https://github.com/ministryofjustice/cloud-platform-terraform-cloudfront
CloudFront distribution for use on the Cloud Platform
- Host: GitHub
- URL: https://github.com/ministryofjustice/cloud-platform-terraform-cloudfront
- Owner: ministryofjustice
- License: mit
- Created: 2022-11-30T17:39:46.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2025-12-02T16:07:12.000Z (7 months ago)
- Last Synced: 2025-12-03T21:55:25.671Z (7 months ago)
- Topics: cloud-platform-engineering
- Language: HCL
- Homepage:
- Size: 86.9 KB
- Stars: 1
- Watchers: 2
- Forks: 3
- Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# cloud-platform-terraform-cloudfront
This Terraform module creates an [Amazon CloudFront](https://aws.amazon.com/cloudfront/) distribution in front of an S3 origin, for use on the Cloud Platform.
## Usage
```hcl
module "cloudfront" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-cloudfront?ref=version" # use the latest release

  # Configuration
  bucket_id          = module.s3.bucket_name
  bucket_domain_name = module.s3.bucket_domain_name

  # Tags
  business_unit          = var.business_unit
  application            = var.application
  is_production          = var.is_production
  team_name              = var.team_name
  namespace              = var.namespace
  environment_name       = var.environment
  infrastructure_support = var.infrastructure_support
  service_area           = var.service_area

  # Ordered cache behaviors (optional)
  enable_ordered_cache_behavior = true # Default is false
  ordered_cache_behavior = {
    path_pattern = "/images/*"
    # Optional parameters
    # cache_policy_id = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad" ### CachingDisabled
  }
}
```
See the [examples/](examples/) folder for more information.
The cache policy ID can be changed to match your requirements; see the AWS documentation on [CloudFront cache policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache.html#cache-policy-overview):
- [Main Cache Policy Documentation](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html)
- [Using Managed Cache Policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html)
- [List of AWS Managed Cache Policies (with IDs)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html#managed-cache-policies-list)
- [Creating Custom Cache Policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cache-key-create-cache-policy.html)
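The following is an added, fuller example of wiring this module into a namespace; it is not taken from the module's `examples/` folder. It exercises the documented inputs for a custom hostname (`aliases`, `aliases_cert_arn`), signed-URL access (`trusted_public_keys`), an ordered cache behaviour with an AWS managed cache policy, and the module's outputs for a Route 53 alias record. Assumed, and not part of the module: the `module.s3` outputs from the Usage section, a Route 53 hosted zone `example.service.justice.gov.uk`, the hostname `assets.example.service.justice.gov.uk`, and a `signing_public_key.pem` file you generate locally. Two facts worth knowing before copying it: CloudFront only accepts ACM certificates issued in `us-east-1`, whatever region the rest of the stack uses, and a Route 53 alias to a CloudFront distribution must set `evaluate_target_health = false`.

```hcl
# Added example, not the module's own code. Generate the signing key pair with:
#   openssl genrsa -out signing_private_key.pem 2048
#   openssl rsa -pubout -in signing_private_key.pem -out signing_public_key.pem
# Only the public half is given to CloudFront; keep the private key out of git
# and in a secret store, where your URL-signing service reads it.

# CloudFront requires the viewer certificate to live in us-east-1.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

data "aws_route53_zone" "this" {
  name = "example.service.justice.gov.uk." # assumed zone
}

resource "aws_acm_certificate" "cdn" {
  provider          = aws.us_east_1
  domain_name       = "assets.example.service.justice.gov.uk" # assumed hostname
  validation_method = "DNS"
}

module "cloudfront" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-cloudfront?ref=version" # pin to a release tag

  bucket_id          = module.s3.bucket_name
  bucket_domain_name = module.s3.bucket_domain_name

  # Serve on a custom hostname with its own certificate.
  aliases          = ["assets.example.service.justice.gov.uk"]
  aliases_cert_arn = aws_acm_certificate.cdn.arn

  default_root_object = "index.html"
  price_class         = "PriceClass_100" # edge locations in NA/EU only; cheaper than PriceClass_All

  # Viewers must present a URL or cookie signed with this key pair; the module
  # registers the public key and places it in a CloudFront key group.
  trusted_public_keys = [
    {
      encoded_key = file("${path.module}/signing_public_key.pem")
      comment     = "assets-signing-key"
      associate   = true
    }
  ]

  # Cache images aggressively under /images/*, independently of the default behaviour.
  # With a cache policy set, leave the TTL fields unset: they come from the policy.
  enable_ordered_cache_behavior = true
  ordered_cache_behavior = {
    path_pattern    = "/images/*"
    allowed_methods = ["GET", "HEAD"]
    cached_methods  = ["GET", "HEAD"]
    compress        = true
    cache_policy_id = "658327ea-f89d-4fab-a63d-7e88639e58f6" # AWS managed CachingOptimized
  }

  # Tags (required)
  business_unit          = var.business_unit
  application            = var.application
  is_production          = var.is_production
  team_name              = var.team_name
  namespace              = var.namespace
  environment_name       = var.environment
  infrastructure_support = var.infrastructure_support
  service_area           = var.service_area
}

# Point the hostname at the distribution using the module's outputs.
resource "aws_route53_record" "cdn" {
  zone_id = data.aws_route53_zone.this.zone_id
  name    = "assets.example.service.justice.gov.uk"
  type    = "A"

  alias {
    name                   = module.cloudfront.cloudfront_url
    zone_id                = module.cloudfront.cloudfront_hosted_zone_id
    evaluate_target_health = false # required for CloudFront alias targets
  }
}

# The key-pair IDs your signing service needs alongside the private key.
output "signing_public_key_ids" {
  value = module.cloudfront.cloudfront_public_keys
}
```

Because `attach_bucket_policy` defaults to `true`, the module also writes the S3 bucket policy that lets the distribution read from the bucket; if you set it to `false` you must grant that access yourself, otherwise the distribution will return 403 for every object.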
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.2.5 |
| [aws](#requirement\_aws) | >= 4.0.0 |
| [random](#requirement\_random) | >= 3.0.0 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 4.0.0 |
| [random](#provider\_random) | >= 3.0.0 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_cloudfront_distribution.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
| [aws_cloudfront_key_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_key_group) | resource |
| [aws_cloudfront_origin_access_control.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
| [aws_cloudfront_public_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_public_key) | resource |
| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [random_id.id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_ssm_parameter.prisoner_content_hub](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [aliases](#input\_aliases) | Extra CNAMEs (alternate domain names), if any, for this distribution. | `list(string)` | `[]` | no |
| [aliases\_cert\_arn](#input\_aliases\_cert\_arn) | ACM certificate ARN for the aliases | `string` | `null` | no |
| [application](#input\_application) | Application name | `string` | n/a | yes |
| [attach\_bucket\_policy](#input\_attach\_bucket\_policy) | Whether to attach the generated bucket policy to the origin bucket | `bool` | `true` | no |
| [bucket\_domain\_name](#input\_bucket\_domain\_name) | S3 bucket domain name to serve content from | `string` | n/a | yes |
| [bucket\_id](#input\_bucket\_id) | S3 bucket ID to serve content from (used to automatically create the appropriate policy) | `string` | n/a | yes |
| [business\_unit](#input\_business\_unit) | Area of the MOJ responsible for the service | `string` | n/a | yes |
| [custom\_error\_response](#input\_custom\_error\_response) | One or more custom error response elements | `list(any)` | `[]` | no |
| [default\_cache\_behavior](#input\_default\_cache\_behavior) | Default cache behaviour | `map(any)` | `{}` | no |
| [default\_root\_object](#input\_default\_root\_object) | Object that you want CloudFront to return (for example, index.html) when an end user requests the root URL. | `string` | `null` | no |
| [enable\_ordered\_cache\_behavior](#input\_enable\_ordered\_cache\_behavior) | Whether to enable ordered cache behavior | `bool` | `false` | no |
| [environment\_name](#input\_environment\_name) | Environment name | `string` | n/a | yes |
| [geo\_restriction](#input\_geo\_restriction) | Geographical restrictions | `map(any)` | `{}` | no |
| [infrastructure\_support](#input\_infrastructure\_support) | The team responsible for managing the infrastructure. Should be of the form `<team-name> (<team-email>)` | `string` | n/a | yes |
| [ip\_allow\_listing\_environment](#input\_ip\_allow\_listing\_environment) | [Prisoner Content Hub only]: specify the environment name to restrict CloudFront to a preset IP allow-list, either `development`, `staging`, `production`. Leave empty for unrestricted access. | `string` | `null` | no |
| [is\_production](#input\_is\_production) | Whether this is used for production or not | `string` | n/a | yes |
| [namespace](#input\_namespace) | Namespace name | `string` | n/a | yes |
| [opt\_in\_xsiam\_logging](#input\_opt\_in\_xsiam\_logging) | If true, send CloudFront logs to an S3 bucket and forward them to Cortex XSIAM. | `bool` | `false` | no |
| [ordered\_cache\_behavior](#input\_ordered\_cache\_behavior) | Ordered cache behavior configuration. Must include path\_pattern. Optional: allowed\_methods, cached\_methods, compress, default\_ttl, max\_ttl, min\_ttl, cache\_policy\_id, response\_headers\_policy\_id | `map(any)` | `{}` | no |
| [origin](#input\_origin) | Origin configuration (origin.connection\_attempts, origin.connection\_timeout) | `map(any)` | `{}` | no |
| [price\_class](#input\_price\_class) | Price Class to use | `string` | `"PriceClass_All"` | no |
| [service\_area](#input\_service\_area) | The MOJ service area this application supports | `string` | n/a | yes |
| [team\_name](#input\_team\_name) | Team name | `string` | n/a | yes |
| [trusted\_public\_keys](#input\_trusted\_public\_keys) | Public key in PEM format, including the `-----BEGIN PUBLIC KEY-----` and `-----END PUBLIC KEY-----` lines. Optional comment. | `list(object({ encoded_key = string, comment = string, associate = bool }))` | `[]` | no |
## Outputs
| Name | Description |
|------|-------------|
| [cloudfront\_hosted\_zone\_id](#output\_cloudfront\_hosted\_zone\_id) | The CloudFront Route 53 zone ID |
| [cloudfront\_public\_keys](#output\_cloudfront\_public\_keys) | The CloudFront public key IDs, keyed by the public key's comment; defaults to the first 8 characters of its SHA-256 hash. |
| [cloudfront\_url](#output\_cloudfront\_url) | The CloudFront distribution domain name |
## Tags
Some of the inputs for this module are tags. All infrastructure resources must be tagged to meet the MOJ Technical Guidance on [Documenting owners of infrastructure](https://technical-guidance.service.justice.gov.uk/documentation/standards/documenting-infrastructure-owners.html).
You should use your namespace variables to populate these. See the [Usage](#usage) section for more information.
## Reading Material
- [Cloud Platform user guide](https://user-guide.cloud-platform.service.justice.gov.uk/#cloud-platform-user-guide)
- [Amazon CloudFront developer guide](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html)