Diffstat (limited to 'jinwei.me/infra/cloudfront.tf')
-rw-r--r-- | jinwei.me/infra/cloudfront.tf | 76 |
1 files changed, 76 insertions, 0 deletions
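--- /dev/null
+++ b/jinwei.me/infra/cloudfront.tf
@@ -0,0 +1,76 @@
+resource "aws_cloudfront_distribution" "main" {
+aliases = [var.s3_cloudfront_name]
+enabled = true
+http_version = "http2and3"
+is_ipv6_enabled = true
+price_class = "PriceClass_All"
+retain_on_delete = true
+wait_for_deployment = false
+
+default_cache_behavior {
+target_origin_id = aws_s3_bucket.main.bucket_regional_domain_name
+
+compress = true
+viewer_protocol_policy = "redirect-to-https"
+allowed_methods = ["GET", "HEAD"]
+cached_methods = ["GET", "HEAD"]
+cache_policy_id = data.aws_cloudfront_cache_policy.managed["CachingOptimized"].id
+origin_request_policy_id = data.aws_cloudfront_origin_request_policy.managed["CORS-S3Origin"].id
+}
+
+origin {
+origin_id = aws_s3_bucket.main.bucket_regional_domain_name
+domain_name = aws_s3_bucket.main.bucket_regional_domain_name
+origin_access_control_id = aws_cloudfront_origin_access_control.main.id
+}
+
+restrictions {
+geo_restriction {
+restriction_type = "none"
+}
+}
+
+viewer_certificate {
+acm_certificate_arn = aws_acm_certificate_validation.us-east-1.certificate_arn
+minimum_protocol_version = "TLSv1.2_2021"
+ssl_support_method = "sni-only"
+}
+}
+
+resource "aws_cloudfront_origin_access_control" "main" {
+name = var.s3_cloudfront_name
+description = var.s3_cloudfront_name
+origin_access_control_origin_type = "s3"
+signing_behavior = "always"
+signing_protocol = "sigv4"
+}
+
+# Managed policies
+locals {
+managed_cache_policies = [
+"Amplify",
+"CachingDisabled",
+"CachingOptimized",
+"CachingOptimizedForUncompressedObjects",
+"Elemental-MediaPackage",
+]
+managed_origin_request_policies = [
+"AllViewer",
+"CORS-CustomOrigin",
+"CORS-S3Origin",
+"Elemental-MediaTailor-PersonalizedManifests",
+"UserAgentRefererHeaders",
+]
+}
+
+data "aws_cloudfront_cache_policy" "managed" {
+for_each = toset(local.managed_cache_policies)
+
+name = "Managed-${each.key}"
+}
+
+data "aws_cloudfront_origin_request_policy" "managed" {
+for_each = toset(local.managed_origin_request_policies)
+
+name = "Managed-${each.key}"
+}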
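Review bot: `default_cache_behavior` (hunk lines 10–19) sets no `response_headers_policy_id`, so although viewers are redirected to HTTPS the distribution emits no HSTS or other security headers for the S3-served content; the managed `Managed-SecurityHeadersPolicy` can be wired in the same way the cache and origin-request policies already are, sketched below. `default_root_object` is also unset, so a request for `/` reaches the origin as a bare bucket request and, depending on what the bucket policy outside this diff grants the OAC, yields an AccessDenied or a key listing rather than the site root — `default_root_object = "index.html"` (or whatever the site's index object is named) addresses that. No `logging_config` block is present either; standard logging is the usual evidence source when investigating abuse of a distribution, so consider adding one. The OAC resource (hunk lines 40–46) is only half of the access path: the bucket policy that trusts it is not in this diff and should condition on `AWS:SourceArn` equal to this distribution's ARN — worth confirming where it lives.
```hcl
resource "aws_cloudfront_distribution" "main" {
  # … unchanged: aliases, enabled, http_version, is_ipv6_enabled, price_class, retain_on_delete, wait_for_deployment …

  default_cache_behavior {
    # … unchanged: target_origin_id, compress, viewer_protocol_policy, methods, cache_policy_id, origin_request_policy_id …
    response_headers_policy_id = data.aws_cloudfront_response_headers_policy.managed["SecurityHeadersPolicy"].id
  }

  # … unchanged: origin, restrictions, viewer_certificate …
}

locals {
  # … unchanged: managed_cache_policies, managed_origin_request_policies …
  managed_response_headers_policies = [
    "SecurityHeadersPolicy",
  ]
}

data "aws_cloudfront_response_headers_policy" "managed" {
  for_each = toset(local.managed_response_headers_policies)

  name = "Managed-${each.key}"
}
```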