# Numeric origin ID shared by the origin block and every cache behavior of the
# distribution below. It has no keepers, so the provider is expected to keep the
# first value it draws rather than re-rolling it on each apply.
resource "random_integer" "cf_origin_id" {
  max = 100
  min = 1
}
# AWS-managed cache policy "CachingDisabled": CloudFront forwards every request
# to the origin instead of serving from the edge cache.
# https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/managed-cache-policies.html
data "aws_cloudfront_cache_policy" "default" {
  name = "Managed-CachingDisabled"
}
# AWS-managed origin request policy "AllViewerExceptHostHeader": viewer headers,
# cookies and query strings are passed to the origin, but the Host header is
# not. Keeping the Host header back is what lets an API Gateway execute-api
# hostname be used as the origin.
# https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/managed-origin-request-policies.html
data "aws_cloudfront_origin_request_policy" "default" {
  name = "Managed-AllViewerExceptHostHeader"
}
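# CloudFront distribution placed in front of the HTTP API (aws_apigatewayv2_api.app).
# Its purpose is geofencing: only viewers CloudFront geolocates to Canada are
# served, everyone else is rejected at the edge. Created only when var.cloudfront
# is true.
#
# NOTE(review): the geo whitelist is enforced by CloudFront only. Nothing in this
# file prevents a client from calling the API Gateway endpoint directly and
# bypassing the distribution. If the geofence is a control rather than a
# convenience, the origin has to verify a CloudFront-only signal (e.g. a secret
# custom origin header checked by the API) - confirm how the API side handles this.
resource "aws_cloudfront_distribution" "geofencing" {
  count = var.cloudfront ? 1 : 0

  enabled         = true
  is_ipv6_enabled = true
  comment         = "geofencing"

  # North America / Europe edge locations only; sufficient for a Canada-only audience.
  price_class = "PriceClass_100"
  tags        = local.common_tags

  origin {
    origin_id = random_integer.cf_origin_id.result

    # api_endpoint is a full URL ("https://<id>.execute-api.<region>.amazonaws.com");
    # CloudFront expects the bare hostname.
    domain_name = trimprefix(aws_apigatewayv2_api.app.api_endpoint, "https://")

    custom_origin_config {
      # http_port is required by the schema but never used: CloudFront talks to
      # the origin over HTTPS only, TLS 1.2 only.
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  # - logging should probably be in a central location (centralized-logging account?) - in an aggregated/shared bucket and perhaps also synced into a bucket within the account where the aws-login app is deployed
  # - prefix should follow SEA convention like <account>/<region>/<service name> eg. 12345678/ca-central-1/cloudfront
  #
  # logging_config {
  #   include_cookies = false
  #   bucket          = "<mylogs>.s3.amazonaws.com"
  #   prefix          = "geofencing"
  # }

  # Default behavior: proxy every method to the API without caching. With the
  # CachingDisabled policy the edge never serves a stored response, so the
  # cached_methods list only matters for GET/HEAD if the policy is ever changed.
  default_cache_behavior {
    target_origin_id       = random_integer.cf_origin_id.result
    viewer_protocol_policy = "redirect-to-https"

    allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods  = ["GET", "HEAD"]

    # TTLs come from the cache policy. min_ttl/default_ttl/max_ttl are only
    # effective in the absence of cache_policy_id, so they are deliberately not
    # set here (the original values were silently ignored).
    cache_policy_id          = data.aws_cloudfront_cache_policy.default.id
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.default.id
  }

  # Static assets are cacheable (GET/HEAD only). This behavior still uses the
  # legacy forwarded_values block rather than a cache policy; mixing the two
  # styles across behaviors is allowed, but a single behavior cannot use both.
  # Only the Origin header is forwarded (and therefore part of the cache key);
  # query strings and cookies are dropped before the request reaches the API.
  ordered_cache_behavior {
    path_pattern           = "/static/*"
    target_origin_id       = random_integer.cf_origin_id.result
    viewer_protocol_policy = "redirect-to-https"

    allowed_methods = ["GET", "HEAD"]
    cached_methods  = ["GET", "HEAD"]

    forwarded_values {
      query_string = false
      headers      = ["Origin"]

      cookies {
        forward = "none"
      }
    }

    # Edge cache lifetime when the origin sends no caching headers: 1 hour,
    # capped at 1 day.
    min_ttl     = 0
    default_ttl = 3600
    max_ttl     = 86400
  }

  # The geofence itself: a viewer whose IP CloudFront geolocates outside Canada
  # is refused at the edge. Applies to IPv6 viewers as well.
  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["CA"]
    }
  }

  # Served on the default *.cloudfront.net hostname and certificate.
  # NOTE(review): with cloudfront_default_certificate the only valid
  # minimum_protocol_version is TLSv1, so viewers may still negotiate TLS 1.0/1.1
  # even though the origin side is pinned to TLS 1.2. Raising the viewer floor
  # requires a custom domain with an ACM certificate (acm_certificate_arn +
  # ssl_support_method = "sni-only" + minimum_protocol_version = "TLSv1.2_2021").
  viewer_certificate {
    cloudfront_default_certificate = true
  }
}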