https://advancedweb.hu/how-to-use-lambda-edge-with-terraform/
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-permissions.html
See "Lambda@Edge sample (intercepts 403 and 404 responses from origin S3 and redirects user to /index.html)":
https://sites.google.com/site/pawneecity/terraform/lambda-terraform#h.e9vhp6dpmi88
See page 'waf (terraform)'.
Eg: strategies
modules/cloudfront/variables.tf
output "front_policy_text" {
description = "Policy text for the 'frontend' S3 bucket to allow access from CloudFront"
value = data.aws_iam_policy_document.origin_access_control.json
}
modules/cloudfront/cloudfront.tf
data "aws_iam_policy_document" "origin_access_control" {
policy_id = "PolicyForCloudFrontPrivateContent"
statement {
sid = "AllowCloudFrontServicePrincipal"
principals {
type = "Service"
identifiers = ["cloudfront.amazonaws.com"]
}
actions = ["s3:GetObject"]
resources = ["${var.bucket_front_arn}/*"]
condition {
test = "StringEquals"
variable = "AWS:SourceArn"
values = [aws_cloudfront_distribution.myapp.arn]
}
}
}
#CloudFront Origin Access Control, used with an Amazon S3 bucket as the origin
resource "aws_cloudfront_origin_access_control" "s3_front" {
name = "Bucket ${var.bucket_front_id}"
description = "S3 policy for the S3 bucket to be accessed by CloudFront"
origin_access_control_origin_type = "s3"
signing_behavior = "always"
signing_protocol = "sigv4"
}
resource "aws_cloudfront_distribution" "myapp" {
depends_on = [aws_api_gateway_deployment.deployment_myapp, var.bucket_front_id]
origin { #S3
domain_name = var.bucket_regional_domain_name
origin_id = "${var.bucket_front_id}-${var.env}"
origin_path = ""
origin_access_control_id = aws_cloudfront_origin_access_control.s3_front.id
}
origin { #API Gateway
...
}
...
}
Remark: OAI is legacy, use AOC instead.
resource "aws_cloudfront_origin_access_identity" "web_distribution" {
comment = "${var.env}-${var.ci} CloudFront origin access identity"
}
data "aws_iam_policy_document" "web_distribution" {
statement {
actions = ["s3:GetObject"]
principals {
type = "AWS"
identifiers = [aws_cloudfront_origin_access_identity.web_distribution.iam_arn]
}
resources = ["${var.bucket_frontend_arn}/*"]
}
}
resource "aws_s3_bucket_policy" "web_distribution" {
bucket = var.bucket_frontend_id
policy = data.aws_iam_policy_document.web_distribution.json
}
resource "aws_cloudfront_distribution" "myapp" {
depends_on = [aws_api_gateway_deployment.deployment_myapp, var.bucket_frontend]
origin { #S3
domain_name = var.bucket_regional_domain_name
origin_id = "${var.bucket_frontend}-${var.env}"
origin_path = ""
s3_origin_config {
origin_access_identity = aws_cloudfront_origin_access_identity.web_distribution.cloudfront_access_identity_path
}
}
origin { #API Gateway
...
}
...
}
Eg: strategies
Note: The LB must be external (not internal) and using the FQDN of the listener certificate
### CloudFront distribution
resource "aws_cloudfront_distribution" "cf" {
depends_on = [var.bucket_front]
origin { #S3
domain_name = var.bucket_front.bucket_regional_domain_name
origin_id = var.bucket_front.id #Bucket name
origin_access_control_id = aws_cloudfront_origin_access_control.s3_front.id #OAC
origin_path = ""
}
origin { #ALB EXTERNAL using the listener certificate FQDN (can't reach LB INTERNAL)
connection_attempts = 3
connection_timeout = 10
domain_name = var.lb_external_certificate_fqdn #listener certificate FQDN
origin_id = var.lb_external_name #Name of the load balancer internal
origin_path = ""
custom_origin_config {
http_port = 80
https_port = 443
origin_keepalive_timeout = 5
origin_protocol_policy = "https-only"
origin_read_timeout = 30
origin_ssl_protocols = ["TLSv1.2"]
}
}
enabled = true
comment = "${local.env}-${local.ci} CloudFront Distribution"
default_root_object = "index.html"
# Alternate domain name (CNAME)
aliases = [var.aliases]
# Cache behavior with precedence 0 (S3)
ordered_cache_behavior {
#Required args
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
path_pattern = "/front/*"
target_origin_id = var.bucket_front.id #Name of the bucket
viewer_protocol_policy = "redirect-to-https"
#Optional args
compress = true
default_ttl = var.default-ttl
forwarded_values {
query_string = false
headers = ["Origin", "Authorization"]
cookies {
forward = "none"
}
}
lambda_function_association {
event_type = "origin-response" #{viewer-request, origin-request, viewer-response, origin-response}
lambda_arn = var.lambda_lambdaedge_s3_origin_response_qualified_arn
include_body = false #The IncludeBody option can only be used with viewer-request or origin-request events
}
max_ttl = var.max-ttl
min_ttl = 0
}
# Cache behavior with precedence 1 (Load Balancer internal)
ordered_cache_behavior {
path_pattern = "/back/*"
allowed_methods = ["HEAD", "DELETE", "POST", "GET", "OPTIONS", "PUT", "PATCH"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
target_origin_id = var.lb_external_name #Name of the load balancer external
compress = true
viewer_protocol_policy = "redirect-to-https"
#Cache policy and origin request policy (recommended)[instead of Legacy cache]
cache_policy_id = data.aws_cloudfront_cache_policy.elb_query_string.id
origin_request_policy_id = data.aws_cloudfront_origin_request_policy.elb.id
}
default_cache_behavior {
allowed_methods = ["HEAD", "DELETE", "POST", "GET", "OPTIONS", "PUT", "PATCH"]
cached_methods = ["GET", "HEAD"]
target_origin_id = var.bucket_front.id #bucket name
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
viewer_protocol_policy = "redirect-to-https"
min_ttl = 0
default_ttl = var.default-ttl-cache
max_ttl = var.max-ttl-cache
}
## GENERAL
# PriceClass > https://aws.amazon.com/cloudfront/pricing/
price_class = var.price_class
restrictions {
geo_restriction {
restriction_type = "blacklist" #{none, whitelist, blacklist}
locations = var.waf_country_blacklist #["KP","RU"]
}
}
# Custom SSL certificate
viewer_certificate {
cloudfront_default_certificate = false
acm_certificate_arn = var.cert_arn
minimum_protocol_version = "TLSv1.2_2021"
ssl_support_method = "sni-only"
}
http_version = "http2and3" #'http2and3' needs provider aws >= 4.26.0
is_ipv6_enabled = true
} //END CloudFront Distrition