aboutsummaryrefslogtreecommitdiff
path: root/jinwei.me/infra/cloudfront.tf
blob: 25665849f962374ad98635d970aa76ea4db3c4f8 (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

resource "aws_cloudfront_distribution" "main" {
  aliases             = [var.s3_cloudfront_name]
  enabled             = true
  http_version        = "http2and3"
  is_ipv6_enabled     = true
  price_class         = "PriceClass_All"
  retain_on_delete    = true
  wait_for_deployment = false

  default_cache_behavior {
    target_origin_id = aws_s3_bucket.main.bucket_regional_domain_name

    compress                 = true
    viewer_protocol_policy   = "redirect-to-https"
    allowed_methods          = ["GET", "HEAD"]
    cached_methods           = ["GET", "HEAD"]
    cache_policy_id          = data.aws_cloudfront_cache_policy.managed["CachingOptimized"].id
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.managed["CORS-S3Origin"].id
  }

  origin {
    origin_id                = aws_s3_bucket.main.bucket_regional_domain_name
    domain_name              = aws_s3_bucket.main.bucket_regional_domain_name
    origin_access_control_id = aws_cloudfront_origin_access_control.main.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate_validation.us-east-1.certificate_arn
    minimum_protocol_version = "TLSv1.2_2021"
    ssl_support_method       = "sni-only"
  }
}

resource "aws_cloudfront_origin_access_control" "main" {
  name                              = var.s3_cloudfront_name
  description                       = var.s3_cloudfront_name
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

# Managed policies
locals {
  managed_cache_policies = [
    "Amplify",
    "CachingDisabled",
    "CachingOptimized",
    "CachingOptimizedForUncompressedObjects",
    "Elemental-MediaPackage",
  ]
  managed_origin_request_policies = [
    "AllViewer",
    "CORS-CustomOrigin",
    "CORS-S3Origin",
    "Elemental-MediaTailor-PersonalizedManifests",
    "UserAgentRefererHeaders",
  ]
}

data "aws_cloudfront_cache_policy" "managed" {
  for_each = toset(local.managed_cache_policies)

  name = "Managed-${each.key}"
}

data "aws_cloudfront_origin_request_policy" "managed" {
  for_each = toset(local.managed_origin_request_policies)

  name = "Managed-${each.key}"
}
Powered by cgit v1.2.3 (git 2.41.0)