{"id":48211157,"url":"https://github.com/techservicesillinois/terraform-aws-cloudfront-distribution","last_synced_at":"2026-04-04T18:48:35.735Z","repository":{"id":35617014,"uuid":"179355449","full_name":"techservicesillinois/terraform-aws-cloudfront-distribution","owner":"techservicesillinois","description":"Provide a CloudFront distribution","archived":false,"fork":false,"pushed_at":"2024-11-15T18:56:38.000Z","size":41,"stargazers_count":1,"open_issues_count":5,"forks_count":3,"subscribers_count":16,"default_branch":"main","last_synced_at":"2024-11-15T19:35:03.726Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/techservicesillinois.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-04-03T19:21:55.000Z","updated_at":"2024-11-15T18:50:55.000Z","dependencies_parsed_at":"2024-11-15T19:29:21.062Z","dependency_job_id":"fe33af42-cdee-4f2b-884e-63aeb2cf4dfe","html_url":"https://github.com/techservicesillinois/terraform-aws-cloudfront-distribution","commit_stats":null,"previous_names":[],"tags_count":22,"template":false,"template_full_name":null,"purl":"pkg:github/techservicesillinois/terraform-aws-cloudfront-distribution","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/techservicesillinois%2Fterraform-aws-cloudfront-distribution","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/techservicesillinois%2Fterraform-aws-cloudfront-distribution/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHu
b/repositories/techservicesillinois%2Fterraform-aws-cloudfront-distribution/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/techservicesillinois%2Fterraform-aws-cloudfront-distribution/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/techservicesillinois","download_url":"https://codeload.github.com/techservicesillinois/terraform-aws-cloudfront-distribution/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/techservicesillinois%2Fterraform-aws-cloudfront-distribution/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31409470,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T10:20:44.708Z","status":"ssl_error","status_checked_at":"2026-04-04T10:20:06.846Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-04T18:48:34.956Z","updated_at":"2026-04-04T18:48:35.711Z","avatar_url":"https://github.com/techservicesillinois.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cloudfront-distribution\n\n[![Terraform actions status](https://github.com/techservicesillinois/terraform-aws-cloudfront-distribution/workflows/terraform/badge.svg)](https://github.com/techservicesillinois/terraform-aws-cloudfront-distribution/actions)\n\nProvides a CloudFront distribution for 
static (read-only) content residing in a zone hosted in Route 53.\n\nThis module expects all content for the distribution to reside in an S3 bucket\nwhich is served by CloudFront. Authorized administrators and applications can manage\nthis content through the Amazon S3 API (including the AWS command line interface (CLI)).\n\nThis module supports multiple distinct CloudFront distributions sharing a single S3 bucket, with each distribution rooted at a top-level key within the shared bucket.\nBy default, the *prefix* – the top-level key referred to above – is the distribution's fully-qualified domain name (FQDN) prefixed with the first four hexadecimal digits of the MD5 checksum computed from that FQDN.\n\nThe intent of this hash was to improve performance based on [recommendations to optimize for legacy S3 behavior](https://aws.amazon.com/blogs/aws/amazon-s3-performance-tips-tricks-seattle-hiring-event/). Current [best practices for optimizing S3 performance](https://docs.aws.amazon.com/whitepapers/latest/s3-optimizing-performance-best-practices/introduction.html) no longer require this prefix.\n\nBy default, an ACM certificate and Route 53 alias for the hostname\nare created in the zone determined by the user-supplied Route 53 domain.\nIn addition, requests ending in `/` have `index.html` appended and are redirected\nby using the\n[cloudfront-directory-index](https://github.com/techservicesillinois/terraform-aws-cloudfront-lambda-directory-index) lambda function. This default behavior can be overridden.\n\nExample Usage\n-----------------\n\n### Server FQDN of `www.foo.com` (record within zone)\n\nThis example creates a CloudFront distribution, and a Route 53 alias record to\nallow the CloudFront content to be referenced by the FQDN `www.foo.com`.\nPresumably additional Route 53 records reside in the `foo.com` zone.\nIn this case, the module creates a Route 53 alias record `www` that resides in zone `foo.com`. 
The FQDN is formed by concatenating the hostname with the name of the zone.\n\n```hcl\nmodule \"foo\" {\n  source = \"git@github.com:techservicesillinois/terraform-aws-cloudfront-distribution\"\n\n  domain   = \"foo.com\"\n  hostname = \"www\"\n\n  aliases                     = [ \"static.foo.com\", \"bar.foo.com\", \"foo.com\" ]\n  bucket                      = \"some-S3-bucket\"\n  origin_access_identity_path = \"origin-access-identity/cloudfront/QA0DOUCO4WRZ2\"\n}\n```\n\n### Server FQDN is `bar.com` (record at apex of zone)\n\nThis example creates a CloudFront distribution which is referenced by the FQDN\n`bar.com`. This is said to be the *apex* of the zone, so in this case, we either omit the hostname or explicitly assign it a `null` value.\n\n```hcl\nmodule \"bar\" {\n  source = \"git@github.com:techservicesillinois/terraform-aws-cloudfront-distribution\"\n\n  domain   = \"bar.com\"\n  hostname = null        # Explicitly omit hostname.\n\n  bucket                      = \"some-S3-bucket\"\n  origin_access_identity_path = \"origin-access-identity/cloudfront/QA0DOUCO4WRZ2\"\n\n  lambda_function_association = {\n    origin-request = {\n      name    = \"cloudfront-directory-index\",\n      version = 4\n    }\n  }\n}\n```\n\n### HTTP basic authentication for `www.foo.com`\n\nThis example creates a distribution that is password-protected with\n[HTTP basic authentication](https://tools.ietf.org/html/rfc7617).\nThe usernames and passwords are stored in a DynamoDB table in the same\nregion as the CloudFront distribution itself. DynamoDB replicas are\ndeployed in the regions specified (e.g. `us-east-1`, `us-east-2`,\n`us-west-1`, `us-west-2`).\n\nThis example uses geo restrictions to prevent access from outside the\nUnited States. **NOTE:** Regardless of geo restrictions, the Lambda@Edge\ninvocation can occasionally take place in regions other than those\nspecified if Amazon's algorithms route traffic there. 
Specify a wildcard `[\"*\"]`\nto create DynamoDB replica tables in *all* supported (and opted-in) AWS regions.\n\nHTTP basic authentication is performed using the lambda function\n[cloudfront-basic-auth](https://github.com/techservicesillinois/terraform-aws-cloudfront-lambda-basic-auth), which must be deployed separately before being used.\n\nThis module version only supports [version 2019.11.21](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/globaltables.V2.html) of\nDynamoDB global tables.\n\n```hcl\nmodule \"foo\" {\n  source = \"git@github.com:techservicesillinois/terraform-aws-cloudfront-distribution\"\n\n  domain   = \"foo.com\"\n  hostname = \"www\"\n\n  bucket                      = \"some-S3-bucket\"\n  origin_access_identity_path = \"origin-access-identity/cloudfront/QA0DOUCO4WRZ2\"\n\n  basic_auth = {\n    regions = [\"us-east-1\", \"us-east-2\", \"us-west-1\", \"us-west-2\"]\n  }\n\n  geo_restriction = {\n    locations        = [\"US\"]\n    restriction_type = \"whitelist\"\n  }\n}\n```\n\nThis example deploys DynamoDB replica tables to all supported regions,\nand does not use geo restrictions.\n\n```hcl\nmodule \"foo\" {\n  source = \"git@github.com:techservicesillinois/terraform-aws-cloudfront-distribution\"\n\n  domain                      = \"www.foo.com\"\n  bucket                      = \"some-S3-bucket\"\n  origin_access_identity_path = \"origin-access-identity/cloudfront/QA0DOUCO4WRZ2\"\n\n  basic_auth = {\n    regions = [\"*\"]\n  }\n}\n```\n\n**NOTE:** Regardless of whether Lambda@Edge functions are defined for a CloudFront\ndistribution, the ACM certificate is searched for or created in the `us-east-1` region,\nand the ACM certificate validation resource must reside there as well. 
You will *not*\nfind these resources in the AWS console, CLI, or API unless you issue the request\nin the `us-east-1` region.\n\nArgument Reference\n-----------------\n\nThe following arguments are supported:\n\n* `aliases` - (Optional) Extra hostnames handled by the distribution.\n\n* `basic_auth` - (Optional) [HTTP basic authentication](#basic_auth) block.\n\n* `bucket` - (Required) S3 bucket used as the CloudFront origin.\n\n* `create_acm_cert` - If false, do not create an ACM certificate for the `hostname` and `aliases` in `domain`. (Defaults to true.)\n\n* `create_route53_record` - If false, do not create a Route53 alias for the `hostname` in `domain`. (Defaults to true.)\n\n* `domain` - (Required) The primary domain used in the S3 prefix, to create a Route 53 record, and ACM certificate.\n\n* `enabled` - (Optional) Allow the distribution to accept requests. (Defaults to true).\n\n* `geo_restriction` - [Location restriction](#geo_restriction) block, controls the countries from which users may or may not access your content.\n\n* `hostname` - (Optional) The primary hostname used in the S3 prefix, to create a Route 53 record, and ACM certificate.\n\n* `lambda_function_association` - (Optional) A\n  [lambda\\_function\\_association](#lambda_function_association) block\n  defines specific Lambda@Edge functions to be invoked for particular actions.\n\n* `log_bucket` - (Optional) Log bucket (default is `uiuc-logs-account-region`.)\n\n* `origin_access_identity_path` - (Required) CloudFront origin access identity for the S3 bucket.\n\n* `origin_path` - (Optional) Set specific origin path within S3 bucket instead of default value derived from FQDN.\n\n* `price_class` - (Optional) Price class for this distribution. 
(Defaults to `PriceClass_All`.)\n\n* `redirect` - (Optional) Enables appending index.html to requests ending in a slash (Defaults to true).\n\n* `tags` - (Optional) Tags to be applied to resources where supported.\n\n* `ttl` - (Optional) A [time-to-live](#ttl) block.\n\nbasic\\_auth\n---------------------------\n\nA `basic_auth` block supports the following:\n\n* `regions` - A list of AWS region names in which to create DynamoDB table replicas. As a special case, a region list consisting of a single element containing the value \"*\" means that DynamoDB replica tables are deployed globally in all supported, opted-in\nregions.\n\n* `policy_name` - (Optional) The name of the IAM policy for the DynamoDB table.\n\nIf configured, the module will create a DynamoDB table named in a format\nlike `CloudFront-Basic-Auth-DistributionID`, with replicas in the regions\nspecified.\n\nDynamoDB is used to store username and password pairs used by the\nLambda@Edge function\n[cloudfront-basic-auth](https://github.com/techservicesillinois/terraform-aws-cloudfront-lambda-basic-auth) to perform HTTP basic authentication. 
**NOTE:** This lambda function must be deployed separately before creating a CloudFront distribution using\nHTTP basic authentication.\n\ngeo\\_restriction\n---------------------------\n\nA `geo_restriction` block controls the countries from which users are allowed to access your content (\"allow list\"), or the countries from which users are prevented from accessing your content (\"block list\").\nThe block consists of the following attributes:\n\n* `locations` - (Required) The [ISO\n3166-1-alpha-2](https://www.iso.org/iso-3166-country-codes.html)\ncodes for which you want CloudFront either to distribute your\ncontent (`whitelist`) or not distribute your content (`blacklist`).\n\n* `restriction_type` - (Required) The method that you want to use\nto restrict distribution of your content by country: `whitelist`,\n`blacklist`, or `none`.\n\nlambda\\_function\\_association\n---------------------------\n\nThe lambda\\_function\\_association block takes up to four\n[event](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-cloudfront-trigger-events.html)\nblocks. Valid values: `origin-request`, `origin-response`, `viewer-request`, `viewer-response`.\n\nThe arguments of each event block are:\n\n* `name` - (Required) Name of the lambda function.\n\n* `version` - (Optional) Alias name or version number of the lambda\nfunction.\n\n* `include_body` - (Optional) When true, the request body is exposed to the lambda function (Default: `false`)\n\nLambda@Edge allows you to associate an AWS lambda function with a predefined event.\nYou can associate a single function per event type. 
See\n[Customizing at the edge with Lambda@Edge](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-the-edge.html)\nfor more information.\n\nttl\n---------------------------\n\nA `ttl` block supports the following:\n\n* `default` - Default time to live (in seconds) for an object in a CloudFront cache.\n\n* `max` - Maximum time to live (in seconds) for an object in a CloudFront cache.\n\n* `min` - Minimum time to live (in seconds) for an object in a CloudFront cache.\n\nAttributes Reference\n--------------------\n\nThe following attributes are exported:\n\n* `certificate_arn` - ARN of ACM certificate attached to the CloudFront distribution.\n\n* `cloudfront_domain_name` - Full domain name of CloudFront distribution.\n\n* `dynamodb_table_name` - Name of the DynamoDB table holding credentials if configured for HTTP basic authentication.\n\n* `id` - CloudFront distribution ID.\n\n* `log_bucket` - Name of S3 bucket used for logging from distribution.\n\n* `s3_prefix` - Prefix of this distribution within the origin S3 bucket.\n\nCredits\n--------------------\n\n**Nota bene** the vast majority of the verbiage on this page was\ntaken directly from the Terraform manual, and in a few cases from\nAmazon's documentation.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftechservicesillinois%2Fterraform-aws-cloudfront-distribution","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftechservicesillinois%2Fterraform-aws-cloudfront-distribution","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftechservicesillinois%2Fterraform-aws-cloudfront-distribution/lists"}