From 8ea0c65d475189c3363be976e5a21c77c9a61536 Mon Sep 17 00:00:00 2001 From: Yonatan Koren <10080107+korenyoni@users.noreply.github.com> Date: Wed, 9 Oct 2024 17:56:08 -0400 Subject: [PATCH] feat: Configurable origin request policies for `spa-s3-cloudfront` (#1151) --- modules/spa-s3-cloudfront/README.md | 2 +- modules/spa-s3-cloudfront/ordered_cache.tf | 24 +++++++++++++++++++--- modules/spa-s3-cloudfront/variables.tf | 10 +++++++++ 3 files changed, 32 insertions(+), 4 deletions(-) diff --git a/modules/spa-s3-cloudfront/README.md b/modules/spa-s3-cloudfront/README.md index 173f9a2b7..04e81a280 100644 --- a/modules/spa-s3-cloudfront/README.md +++ b/modules/spa-s3-cloudfront/README.md @@ -245,7 +245,7 @@ components: | [lambda\_edge\_runtime](#input\_lambda\_edge\_runtime) | The default Lambda@Edge runtime for all functions.

This value is deep merged in `module.lambda_edge_functions` with `var.lambda_edge_functions` and can be overwritten for any individual function. | `string` | `"nodejs16.x"` | no | | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [ordered\_cache](#input\_ordered\_cache) | An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.
List in order of precedence (first match wins). This is in addition to the default cache policy.
Set `target_origin_id` to `""` to specify the S3 bucket origin created by this module.
Set `cache_policy_id` to `""` to use `cache_policy_name` for creating a new policy. At least one of the two must be set.
Set `origin_request_policy_id` to `""` to use `origin_request_policy_name` for creating a new policy. At least one of the two must be set. |
list(object({
target_origin_id = string
path_pattern = string

allowed_methods = list(string)
cached_methods = list(string)
compress = bool
trusted_signers = list(string)
trusted_key_groups = list(string)

cache_policy_name = optional(string)
cache_policy_id = optional(string)
origin_request_policy_name = optional(string)
origin_request_policy_id = optional(string)

viewer_protocol_policy = string
min_ttl = number
default_ttl = number
max_ttl = number
response_headers_policy_id = string

forward_query_string = bool
forward_header_values = list(string)
forward_cookies = string
forward_cookies_whitelisted_names = list(string)

lambda_function_association = list(object({
event_type = string
include_body = bool
lambda_arn = string
}))

function_association = list(object({
event_type = string
function_arn = string
}))
}))
| `[]` | no | +| [ordered\_cache](#input\_ordered\_cache) | An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.
List in order of precedence (first match wins). This is in addition to the default cache policy.
Set `target_origin_id` to `""` to specify the S3 bucket origin created by this module.
Set `cache_policy_id` to `""` to use `cache_policy_name` for creating a new policy. At least one of the two must be set.
Set `origin_request_policy_id` to `""` to use `origin_request_policy_name` for creating a new policy. At least one of the two must be set. |
list(object({
target_origin_id = string
path_pattern = string

allowed_methods = list(string)
cached_methods = list(string)
compress = bool
trusted_signers = list(string)
trusted_key_groups = list(string)

cache_policy_name = optional(string)
cache_policy_id = optional(string)
origin_request_policy_name = optional(string)
origin_request_policy_id = optional(string)

viewer_protocol_policy = string
min_ttl = number
default_ttl = number
max_ttl = number
response_headers_policy_id = string

forward_query_string = bool
forward_header_values = list(string)
forward_cookies = string
forward_cookies_whitelisted_names = list(string)

lambda_function_association = list(object({
event_type = string
include_body = bool
lambda_arn = string
}))

function_association = list(object({
event_type = string
function_arn = string
}))

origin_request_policy = optional(object({
cookie_behavior = optional(string, "none")
header_behavior = optional(string, "none")
query_string_behavior = optional(string, "none")

cookies = optional(list(string), [])
headers = optional(list(string), [])
query_strings = optional(list(string), [])
}), {})
}))
| `[]` | no | | [origin\_allow\_ssl\_requests\_only](#input\_origin\_allow\_ssl\_requests\_only) | Set to `true` in order to have the origin bucket require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `true` | no | | [origin\_bucket](#input\_origin\_bucket) | Name of an existing S3 bucket to use as the origin. If this is not provided, this component will create a new s3 bucket using `var.name` and other context related inputs | `string` | `null` | no | | [origin\_deployment\_actions](#input\_origin\_deployment\_actions) | List of actions to permit `origin_deployment_principal_arns` to perform on bucket and bucket prefixes (see `origin_deployment_principal_arns`) | `list(string)` |
[
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload"
]
| no |
diff --git a/modules/spa-s3-cloudfront/ordered_cache.tf b/modules/spa-s3-cloudfront/ordered_cache.tf
index 0b68f3c2b..5d06f739b 100644
--- a/modules/spa-s3-cloudfront/ordered_cache.tf
+++ b/modules/spa-s3-cloudfront/ordered_cache.tf
@@ -29,13 +29,31 @@ resource "aws_cloudfront_origin_request_policy" "created_origin_request_policies
 comment = var.comment
 name = each.value.origin_request_policy_name
 cookies_config {
- cookie_behavior = "none"
+ cookie_behavior = each.value.origin_request_policy.cookie_behavior
+ dynamic "cookies" {
+ for_each = length(each.value.origin_request_policy.cookies) > 0 ? [each.value.origin_request_policy.cookies] : []
+ content {
+ items = cookies.value
+ }
+ }
 }
 headers_config {
- header_behavior = "none"
+ header_behavior = each.value.origin_request_policy.header_behavior
+ dynamic "headers" {
+ for_each = length(each.value.origin_request_policy.headers) > 0 ? [each.value.origin_request_policy.headers] : []
+ content {
+ items = headers.value
+ }
+ }
 }
 query_strings_config {
- query_string_behavior = "none"
+ query_string_behavior = each.value.origin_request_policy.query_string_behavior
+ dynamic "query_strings" {
+ for_each = length(each.value.origin_request_policy.query_strings) > 0 ? [each.value.origin_request_policy.query_strings] : []
+ content {
+ items = query_strings.value
+ }
+ }
 }
 }
diff --git a/modules/spa-s3-cloudfront/variables.tf b/modules/spa-s3-cloudfront/variables.tf
index cfa689846..ddac62bb4 100644
--- a/modules/spa-s3-cloudfront/variables.tf
+++ b/modules/spa-s3-cloudfront/variables.tf
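Review bot: The three `*_behavior` values now let a behavior forward viewer cookies, headers and query strings to the origin, but nothing in this resource adds them to the cache key — that lives in the behavior's separate cache policy — so if the origin varies its response on a forwarded item that is not also in the cache policy, the first viewer's response is cached and served to later viewers. That split between origin request policy and cache policy is how CloudFront works rather than a defect here, but a reader reaching for `header_behavior = "allViewer"` or `cookie_behavior = "all"` should be warned; I would add above `cookies_config`: `# Forwarded items are NOT part of the cache key; anything the origin varies on must also be in this behavior's cache policy (or the response must not be cacheable), otherwise one viewer's response can be served to another.` Separately, each `dynamic` block is dropped whenever its list is empty regardless of the behavior, so `whitelist` with no items passes `terraform plan` and fails only at apply; a `validation` on the variable would surface that earlier. The `resource` header and `for_each` of `created_origin_request_policies` sit above this hunk.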
@@ -447,6 +447,16 @@ variable "ordered_cache" {
 event_type = string
 function_arn = string
 }))
+
+ origin_request_policy = optional(object({
+ cookie_behavior = optional(string, "none")
+ header_behavior = optional(string, "none")
+ query_string_behavior = optional(string, "none")
+
+ cookies = optional(list(string), [])
+ headers = optional(list(string), [])
+ query_strings = optional(list(string), [])
+ }), {})
 }))
 default = []
 description = <<-EOT
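Review bot: Nothing ties a `*_behavior` value to its item list: with the new defaults, `cookie_behavior = "whitelist"` (or `allExcept`, and for headers also `allViewerAndWhitelistCloudFront`, as I read the AWS docs) with an empty `cookies` list is accepted by `terraform plan` and, because `ordered_cache.tf` omits the `items` block for an empty list, is rejected by the API only at apply time. A `validation` block on `ordered_cache` would report the misconfiguration at plan time with a message naming the offending field; the check below only asserts that item-requiring behaviors have a non-empty list, so it cannot reject anything the API would accept. The `variable "ordered_cache"` block starts above this hunk and its `description` heredoc continues below it, so the `validation` goes after the heredoc's `EOT`.

```hcl
variable "ordered_cache" {
  # … unchanged: type, default, description …

  validation {
    condition = alltrue([
      for b in var.ordered_cache :
      (!contains(["whitelist", "allExcept"], b.origin_request_policy.cookie_behavior) || length(b.origin_request_policy.cookies) > 0) &&
      (!contains(["whitelist", "allExcept", "allViewerAndWhitelistCloudFront"], b.origin_request_policy.header_behavior) || length(b.origin_request_policy.headers) > 0) &&
      (!contains(["whitelist", "allExcept"], b.origin_request_policy.query_string_behavior) || length(b.origin_request_policy.query_strings) > 0)
    ])
    error_message = "ordered_cache[*].origin_request_policy: a cookie/header/query_string behavior of whitelist, allExcept (or allViewerAndWhitelistCloudFront for headers) requires a non-empty cookies/headers/query_strings list."
  }
}
```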