - query_string_cache_keys = lookup(i.value, "query_string_cache_keys", []) - headers = lookup(i.value, "headers", ["*"]) + min_ttl = try(var.origins[local.default_origin_index].behavior.min_ttl, null) + default_ttl = try(var.origins[local.default_origin_index].behavior.default_ttl, null) + max_ttl = try(var.origins[local.default_origin_index].behavior.max_ttl, null) - cookies { - forward = lookup(i.value, "cookies_forward", "all") - whitelisted_names = lookup(i.value, "cookies_whitelisted_names", null) - } + dynamic "forwarded_values" { + for_each = try(var.origins[local.default_origin_index].behavior.use_forwarded_values, true) ? 
[true] : [] + + content { + query_string = try(var.origins[local.default_origin_index].behavior.query_string, true) + query_string_cache_keys = try(var.origins[local.default_origin_index].behavior.query_string_cache_keys, []) + headers = try(var.origins[local.default_origin_index].behavior.headers, []) + + cookies { + forward = try(var.origins[local.default_origin_index].behavior.cookies_forward, "all") + whitelisted_names = try(var.origins[local.default_origin_index].behavior.cookies_whitelisted_names, null) } } + } - dynamic "lambda_function_association" { - for_each = var.create_hsts ? [true] : lookup(i.value, "lambda_function_association", []) - iterator = l + dynamic "lambda_function_association" { + for_each = var.create_hsts ? [true] : try(var.origins[local.default_origin_index].behavior.lambda_function_association, []) + iterator = l - content { - event_type = var.create_hsts ? "viewer-response" : l.key - lambda_arn = var.create_hsts ? module.aws-cloudfront-security-headers[0].lambda_arn : l.value.lambda_arn - include_body = var.create_hsts ? false : lookup(l.value, "include_body", null) - } + content { + event_type = var.create_hsts ? "viewer-response" : l.key + lambda_arn = var.create_hsts ? module.aws-cloudfront-security-headers[0].lambda_arn : l.value.lambda_arn + include_body = var.create_hsts ? 
false : lookup(l.value, "include_body", null) } + } - dynamic "function_association" { - for_each = lookup(i.value, "function_association", []) - iterator = f + dynamic "function_association" { + for_each = try(var.origins[local.default_origin_index].behavior.function_association, []) + iterator = f - content { - event_type = f.key - function_arn = f.value.function_arn - } + content { + event_type = f.key + function_arn = f.value.function_arn } } } dynamic "ordered_cache_behavior" { - for_each = var.ordered_cache_behavior + for_each = { for key, origin in var.origins : key => origin if key != local.default_origin_index } iterator = i content { - path_pattern = i.value["path_pattern"] - target_origin_id = i.value["target_origin_id"] - viewer_protocol_policy = lookup(i.value, "viewer_protocol_policy", "redirect-to-https") - - allowed_methods = lookup(i.value, "allowed_methods", ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]) - cached_methods = lookup(i.value, "cached_methods", ["GET", "HEAD"]) - compress = lookup(i.value, "compress", null) - field_level_encryption_id = lookup(i.value, "field_level_encryption_id", null) - smooth_streaming = lookup(i.value, "smooth_streaming", null) - trusted_signers = lookup(i.value, "trusted_signers", null) - trusted_key_groups = lookup(i.value, "trusted_key_groups", null) - - cache_policy_id = lookup(i.value, "cache_policy_id", null) - origin_request_policy_id = lookup(i.value, "origin_request_policy_id", null) - response_headers_policy_id = lookup(i.value, "response_headers_policy_id", null) - realtime_log_config_arn = lookup(i.value, "realtime_log_config_arn", null) - - min_ttl = lookup(i.value, "min_ttl", null) - default_ttl = lookup(i.value, "default_ttl", null) - max_ttl = lookup(i.value, "max_ttl", null) + path_pattern = i.value.behavior["path_pattern"] # non default origins should have behavior.path_pattern + target_origin_id = i.value.id + viewer_protocol_policy = try(i.value.behavior.viewer_protocol_policy, 
"redirect-to-https") + + allowed_methods = try(i.value.behavior.allowed_methods, ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]) + cached_methods = try(i.value.behavior.cached_methods, ["GET", "HEAD"]) + compress = try(i.value.behavior.compress, null) + field_level_encryption_id = try(i.value.behavior.field_level_encryption_id, null) + smooth_streaming = try(i.value.behavior.smooth_streaming, null) + trusted_signers = try(i.value.behavior.trusted_signers, null) + trusted_key_groups = try(i.value.behavior.trusted_key_groups, null) + + cache_policy_id = try(i.value.behavior.cache_policy_id, null) + origin_request_policy_id = try(i.value.behavior.origin_request_policy_id, null) + response_headers_policy_id = try(i.value.behavior.response_headers_policy_id, null) + realtime_log_config_arn = try(i.value.behavior.realtime_log_config_arn, null) + + min_ttl = try(i.value.behavior.min_ttl, null) + default_ttl = try(i.value.behavior.default_ttl, null) + max_ttl = try(i.value.behavior.max_ttl, null) dynamic "forwarded_values" { - for_each = lookup(i.value, "use_forwarded_values", true) ? [true] : [] + for_each = try(i.value.behavior.use_forwarded_values, true) ? 
[true] : [] content { - query_string = lookup(i.value, "query_string", true) - query_string_cache_keys = lookup(i.value, "query_string_cache_keys", []) - headers = lookup(i.value, "headers", ["*"]) + query_string = try(i.value.behavior.query_string, true) + query_string_cache_keys = try(i.value.behavior.query_string_cache_keys, []) + headers = try(i.value.behavior.headers, []) cookies { - forward = lookup(i.value, "cookies_forward", "all") - whitelisted_names = lookup(i.value, "cookies_whitelisted_names", null) + forward = try(i.value.behavior.cookies_forward, "all") + whitelisted_names = try(i.value.behavior.cookies_whitelisted_names, null) } } } dynamic "lambda_function_association" { - for_each = lookup(i.value, "lambda_function_association", []) + for_each = try(i.value.behavior.lambda_function_association, []) iterator = l content { @@ -220,7 +209,7 @@ resource "aws_cloudfront_distribution" "this" { } dynamic "function_association" { - for_each = lookup(i.value, "function_association", []) + for_each = try(i.value.behavior.function_association, []) iterator = f content { @@ -262,17 +251,22 @@ resource "aws_cloudfront_distribution" "this" { } } } + depends_on = [module.aws-cloudfront-security-headers, module.ssl-certificate-auth] + + provider = aws.virginia } resource "aws_cloudfront_monitoring_subscription" "this" { count = var.create_distribution && var.create_monitoring_subscription ? 1 : 0 - distribution_id = aws_cloudfront_distribution.this[0].id + distribution_id = aws_cloudfront_distribution.this[local.default_origin_index].id monitoring_subscription { realtime_metrics_subscription_config { realtime_metrics_subscription_status = var.realtime_metrics_subscription_status } } + + provider = aws.virginia } diff --git a/modules/cloudfront-ssl-hsts/outputs.tf b/modules/cloudfront-ssl-hsts/outputs.tf index 47abea75..7597262e 100644 --- a/modules/cloudfront-ssl-hsts/outputs.tf +++ b/modules/cloudfront-ssl-hsts/outputs.tf 
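Review bot: The `forwarded_values` default for `headers` changed from `["*"]` to `[]` for every origin, not just bucket origins, which changes the cache key semantics of existing deployments: with no headers in the key, responses from an authenticated origin are cached and shared across users unless the origin sends `Cache-Control: private`/`no-store`, and on GET/HEAD CloudFront does not forward `Authorization` to a custom origin unless it is whitelisted here (as far as I recall from the CloudFront docs — worth confirming). The README explains the motivation as S3 not accepting `*`, so scope the change to bucket origins: `headers = try(i.value.behavior.headers, try(i.value.type, null) == "bucket" ? [] : ["*"])` in `ordered_cache_behavior`, and the same expression with `var.origins[local.default_origin_index]` in `default_cache_behavior`. Either way the new default deserves a comment on the line and a breaking-change note, since the previous `["*"]` effectively disabled caching and therefore this class of cross-user leak. The enclosing `aws_cloudfront_distribution.this` resource starts before this hunk.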
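Review bot: `distribution_id = aws_cloudfront_distribution.this[local.default_origin_index].id` in `aws_cloudfront_monitoring_subscription.this` looks wrong: the removed line used `[0]` and the subscription itself uses `count`, so assuming the distribution resource still uses `count = var.create_distribution ? 1 : 0`, the index `length(var.origins) - 1` is out of range for any distribution with more than one origin (both test fixtures in this diff would hit it with `s3-and-alb`). `local.default_origin_index` indexes `var.origins`, not the distribution; restore `distribution_id = aws_cloudfront_distribution.this[0].id`. The `count` line of the distribution resource is outside this hunk, so please verify that assumption.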
@@ -50,17 +50,17 @@ output "cloudfront_distribution_hosted_zone_id" { output "cloudfront_origin_access_identities" { description = "The origin access identities created" - value = local.create_origin_access_identity ? { for k, v in aws_cloudfront_origin_access_identity.this : k => v } : {} + value = { for k, v in aws_cloudfront_origin_access_identity.this : k => v } } output "cloudfront_origin_access_identity_ids" { description = "The IDS of the origin access identities created" - value = local.create_origin_access_identity ? [for v in aws_cloudfront_origin_access_identity.this : v.id] : [] + value = [for v in aws_cloudfront_origin_access_identity.this : v.id] } output "cloudfront_origin_access_identity_iam_arns" { description = "The IAM arns of the origin access identities created" - value = local.create_origin_access_identity ? [for v in aws_cloudfront_origin_access_identity.this : v.iam_arn] : [] + value = { for key, value in aws_cloudfront_origin_access_identity.this : key => value.iam_arn } } output "cloudfront_monitoring_subscription_id" { diff --git a/modules/cloudfront-ssl-hsts/ssl-certificate.tf b/modules/cloudfront-ssl-hsts/ssl-certificate.tf index 037c6de6..377d58f7 100644 --- a/modules/cloudfront-ssl-hsts/ssl-certificate.tf +++ b/modules/cloudfront-ssl-hsts/ssl-certificate.tf @@ -8,4 +8,8 @@ module "ssl-certificate-auth" { zone = element(var.zone, 0) alternative_zones = slice(var.zone, 1, length(var.zone)) tags = var.tags + + providers = { + aws = aws.virginia + } } diff --git a/modules/cloudfront-ssl-hsts/tests/basic/0-setup.tf b/modules/cloudfront-ssl-hsts/tests/basic/0-setup.tf new file mode 100644 index 00000000..9c244007 --- /dev/null +++ b/modules/cloudfront-ssl-hsts/tests/basic/0-setup.tf 
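Review bot: `cloudfront_origin_access_identity_iam_arns` changes type from `list(string)` to `map(string)` while keeping its name and description, which breaks any caller that indexes it with `[0]` or splats it into a bucket policy, and the description `"The IAM arns of the origin access identities created"` no longer tells readers what the keys are. Either keep the list shape (`value = [for v in aws_cloudfront_origin_access_identity.this : v.iam_arn]`) and add a new map-valued output, or update the description to `"Map of origin id => IAM ARN of the origin access identity created for that bucket origin"` and list the change as breaking in the README.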
@@ -0,0 +1,25 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4.33" + } + } +} + +provider "aws" { + region = "eu-central-1" +} +provider "aws" { + region = "us-east-1" + alias = "virginia" +} + +locals { + domain = "basic-test-cloudfront.devops.dasmeta.com" + zone = "devops.dasmeta.com" +} + +resource "aws_s3_bucket" "this" { + bucket = local.domain +} diff --git a/modules/cloudfront-ssl-hsts/tests/basic/1-example.tf b/modules/cloudfront-ssl-hsts/tests/basic/1-example.tf new file mode 100644 index 00000000..3346e756 --- /dev/null +++ b/modules/cloudfront-ssl-hsts/tests/basic/1-example.tf @@ -0,0 +1,17 @@ +module "this" { + source = "../../" + zone = [local.zone] + aliases = [local.domain] + origins = [ + { + id = "s3" + domain_name = aws_s3_bucket.this.id + type = "bucket" + } + ] + + providers = { + aws = aws + aws.virginia = aws.virginia + } +} diff --git a/modules/cloudfront-ssl-hsts/tests/basic/README.md b/modules/cloudfront-ssl-hsts/tests/basic/README.md new file mode 100644 index 00000000..21db6eca --- /dev/null +++ b/modules/cloudfront-ssl-hsts/tests/basic/README.md @@ -0,0 +1,35 @@ +# basic + + +## Requirements + +| Name | Version | +|------|---------| +| [aws](#requirement\_aws) | ~> 4.33 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.67.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [this](#module\_this) | ../../ | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | + +## Inputs + +No inputs. + +## Outputs + +No outputs. + diff --git a/modules/cloudfront-ssl-hsts/tests/s3-and-alb/0-setup.tf b/modules/cloudfront-ssl-hsts/tests/s3-and-alb/0-setup.tf new file mode 100644 index 00000000..6536805a --- /dev/null +++ b/modules/cloudfront-ssl-hsts/tests/s3-and-alb/0-setup.tf 
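Review bot: `aws_s3_bucket.this` in the basic fixture is created with provider defaults and no `aws_s3_bucket_public_access_block`, so the test never exercises the case every production origin bucket should be in: all four block flags enabled while the module attaches its OAI bucket policy. An OAI principal is not a public grantee, so `block_public_policy = true` should accept the policy, and having the fixture prove that (and fail if a future change ever adds a `Principal = "*"`) is cheap. Because the module attaches the policy in `bucket-origin.tf`, the block should be created before the module runs, e.g. by depending on it from `module.this`.

```hcl
resource "aws_s3_bucket" "this" {
  bucket = local.domain
}

resource "aws_s3_bucket_public_access_block" "this" {
  bucket                  = aws_s3_bucket.this.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```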
@@ -0,0 +1,45 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4.33" + } + } +} + +provider "aws" { + region = "eu-central-1" +} +provider "aws" { + region = "us-east-1" + alias = "virginia" +} + +locals { + domain = "s3-and-alb-test-cloudfront.devops.dasmeta.com" + zone = "devops.dasmeta.com" +} + +resource "aws_s3_bucket" "test" { + bucket = local.domain +} + +# get region default vpc and its public subnets +data "aws_vpc" "default" { + default = true + provider = aws +} + +data "aws_subnets" "default" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } +} + +# create test alb +resource "aws_lb" "test" { + name = "cloudfront-test-alb" + provider = aws + subnets = data.aws_subnets.default.ids +} diff --git a/modules/cloudfront-ssl-hsts/tests/s3-and-alb/1-example.tf b/modules/cloudfront-ssl-hsts/tests/s3-and-alb/1-example.tf new file mode 100644 index 00000000..a00ebaa6 --- /dev/null +++ b/modules/cloudfront-ssl-hsts/tests/s3-and-alb/1-example.tf @@ -0,0 +1,24 @@ +module "this" { + source = "../../" + zone = [local.zone] + aliases = [local.domain] + origins = [ + { + id = "alb" + domain_name = aws_lb.test.dns_name + behavior = { + path_pattern = "/api/*" + } + }, + { + id = "s3" + domain_name = aws_s3_bucket.test.id + type = "bucket" + } + ] + + providers = { + aws = aws + aws.virginia = aws.virginia + } +} diff --git a/modules/cloudfront-ssl-hsts/tests/s3-and-alb/README.md b/modules/cloudfront-ssl-hsts/tests/s3-and-alb/README.md new file mode 100644 index 00000000..59dae79d --- /dev/null +++ b/modules/cloudfront-ssl-hsts/tests/s3-and-alb/README.md 
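Review bot: `aws_lb.test` is internet-facing (no `internal`), has no `security_groups`, and sits in the default VPC's subnets, so the ALB origin is reachable directly and every control the distribution applies in front of it (`redirect-to-https`, the security-header Lambda, cache behaviors) can be bypassed by hitting `aws_lb.test.dns_name`. As a test fixture that is tolerable, but this is the example users will copy, so restrict ingress to CloudFront's managed origin-facing prefix list; ideally the module would also send a secret `custom_header` that an ALB listener rule checks, though the `origin` block in this diff does not show `custom_header` support, so I have not assumed it. The fixture also defines no listener, which is fine for a plan/apply smoke test but means origin fetches are not actually exercised.

```hcl
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group" "alb" {
  vpc_id = data.aws_vpc.default.id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = [data.aws_ec2_managed_prefix_list.cloudfront.id]
  }
}

resource "aws_lb" "test" {
  # … unchanged: name, provider, subnets …
  security_groups = [aws_security_group.alb.id]
}
```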
@@ -0,0 +1,38 @@ +# s3-and-alb + + +## Requirements + +| Name | Version | +|------|---------| +| [aws](#requirement\_aws) | ~> 4.33 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.67.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [this](#module\_this) | ../../ | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_lb.test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource | +| [aws_s3_bucket.test](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_subnets.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | +| [aws_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +No inputs. + +## Outputs + +No outputs. + diff --git a/modules/cloudfront-ssl-hsts/variables.tf b/modules/cloudfront-ssl-hsts/variables.tf index 10ebd9db..db9aeeb4 100644 --- a/modules/cloudfront-ssl-hsts/variables.tf +++ b/modules/cloudfront-ssl-hsts/variables.tf @@ -1,7 +1,7 @@ -variable "create_hsts" { +variable "create_hsts" { # TODO: this variable was created for allowing to have security headers set in lambda layer, but there is way to have header policy for this, please check and remove this param and related ability description = "create hsts" type = bool - default = true + default = false } variable "create_certificate" { @@ -97,7 +97,7 @@ variable "tags" { default = null } -variable "origin" { +variable "origins" { description = "One or more origins for this distribution (multiples allowed)." type = any default = null diff --git a/modules/cloudfront-ssl-hsts/versions.tf b/modules/cloudfront-ssl-hsts/versions.tf index bfce6ae3..9a6bafae 100644 --- a/modules/cloudfront-ssl-hsts/versions.tf +++ b/modules/cloudfront-ssl-hsts/versions.tf 
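Review bot: Flipping `create_hsts` from `default = true` to `default = false` silently removes the HSTS/security-header Lambda@Edge from every existing caller that never set the variable, which is a security regression for a module named `cloudfront-ssl-hsts`; the TODO says a response headers policy is the intended replacement, but nothing in this diff attaches one by default. Keep `default = true` until the module sets a `response_headers_policy_id` (for example the AWS managed `SecurityHeadersPolicy`) when the caller provides none, or at least document the flip as a breaking change and tell callers to set `create_hsts = true` or a policy id explicitly. The TODO comment would also read better as a sentence in the `description` so it appears in generated docs.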
@@ -3,8 +3,9 @@ terraform { required_providers { aws = { - source = "hashicorp/aws" - version = ">= 3.64" + source = "hashicorp/aws" + version = ">= 3.64" + configuration_aliases = [aws.virginia] } } }
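Review bot: `configuration_aliases = [aws.virginia]` requires Terraform 0.15 or newer, and if the `terraform` block (its start is outside this hunk) does not already pin `required_version`, older CLIs fail on this line with an unhelpful parse error rather than a version message; add `required_version = ">= 0.15"` if it is missing. The README provider table lists `aws.virginia` at `>= 3.64` while both test fixtures pin `~> 4.33`, so it would be worth confirming that the attributes this change relies on (`bucket_regional_domain_name` on the `aws_s3_bucket` data source) are really available at the 3.64 floor before advertising it.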