Skip to content

Commit

Permalink
PLT-0 - Allow to set origin access controls
Browse files Browse the repository at this point in the history 
* update modules
* allow to create origin access controls
  • Loading branch information
@Engerim
Engerim committed Dec 22, 2023
1 parent 0c844a6 commit ad8cbb2
Show file tree
Hide file tree
Showing 3 changed files with 78 additions and 21 deletions.
83 changes: 64 additions & 19 deletions main.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,37 @@ locals {
override_origin_policy = var.override_s3_origin_policy && var.s3_origin_name != ""

function_association = { for type, func in var.cf_functions : type => { function_arn = aws_cloudfront_function.functions[type].arn } if func.assign }

origin_access_identities = var.create_origin_access_identity ? {
s3_bucket = "Access identity for CDN (${var.r53_hostname})"
} : {}

oac_key = "${var.r53_hostname}-origin-access-control"

origin_access_control = var.create_origin_access_control ? {
(local.oac_key) = {
description = "Origin access control for s3 bucket ${data.aws_s3_bucket.s3_origin[0].id}"
origin_type = "s3"
signing_behavior = "always"
signing_protocol = "sigv4"
}
} : {}

origin_oai = var.create_origin_access_identity ? tomap({
s3_origin = {
domain_name = local.origin_hostname
s3_origin_config = {
origin_access_identity = "s3_bucket"
}
}
}) : tomap({})
origin_oac = var.create_origin_access_control ? tomap({
s3_origin = {
domain_name = data.aws_s3_bucket.s3_origin[0].bucket_domain_name
origin_access_control = local.oac_key
}
}) : tomap({})

}

# Workaround for the input variable validation
Expand All @@ -26,19 +57,20 @@ data "aws_s3_bucket" "s3_origin" {
}

module "certificate" {
source = "github.com/terraform-aws-modules/terraform-aws-acm?ref=v3.2.0"
source = "github.com/terraform-aws-modules/terraform-aws-acm?ref=v5.0.0"
tags = var.tags

domain_name = var.r53_hostname
zone_id = var.r53_zone_id
domain_name = var.r53_hostname
zone_id = var.r53_zone_id
validation_method = "DNS"

providers = {
aws = aws.us-east-1
}
}

module "cloudfront" {
source = "github.com/terraform-aws-modules/terraform-aws-cloudfront?ref=v2.7.0"
source = "github.com/terraform-aws-modules/terraform-aws-cloudfront?ref=v3.2.1"
tags = var.tags
aliases = [var.r53_hostname]

Expand All @@ -50,26 +82,19 @@ module "cloudfront" {

default_root_object = var.default_root_object

create_origin_access_identity = true
origin_access_identities = {
s3_bucket = "Access identity for CDN (${var.r53_hostname})"
}
create_origin_access_identity = var.create_origin_access_identity
origin_access_identities = local.origin_access_identities

create_origin_access_control = var.create_origin_access_control
origin_access_control = local.origin_access_control

logging_config = var.s3_logging_hostname == "" ? {} : {
bucket = var.s3_logging_hostname
include_cookies = false
prefix = var.cdn_logging
}

origin = {
s3_origin = {
domain_name = local.origin_hostname
s3_origin_config = {
origin_access_identity = "s3_bucket"
}
}
}

origin = merge(local.origin_oai, local.origin_oac)
default_cache_behavior = {
target_origin_id = "s3_origin"
viewer_protocol_policy = "redirect-to-https"
Expand All @@ -89,7 +114,7 @@ module "cloudfront" {
}

data "aws_iam_policy_document" "oai_policy" {
count = local.override_origin_policy ? 1 : 0
count = local.override_origin_policy && var.create_origin_access_identity ? 1 : 0

statement {
actions = ["s3:GetObject"]
Expand All @@ -102,11 +127,31 @@ data "aws_iam_policy_document" "oai_policy" {
}
}

data "aws_iam_policy_document" "oac_policy" {
count = local.override_origin_policy && var.create_origin_access_control ? 1 : 0

statement {
actions = ["s3:GetObject"]
resources = ["${data.aws_s3_bucket.s3_origin[0].arn}${var.s3_origin_policy_restrict_access}"]

principals {
type = "Service"
identifiers = ["cloudfront.amazonaws.com"]
}

condition {
test = "StringEquals"
values = [module.cloudfront.cloudfront_distribution_arn]
variable = "AWS:SourceArn"
}
}
}

resource "aws_s3_bucket_policy" "s3_origin_policy" {
count = local.override_origin_policy ? 1 : 0

bucket = data.aws_s3_bucket.s3_origin[0].id
policy = data.aws_iam_policy_document.oai_policy[0].json
policy = var.create_origin_access_identity ? data.aws_iam_policy_document.oai_policy[0].json : data.aws_iam_policy_document.oac_policy[0].json
}

resource "aws_route53_record" "this" {
Expand Down
12 changes: 12 additions & 0 deletions variables.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -85,3 +85,15 @@ variable "default_root_object" {
type = string
default = null
}

variable "create_origin_access_identity" {
description = "Controls if CloudFront origin access identity should be created"
type = bool
default = true
}

variable "create_origin_access_control" {
description = "Controls if CloudFront origin access control should be created"
type = bool
default = false
}
4 changes: 2 additions & 2 deletions versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
terraform {
required_version = ">= 0.12.26"
required_version = ">= 0.13.1"

required_providers {
aws = ">= 3"
aws = ">= 4.29"
}
}

0 comments on commit ad8cbb2

Please sign in to comment.