Support additional origins and cache behaviors (#64)

dmurvihill · web-flow · commit 90dc4507c957 · 2023-06-27T09:24:20.000+01:00
* Support additional origins and cache behaviors

* Fix formatter errors
diff --git a/README.md b/README.md
@@ -78,6 +78,7 @@ In order to run all checks at any point run the following command:
 |------|-------------|------|---------|:--------:|
 | <a name="input_acm_certificate_arn_to_use"></a> [acm\_certificate\_arn\_to\_use](#input\_acm\_certificate\_arn\_to\_use) | ACM Certificate ARN to use in case you disable automatic certificate creation. Certificate must be in us-east-1 region. | `string` | `""` | no |
 | <a name="input_aws_accounts_with_read_view_log_bucket"></a> [aws\_accounts\_with\_read\_view\_log\_bucket](#input\_aws\_accounts\_with\_read\_view\_log\_bucket) | List of AWS accounts with read permissions to log bucket | `list(string)` | `[]` | no |
+| <a name="input_cloudfront_additional_origins"></a> [cloudfront\_additional\_origins](#input\_cloudfront\_additional\_origins\_)                                                | (Optional) List of [origin configurations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#origin-arguments) in addiiton to the bucket that hosts the static web site. No support yet for origin shield.        | `list(object)`                                                                                                                                                                            | `[]`                                                          | no |
 | <a name="input_cloudfront_allowed_cached_methods"></a> [cloudfront\_allowed\_cached\_methods](#input\_cloudfront\_allowed\_cached\_methods) | (Optional) Specifies which methods are allowed and cached by CloudFront. Can be GET, PUT, POST, DELETE or HEAD. Defaults to GET and HEAD | `list(string)` | <pre>[<br>  "GET",<br>  "HEAD"<br>]</pre> | no |
 | <a name="input_cloudfront_custom_error_responses"></a> [cloudfront\_custom\_error\_responses](#input\_cloudfront\_custom\_error\_responses) | A list of custom error responses | <pre>list(object({<br>    error_caching_min_ttl = number<br>    error_code            = number<br>    response_code         = number<br>    response_page_path    = string<br>  }))</pre> | `[]` | no |
 | <a name="input_cloudfront_default_root_object"></a> [cloudfront\_default\_root\_object](#input\_cloudfront\_default\_root\_object) | (Optional) - The object that you want CloudFront to return (for example, index.html) when an end user requests the root URL. Defaults to index.html | `string` | `"index.html"` | no |
@@ -86,6 +87,7 @@ In order to run all checks at any point run the following command:
 | <a name="input_cloudfront_geo_restriction_locations"></a> [cloudfront\_geo\_restriction\_locations](#input\_cloudfront\_geo\_restriction\_locations) | (Optional) - The ISO 3166-1-alpha-2 codes for which you want CloudFront either to distribute your content (whitelist) or not distribute your content (blacklist). Defaults to [] | `list(string)` | `[]` | no |
 | <a name="input_cloudfront_geo_restriction_type"></a> [cloudfront\_geo\_restriction\_type](#input\_cloudfront\_geo\_restriction\_type) | The method that you want to use to restrict distribution of your content by country: none, whitelist, or blacklist. Defaults to none | `string` | `"none"` | no |
 | <a name="input_cloudfront_http_version"></a> [cloudfront\_http\_version](#input\_cloudfront\_http\_version) | (Optional) - The maximum HTTP version to support on the distribution. Allowed values are http1.1 and http2. The default is http2. | `string` | `"http2"` | no |
+| <a name="input_cloudfront_ordered_cache_behaviors"></a> [cloudfront\_ordered\_cache\_behaviors](#input\_cloudfront\_ordered\_cache\_behaviors)                                                         | (Optional) - List of [ordered cache behavior](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) configurations. No support yet for function associations or trusted key groups.         | `list(object)`                                                                                                                                                                            | `[]`                                                          | no |
 | <a name="input_cloudfront_price_class"></a> [cloudfront\_price\_class](#input\_cloudfront\_price\_class) | (Optional) - The price class for this distribution. One of PriceClass\_All, PriceClass\_200, PriceClass\_100. Defaults to PriceClass\_100 | `string` | `"PriceClass_100"` | no |
 | <a name="input_cloudfront_viewer_protocol_policy"></a> [cloudfront\_viewer\_protocol\_policy](#input\_cloudfront\_viewer\_protocol\_policy) | Use this element to specify the protocol that users can use to access the files in the origin specified by TargetOriginId when a request matches the path pattern in PathPattern. One of allow-all, https-only, or redirect-to-https. Defautls to redirect-to-https | `string` | `"redirect-to-https"` | no |
 | <a name="input_cloudfront_web_acl_id"></a> [cloudfront\_web\_acl\_id](#input\_cloudfront\_web\_acl\_id) | (Optional) A unique identifier that specifies the AWS WAF web ACL, if any, to associate with this distribution. | `string` | `null` | no |
diff --git a/examples/ordered-cache-behavior/main.tf b/examples/ordered-cache-behavior/main.tf
@@ -0,0 +1,40 @@
+module "test_website" {
+  source      = "../../"
+  name_prefix = "test-website"
+
+  providers = {
+    aws.main         = aws.main
+    aws.acm_provider = aws.acm_provider
+  }
+
+  website_domain_name = "test.com"
+
+  create_acm_certificate = true
+
+  create_route53_hosted_zone = true
+
+  cloudfront_additional_origins = [
+    {
+      domain_name = "api.test.com"
+      origin_id   = "api"
+      custom_origin_config = {
+        http_port              = 80
+        https_port             = 443
+        origin_protocol_policy = "https-only"
+        origin_ssl_protocols   = ["TLSv1.2"]
+      }
+    }
+  ]
+
+  cloudfront_ordered_cache_behaviors = [
+    {
+      allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+      cached_methods           = ["GET", "HEAD", "OPTIONS"]
+      cache_policy_id          = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"
+      origin_request_policy_id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"
+      path_pattern             = "api/*"
+      target_origin_id         = "api"
+      viewer_protocol_policy   = "redirect-to-https"
+    }
+  ]
+}
diff --git a/variables.tf b/variables.tf
@@ -204,6 +204,62 @@ variable "cloudfront_custom_error_responses" {
   default = []
 }
 
+variable "cloudfront_ordered_cache_behaviors" {
+  description = "A list of custom ordered cache behaviors"
+  type = list(object({
+    allowed_methods           = list(string)
+    cached_methods            = list(string)
+    cache_policy_id           = string
+    compress                  = optional(bool)
+    default_ttl               = optional(number)
+    field_level_encryption_id = optional(string)
+    # forwarded_values will not be supported as Hashicorp had already deprecated it at the time of implementing this module
+    # TODO support lambda_function_association and function_association
+    max_ttl                    = optional(number)
+    min_ttl                    = optional(number)
+    origin_request_policy_id   = string
+    path_pattern               = optional(string)
+    realtime_log_config_arn    = optional(string)
+    response_headers_policy_id = optional(string)
+    smooth_streaming           = optional(bool)
+    target_origin_id           = string
+    # TODO support trusted_key_groups and trusted_signers
+    viewer_protocol_policy = string
+  }))
+  default = []
+}
+
+variable "cloudfront_additional_origins" {
+  description = "(Optional) A list of additional origins besides the web site"
+  type = list(object({
+    connection_attempts = optional(number)
+    connection_timeout  = optional(number)
+    custom_origin_config = optional(object({
+      http_port                = number
+      https_port               = number
+      origin_protocol_policy   = string
+      origin_ssl_protocols     = list(string)
+      origin_keepalive_timeout = optional(number)
+      origin_read_timeout      = optional(number)
+    }))
+    domain_name = string
+    custom_header : optional(list(
+      object({
+        name  = string
+        value = string
+      }))
+    )
+    origin_access_control_id = optional(string)
+    origin_id                = string
+    origin_path              = optional(string)
+    # TODO support origin_shield
+    s3_origin_config = optional(object({
+      origin_access_identity = string
+    }))
+  }))
+  default = []
+}
+
 variable "cloudfront_web_acl_id" {
   description = "(Optional) A unique identifier that specifies the AWS WAF web ACL, if any, to associate with this distribution."
   type        = string
diff --git a/website.tf b/website.tf
@@ -11,7 +11,8 @@ resource "aws_cloudfront_origin_access_identity" "cf_oai" {
 # Website S3 Bucket
 #------------------------------------------------------------------------------
 #tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging
-resource "aws_s3_bucket" "website" { # tfsec:ignore:AWS017
+resource "aws_s3_bucket" "website" {
+  # tfsec:ignore:AWS017
   provider = aws.main
 
   bucket        = local.website_bucket_name
@@ -133,7 +134,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "website_bucket_we
 #------------------------------------------------------------------------------
 # tfsec issues ignored
 #  - AWS045: Enable WAF for the CloudFront distribution. Pending to implement.
-resource "aws_cloudfront_distribution" "website" { # tfsec:ignore:AWS045
+resource "aws_cloudfront_distribution" "website" {
+  # tfsec:ignore:AWS045
   provider = aws.main
 
   aliases = var.www_website_redirect_enabled ? [
@@ -188,8 +190,29 @@ resource "aws_cloudfront_distribution" "website" { # tfsec:ignore:AWS045
     prefix          = "cloudfront_website"
   }
 
-  # TODO - Add variable to support ordered_cache_behavior
-  # ordered_cache_behavior (Optional) - An ordered list of cache behaviors resource for this distribution. List from top to bottom in order of precedence. The topmost cache behavior will have precedence 0.
+  dynamic "ordered_cache_behavior" {
+    for_each = var.cloudfront_ordered_cache_behaviors
+    content {
+      allowed_methods            = tolist(ordered_cache_behavior.value.allowed_methods)
+      cached_methods             = tolist(ordered_cache_behavior.value.cached_methods)
+      cache_policy_id            = ordered_cache_behavior.value.cache_policy_id
+      compress                   = ordered_cache_behavior.value.compress
+      default_ttl                = ordered_cache_behavior.value.default_ttl
+      field_level_encryption_id  = ordered_cache_behavior.value.field_level_encryption_id
+      max_ttl                    = ordered_cache_behavior.value.max_ttl
+      min_ttl                    = ordered_cache_behavior.value.min_ttl
+      origin_request_policy_id   = ordered_cache_behavior.value.origin_request_policy_id
+      path_pattern               = ordered_cache_behavior.value.path_pattern
+      realtime_log_config_arn    = ordered_cache_behavior.value.realtime_log_config_arn
+      response_headers_policy_id = ordered_cache_behavior.value.response_headers_policy_id
+      smooth_streaming           = ordered_cache_behavior.value.smooth_streaming
+      target_origin_id           = ordered_cache_behavior.value.target_origin_id
+      viewer_protocol_policy     = ordered_cache_behavior.value.viewer_protocol_policy
+    }
+  }
+
+  # TODO support origin groups
+  # origin_group (Optional) - One or more origin_group for this distribution (multiples allowed).
 
   origin {
     domain_name = aws_s3_bucket.website.bucket_regional_domain_name
@@ -199,6 +222,51 @@ resource "aws_cloudfront_distribution" "website" { # tfsec:ignore:AWS045
     }
   }
 
+  dynamic "origin" {
+    for_each = var.cloudfront_additional_origins
+    content {
+      domain_name = origin.value.domain_name
+
+      dynamic "custom_header" {
+        for_each = origin.value.custom_header == null ? [] : [
+          for h in origin.value.custom_header : {
+            name  = h.name
+            value = h.value
+          }
+        ]
+        content {
+          name  = custom_header.value.name
+          value = custom_header.value.value
+        }
+      }
+
+      origin_id                = origin.value.origin_id
+      connection_attempts      = origin.value.connection_attempts
+      connection_timeout       = origin.value.connection_timeout
+      origin_access_control_id = origin.value.origin_access_control_id
+      origin_path              = origin.value.origin_path
+
+      dynamic "s3_origin_config" {
+        for_each = origin.value.s3_origin_config[*]
+        content {
+          origin_access_identity = s3_origin_config.value.origin_access_identity
+        }
+      }
+
+      dynamic "custom_origin_config" {
+        for_each = origin.value.custom_origin_config[*]
+        content {
+          http_port                = custom_origin_config.value.http_port
+          https_port               = custom_origin_config.value.https_port
+          origin_protocol_policy   = custom_origin_config.value.origin_protocol_policy
+          origin_ssl_protocols     = custom_origin_config.value.origin_ssl_protocols
+          origin_keepalive_timeout = custom_origin_config.value.origin_keepalive_timeout
+          origin_read_timeout      = custom_origin_config.value.origin_read_timeout
+        }
+      }
+    }
+  }
+
   price_class = var.cloudfront_price_class
 
   restrictions {
