1 files changed, 76 insertions, 0 deletions
diff --git a/jinwei.me/infra/cloudfront.tf b/jinwei.me/infra/cloudfront.tf
new file mode 100644
index 0000000..2566584
--- /dev/null
+++ b/jinwei.me/infra/cloudfront.tf
@@ -0,0 +1,76 @@
+resource "aws_cloudfront_distribution" "main" {
+  aliases             = [var.s3_cloudfront_name]
+  enabled             = true
+  http_version        = "http2and3"
+  is_ipv6_enabled     = true
+  price_class         = "PriceClass_All"
+  retain_on_delete    = true
+  wait_for_deployment = false
+  default_cache_behavior {
+    target_origin_id = aws_s3_bucket.main.bucket_regional_domain_name
+    compress                 = true
+    viewer_protocol_policy   = "redirect-to-https"
+    allowed_methods          = ["GET", "HEAD"]
+    cached_methods           = ["GET", "HEAD"]
+    cache_policy_id          = data.aws_cloudfront_cache_policy.managed["CachingOptimized"].id
+    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.managed["CORS-S3Origin"].id
+  }
+  origin {
+    origin_id                = aws_s3_bucket.main.bucket_regional_domain_name
+    domain_name              = aws_s3_bucket.main.bucket_regional_domain_name
+    origin_access_control_id = aws_cloudfront_origin_access_control.main.id
+  }
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+  viewer_certificate {
+    acm_certificate_arn      = aws_acm_certificate_validation.us-east-1.certificate_arn
+    minimum_protocol_version = "TLSv1.2_2021"
+    ssl_support_method       = "sni-only"
+  }
+}
+resource "aws_cloudfront_origin_access_control" "main" {
+  name                              = var.s3_cloudfront_name
+  description                       = var.s3_cloudfront_name
+  origin_access_control_origin_type = "s3"
+  signing_behavior                  = "always"
+  signing_protocol                  = "sigv4"
+}
+# Managed policies
+locals {
+  managed_cache_policies = [
+    "Amplify",
+    "CachingDisabled",
+    "CachingOptimized",
+    "CachingOptimizedForUncompressedObjects",
+    "Elemental-MediaPackage",
+  ]
+  managed_origin_request_policies = [
+    "AllViewer",
+    "CORS-CustomOrigin",
+    "CORS-S3Origin",
+    "Elemental-MediaTailor-PersonalizedManifests",
+    "UserAgentRefererHeaders",
+  ]
+}
+data "aws_cloudfront_cache_policy" "managed" {
+  for_each = toset(local.managed_cache_policies)
+  name = "Managed-${each.key}"
+}
+data "aws_cloudfront_origin_request_policy" "managed" {
+  for_each = toset(local.managed_origin_request_policies)
+  name = "Managed-${each.key}"
+}

diff --git a/jinwei.me/infra/cloudfront.tf b/jinwei.me/infra/cloudfront.tf new file mode 100644 index 0000000..2566584 --- /dev/null +++ b/jinwei.me/infra/cloudfront.tf
@@ -0,0 +1,76 @@
	1	resource "aws_cloudfront_distribution" "main" {
	2	aliases = [var.s3_cloudfront_name]
	3	enabled = true
	4	http_version = "http2and3"
	5	is_ipv6_enabled = true
	6	price_class = "PriceClass_All"
	7	retain_on_delete = true
	8	wait_for_deployment = false
	9
	10	default_cache_behavior {
	11	target_origin_id = aws_s3_bucket.main.bucket_regional_domain_name
	12
	13	compress = true
	14	viewer_protocol_policy = "redirect-to-https"
	15	allowed_methods = ["GET", "HEAD"]
	16	cached_methods = ["GET", "HEAD"]
	17	cache_policy_id = data.aws_cloudfront_cache_policy.managed["CachingOptimized"].id
	18	origin_request_policy_id = data.aws_cloudfront_origin_request_policy.managed["CORS-S3Origin"].id
	19	}
	20
	21	origin {
	22	origin_id = aws_s3_bucket.main.bucket_regional_domain_name
	23	domain_name = aws_s3_bucket.main.bucket_regional_domain_name
	24	origin_access_control_id = aws_cloudfront_origin_access_control.main.id
	25	}
	26
	27	restrictions {
	28	geo_restriction {
	29	restriction_type = "none"
	30	}
	31	}
	32
	33	viewer_certificate {
	34	acm_certificate_arn = aws_acm_certificate_validation.us-east-1.certificate_arn
	35	minimum_protocol_version = "TLSv1.2_2021"
	36	ssl_support_method = "sni-only"
	37	}
	38	}
	39
	40	resource "aws_cloudfront_origin_access_control" "main" {
	41	name = var.s3_cloudfront_name
	42	description = var.s3_cloudfront_name
	43	origin_access_control_origin_type = "s3"
	44	signing_behavior = "always"
	45	signing_protocol = "sigv4"
	46	}
	47
	48	# Managed policies
	49	locals {
	50	managed_cache_policies = [
	51	"Amplify",
	52	"CachingDisabled",
	53	"CachingOptimized",
	54	"CachingOptimizedForUncompressedObjects",
	55	"Elemental-MediaPackage",
	56	]
	57	managed_origin_request_policies = [
	58	"AllViewer",
	59	"CORS-CustomOrigin",
	60	"CORS-S3Origin",
	61	"Elemental-MediaTailor-PersonalizedManifests",
	62	"UserAgentRefererHeaders",
	63	]
	64	}
	65
	66	data "aws_cloudfront_cache_policy" "managed" {
	67	for_each = toset(local.managed_cache_policies)
	68
	69	name = "Managed-${each.key}"
	70	}
	71
	72	data "aws_cloudfront_origin_request_policy" "managed" {
	73	for_each = toset(local.managed_origin_request_policies)
	74
	75	name = "Managed-${each.key}"
	76	}