cloudandthings/terraform-aws-cors

Terraform AWS CORS

A single module to set up CORS for both REST and HTTP APIs.

Headers

The following commonly used headers are set by default: Content-Type, X-Amz-Date, Authorization, X-Api-Key, X-Amz-Security-Token. These can be disabled using the disable_default_headers variable.

Additional headers can be set using the allowed_headers variable.

Usage with REST API (v1)

Basic usage

REST APIs only support a single origin. If more than one is supplied, the module will throw a validation error.

module "basic_cors_rest" {
  source  = "cloudandthings/cors/aws"
  version = "1.0.0"

  api_gateway_type = "REST"
  api              = aws_api_gateway_rest_api.your_api.id

  resources = [
    aws_api_gateway_resource.a.id,
    aws_api_gateway_resource.b.id
  ]

  methods = [
    "GET",
    "POST"
  ]

  # Wildcard: any origin may read responses from these resources.
  allowed_origins = ["*"]
}

All features

module "basic_cors_rest" {
  source  = "cloudandthings/cors/aws"
  version = "1.0.0"

  api_gateway_type = "REST"
  api              = aws_api_gateway_rest_api.your_api.id

  resources = [
    aws_api_gateway_resource.a.id,
    aws_api_gateway_resource.b.id
  ]

  methods = [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "HEAD",
    "PATCH",
    "OPTIONS"
  ]

  allowed_origins = ["http://your_domain"]

  disable_default_headers = true

  allowed_headers = [
    "Authentication"
  ]
}

Usage with HTTP API (v2)

Caveats

  • PROXY_INTEGRATION does not allow you to modify the response. This means you need to set the CORS headers in your code (see examples folder).
  • The module will create an OPTIONS method on every provided API resource. The browser will not always send a preflight request; one can be forced by adding a custom header ("X-PING: pong").
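
The first caveat, sketched as an added example (this is not code from the module or its examples folder): a Python Lambda handler behind a proxy integration that sets the CORS headers itself and echoes the request origin only when it is on an allow-list, instead of returning "*". The origins in ALLOWED_ORIGINS, the method list and the sample events are constructed for illustration; the header list is the module's default set from the Headers section.

```python
# Added example: Lambda proxy handler that sets CORS headers in code.
import json

# Assumption: constructed allow-list; replace with your real front-end origins.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = "GET,POST,OPTIONS"
# The module's default headers, as listed in the Headers section.
ALLOWED_HEADERS = "Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token"


def cors_headers(event):
    """Return CORS headers for this request; unknown origins get only Vary."""
    # Header names arrive with client-chosen casing in REST proxy events.
    request_headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    origin = request_headers.get("origin")
    # Vary keeps caches from reusing one origin's response for another origin.
    headers = {"Vary": "Origin"}
    if origin in ALLOWED_ORIGINS:
        # Echo the exact matched origin instead of "*".
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
    return headers


def handler(event, context):
    headers = cors_headers(event)
    # REST (v1) proxy events carry httpMethod; HTTP (v2) events nest the method.
    method = event.get("httpMethod") or (
        event.get("requestContext", {}).get("http", {}).get("method")
    )
    if method == "OPTIONS":
        # Preflight: no body, the browser only inspects the headers.
        return {"statusCode": 204, "headers": headers, "body": ""}
    return {"statusCode": 200, "headers": headers, "body": json.dumps({"ok": True})}


# Constructed sample events, trimmed to the fields the handler reads.
PREFLIGHT = {"httpMethod": "OPTIONS", "headers": {"Origin": "https://app.example.com"}}
UNKNOWN = {"httpMethod": "GET", "headers": {"origin": "https://other.example.net"}}

if __name__ == "__main__":
    print(handler(PREFLIGHT, None))
    print(handler(UNKNOWN, None))
```

A response without Access-Control-Allow-Origin is still delivered to the client, but the browser refuses to expose it to script running on the unlisted origin.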

Terraform Documentation

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| allowed_headers | A list of additionally allowed headers. If you are using Access-Control-Allow-Headers as a wildcard, you must specify ['*'] explicitly. | list(string) | [] | no |
| allowed_origins | A list of allowed origins. REST APIs only support a single origin. | list(string) | n/a | yes |
| api | ID of the API Gateway. | string | n/a | yes |
| api_gateway_type | The type of the API Gateway to create. Valid values are REST (v1) or HTTP (v2). Defaults to REST. | string | n/a | yes |
| disable_default_headers | Whether to disable the default headers. Defaults to false. | bool | false | no |
| methods | List of permitted HTTP methods. OPTIONS is added by default. | list(string) | n/a | yes |
| rest_resources | List of the IDs of an aws_api_gateway_resource resource. This must be set if api_gateway_type is REST. | list(string) | [] | no |

Modules

| Name | Source | Version |
|------|--------|---------|
| http | ./local-modules/HTTP | n/a |
| rest | ./local-modules/REST | n/a |

Outputs

| Name | Description |
|------|-------------|
| headers | A list of headers that are allowed in a preflight request. |
| methods | A list of methods that are allowed in a preflight request. |
| origins | A list of origins that are allowed in a preflight request. |

Providers

No providers.


Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.15.0 |
| aws | >= 4.9 |
| null | >= 3.1 |

Resources

No resources.