schubergphilis/terraform-aws-mcaf-cloudfront

Repository files navigation

# terraform-aws-mcaf-cloudfront

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |
| aws | >= 4.0.0 |
| okta | >= 4.0.0 |

## Providers

| Name | Version |
|------|---------|
| aws | >= 4.0.0 |
| aws.cloudfront | >= 4.0.0 |
| okta | >= 4.0.0 |
| tls | n/a |

## Modules

| Name | Source | Version |
|------|--------|---------|
| authentication | github.com/schubergphilis/terraform-aws-mcaf-lambda | v0.3.3 |
| origin_bucket | github.com/schubergphilis/terraform-aws-mcaf-s3 | v0.10.1 |

## Resources

| Name | Type |
|------|------|
| aws_acm_certificate.default | resource |
| aws_acm_certificate_validation.default | resource |
| aws_cloudfront_distribution.default | resource |
| aws_cloudfront_origin_access_identity.default | resource |
| aws_route53_record.cloudfront | resource |
| aws_route53_record.validation | resource |
| aws_ssm_parameter.client_id | resource |
| aws_ssm_parameter.client_secret | resource |
| aws_ssm_parameter.cookie_domain | resource |
| aws_ssm_parameter.okta_org_name | resource |
| aws_ssm_parameter.private_key | resource |
| aws_ssm_parameter.public_key | resource |
| aws_ssm_parameter.redirect_uri | resource |
| okta_app_group_assignments.default | resource |
| okta_app_oauth.default | resource |
| tls_private_key.default | resource |
| aws_iam_policy_document.authentication | data source |
| aws_iam_policy_document.origin_bucket | data source |
| aws_region.current | data source |
| aws_route53_zone.current | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| name | The name of the CloudFront distribution | `string` | n/a | yes |
| subdomain | A DNS subdomain for this distribution | `string` | n/a | yes |
| tags | A mapping of tags to assign to all resources | `map(string)` | n/a | yes |
| zone_id | ID of the Route53 zone in which to create the subdomain record | `string` | n/a | yes |
| additional_redirect_uris | Additional login redirect URLs | `list(string)` | `null` | no |
| aliases | Extra CNAMEs (alternate domain names), if any, for this distribution | `list(string)` | `[]` | no |
| allowed_methods | Controls which HTTP methods CloudFront processes and forwards | `list(string)` | `["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]` | no |
| application_logo | Relative path to the application logo image | `string` | `null` | no |
| authentication | Whether to protect the CloudFront distribution behind an Okta application | `bool` | `false` | no |
| block_public_acls | Whether Amazon S3 should block public ACLs for this bucket | `bool` | `true` | no |
| block_public_policy | Whether Amazon S3 should block public bucket policies for this bucket | `bool` | `true` | no |
| bucket_lifecycle_rule | List of maps containing lifecycle management configuration settings for this bucket | `any` | `[]` | no |
| bucket_policy | The bucket policy to merge with the CloudFront permissions | `string` | `null` | no |
| cached_methods | Controls whether CloudFront caches the response to requests | `list(string)` | `["GET", "HEAD"]` | no |
| certificate_arn | The ARN of the AWS Certificate Manager certificate that you wish to use with this distribution | `string` | `null` | no |
| comment | Any comments you want to include about the distribution | `string` | `null` | no |
| compress | Whether you want CloudFront to automatically compress content for web requests | `bool` | `false` | no |
| cookie_domain | The domain to set the authentication cookie on | `string` | `null` | no |
| cors_allowed_headers | Specifies which headers are allowed | `list(string)` | `["*"]` | no |
| cors_allowed_methods | Specifies which methods are allowed | `list(string)` | `["GET"]` | no |
| cors_allowed_origins | Specifies which origins are allowed | `list(string)` | `[]` | no |
| cors_expose_headers | Specifies which headers to expose in the response | `list(string)` | `["ETag"]` | no |
| cors_max_age_seconds | Specifies the time (in seconds) the browser can cache the response for a preflight request | `number` | `3600` | no |
| custom_error_response | List of one or more custom error response elements | `list(object({ error_caching_min_ttl = string, error_code = string, response_code = string, response_page_path = string }))` | `[]` | no |
| default_root_object | The object that you want CloudFront to return | `string` | `"index.html"` | no |
| default_ttl | Default amount of time (in seconds) that an object is in a CloudFront cache | `number` | `3600` | no |
| deployment_arn | A resource ARN that can be used to deploy content to the origin bucket | `string` | `null` | no |
| enabled | Whether the distribution is enabled to accept requests for content | `bool` | `true` | no |
| force_destroy | Whether all resources (and their data) should be deleted on destroy | `bool` | `false` | no |
| forward_cookies | Specifies whether you want CloudFront to forward cookies | `string` | `"none"` | no |
| forward_headers | Specifies the headers you want CloudFront to vary upon for this cache behavior | `list(string)` | `["Access-Control-Request-Headers", "Access-Control-Request-Method", "Origin"]` | no |
| forward_query_strings | Specifies whether you want CloudFront to forward query strings | `bool` | `false` | no |
| geo_restriction_locations | The country codes for which you want CloudFront to whitelist or blacklist your content | `list(string)` | `null` | no |
| geo_restriction_type | The method that you want to use to restrict distribution of your content by country | `string` | `"none"` | no |
| hide_ios | Do not display the Okta application icon to users in the Okta mobile app | `bool` | `false` | no |
| hide_web | Do not display the Okta application icon to users | `bool` | `false` | no |
| ignore_public_acls | Whether Amazon S3 should ignore public ACLs for this bucket | `bool` | `true` | no |
| ipv6_enabled | Whether IPv6 is enabled for the distribution | `bool` | `false` | no |
| lambda_function_association | A config block that triggers a Lambda function with specific actions | `list(object({ event_type = string, include_body = bool, lambda_arn = string }))` | `[]` | no |
| logging | Enables logging for this distribution | `bool` | `true` | no |
| login_uri_path | Optional path to the login URL | `string` | `null` | no |
| max_ttl | Maximum amount of time (in seconds) that an object is in a CloudFront cache | `number` | `86400` | no |
| min_ttl | Minimum amount of time (in seconds) that you want objects to stay in CloudFront caches | `number` | `0` | no |
| minimum_protocol_version | The minimum version of the SSL/TLS protocol that you want CloudFront to use for HTTPS connections | `string` | `"TLSv1.2_2018"` | no |
| okta_app_name | The Okta OIDC application name | `string` | `null` | no |
| okta_groups | The default groups assigned to the Okta OIDC application | `list(string)` | `[]` | no |
| okta_org_name | The Okta organization for the OIDC application | `string` | `null` | no |
| okta_spa | Set to true if this is a single page web application | `bool` | `false` | no |
| origin_path | A path that CloudFront uses to request your content from a specific directory | `string` | `""` | no |
| price_class | Price class for this distribution | `string` | `"PriceClass_100"` | no |
| redirect_uri_path | Path to the login redirect URL | `string` | `"_callback"` | no |
| restrict_public_buckets | Whether Amazon S3 should restrict public bucket policies for this bucket | `bool` | `true` | no |
| use_regional_endpoint | Whether to use a regional instead of the global endpoint address | `bool` | `false` | no |
| viewer_protocol_policy | The protocol that users can use to access the files | `string` | `"redirect-to-https"` | no |
| wait_for_deployment | Whether to wait for the deployment of the CloudFront distribution to be complete | `bool` | `true` | no |

## Outputs

| Name | Description |
|------|-------------|
| application_fqdn | Custom FQDN pointing to the distributed application |
| arn | ARN of the CloudFront distribution |
| bucket_arn | ARN of the origin bucket |
| bucket_name | Name of the origin bucket |
| distribution_fqdn | FQDN pointing to the distribution |
| etag | Current version of the distribution's information |
| id | ID of the CloudFront distribution |
| jwt_public_key | The JWT public key |
| okta_client_id | Okta App Client ID |
| status | Current status of the distribution |
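As an added usage example (not part of the module's own README), the block below wires the inputs and outputs listed above into a distribution that sits behind an Okta OIDC login, keeps the origin bucket's S3 public-access blocks on, redirects HTTP to HTTPS and raises the TLS floor above the module default. The module ref, Route53 zone id, Okta org, group name and cookie domain are placeholders.

```hcl
# Added example, not from the module's README; placeholder values are marked.
provider "aws" {
  region = "eu-west-1"
}
# CloudFront reads its ACM certificate from us-east-1, so the module is
# passed a second, aliased provider (aws.cloudfront in the Providers table).
provider "aws" {
  alias  = "cloudfront"
  region = "us-east-1"
}

module "docs_cdn" {
  source = "github.com/schubergphilis/terraform-aws-mcaf-cloudfront?ref=vX.Y.Z" # placeholder ref
  providers = {
    aws            = aws
    aws.cloudfront = aws.cloudfront
  }

  # Required inputs
  name      = "internal-docs"
  subdomain = "docs"
  zone_id   = "Z0000000000EXAMPLE" # placeholder Route53 zone id
  tags      = { environment = "prod" }

  # Put the distribution behind an Okta OIDC login; only these groups get in
  authentication = true
  okta_org_name  = "example-org"       # placeholder Okta org
  okta_app_name  = "internal-docs"
  okta_groups    = ["docs-readers"]    # placeholder group name
  cookie_domain  = "docs.example.com"  # placeholder; the FQDN the cookie is scoped to

  # Transport hardening: HTTPS only, and a newer TLS floor than the module default
  viewer_protocol_policy   = "redirect-to-https"
  minimum_protocol_version = "TLSv1.2_2021"

  # Keep every S3 public-access block on; only the origin access identity reads the bucket
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # A static site needs read methods only; drop the write verbs from the default list
  allowed_methods = ["GET", "HEAD", "OPTIONS"]
  cached_methods  = ["GET", "HEAD"]
  logging         = true
}

output "docs_url" {
  value = module.docs_cdn.application_fqdn
}
```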