# Public TLS certificate for var.site_domain, DNS-validated through the
# Route 53 zone resolved by data.aws_route53_zone.this.
module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> v2.0"

  # CloudFront only accepts ACM certificates issued in us-east-1, whatever
  # region the rest of the stack is deployed in.
  providers = {
    aws = aws.us_east_1
  }

  domain_name = var.site_domain
  zone_id     = data.aws_route53_zone.this.zone_id
  tags        = var.tags
}
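# CloudFront distribution serving var.site_domain in front of the WordPress
# ALB. The default behavior passes everything through to the ALB uncached;
# only the wp-content/* and wp-includes/* asset paths are cached.
resource "aws_cloudfront_distribution" "this" {
  origin {
    domain_name = var.public_alb_domain
    origin_id   = "alb"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      # TLS 1.0/1.1 are deprecated; negotiate only TLS 1.2 with the origin.
      # NOTE(review): confirm the ALB listener's TLS policy accepts 1.2 before
      # rolling this out (the listener is defined outside this file).
      origin_ssl_protocols = ["TLSv1.2"]
    }

    # NOTE(review): the origin is a public ALB, so nothing in this file stops a
    # client from bypassing CloudFront and reaching the ALB directly. Consider
    # sending a secret custom_header here and rejecting requests without it at
    # the ALB/WAF, or restricting the ALB security group to the CloudFront
    # managed prefix list.
  }

  enabled         = true
  is_ipv6_enabled = true
  comment         = var.site_domain
  aliases         = [var.site_domain]

  # NOTE(review): no logging_config and no web_acl_id are set. Access logs and
  # a WAF are worth adding for a public WordPress site, but need resources not
  # defined in this file.

  # Default behavior: dynamic WordPress pages (wp-admin, wp-login.php, posts).
  # All TTLs are 0 and every header, cookie and query string is forwarded, so
  # this is effectively a pass-through to the ALB.
  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD", "OPTIONS"]
    target_origin_id = "alb"

    forwarded_values {
      query_string = true
      headers      = ["*"]

      cookies {
        forward = "all"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 0
    max_ttl                = 0
    compress               = true
  }

  # Cache behavior with precedence 0: theme/plugin/upload assets, cached for
  # 15 minutes. Only Host is forwarded so WordPress can build correct URLs;
  # cookies are still forwarded and therefore become part of the cache key.
  # NOTE(review): write methods are also allowed on this asset path. If no
  # plugin under wp-content serves POST endpoints, restricting this to
  # GET/HEAD/OPTIONS would shrink the exposed surface.
  ordered_cache_behavior {
    path_pattern     = "wp-content/*"
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD", "OPTIONS"]
    target_origin_id = "alb"

    forwarded_values {
      query_string = true
      headers      = ["Host"]

      cookies {
        forward = "all"
      }
    }

    min_ttl                = 900
    default_ttl            = 900
    max_ttl                = 900
    compress               = true
    viewer_protocol_policy = "redirect-to-https"
  }

  # Cache behavior with precedence 1: core WordPress assets, cached for an
  # hour. Same forwarding rules and the same NOTE(review) on write methods as
  # the wp-content/* behavior above.
  ordered_cache_behavior {
    path_pattern     = "wp-includes/*"
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD", "OPTIONS"]
    target_origin_id = "alb"

    forwarded_values {
      query_string = true
      headers      = ["Host"]

      cookies {
        forward = "all"
      }
    }

    min_ttl                = 3600
    default_ttl            = 3600
    max_ttl                = 3600
    compress               = true
    viewer_protocol_policy = "redirect-to-https"
  }

  price_class = var.cf_price_class
  tags        = var.tags

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn = module.acm.this_acm_certificate_arn
    ssl_support_method  = "sni-only"
    # TLS 1.1 is deprecated; require TLS 1.2 from viewers. TLSv1.2_2021 is the
    # policy AWS currently recommends; if the pinned provider rejects that
    # name, TLSv1.2_2019 is the closest accepted alternative.
    minimum_protocol_version = "TLSv1.2_2021"
  }

  # CloudFront caches error responses from the origin for a default period
  # (historically five minutes). After a broken deploy you do not want the
  # cached error served for that long, so the caching window is shortened to
  # var.error_ttl. The 5xx codes are included because a broken site produces
  # server errors, not only the 4xx codes; the response body is not changed.
  # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/HTTPStatusCodes.html
  dynamic "custom_error_response" {
    for_each = toset([400, 403, 404, 405, 500, 502, 503, 504])

    content {
      error_code            = custom_error_response.value
      error_caching_min_ttl = var.error_ttl
    }
  }

  depends_on = [
    aws_ecs_service.this
  ]
}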