feat: Improve CDN origin control @jwadolowski (#140)
## what- Enable explicit origin type definition - generic backend (default for compatibility reasons) vs S3 bucket
- Ignore OAC unless S3 origin was specified
- Add OAI support
- Make sure origin shield can be specified for non-default origins
why
Currently, the module aims for a backend/cloud/platform-agnostic default origin. All of its details (port, protocol, domain, etc) are placed inside custom_origin_config block. Unfortunately, custom_origin_config presence implies lack of OAC/OAI support.
Here's my use case:
- I manage a CloudFront instance using
cloudposse/cloudfront-cdn/awsin AWS accountA - the CF distribution is pointed at an S3 bucket that's deployed to AWS account
B(outside of my control) - the team that manages the
Baccount would like to protect the bucket from unauthorized access by leveraging either Origin Access Identity or Origin Access Control
Technically, the module allows me to assign an S3 bucket URL to origin_domain_name, but I can associate neither OAC (even though origin_access_control_id exists) nor OAI (no such option at the moment, however OAI gets created by the module) with it.
The following code fails upon apply:
resource "aws_cloudfront_origin_access_control" "s3" {
name = "example"
origin_access_control_origin_type = "s3"
signing_behavior = "always"
signing_protocol = "sigv4"
}
module "cdn" {
source = "cloudposse/cloudfront-cdn/aws"
version = "1.2.0"
namespace = "test"
# ...
origin_domain_name = "<MY_BUCKET_NAME>.s3.us-west-2.amazonaws.com"
origin_protocol_policy = "https-only"
origin_shield = {
enabled = true
region = "us-west-2"
}
origin_access_control_id = aws_cloudfront_origin_access_control.s3.id
# ...
}╷
│ Error: updating CloudFront Distribution (XXXXXXXXXXXXXX): operation error CloudFront: UpdateDistribution, https response error StatusCode: 400, RequestID: yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy, IllegalOriginAccessConfiguration: Illegal configuration: The origin type and OAC origin type differ.
│
│ with module.myapp.module.cdn.aws_cloudfront_distribution.default[0],
│ on .terraform/modules/myapp.cdn/main.tf line 45, in resource "aws_cloudfront_distribution" "default":
│ 45: resource "aws_cloudfront_distribution" "default" {
│
╵That's because OAC works only when the origin block doesn't reference the custom_origin_config sub-block inside.
All in all, currently S3 origin silently implies public access to the bucket, which would be an eyebrow-raising requirement.
At first glance, cloudposse/cloudfront-s3-cdn/aws may seem to be a viable alternative (it supports pre-existing S3 buckets), but it's not going to work - behind the scenes it assumes that both the CloudFront distribution and the bucket belong to the same AWS account (which is totally fine, that's just a different use case).
Aside from the above, this PR includes the following improvements:
- OAC makes sense only for S3 origins, therefore its value should be zeroed if that's not the case
- OAI support (both built-in OAI and external one can be used, see examples)
- user can choose between OAI and OAC (when both are specified, OAC takes precedence)
- origin shield can now be configured for any non-default origin
- fixes deprecated
map()references
references
fix: Avoid phantom resource changes in the plan @jwadolowski (#141)
## what- Zero all
*_ttlparams when custom cache policy is specified (TTLs included in the policy take precedence) - Use
TLSv1minimum viewer policy for alias-less distribution
why
Certain parameter combinations may lead to phantom changes in the plan. This PR aligns some arguments with AWS's default values that aren't explicitly stated in the documentation.
#
# Slightly modified version of examples/complete/main.tf
#
provider "aws" {
region = var.region
}
resource "aws_cloudfront_cache_policy" "default" {
name = "DefaultCachePolicy"
default_ttl = 180
max_ttl = 3600
min_ttl = 1
parameters_in_cache_key_and_forwarded_to_origin {
cookies_config {
cookie_behavior = "none"
}
headers_config {
header_behavior = "none"
}
query_strings_config {
query_string_behavior = "none"
}
}
}
module "cdn" {
# source = "../../"
source = "cloudposse/cloudfront-cdn/aws"
version = "1.2.0"
aliases = var.aliases
origin_domain_name = var.origin_domain_name
parent_zone_name = var.parent_zone_name
logging_enabled = false
cache_policy_id = aws_cloudfront_cache_policy.default.id
context = module.this.context
}No matter how many times you apply the above, the plan always produces the following (the min_ttl does not show up, as it's set to 0 by default):
Terraform will perform the following actions:
# module.cdn.aws_cloudfront_distribution.default[0] will be updated in-place
~ resource "aws_cloudfront_distribution" "default" {
id = "E1NE1WD4E24L7"
tags = {
"Name" = "eg-test-cdn"
"Namespace" = "eg"
"Stage" = "test"
}
# (23 unchanged attributes hidden)
~ default_cache_behavior {
~ default_ttl = 0 -> 60
~ max_ttl = 0 -> 31536000
# (14 unchanged attributes hidden)
# (1 unchanged block hidden)
}
~ viewer_certificate {
~ minimum_protocol_version = "TLSv1" -> "TLSv1.2_2021"
# (4 unchanged attributes hidden)
}
# (2 unchanged blocks hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.When a local module is referenced (source = "../../"), then the subsequent apply works as expected:
No changes. Your infrastructure matches the configuration.