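############################################
# Cache policy for the API behaviour
#
# Nothing is cached (all TTLs 0) and nothing contributes to the cache
# key. What gets forwarded to the origin is decided by the origin
# request policy below, not by this block.
############################################
resource "aws_cloudfront_cache_policy" "api" {
  name        = "api-no-cache"
  default_ttl = 0
  max_ttl     = 0
  min_ttl     = 0

  parameters_in_cache_key_and_forwarded_to_origin {
    cookies_config {
      cookie_behavior = "none"
    }
    headers_config {
      header_behavior = "none"
    }
    query_strings_config {
      query_string_behavior = "none"
    }
  }
}

############################################
# Origin request policy for the API behaviour
#
# Forwards all viewer cookies and query strings, and all viewer headers
# except Host.
############################################
resource "aws_cloudfront_origin_request_policy" "api" {
  name = "api-forward-all"

  headers_config {
    # "allViewer" also forwards the viewer's Host header (the CloudFront
    # alias). An API Gateway origin does not recognise that host and
    # answers 403, so the Host header is excluded here and CloudFront
    # sends the origin's own domain name instead; every other header the
    # client sent still reaches the API.
    header_behavior = "allViewerExceptHostHeader"
  }
  query_strings_config {
    query_string_behavior = "all"
  }
  cookies_config {
    cookie_behavior = "all"
  }
}

############################################
# CloudFront Distribution
############################################
resource "aws_cloudfront_distribution" "this" {
  enabled = true
  aliases = var.aliases

  ##########################################
  # Origins
  #
  # One origin per entry in var.origins, keyed by origin_id. Only
  # origin_type "s3" and "api" get an origin config block; any other
  # value presumably produces an origin with neither s3_origin_config
  # nor custom_origin_config, which would be rejected at apply time.
  ##########################################
  dynamic "origin" {
    for_each = { for o in var.origins : o.origin_id => o }

    content {
      domain_name = origin.value.origin_domain_name
      origin_id   = origin.value.origin_id

      ######################################
      # S3 Origin: reached through the OAI created below
      ######################################
      dynamic "s3_origin_config" {
        for_each = origin.value.origin_type == "s3" ? [1] : []
        content {
          origin_access_identity = aws_cloudfront_origin_access_identity.oai[origin.key].cloudfront_access_identity_path
        }
      }

      ######################################
      # API Gateway Origin: HTTPS only, TLS 1.2 towards the origin
      ######################################
      dynamic "custom_origin_config" {
        for_each = origin.value.origin_type == "api" ? [1] : []
        content {
          # Both ports are required by the schema; with "https-only"
          # only https_port is actually used.
          http_port              = 80
          https_port             = 443
          origin_protocol_policy = "https-only"
          origin_ssl_protocols   = ["TLSv1.2"]
        }
      }
    }
  }

  ##########################################
  # Default Cache Behavior (S3)
  #
  # NOTE(review): target_origin_id is hard-coded, so var.origins must
  # contain an entry whose origin_id is exactly "s3-origin" (and one
  # named "api-origin" for the behaviour below); apply fails otherwise.
  ##########################################
  default_cache_behavior {
    target_origin_id       = "s3-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    compress               = true

    # Legacy forwarded_values configuration: no query strings and no
    # cookies in the cache key or sent to S3.
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    min_ttl     = 0
    default_ttl = 3600
    max_ttl     = 86400
  }

  ##########################################
  # API Behavior
  ##########################################
  ordered_cache_behavior {
    path_pattern           = "/v1/*"
    target_origin_id       = "api-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods         = ["GET", "HEAD"]

    # TTLs and forwarding are owned by the two policies. The per-behaviour
    # min_ttl/default_ttl/max_ttl (all 0 in the previous version) are
    # dropped: they are only honoured in the absence of cache_policy_id,
    # and the cache policy already pins every TTL to 0.
    cache_policy_id          = aws_cloudfront_cache_policy.api.id
    origin_request_policy_id = aws_cloudfront_origin_request_policy.api.id
  }

  price_class = "PriceClass_All"

  ##########################################
  # Geo Restrictions: none
  ##########################################
  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  ##########################################
  # SSL Certificate
  #
  # NOTE(review): the default *.cloudfront.net certificate cannot serve
  # custom aliases. CloudFront requires an ACM certificate (us-east-1)
  # covering every name in var.aliases, and with the default certificate
  # minimum_protocol_version cannot be raised above its own floor. If
  # var.aliases is ever non-empty this block needs acm_certificate_arn,
  # ssl_support_method = "sni-only" and minimum_protocol_version =
  # "TLSv1.2_2021" instead of cloudfront_default_certificate.
  ##########################################
  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

############################################
# Origin Access Identities (S3 only)
#
# One OAI per S3 origin, keyed by origin_id so the distribution and the
# bucket policy look it up with the same key.
############################################
resource "aws_cloudfront_origin_access_identity" "oai" {
  for_each = { for o in var.origins : o.origin_id => o if o.origin_type == "s3" }

  comment = "OAI for ${each.key}"
}

############################################
# S3 Bucket Policy (S3 only)
#
# Grants the matching OAI read access to objects only (s3:GetObject on
# "<bucket_arn>/*", nothing on the bucket itself). A bucket has a single
# policy document, so this resource replaces whatever policy
# each.value.bucket_id currently has.
############################################
resource "aws_s3_bucket_policy" "bucket_policy" {
  for_each = { for o in var.origins : o.origin_id => o if o.origin_type == "s3" }

  bucket = each.value.bucket_id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = aws_cloudfront_origin_access_identity.oai[each.key].iam_arn
        }
        Action   = "s3:GetObject"
        Resource = "${each.value.bucket_arn}/*"
      }
    ]
  })
}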