Commit

feat: Configurable origin request policies for spa-s3-cloudfront (#…
korenyoni authored Oct 9, 2024
1 parent fdf478a commit 8ea0c65
Showing 3 changed files with 32 additions and 4 deletions.
2 changes: 1 addition & 1 deletion modules/spa-s3-cloudfront/README.md
Expand Up @@ -245,7 +245,7 @@ components:
| <a name="input_lambda_edge_runtime"></a> [lambda\_edge\_runtime](#input\_lambda\_edge\_runtime) | The default Lambda@Edge runtime for all functions.<br><br>This value is deep merged in `module.lambda_edge_functions` with `var.lambda_edge_functions` and can be overwritten for any individual function. | `string` | `"nodejs16.x"` | no |
| <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
| <a name="input_ordered_cache"></a> [ordered\_cache](#input\_ordered\_cache) | An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.<br>List in order of precedence (first match wins). This is in addition to the default cache policy.<br>Set `target_origin_id` to `""` to specify the S3 bucket origin created by this module.<br>Set `cache_policy_id` to `""` to use `cache_policy_name` for creating a new policy. At least one of the two must be set.<br>Set `origin_request_policy_id` to `""` to use `origin_request_policy_name` for creating a new policy. At least one of the two must be set. | <pre>list(object({<br> target_origin_id = string<br> path_pattern = string<br><br> allowed_methods = list(string)<br> cached_methods = list(string)<br> compress = bool<br> trusted_signers = list(string)<br> trusted_key_groups = list(string)<br><br> cache_policy_name = optional(string)<br> cache_policy_id = optional(string)<br> origin_request_policy_name = optional(string)<br> origin_request_policy_id = optional(string)<br><br> viewer_protocol_policy = string<br> min_ttl = number<br> default_ttl = number<br> max_ttl = number<br> response_headers_policy_id = string<br><br> forward_query_string = bool<br> forward_header_values = list(string)<br> forward_cookies = string<br> forward_cookies_whitelisted_names = list(string)<br><br> lambda_function_association = list(object({<br> event_type = string<br> include_body = bool<br> lambda_arn = string<br> }))<br><br> function_association = list(object({<br> event_type = string<br> function_arn = string<br> }))<br> }))</pre> | `[]` | no |
| <a name="input_ordered_cache"></a> [ordered\_cache](#input\_ordered\_cache) | An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.<br>List in order of precedence (first match wins). This is in addition to the default cache policy.<br>Set `target_origin_id` to `""` to specify the S3 bucket origin created by this module.<br>Set `cache_policy_id` to `""` to use `cache_policy_name` for creating a new policy. At least one of the two must be set.<br>Set `origin_request_policy_id` to `""` to use `origin_request_policy_name` for creating a new policy. At least one of the two must be set. | <pre>list(object({<br> target_origin_id = string<br> path_pattern = string<br><br> allowed_methods = list(string)<br> cached_methods = list(string)<br> compress = bool<br> trusted_signers = list(string)<br> trusted_key_groups = list(string)<br><br> cache_policy_name = optional(string)<br> cache_policy_id = optional(string)<br> origin_request_policy_name = optional(string)<br> origin_request_policy_id = optional(string)<br><br> viewer_protocol_policy = string<br> min_ttl = number<br> default_ttl = number<br> max_ttl = number<br> response_headers_policy_id = string<br><br> forward_query_string = bool<br> forward_header_values = list(string)<br> forward_cookies = string<br> forward_cookies_whitelisted_names = list(string)<br><br> lambda_function_association = list(object({<br> event_type = string<br> include_body = bool<br> lambda_arn = string<br> }))<br><br> function_association = list(object({<br> event_type = string<br> function_arn = string<br> }))<br><br> origin_request_policy = optional(object({<br> cookie_behavior = optional(string, "none")<br> header_behavior = optional(string, "none")<br> query_string_behavior = optional(string, "none")<br><br> cookies = optional(list(string), [])<br> headers = optional(list(string), [])<br> query_strings = 
optional(list(string), [])<br> }), {})<br> }))</pre> | `[]` | no |
| <a name="input_origin_allow_ssl_requests_only"></a> [origin\_allow\_ssl\_requests\_only](#input\_origin\_allow\_ssl\_requests\_only) | Set to `true` in order to have the origin bucket require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `true` | no |
| <a name="input_origin_bucket"></a> [origin\_bucket](#input\_origin\_bucket) | Name of an existing S3 bucket to use as the origin. If this is not provided, this component will create a new s3 bucket using `var.name` and other context related inputs | `string` | `null` | no |
| <a name="input_origin_deployment_actions"></a> [origin\_deployment\_actions](#input\_origin\_deployment\_actions) | List of actions to permit `origin_deployment_principal_arns` to perform on bucket and bucket prefixes (see `origin_deployment_principal_arns`) | `list(string)` | <pre>[<br> "s3:PutObject",<br> "s3:PutObjectAcl",<br> "s3:GetObject",<br> "s3:DeleteObject",<br> "s3:ListBucket",<br> "s3:ListBucketMultipartUploads",<br> "s3:GetBucketLocation",<br> "s3:AbortMultipartUpload"<br>]</pre> | no |
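Review bot: the description column of the `ordered_cache` row is unchanged, so the new `origin_request_policy` object (`cookie_behavior`, `header_behavior`, `query_string_behavior` and the `cookies`/`headers`/`query_strings` lists) is visible only in the type column. Add a sentence to the description saying that these fields are consulted only when `origin_request_policy_id` is `""` and a policy is created from `origin_request_policy_name`, which values the three `*_behavior` fields accept, and that the list fields matter only for behaviors that take an explicit item list; as written a reader has to infer all of that from the type expression.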
24 changes: 21 additions & 3 deletions modules/spa-s3-cloudfront/ordered_cache.tf
Expand Up @@ -29,13 +29,31 @@ resource "aws_cloudfront_origin_request_policy" "created_origin_request_policies
comment = var.comment
name = each.value.origin_request_policy_name
cookies_config {
cookie_behavior = "none"
cookie_behavior = each.value.origin_request_policy.cookie_behavior
dynamic "cookies" {
for_each = length(each.value.origin_request_policy.cookies) > 0 ? [each.value.origin_request_policy.cookies] : []
content {
items = cookies.value
}
}
}
headers_config {
header_behavior = "none"
header_behavior = each.value.origin_request_policy.header_behavior
dynamic "headers" {
for_each = length(each.value.origin_request_policy.headers) > 0 ? [each.value.origin_request_policy.headers] : []
content {
items = headers.value
}
}
}
query_strings_config {
query_string_behavior = "none"
query_string_behavior = each.value.origin_request_policy.query_string_behavior
dynamic "query_strings" {
for_each = length(each.value.origin_request_policy.query_strings) > 0 ? [each.value.origin_request_policy.query_strings] : []
content {
items = query_strings.value
}
}
}
}

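Review bot: in each `dynamic` block the `for_each` is gated on list length alone while the behavior is taken from a separate field, so `header_behavior = "none"` combined with a non-empty `headers` list still emits a `headers { items = ... }` block, and a whitelist-style `header_behavior` combined with the default empty list emits no items at all; the same holds for `cookies` and `query_strings`. Whether CloudFront accepts such a combination is only discovered at apply time. Gate the items on the behavior as well, for example `for_each = each.value.origin_request_policy.header_behavior != "none" && length(each.value.origin_request_policy.headers) > 0 ? [each.value.origin_request_policy.headers] : []`, or reject the mismatch in a `validation` block so it fails at plan. It is also worth stating in the docs that a behavior which forwards all viewer headers or cookies passes them through to the S3 origin and largely defeats caching for that behavior, which is why the `"none"` defaults are the safe choice.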
10 changes: 10 additions & 0 deletions modules/spa-s3-cloudfront/variables.tf
Expand Up @@ -447,6 +447,16 @@ variable "ordered_cache" {
event_type = string
function_arn = string
}))

origin_request_policy = optional(object({
cookie_behavior = optional(string, "none")
header_behavior = optional(string, "none")
query_string_behavior = optional(string, "none")

cookies = optional(list(string), [])
headers = optional(list(string), [])
query_strings = optional(list(string), [])
}), {})
}))
default = []
description = <<-EOT
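Review bot: the new `origin_request_policy` attributes carry no `validation` block, so a mistyped behavior such as `"None"` or `"whitelist "` is only caught when the provider calls the CloudFront API. Since the three behaviors default to `"none"` and the lists default to `[]`, add a `validation` on `var.ordered_cache` along the lines of `condition = alltrue([for c in var.ordered_cache : contains(["none", "whitelist", "all"], c.origin_request_policy.cookie_behavior)])` (extended to the full set of values the provider accepts for each field) and a second one requiring the matching list to be non-empty whenever a whitelist-style behavior is selected. The `description` heredoc that begins at the end of this hunk is left untouched and should be updated to describe the new object.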
