https://github.com/launchbynttdata/tf-aws-module_primitive-cloudfront_distribution
https://github.com/launchbynttdata/tf-aws-module_primitive-cloudfront_distribution
Last synced: 6 days ago
JSON representation
- Host: GitHub
- URL: https://github.com/launchbynttdata/tf-aws-module_primitive-cloudfront_distribution
- Owner: launchbynttdata
- License: apache-2.0
- Created: 2024-04-17T19:43:32.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2024-05-08T20:44:35.000Z (about 2 years ago)
- Last Synced: 2024-05-08T21:45:48.669Z (about 2 years ago)
- Language: HCL
- Size: 107 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
Awesome Lists containing this project
README
# tf-aws-module_primitive-wafv2_web_acl_regional
[](https://opensource.org/licenses/Apache-2.0)
[](https://creativecommons.org/licenses/by-nc-nd/4.0/)
## Overview
Provides a Regional Web ACL for a WAFv2 Resource. To obtain a non-regional (CloudFront) Web ACL, use the global variant, [found here](https://github.com/launchbynttdata/tf-aws-module_primitive-wafv2_web_acl_global).
## Pre-Commit hooks
[.pre-commit-config.yaml](.pre-commit-config.yaml) file defines certain `pre-commit` hooks that are relevant to terraform, golang and common linting tasks. There are no custom hooks added.
`commitlint` hook enforces commit message in certain format. The commit contains the following structural elements, to communicate intent to the consumers of your commit messages:
- **fix**: a commit of the type `fix` patches a bug in your codebase (this correlates with PATCH in Semantic Versioning).
- **feat**: a commit of the type `feat` introduces a new feature to the codebase (this correlates with MINOR in Semantic Versioning).
- **BREAKING CHANGE**: a commit that has a footer `BREAKING CHANGE:`, or appends a `!` after the type/scope, introduces a breaking API change (correlating with MAJOR in Semantic Versioning). A BREAKING CHANGE can be part of commits of any type.
footers other than BREAKING CHANGE: may be provided and follow a convention similar to git trailer format.
- **build**: a commit of the type `build` adds changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
- **chore**: a commit of the type `chore` adds changes that don't modify src or test files
- **ci**: a commit of the type `ci` adds changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
- **docs**: a commit of the type `docs` adds documentation only changes
- **perf**: a commit of the type `perf` adds code change that improves performance
- **refactor**: a commit of the type `refactor` adds code change that neither fixes a bug nor adds a feature
- **revert**: a commit of the type `revert` reverts a previous commit
- **style**: a commit of the type `style` adds code changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
- **test**: a commit of the type `test` adds missing tests or correcting existing tests
Base configuration used for this project is [commitlint-config-conventional (based on the Angular convention)](https://github.com/conventional-changelog/commitlint/tree/master/@commitlint/config-conventional#type-enum)
If you are a developer using vscode, [this](https://marketplace.visualstudio.com/items?itemName=joshbolduc.commitlint) plugin may be helpful.
`detect-secrets-hook` prevents new secrets from being introduced into the baseline. TODO: INSERT DOC LINK ABOUT HOOKS
In order for `pre-commit` hooks to work properly
- You need to have the pre-commit package manager installed. [Here](https://pre-commit.com/#install) are the installation instructions.
- `pre-commit` would install all the hooks when commit message is added by default except for `commitlint` hook. `commitlint` hook would need to be installed manually using the command below
```
pre-commit install --hook-type commit-msg
```
## To test the resource group module locally
1. For development/enhancements to this module locally, you'll need to install all of its components. This is controlled by the `configure` target in the project's [`Makefile`](./Makefile). Before you can run `configure`, familiarize yourself with the variables in the `Makefile` and ensure they're pointing to the right places.
```
make configure
```
This adds in several files and directories that are ignored by `git`. They expose many new Make targets.
2. _THIS STEP APPLIES ONLY TO MICROSOFT AZURE. IF YOU ARE USING A DIFFERENT PLATFORM PLEASE SKIP THIS STEP._ The first target you care about is `env`. This is the common interface for setting up environment variables. The values of the environment variables will be used to authenticate with cloud provider from local development workstation.
`make configure` command will bring down `azure_env.sh` file on local workstation. Devloper would need to modify this file, replace the environment variable values with relevant values.
These environment variables are used by `terratest` integration suit.
Service principle used for authentication(value of ARM_CLIENT_ID) should have below privileges on resource group within the subscription.
```
"Microsoft.Resources/subscriptions/resourceGroups/write"
"Microsoft.Resources/subscriptions/resourceGroups/read"
"Microsoft.Resources/subscriptions/resourceGroups/delete"
```
Then run this make target to set the environment variables on developer workstation.
```
make env
```
3. The first target you care about is `check`.
**Pre-requisites**
Before running this target it is important to ensure that, developer has created files mentioned below on local workstation under root directory of git repository that contains code for primitives/segments. Note that these files are `azure` specific. If primitive/segment under development uses any other cloud provider than azure, this section may not be relevant.
- A file named `provider.tf` with contents below
```
provider "azurerm" {
features {}
}
```
- A file named `terraform.tfvars` which contains key value pair of variables used.
Note that since these files are added in `gitignore` they would not be checked in into primitive/segment's git repo.
After creating these files, for running tests associated with the primitive/segment, run
```
make check
```
If `make check` target is successful, developer is good to commit the code to primitive/segment's git repo.
`make check` target
- runs `terraform commands` to `lint`,`validate` and `plan` terraform code.
- runs `conftests`. `conftests` make sure `policy` checks are successful.
- runs `terratest`. This is integration test suit.
- runs `opa` tests
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | ~> 1.0 |
| [aws](#requirement\_aws) | ~> 5.0 |
| [random](#requirement\_random) | ~> 3.6 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | 5.73.0 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_cloudfront_distribution.cloudfront_distribution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [aliases](#input\_aliases) | Extra CNAMEs (alternate domain names), if any, for this distribution. | `list(string)` | `[]` | no |
| [comment](#input\_comment) | Any comments you want to include about the distribution. | `string` | `null` | no |
| [continuous\_deployment\_policy\_id](#input\_continuous\_deployment\_policy\_id) | Identifier of a continuous deployment policy. This argument should only be set on a production distribution. See the aws\_cloudfront\_continuous\_deployment\_policy resource for additional details: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_continuous_deployment_policy | `string` | `null` | no |
| [custom\_error\_response](#input\_custom\_error\_response) | One or more custom error response elements. |
list(object({
error_caching_min_ttl = optional(number, null)
error_code = number
response_code = optional(number, null)
response_page_path = optional(string, null)
})) | `[]` | no |
| [default\_cache\_behavior](#input\_default\_cache\_behavior) | Default cache behavior for this distribution. | object({
allowed_methods = optional(list(string), ["GET", "HEAD", "OPTIONS"])
cached_methods = optional(list(string), ["GET", "HEAD"])
cache_policy_id = string
compress = optional(bool, false)
default_ttl = optional(number, null)
field_level_encryption_id = optional(string, null)
lambda_function_association = optional(list(object({
event_type = string
function_arn = string
})), [])
function_association = optional(list(object({
event_type = string
function_arn = string
})), [])
max_ttl = optional(number, null)
min_ttl = optional(number, null)
origin_request_policy_id = optional(string, null)
realtime_log_config_arn = optional(string, null)
response_headers_policy_id = optional(string, null)
smooth_streaming = optional(bool, null)
target_origin_id = string
trusted_key_groups = optional(list(string), [])
trusted_signers = optional(list(string), [])
viewer_protocol_policy = optional(string, "redirect-to-https")
}) | n/a | yes |
| [default\_root\_object](#input\_default\_root\_object) | Object that you want CloudFront to return (e.g. `index.html`) when an end user requests the root URL. | `string` | `null` | no |
| [enabled](#input\_enabled) | Whether the distribution is enabled to accept end user requests for content. Defaults to `true`. | `bool` | `true` | no |
| [is\_ipv6\_enabled](#input\_is\_ipv6\_enabled) | Whether the IPv6 is enabled for the distribution. Defaults to `false`. | `bool` | `false` | no |
| [http\_version](#input\_http\_version) | Maximum HTTP version to support on the distribution. Allowed values are `http1.1`, `http2`, `http2and3` and `http3`. The default is `http2`. | `string` | `"http2"` | no |
| [logging\_config](#input\_logging\_config) | The logging configuration that controls how logs are written to your distribution. | object({
bucket = string
include_cookies = optional(bool, false)
prefix = optional(string, null)
}) | `null` | no |
| [ordered\_cache\_behavior](#input\_ordered\_cache\_behavior) | Ordered list of cache behaviors resource for this distribution. List from top to bottom in order of precedence. The topmost cache behavior will have precedence 0. | list(object({
allowed_methods = optional(list(string), ["GET", "HEAD", "OPTIONS"])
cached_methods = optional(list(string), ["GET", "HEAD"])
cache_policy_id = optional(string, null)
compress = optional(bool, false)
default_ttl = optional(number, null)
field_level_encryption_id = optional(string, null)
lambda_function_association = optional(list(object({
event_type = string
function_arn = string
include_body = optional(bool, false)
})), [])
function_association = optional(list(object({
event_type = string
function_arn = string
})), [])
max_ttl = optional(number, null)
min_ttl = optional(number, null)
origin_request_policy_id = optional(string, null)
path_pattern = optional(string, null)
realtime_log_config_arn = optional(string, null)
response_headers_policy_id = optional(string, null)
smooth_streaming = optional(bool, null)
target_origin_id = string
trusted_key_groups = optional(list(string), [])
trusted_signers = optional(list(string), [])
viewer_protocol_policy = optional(string, "redirect-to-https")
})) | `[]` | no |
| [origin](#input\_origin) | Map of origins for this distribution. | map(object({
connection_attempts = optional(number, 3)
connection_timeout = optional(number, 10)
custom_origin_config = optional(object({
http_port = number
https_port = number
origin_protocol_policy = optional(string, "https-only")
origin_ssl_protocols = optional(list(string), ["TLSv1.2"])
}), null)
domain_name = string
custom_header = optional(list(object({
name = string
value = string
})), [])
origin_access_control_id = optional(string, null)
origin_path = optional(string, null)
origin_shield = optional(object({
enabled = bool
origin_shield_region = string
}), null)
s3_origin_config = optional(object({
origin_access_identity = string
}), null)
})) | n/a | yes |
| [price\_class](#input\_price\_class) | Price class for this distribution. One of `PriceClass_All`, `PriceClass_100`, `PriceClass_200`. Defaults to `PriceClass_All`. | `string` | `"PriceClass_All"` | no |
| [geo\_restrictions\_locations](#input\_geo\_restrictions\_locations) | ISO 3166-1-alpha-2 codes for which you want CloudFront either to distribute your content (`whitelist`) or not distribute your content (`blacklist`). If the type is specified as `none` an empty array can be used (default). | `list(string)` | `[]` | no |
| [geo\_restrictions\_type](#input\_geo\_restrictions\_type) | Method that you want to use to restrict distribution of your content by country: `none`, `whitelist`, or `blacklist`. | `string` | `"none"` | no |
| [staging](#input\_staging) | A Boolean that indicates whether this is a staging distribution. Defaults to `false`. | `bool` | `false` | no |
| [tags](#input\_tags) | Map of key-value pairs to associate with the resource. | `map(string)` | `{}` | no |
| [viewer\_certificate](#input\_viewer\_certificate) | The SSL configuration for this distribution. Will use the cloudfront\_default\_certificate unless `acm_certificate_arn` or `iam_certificate_id` are specified (pick one; do not specify both). For specifics on configuration of minimum protocol versions, see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#viewer-certificate-arguments. | object({
acm_certificate_arn = optional(string, null)
iam_certificate_id = optional(string, null)
minimum_protocol_version = optional(string, "TLSv1")
ssl_support_method = optional(string, "sni-only")
}) | {
"acm_certificate_arn": null,
"iam_certificate_id": null,
"minimum_protocol_version": "TLSv1",
"ssl_support_method": null
} | no |
| [web\_acl\_id](#input\_web\_acl\_id) | Unique identifier that specifies the AWS WAF web ACL, if any, to associate with this distribution. To specify a web ACL created using the latest version of AWS WAF (WAFv2), use the ACL ARN, for example aws\_wafv2\_web\_acl.example.arn. To specify a web ACL created using AWS WAF Classic, use the ACL ID, for example aws\_waf\_web\_acl.example.id. The WAF Web ACL must exist in the WAF Global (CloudFront) region and the credentials configuring this argument must have waf:GetWebACL permissions assigned. | `string` | `null` | no |
| [retain\_on\_delete](#input\_retain\_on\_delete) | Disables the distribution instead of deleting it when destroying the resource through Terraform. If this is set, the distribution needs to be deleted manually afterwards. Default: `false`. | `bool` | `false` | no |
| [wait\_for\_deployment](#input\_wait\_for\_deployment) | If enabled, the resource will wait for the distribution status to change from `InProgress` to `Deployed`. Setting this to `false` will skip the process. Default: `true`. | `bool` | `true` | no |
## Outputs
| Name | Description |
|------|-------------|
| [cloudfront\_distribution\_id](#output\_cloudfront\_distribution\_id) | The ID of the CloudFront Distribution. |
| [cloudfront\_distribution\_arn](#output\_cloudfront\_distribution\_arn) | The ARN of the CloudFront Distribution. |
| [cloudfront\_distribution\_status](#output\_cloudfront\_distribution\_status) | The deployment status of the CloudFront Distribution. |
| [cloudfront\_distribution\_domain\_name](#output\_cloudfront\_distribution\_domain\_name) | The Domain Name of the CloudFront Distribution. |
| [cloudfront\_distribution\_hosted\_zone\_id](#output\_cloudfront\_distribution\_hosted\_zone\_id) | The Hosted Zone ID of the CloudFront Distribution. |