AWS CloudFront Distribution
This page shows how to write Terraform and CloudFormation for CloudFront Distribution and write them securely.
aws_cloudfront_distribution (Terraform)
The Distribution in CloudFront can be configured in Terraform with the resource name aws_cloudfront_distribution. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
# Excerpt 1: custom alias with a restricted price class (remainder truncated in the source)
resource "aws_cloudfront_distribution" "lib-haxe-org" {
  aliases         = ["lib.haxe.org"]
  enabled         = true
  is_ipv6_enabled = true
  price_class     = "PriceClass_100"
  # ...
}

# Excerpt 2: the default *.cloudfront.net certificate; with this setting CloudFront
# fixes the security policy at TLSv1 whatever minimum_protocol_version says
resource "aws_cloudfront_distribution" "default" {
  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

# Excerpt 3: S3 origin behind an origin access identity (remainder truncated in the source)
resource "aws_cloudfront_distribution" "positive1" {
  origin {
    domain_name = aws_s3_bucket.b.bucket_regional_domain_name
    origin_id   = local.s3_origin_id
    s3_origin_config {
      # ...
    }
  }
  # ...
}

# Excerpt 4: attaching a response headers policy (remainder truncated in the source)
resource "aws_cloudfront_distribution" "pass" {
  enabled = true
  default_cache_behavior {
    response_headers_policy_id = aws_cloudfront_response_headers_policy.pass.id
    # ...
  }
  # ...
}

# Excerpt 5: fixture-style resources for a policy check; "allowed" attaches a web ACL
# and a logging block (the empty block omits the required bucket), "denied" is truncated in the source
resource "aws_cloudfront_distribution" "allowed" {
  web_acl_id = "arn:1234"
  logging_config {}
}
resource "aws_cloudfront_distribution" "denied" {
  # ...
}
Security Best Practices for aws_cloudfront_distribution
There are 3 settings in aws_cloudfront_distribution that should be taken care of for security reasons. The following sections explain each one with an overview and example code.
Ensure to enable access logging of CloudFront distribution
Configure access logging (logging_config) for every CloudFront distribution. The logs are important for early detection of attacks and for incident response. Enable the feature, but be careful about whether cookies are included in the logs, since they can carry session data.
Ensure to use modern TLS protocols
A CloudFront distribution can be left accepting outdated TLS protocols. It is better to require TLS v1.2 or newer through minimum_protocol_version.
Ensure to use HTTPS as much as possible
Use HTTPS as much as possible. CloudFront can also serve content over plain HTTP, which is vulnerable to Man-in-the-Middle (MITM) attacks, so set viewer_protocol_policy to redirect or require HTTPS.
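The three settings above combined in one hardened distribution, as an added example that is not taken from the page's source repositories. The S3 buckets aws_s3_bucket.site and aws_s3_bucket.logs, the origin access identity and the certificate aws_acm_certificate.site are assumed to exist elsewhere in the configuration.

```hcl
# Added example, not from the page's source repositories. The resources
# aws_s3_bucket.site/.logs, the OAI and aws_acm_certificate.site are assumed.
resource "aws_cloudfront_distribution" "example" {
  enabled         = true
  is_ipv6_enabled = true
  http_version    = "http2"

  origin {
    domain_name = aws_s3_bucket.site.bucket_regional_domain_name
    origin_id   = "s3-site"
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.site.cloudfront_access_identity_path
    }
  }

  # 1. Access logging on; include_cookies stays false so session cookies are not copied into the log bucket.
  logging_config {
    bucket          = aws_s3_bucket.logs.bucket_domain_name
    include_cookies = false
    prefix          = "cloudfront/"
  }

  # 3. HTTPS for viewers: "redirect-to-https" (or "https-only") rather than "allow-all".
  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "s3-site"
    viewer_protocol_policy = "redirect-to-https"
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }
  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # 2. Modern TLS only. Needs an ACM certificate (us-east-1) with sni-only;
  # with cloudfront_default_certificate = true CloudFront ignores this and falls back to TLSv1.
  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate.site.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}
```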
Parameters
  aliases - optional - set of string
  arn - optional, computed - string
  caller_reference - optional, computed - string
  comment - optional - string
  default_root_object - optional - string
  domain_name - optional, computed - string
  enabled - required - bool
  etag - optional, computed - string
  hosted_zone_id - optional, computed - string
  http_version - optional - string
  id - optional, computed - string
  in_progress_validation_batches - optional, computed - number
  is_ipv6_enabled - optional - bool
  last_modified_time - optional, computed - string
  price_class - optional - string
  retain_on_delete - optional - bool
  status - optional, computed - string
  tags - optional - map from string to string
  trusted_key_groups - optional, computed - list of object
    enabled - bool
    items - list of object
      key_group_id - string
      key_pair_ids - set of string
  trusted_signers - optional, computed - list of object
    enabled - bool
    items - list of object
      aws_account_number - string
      key_pair_ids - set of string
  wait_for_deployment - optional - bool
  web_acl_id - optional - string
  custom_error_response - set block
    error_caching_min_ttl - optional - number
    error_code - required - number
    response_code - optional - number
    response_page_path - optional - string
  default_cache_behavior - list block
    allowed_methods - required - set of string
    cache_policy_id - optional - string
    cached_methods - required - set of string
    compress - optional - bool
    default_ttl - optional, computed - number
    field_level_encryption_id - optional - string
    max_ttl - optional, computed - number
    min_ttl - optional - number
    origin_request_policy_id - optional - string
    realtime_log_config_arn - optional - string
    smooth_streaming - optional - bool
    target_origin_id - required - string
    trusted_key_groups - optional, computed - list of string
    trusted_signers - optional, computed - list of string
    viewer_protocol_policy - required - string
    forwarded_values - list block
      headers - optional, computed - set of string
      query_string - required - bool
      query_string_cache_keys - optional, computed - list of string
      cookies - list block
        forward - required - string
        whitelisted_names - optional, computed - set of string
    lambda_function_association - set block
      event_type - required - string
      include_body - optional - bool
      lambda_arn - required - string
  logging_config - list block
    bucket - required - string
    include_cookies - optional - bool
    prefix - optional - string
  ordered_cache_behavior - list block
    allowed_methods - required - set of string
    cache_policy_id - optional - string
    cached_methods - required - set of string
    compress - optional - bool
    default_ttl - optional, computed - number
    field_level_encryption_id - optional - string
    max_ttl - optional, computed - number
    min_ttl - optional - number
    origin_request_policy_id - optional - string
    path_pattern - required - string
    realtime_log_config_arn - optional - string
    smooth_streaming - optional - bool
    target_origin_id - required - string
    trusted_key_groups - optional - list of string
    trusted_signers - optional - list of string
    viewer_protocol_policy - required - string
    forwarded_values - list block
      headers - optional, computed - set of string
      query_string - required - bool
      query_string_cache_keys - optional, computed - list of string
      cookies - list block
        forward - required - string
        whitelisted_names - optional - set of string
    lambda_function_association - set block
      event_type - required - string
      include_body - optional - bool
      lambda_arn - required - string
  origin - set block
    domain_name - required - string
    origin_id - required - string
    origin_path - optional - string
    custom_header - set block
    custom_origin_config - list block
      http_port - required - number
      https_port - required - number
      origin_keepalive_timeout - optional - number
      origin_protocol_policy - required - string
      origin_read_timeout - optional - number
      origin_ssl_protocols - required - set of string
    s3_origin_config - list block
      origin_access_identity - required - string
  origin_group - set block
    origin_id - required - string
    failover_criteria - list block
      status_codes - required - set of number
    member - list block
      origin_id - required - string
  restrictions - list block
    geo_restriction - list block
      locations - optional, computed - set of string
      restriction_type - required - string
  viewer_certificate - list block
    acm_certificate_arn - optional - string
    cloudfront_default_certificate - optional - bool
    iam_certificate_id - optional - string
    minimum_protocol_version - optional - string
    ssl_support_method - optional - string
Explanation in Terraform Registry
Creates an Amazon CloudFront web distribution. For information about CloudFront distributions, see the [Amazon CloudFront Developer Guide][1]. For specific information about creating CloudFront web distributions, see the [POST Distribution][2] page in the Amazon CloudFront API Reference.
NOTE: CloudFront distributions take about 15 minutes to reach a deployed state after creation or modification. During this time, deletes to resources will be blocked. If you need to delete a distribution that is enabled and you do not want to wait, you need to use the retain_on_delete flag.
AWS::CloudFront::Distribution (CloudFormation)
The Distribution in CloudFront can be configured in CloudFormation with the resource name AWS::CloudFront::Distribution. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
  DistributionConfig - required - DistributionConfig
  Tags - optional - List of Tag
Explanation in CloudFormation Registry
A distribution tells CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery.
Frequently asked questions
What is AWS CloudFront Distribution?
AWS CloudFront Distribution is a resource for CloudFront of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS CloudFront Distribution?
For Terraform, the HaxeFoundation/haxe-terraform, snyk-labs/infrastructure-as-code-goof and Checkmarx/kics source code examples are useful. See the Terraform Example section for further details.