AWS CloudFront Terraform module
Terraform module which creates AWS CloudFront resources with all (or almost all) features provided by the Terraform AWS provider.
Usage
CloudFront distribution with versioning enabled
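# Example: a CloudFront distribution in front of one custom (HTTPS) origin and
# one S3 origin, with access logging and an ACM certificate served via SNI.
module "cdn" {
  source = "terraform-aws-modules/cloudfront/aws"

  aliases = ["cdn.example.com"]
  comment = "My awesome CloudFront"

  # Origin Access Control: CloudFront signs every request it sends to S3 with
  # SigV4, so the bucket can stay private and allow only this distribution in
  # its bucket policy.
  origin_access_control = {
    s3_oac = {
      description      = "CloudFront access to S3"
      origin_type      = "s3"
      signing_behavior = "always"
      signing_protocol = "sigv4"
    }
  }

  # Access logs are the main forensic record for the distribution; keep the
  # log bucket private and separate from any bucket served as an origin.
  logging_config = {
    bucket = "logs-my-cdn.s3.amazonaws.com"
  }

  origin = {
    something = {
      domain_name = "something.example.com"
      custom_origin_config = {
        http_port  = 80
        https_port = 443
        # "https-only" keeps the CloudFront-to-origin hop encrypted regardless
        # of how the viewer connected; "match-viewer" would forward cleartext
        # HTTP to the origin whenever a viewer used HTTP.
        origin_protocol_policy = "https-only"
        origin_ssl_protocols   = ["TLSv1.2"]
      }
    }

    # The "/static/*" behavior below targets the origin id "s3", so an origin
    # with that key has to exist or the reference is dangling.
    s3 = {
      domain_name = "my-bucket.s3.amazonaws.com" # sample value, replace with your bucket
      # NOTE(review): attach the "s3_oac" origin access control defined above to
      # this origin; confirm the origin-level argument name for the module
      # version in use. Without it the bucket would have to be publicly readable.
    }
  }

  default_cache_behavior = {
    target_origin_id = "something"
    # Never serve content over cleartext HTTP: "allow-all" exposes cookies and
    # query strings to on-path observers, so redirect viewers to HTTPS instead.
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]
    compress               = true
    query_string           = true
  }

  ordered_cache_behavior = [
    {
      path_pattern           = "/static/*"
      target_origin_id       = "s3"
      viewer_protocol_policy = "redirect-to-https"
      allowed_methods        = ["GET", "HEAD", "OPTIONS"]
      cached_methods         = ["GET", "HEAD"]
      compress               = true
      query_string           = true
    }
  ]

  viewer_certificate = {
    acm_certificate_arn = "arn:aws:acm:us-east-1:135367859851:certificate/1032b155-22da-4ae0-9f69-e206f825458b"
    ssl_support_method  = "sni-only"
    # Set the viewer-side TLS floor explicitly rather than relying on a default.
    minimum_protocol_version = "TLSv1.2_2021"
  }
}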
CloudFront distribution with CloudFront Functions
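# Example: a CloudFront distribution whose default behavior runs module-managed
# CloudFront Functions on the viewer-request and viewer-response events.
module "cdn" {
  source = "terraform-aws-modules/cloudfront/aws"

  aliases = ["cdn.example.com"]
  comment = "CloudFront with Functions"

  # Origin Access Control: CloudFront signs its requests to S3 with SigV4 so the
  # bucket does not need to be publicly readable.
  origin_access_control = {
    s3 = {
      description      = "CloudFront access to S3"
      origin_type      = "s3"
      signing_behavior = "always"
      signing_protocol = "sigv4"
    }
  }

  # Enable CloudFront Functions
  # The function source is read from files next to this configuration, so it
  # should be reviewed and version-controlled like any other deployed code.
  cloudfront_functions = {
    viewer-request-function = {
      runtime = "cloudfront-js-2.0"
      comment = "Function to add security headers and modify requests"
      code    = file("${path.module}/functions/viewer-request.js")
      publish = true
    }

    viewer-response-function = {
      runtime = "cloudfront-js-2.0"
      comment = "Function to add security response headers"
      code    = file("${path.module}/functions/viewer-response.js")
      publish = true

      # Optional: Associate with CloudFront KeyValueStore
      # The ARN below uses a placeholder account id; point it at a store you own.
      key_value_store_associations = ["arn:aws:cloudfront::123456789012:key-value-store/example-store"]
    }
  }

  origin = {
    s3_bucket = {
      domain_name = "my-bucket.s3.amazonaws.com"
      # NOTE(review): nothing visible here attaches the "s3" origin access
      # control defined above to this origin; confirm the origin-level argument
      # for the module version in use so the bucket can remain private.
    }
  }

  default_cache_behavior = {
    target_origin_id       = "s3_bucket"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]
    compress               = true
    query_string           = true

    # Associate CloudFront Functions with cache behavior
    # Option 1: Direct ARN reference (recommended for external functions)
    # function_association = {
    #   viewer-request = {
    #     function_arn = aws_cloudfront_function.external.arn
    #   }
    # }

    # Option 2: Dynamic reference to module-managed functions by key/name
    # Each function_key matches a key in cloudfront_functions above.
    function_association = {
      viewer-request = {
        function_key = "viewer-request-function"
      }
      viewer-response = {
        function_key = "viewer-response-function"
      }
    }
  }

  viewer_certificate = {
    acm_certificate_arn = "arn:aws:acm:us-east-1:135367859851:certificate/1032b155-22da-4ae0-9f69-e206f825458b"
    ssl_support_method  = "sni-only"
    # Set the viewer-side TLS floor explicitly rather than relying on a default.
    minimum_protocol_version = "TLSv1.2_2021"
  }
}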
Examples
- Complete - Complete example which creates an AWS CloudFront distribution and integrates it with other terraform-aws-modules to create additional resources: S3 buckets, Lambda Functions, CloudFront Functions, VPC Origins, ACM Certificate, Route53 Records.
- mTLS - mTLS example which creates an AWS CloudFront distribution with viewer mTLS support.
Authors
Module is maintained by Anton Babenko with help from these awesome contributors:
<a href="https://github.com/terraform-aws-modules/terraform-aws-cloudfront/graphs/contributors"> <img src="https://contrib.rocks/image?repo=terraform-aws-modules/terraform-aws-cloudfront" /> </a>
License
Apache 2 Licensed. See LICENSE for full details.