feat: Add mTLS and connection function support @nickhawkins-proof (#163)
## what

- Add `viewer_mtls_config` variable and dynamic block to enable mutual TLS (mTLS) authentication on the distribution
- Add `connection_function_id` variable and dynamic block to associate a CloudFront connection function with the distribution
- Add `examples/mtls`, a self-contained example that provisions a self-signed test CA (via the `tls` provider), an S3-backed `aws_cloudfront_trust_store`, and two module instances (one with mTLS required, one without) to demonstrate the feature and verify the null default is a no-op
- Regenerate README

## why

- CloudFront mTLS and connection functions currently have no module support, so users must fork the module or fall back to raw `aws_cloudfront_distribution` resources
- Both features are purely additive: the new variables default to `null`, existing configurations see zero plan diff, and the existing terratest fixtures are unchanged
- The trust store and connection function are intentionally left outside the module (passed by ID), since they are commonly shared across multiple distributions
- Verified end-to-end against a real AWS account: deployed `examples/mtls`, confirmed via the CloudFront API that the distribution carries `Mode: required` with the trust store attached, confirmed requests without a client certificate are rejected while requests presenting a certificate issued by the trust-store CA reach the origin, and confirmed a distribution created with the current module code shows `No changes` when re-planned with this branch
- The module's existing `aws >= 6.13.0` constraint already supports both blocks — no provider bump needed

## references

- closes #160
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/mutual-tls-authentication.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#viewer-mtls-config-arguments
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_trust_store
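The shape of the `examples/mtls` fixture described above, sketched as an added illustration rather than the PR's own code: a throwaway CA from the `tls` provider, its certificate uploaded as the trust-store bundle, and one module instance with mTLS required next to a control instance that leaves the new variables at `null`. The module source path, the object shape of `viewer_mtls_config`, and the `aws_cloudfront_trust_store` argument names are assumptions (the provider pin `aws >= 6.13.0` and other required module inputs are omitted); verify them against the provider docs linked above.

```hcl
# Throwaway test CA. Only the certificate is uploaded; the key stays in state.
resource "tls_private_key" "ca" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "tls_self_signed_cert" "ca" {
  private_key_pem       = tls_private_key.ca.private_key_pem
  is_ca_certificate     = true
  validity_period_hours = 24 # short-lived on purpose: this CA is a test fixture
  allowed_uses          = ["cert_signing", "crl_signing"]
  subject { common_name = "mtls-test-ca.example" }
}

resource "aws_s3_bucket" "trust_store" {
  bucket_prefix = "cf-mtls-trust-store-"
}

resource "aws_s3_object" "ca_bundle" {
  bucket  = aws_s3_bucket.trust_store.id
  key     = "ca-bundle.pem"
  content = tls_self_signed_cert.ca.cert_pem
}

# Block and argument names assumed from the CreateTrustStore API; check the provider docs.
resource "aws_cloudfront_trust_store" "test" {
  name = "mtls-test"
  ca_certificates_bundle_s3 {
    bucket = aws_s3_object.ca_bundle.bucket
    key    = aws_s3_object.ca_bundle.key
  }
}

# mTLS required. The variable's object shape is assumed; other module inputs omitted.
module "cdn_mtls" {
  source = "../.."
  viewer_mtls_config = {
    trust_store_id = aws_cloudfront_trust_store.test.id
    mode           = "required"
  }
}

# Control instance: both new variables stay at their null default, so no extra
# block is rendered and an existing distribution re-plans with no changes.
module "cdn_plain" {
  source = "../.."
}
```

Planning the control instance against a distribution built from the current module code is the cheapest check that the null default really is a no-op.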