diff --git a/docs/resources/cloudfront_distribution.md b/docs/resources/cloudfront_distribution.md
index 463e43b57..49f0e28b6 100644
--- a/docs/resources/cloudfront_distribution.md
+++ b/docs/resources/cloudfront_distribution.md
@@ -1,5 +1,4 @@
 ---
-# generated by https://github.com/hashicorp/terraform-plugin-docs
 page_title: "awscc_cloudfront_distribution Resource - terraform-provider-awscc"
 subcategory: ""
 description: |-
@@ -10,7 +9,194 @@ description: |- Resource Type definition for AWS::CloudFront::Distribution +## Example Usage + +### Cloudfront Distribution with S3 Origin using Origin Access Control + +```terraform +# S3 Bucket Origin with bucket policy to Origin Access Control +resource "aws_s3_bucket" "s3_origin" { + bucket = "sampleawsccbucket345" +} + +# Block public access to S3 bucket +resource "aws_s3_bucket_public_access_block" "s3_block_public_access" { + bucket = aws_s3_bucket.s3_origin.id + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} + +# Attach bucket policy with object access to cloudfront origin +resource "aws_s3_bucket_policy" "allow_access_from_cloudfront" { + bucket = aws_s3_bucket.s3_origin.id + policy = data.aws_iam_policy_document.bucket_policy.json +} + +# IAM policy document to allow S3 bucket read access to cloudfront origin access control +data "aws_iam_policy_document" "bucket_policy" { + statement { + principals { + type = "Service" + identifiers = ["cloudfront.amazonaws.com"] + } + effect = "Allow" + actions = [ + "s3:GetObject", + ] + resources = [ + "arn:aws:s3:::${aws_s3_bucket.s3_origin.id}/*" + ] + condition { + test = "StringEquals" + variable = "aws:SourceArn" + values = ["arn:aws:cloudfront::111111111111:distribution/${awscc_cloudfront_distribution.cloudfront_s3_origin.id}"] + } + } +} + +# Cloudfront origin access control using AWSCC provider +resource "awscc_cloudfront_origin_access_control" "cf_oac" { + origin_access_control_config = { + name = "sample-oac" + description = "Sample Origin Access Control Setting using AWSCC" + origin_access_control_origin_type = "s3" + signing_behavior = "always" + signing_protocol = "sigv4" + } +} + +# Cloudfront distribution with S3 origin using AWSCC provider +resource "awscc_cloudfront_distribution" "cloudfront_s3_origin" { + distribution_config = { + enabled = true + compress = true + default_root_object = "index.html" + comment = 
"Sample Cloudfront Distribution using AWSCC provider" + default_cache_behavior = { + target_origin_id = aws_s3_bucket.s3_origin.id + viewer_protocol_policy = "redirect-to-https" + allowed_methods = ["GET", "HEAD", "OPTIONS"] + cached_methods = ["GET", "HEAD", "OPTIONS"] + min_ttl = 0 + default_ttl = 5 * 60 + max_ttl = 60 * 60 + } + restrictions = { + geo_restriction = { + restriction_type = "none" + } + } + viewer_certificate = { + cloudfront_default_certificate = true + minimum_protocol_version = "TLSv1.2_2018" + } + s3_origin = { + dns_name = aws_s3_bucket.s3_origin.bucket_regional_domain_name + } + origins = [{ + domain_name = aws_s3_bucket.s3_origin.bucket_regional_domain_name + id = "SampleCloudfrontOrigin" + origin_access_control_id = awscc_cloudfront_origin_access_control.cf_oac.id + }] + } + tags = [{ + key = "Name" + value = "Cloudfront Distribution with S3 Origin" + }] +} +``` +### Cloudfront Distribution with S3 Origin using Origin Access Identity + +```terraform +# S3 Bucket Origin with bucket policy to Origin Access Control +resource "aws_s3_bucket" "s3_origin" { + bucket = "sampleawsccbucket345" +} + +# Block public access to S3 bucket +resource "aws_s3_bucket_public_access_block" "s3_block_public_access" { + bucket = aws_s3_bucket.s3_origin.id + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} + +# Attach bucket policy with object access to cloudfront origin +resource "aws_s3_bucket_policy" "allow_access_from_cloudfront" { + bucket = aws_s3_bucket.s3_origin.id + policy = data.aws_iam_policy_document.bucket_policy.json +} + +# IAM policy document to allow S3 bucket read access to cloudfront origin access identity +data "aws_iam_policy_document" "bucket_policy" { + statement { + principals { + type = "CanonicalUser" + identifiers = [awscc_cloudfront_cloudfront_origin_access_identity.cf_oai.s3_canonical_user_id] + } + effect = "Allow" + actions = [ + "s3:GetObject", + ] + resources = [ 
+ "arn:aws:s3:::${aws_s3_bucket.s3_origin.id}/*" + ] + } +} + +# Cloudfront origin access identity +resource "awscc_cloudfront_cloudfront_origin_access_identity" "cf_oai" { + cloudfront_origin_access_identity_config = { + comment = "SampleCloudFrontOAI" + } +} + +# Cloudfront distribution with S3 origin using AWSCC provider +resource "awscc_cloudfront_distribution" "cloudfront_s3_origin" { + distribution_config = { + enabled = true + compress = true + default_root_object = "index.html" + comment = "Sample Cloudfront Distribution using AWSCC provider" + default_cache_behavior = { + target_origin_id = aws_s3_bucket.s3_origin.id + viewer_protocol_policy = "redirect-to-https" + allowed_methods = ["GET", "HEAD", "OPTIONS"] + cached_methods = ["GET", "HEAD", "OPTIONS"] + min_ttl = 0 + default_ttl = 5 * 60 + max_ttl = 60 * 60 + } + restrictions = { + geo_restriction = { + restriction_type = "none" + } + } + viewer_certificate = { + cloudfront_default_certificate = true + minimum_protocol_version = "TLSv1.2_2018" + } + s3_origin = { + dns_name = aws_s3_bucket.s3_origin.bucket_regional_domain_name + } + origins = [{ + domain_name = aws_s3_bucket.s3_origin.bucket_regional_domain_name + id = "SampleCloudfrontOrigin" + s3_origin_config = { + origin_access_identity = awscc_cloudfront_cloudfront_origin_access_identity.cf_oai.id + } + }] + } + tags = [{ + key = "Name" + value = "Cloudfront Distribution with S3 Origin" + }] +} +``` ## Schema @@ -426,4 +612,4 @@ Import is supported using the following syntax: ```shell $ terraform import awscc_cloudfront_distribution.example -``` +``` \ No newline at end of file diff --git a/examples/resources/awscc_cloudfront_distribution/cloudfront_with_s3_origin_oac.tf b/examples/resources/awscc_cloudfront_distribution/cloudfront_with_s3_origin_oac.tf new file mode 100644 index 000000000..82194da00 --- /dev/null +++ b/examples/resources/awscc_cloudfront_distribution/cloudfront_with_s3_origin_oac.tf 
@@ -0,0 +1,92 @@
+# S3 Bucket Origin with bucket policy to Origin Access Control
+resource "aws_s3_bucket" "s3_origin" {
+ bucket = "sampleawsccbucket345"
+}
+
+# Block public access to S3 bucket
+resource "aws_s3_bucket_public_access_block" "s3_block_public_access" {
+ bucket = aws_s3_bucket.s3_origin.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+# Attach bucket policy with object access to cloudfront origin
+resource "aws_s3_bucket_policy" "allow_access_from_cloudfront" {
+ bucket = aws_s3_bucket.s3_origin.id
+ policy = data.aws_iam_policy_document.bucket_policy.json
+}
+
+# IAM policy document to allow S3 bucket read access to cloudfront origin access control
+data "aws_iam_policy_document" "bucket_policy" {
+ statement {
+ principals {
+ type = "Service"
+ identifiers = ["cloudfront.amazonaws.com"]
+ }
+ effect = "Allow"
+ actions = [
+ "s3:GetObject",
+ ]
+ resources = [
+ "arn:aws:s3:::${aws_s3_bucket.s3_origin.id}/*"
+ ]
+ condition {
+ test = "StringEquals"
+ variable = "aws:SourceArn"
+ values = ["arn:aws:cloudfront::111111111111:distribution/${awscc_cloudfront_distribution.cloudfront_s3_origin.id}"]
+ }
+ }
+}
+
+# Cloudfront origin access control using AWSCC provider
+resource "awscc_cloudfront_origin_access_control" "cf_oac" {
+ origin_access_control_config = {
+ name = "sample-oac"
+ description = "Sample Origin Access Control Setting using AWSCC"
+ origin_access_control_origin_type = "s3"
+ signing_behavior = "always"
+ signing_protocol = "sigv4"
+ }
+}
+
+# Cloudfront distribution with S3 origin using AWSCC provider
+resource "awscc_cloudfront_distribution" "cloudfront_s3_origin" {
+ distribution_config = {
+ enabled = true
+ compress = true
+ default_root_object = "index.html"
+ comment = "Sample Cloudfront Distribution using AWSCC provider"
+ default_cache_behavior = {
+ target_origin_id = aws_s3_bucket.s3_origin.id
+ viewer_protocol_policy = "redirect-to-https"
+ allowed_methods = ["GET", "HEAD", "OPTIONS"]
+ cached_methods = ["GET", "HEAD", "OPTIONS"]
+ min_ttl = 0
+ default_ttl = 5 * 60
+ max_ttl = 60 * 60
+ }
+ restrictions = {
+ geo_restriction = {
+ restriction_type = "none"
+ }
+ }
+ viewer_certificate = {
+ cloudfront_default_certificate = true
+ minimum_protocol_version = "TLSv1.2_2018"
+ }
+ s3_origin = {
+ dns_name = aws_s3_bucket.s3_origin.bucket_regional_domain_name
+ }
+ origins = [{
+ domain_name = aws_s3_bucket.s3_origin.bucket_regional_domain_name
+ id = "SampleCloudfrontOrigin"
+ origin_access_control_id = awscc_cloudfront_origin_access_control.cf_oac.id
+ }]
+ }
+ tags = [{
+ key = "Name"
+ value = "Cloudfront Distribution with S3 Origin"
+ }]
+}
\ No newline at end of file
diff --git a/examples/resources/awscc_cloudfront_distribution/cloudfront_with_s3_origin_oai.tf b/examples/resources/awscc_cloudfront_distribution/cloudfront_with_s3_origin_oai.tf
new file mode 100644
index 000000000..9f18630bc
--- /dev/null
+++ b/examples/resources/awscc_cloudfront_distribution/cloudfront_with_s3_origin_oai.tf
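Review bot: `default_cache_behavior.target_origin_id` is set to `aws_s3_bucket.s3_origin.id` (the bucket name), but the only entry in `origins` has `id = "SampleCloudfrontOrigin"`; CloudFront requires the target origin id to match an origin's `id`, so this example is likely to be rejected at apply time, and `target_origin_id = "SampleCloudfrontOrigin"` would fix it. The bucket policy's `aws:SourceArn` condition also hardcodes the placeholder account `111111111111`, which in any real account never matches the distribution's ARN, so the intended CloudFront-only read access is denied rather than granted. Using `values = ["arn:aws:cloudfront::${data.aws_caller_identity.current.account_id}:distribution/${awscc_cloudfront_distribution.cloudfront_s3_origin.id}"]` together with `data "aws_caller_identity" "current" {}` keeps the policy scoped to the deploying account without a value to edit by hand. The same `target_origin_id` mismatch is present in cloudfront_with_s3_origin_oai.tf and in both copies embedded in docs/resources/cloudfront_distribution.md.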
@@ -0,0 +1,85 @@
+# S3 Bucket Origin with bucket policy to Origin Access Control
+resource "aws_s3_bucket" "s3_origin" {
+ bucket = "sampleawsccbucket345"
+}
+
+# Block public access to S3 bucket
+resource "aws_s3_bucket_public_access_block" "s3_block_public_access" {
+ bucket = aws_s3_bucket.s3_origin.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+# Attach bucket policy with object access to cloudfront origin
+resource "aws_s3_bucket_policy" "allow_access_from_cloudfront" {
+ bucket = aws_s3_bucket.s3_origin.id
+ policy = data.aws_iam_policy_document.bucket_policy.json
+}
+
+# IAM policy document to allow S3 bucket read access to cloudfront origin access identity
+data "aws_iam_policy_document" "bucket_policy" {
+ statement {
+ principals {
+ type = "CanonicalUser"
+ identifiers = [awscc_cloudfront_cloudfront_origin_access_identity.cf_oai.s3_canonical_user_id]
+ }
+ effect = "Allow"
+ actions = [
+ "s3:GetObject",
+ ]
+ resources = [
+ "arn:aws:s3:::${aws_s3_bucket.s3_origin.id}/*"
+ ]
+ }
+}
+
+# Cloudfront origin access identity
+resource "awscc_cloudfront_cloudfront_origin_access_identity" "cf_oai" {
+ cloudfront_origin_access_identity_config = {
+ comment = "SampleCloudFrontOAI"
+ }
+}
+
+# Cloudfront distribution with S3 origin using AWSCC provider
+resource "awscc_cloudfront_distribution" "cloudfront_s3_origin" {
+ distribution_config = {
+ enabled = true
+ compress = true
+ default_root_object = "index.html"
+ comment = "Sample Cloudfront Distribution using AWSCC provider"
+ default_cache_behavior = {
+ target_origin_id = aws_s3_bucket.s3_origin.id
+ viewer_protocol_policy = "redirect-to-https"
+ allowed_methods = ["GET", "HEAD", "OPTIONS"]
+ cached_methods = ["GET", "HEAD", "OPTIONS"]
+ min_ttl = 0
+ default_ttl = 5 * 60
+ max_ttl = 60 * 60
+ }
+ restrictions = {
+ geo_restriction = {
+ restriction_type = "none"
+ }
+ }
+ viewer_certificate = {
+ cloudfront_default_certificate = true
+ minimum_protocol_version = "TLSv1.2_2018"
+ }
+ s3_origin = {
+ dns_name = aws_s3_bucket.s3_origin.bucket_regional_domain_name
+ }
+ origins = [{
+ domain_name = aws_s3_bucket.s3_origin.bucket_regional_domain_name
+ id = "SampleCloudfrontOrigin"
+ s3_origin_config = {
+ origin_access_identity = awscc_cloudfront_cloudfront_origin_access_identity.cf_oai.id
+ }
+ }]
+ }
+ tags = [{
+ key = "Name"
+ value = "Cloudfront Distribution with S3 Origin"
+ }]
+}
\ No newline at end of file
diff --git a/templates/resources/cloudfront_distribution.md.tmpl b/templates/resources/cloudfront_distribution.md.tmpl
new file mode 100644
index 000000000..b41289753
--- /dev/null
+++ b/templates/resources/cloudfront_distribution.md.tmpl
@@ -0,0 +1,31 @@
+---
+page_title: "{{.Name}} {{.Type}} - {{.ProviderName}}"
+subcategory: ""
+description: |-
+{{ .Description | plainmarkdown | trimspace | prefixlines " " }}
+---
+
+# {{.Name}} ({{.Type}})
+
+{{ .Description | trimspace }}
+
+## Example Usage
+
+### Cloudfront Distribution with S3 Origin using Origin Access Control
+
+{{ tffile (printf "examples/resources/%s/cloudfront_with_s3_origin_oac.tf" .Name)}}
+
+### Cloudfront Distribution with S3 Origin using Origin Access Identity
+
+{{ tffile (printf "examples/resources/%s/cloudfront_with_s3_origin_oai.tf" .Name)}}
+
+{{ .SchemaMarkdown | trimspace }}
+{{- if .HasImport }}
+
+## Import
+
+Import is supported using the following syntax:
+
+{{ codefile "shell" .ImportFile }}
+
+{{- end }}
\ No newline at end of file
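Review bot: In `s3_origin_config`, `origin_access_identity` is given the bare `awscc_cloudfront_cloudfront_origin_access_identity.cf_oai.id`, but CloudFront expects this field in the form `origin-access-identity/cloudfront/<OAI id>`; if the resource's `id` is the plain OAI id (as its CloudFormation `Ref` is), the line should read `origin_access_identity = "origin-access-identity/cloudfront/${awscc_cloudfront_cloudfront_origin_access_identity.cf_oai.id}"`, which is worth confirming with an apply. The leading comment of this file was carried over from the OAC example and still says `Origin Access Control`; `# S3 Bucket Origin with bucket policy to Origin Access Identity` would describe this example. Separately, `minimum_protocol_version` has no effect while `cloudfront_default_certificate = true` (CloudFront applies its default policy for the *.cloudfront.net certificate), so a comment such as `# minimum_protocol_version only takes effect with a custom ACM/IAM certificate` would keep readers from assuming TLS 1.2 is enforced here; the same applies to the OAC example above.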