|
resource "aws_s3_bucket" "demo-example-app" { |
|
bucket = "demo-example-app" |
|
} |
|
|
|
# Have bucket allow access to our cloudfront distro |
|
resource "aws_s3_bucket_policy" "demo-example-app" { |
|
bucket = aws_s3_bucket.demo-example-app.id |
|
policy = templatefile("s3_cloudfront_access_policy.tftpl", |
|
{ |
|
bucket_name : aws_s3_bucket.demo-example-app.bucket, |
|
cloudfront_arn : aws_cloudfront_distribution.demo-example-app.arn |
|
} |
|
) |
|
} |
|
|
|
resource "aws_s3_bucket_public_access_block" "derivatives" { |
|
bucket = aws_s3_bucket.demo-example-app.id |
|
|
|
block_public_acls = true |
|
block_public_policy = true |
|
ignore_public_acls = true |
|
restrict_public_buckets = true |
|
} |
|
|
|
|
|
|
|
resource "aws_cloudfront_distribution" "demo-example-app" { |
|
comment = "demo-example-app" |
|
enabled = true |
|
is_ipv6_enabled = true |
|
http_version = "http2and3" |
|
|
|
# Only North America/Europe to save money |
|
price_class = "PriceClass_100" |
|
|
|
default_cache_behavior { |
|
allowed_methods = [ |
|
"GET", |
|
"HEAD", |
|
"OPTIONS", |
|
] |
|
cached_methods = [ |
|
"GET", |
|
"HEAD", |
|
"OPTIONS", |
|
] |
|
|
|
compress = true |
|
|
|
target_origin_id = aws_s3_bucket.demo-example-app.bucket_regional_domain_name |
|
viewer_protocol_policy = "https-only" |
|
|
|
# restricted cloudfront distribution, urls must be signed with this key group |
|
trusted_key_groups = [aws_cloudfront_key_group.demo-example-app.id] |
|
# for an unrestricted cloudfront distribution, instead: |
|
# trusted_key_groups = [] |
|
|
|
cache_policy_id = aws_cloudfront_cache_policy.jrochkind-test-caching-optimized-plus-s3-params.id |
|
|
|
response_headers_policy_id = data.aws_cloudfront_response_headers_policy.Managed-CORS-with-preflight-and-SecurityHeadersPolicy.id |
|
} |
|
|
|
origin { |
|
connection_attempts = 3 |
|
connection_timeout = 1 |
|
domain_name = aws_s3_bucket.demo-example-app.bucket_regional_domain_name |
|
origin_id = aws_s3_bucket.demo-example-app.bucket_regional_domain_name |
|
origin_access_control_id = aws_cloudfront_origin_access_control.demo-example-app.id |
|
} |
|
|
|
restrictions { |
|
geo_restriction { |
|
locations = [] |
|
restriction_type = "none" |
|
} |
|
} |
|
|
|
viewer_certificate { |
|
cloudfront_default_certificate = true |
|
minimum_protocol_version = "TLSv1.2_2021" |
|
} |
|
} |
|
|
|
# Query params included in cache will also be forwarded to origin |
|
resource "aws_cloudfront_cache_policy" "jrochkind-test-caching-optimized-plus-s3-params" { |
|
name = "jrochkind-test-caching-optimized-plus-s3-params" |
|
comment = "Based on Managed-CachingOptimized, but also including select S3 query params" |
|
default_ttl = 86400 |
|
max_ttl = 31536000 |
|
min_ttl = 1 |
|
parameters_in_cache_key_and_forwarded_to_origin { |
|
enable_accept_encoding_brotli = true |
|
enable_accept_encoding_gzip = true |
|
|
|
cookies_config { |
|
cookie_behavior = "none" |
|
} |
|
headers_config { |
|
header_behavior = "none" |
|
} |
|
query_strings_config { |
|
query_string_behavior = "whitelist" |
|
query_strings { |
|
items = [ |
|
"response-content-disposition", |
|
"response-content-type" |
|
] |
|
} |
|
} |
|
} |
|
} |
|
|
|
# Data import of id for AWS managed Cloudfront policy |
|
data "aws_cloudfront_response_headers_policy" "Managed-CORS-with-preflight-and-SecurityHeadersPolicy" { |
|
name = "Managed-CORS-with-preflight-and-SecurityHeadersPolicy" |
|
} |
|
|
|
# AWS OAC object used to have Cloudfront sign URLs to S3 origin |
|
resource "aws_cloudfront_origin_access_control" "demo-example-app" { |
|
description = "Cloudfront signed s3" |
|
name = "demo-example-app" |
|
origin_access_control_origin_type = "s3" |
|
signing_behavior = "always" |
|
signing_protocol = "sigv4" |
|
} |
|
|
|
# Cloudfront key group granted access to restricted cloudfront distribution |
|
resource "aws_cloudfront_key_group" "demo-example-app" { |
|
comment = "key group used by our app for signing urls" |
|
items = [aws_cloudfront_public_key.demo-example-app.id] |
|
name = "demo-example-app" |
|
} |
|
|
|
|
|
# Public key used by key group for restricted cloudfront distribution |
|
resource "aws_cloudfront_public_key" "demo-example-app" { |
|
comment = "public key used by our app for signing urls" |
|
encoded_key = file("public_key-demo-example-app.pem") |
|
name = "demo-example-app" |
|
} |