Skip to content

Latest commit

 

History

History
87 lines (74 loc) · 12.1 KB

README.md

File metadata and controls

87 lines (74 loc) · 12.1 KB

AWS VPC Cloudfront Module

Terraform module with create Cloudfront resources on AWS.

Requirements

Name Version
terraform >= 1.0.0
aws >= 4.0.0

Providers

Name Version
aws >= 4.0.0

Modules

Name Source Version
waf oozou/waf/aws 1.1.1

Resources

Name Type
aws_cloudfront_distribution.distribution resource
aws_cloudfront_origin_access_identity.this resource
aws_iam_role.main resource
aws_iam_role_policy.main resource
aws_route53_record.application resource
aws_route53_zone.hosted_zone data source

Inputs

Name Description Type Default Required
cdn_certificate_arn Specify ARN for CDN certificate string null no
default_cache_behavior Specify CloudFront configuration related to caching behavior any
{
"allowed_methods": [
"DELETE",
"GET",
"HEAD",
"OPTIONS",
"PATCH",
"POST",
"PUT"
],
"cached_methods": [
"GET",
"HEAD"
],
"compress": true,
"cookies_forward": "none",
"cookies_whitelisted_names": [],
"default_ttl": 3600,
"headers": [
"Host"
],
"max_ttl": 86400,
"min_ttl": 0,
"query_string": false,
"query_string_cache_keys": []
}
no
default_root_object File name for default root object string "index.html" no
domain_aliases CNAMEs (domain names) for the distribution list(string) [] no
environment (Optional) Environment as a part of format("%s-%s-%s-cf", var.prefix, var.environment, var.name); ex. xxx-prod-xxx-cf string "" no
geo_restriction_config Specify configuration for restriction based on location
object({
geo_restriction_type = string # Method that use to restrict distribution of your content by country: none, whitelist, or `blacklist
geo_restriction_locations = list(string) # List of country codes for which CloudFront either to distribute content (whitelist) or not distribute your content (blacklist)
})
{
"geo_restriction_locations": [],
"geo_restriction_type": "none"
}
no
is_automatic_create_dns_record Whether to automatically create cloudfront A record. bool true no
is_create_log_access_role Whether to create log access role or not; just make role no relate resource in this module used bool true no
is_create_waf_logging_configuration Whether to create logging configuration in order start logging from a WAFv2 Web ACL to CloudWatch bool true no
is_enable_distribution enable or disable distribution bool true no
is_enable_waf Whether to enable WAF for CloudFront bool false no
is_enable_waf_cloudwatch_metrics The action to perform if none of the rules contained in the WebACL match. bool true no
is_enable_waf_default_rule If true with enable default rule (detail in locals.tf) bool true no
is_enable_waf_sampled_requests Whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console. bool true no
is_ipv6_enabled State of CloudFront IPv6 bool true no
log_aggregation_s3_bucket_name [Required] S3 bucket name where logs are stored for cloudfront string n/a yes
log_include_cookies Include cookies in access logs bool false no
name (Optional) Name as a part of format("%s-%s-%s-cf", var.prefix, var.environment, var.name); ex. xxx-xxx-cms-cf string "" no
name_override (Optional) Full name to override usage from format("%s-%s-%s-cf", var.prefix, var.environment, var.name) string "" no
ordered_cache_behaviors An ordered list of cache behaviors resource for this distribution. List from top to bottom in order of precedence. The topmost cache behavior will have precedence 0. any [] no
origin One or more origins for this distribution (multiples allowed). any {} no
origin_access_identities Map of CloudFront origin access identities (value as a comment) map(string) {} no
origin_group One or more origin_group for this distribution (multiples allowed). any {} no
prefix (Optional) Prefix as a part of format("%s-%s-%s-cf", var.prefix, var.environment, var.name); ex. oozou-xxx-xxx-cf string "" no
price_class Price class for this distribution: PriceClass_All, PriceClass_200, PriceClass_100 (price class denotes the edge locations which are supported by CDN) string "PriceClass_100" no
retain_on_delete retain cloudfront when destroy bool true no
route53_domain_name [Required] The Name of the already existing Route53 Hosted Zone (i.e.: 'spike.abc.cloud') string null no
tags Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys. map(string) {} no
waf_cloudwatch_log_kms_key_id The ARN for the KMS encryption key. string null no
waf_cloudwatch_log_retention_in_days Specifies the number of days you want to retain log events Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire number 90 no
waf_custom_response_body (optional) Define custom response body list(any) [] no
waf_custom_rules Find the example for these structure any [] no
waf_default_action The action to perform if none of the rules contained in the WebACL match. string "block" no
waf_ip_rate_based_rule A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span
object({
name = string
priority = number
action = string
limit = number
})
null no
waf_ip_set To create IP set ex.
ip_sets = {
"oozou-vpn-ipv4-set" = {
ip_addresses = ["127.0.01/32"]
ip_address_version = "IPV4"
},
"oozou-vpn-ipv6-set" = {
ip_addresses = ["2403:6200:88a2:a6f8:2096:9b42:31f8:61fd/128"]
ip_address_version = "IPV6"
}
}
map(object({
ip_addresses = list(string)
ip_address_version = string
}))
{} no
waf_ip_sets_rule A rule to detect web requests coming from particular IP addresses or address ranges.
list(object({
name = string
priority = number
ip_set = list(string)
action = string
ip_address_version = string
}))
[] no
waf_logging_filter A configuration block that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation. any {} no
waf_managed_rules List of Managed WAF rules.
list(object({
name = string
priority = number
override_action = string
excluded_rules = list(string)
}))
[] no
waf_redacted_fields The parts of the request that you want to keep out of the logs. Up to 100 redacted_fields blocks are supported. any [] no

Outputs

Name Description
cloudfront_distribution_arn The ARN (Amazon Resource Name) for the distribution.
cloudfront_distribution_domain_name The domain name corresponding to the distribution. For example: d604721fxaaqy9.cloudfront.net
cloudfront_origin_access_identities A pre-generated ARN for use in S3 bucket policies (see below). Example: arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2QWRUHAPOMQZL.