AWS CloudFront Distribution

aws_cloudfront_distribution (Terraform)

The Distribution in CloudFront can be configured in Terraform with the resource name aws_cloudfront_distribution. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

HaxeFoundation/haxe-terraform

resource "aws_cloudfront_distribution" "lib-haxe-org" {
  aliases         = ["lib.haxe.org"]
  enabled         = true
  is_ipv6_enabled = true
  price_class     = "PriceClass_100"

snyk-labs/infrastructure-as-code-goof

resource "aws_cloudfront_distribution" "default" {
  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

Checkmarx/kics

resource "aws_cloudfront_distribution" "positive1" {
  origin {
    domain_name = aws_s3_bucket.b.bucket_regional_domain_name
    origin_id   = local.s3_origin_id

    s3_origin_config {

bridgecrewio/checkov

resource "aws_cloudfront_distribution" "pass" {
  enabled = true

  default_cache_behavior {
    response_headers_policy_id = aws_cloudfront_response_headers_policy.pass.id
  }

snyk-labs/infrastructure-as-code-goof

resource "aws_cloudfront_distribution" "allowed" {
  web_acl_id = "arn:1234"
  logging_config {}
}

resource "aws_cloudfront_distribution" "denied" {

Security Best Practices for aws_cloudfront_distribution

There are 3 settings in aws_cloudfront_distribution that should be taken care of for security reasons. The following section explain an overview and example code.

Ensure to enable access logging of CloudFront distribution

To avoid attacks, it is better to configure access logging of a CloudFront distribution. The logs are important for the early-stage detection of attacks and incident responses. It is better to enable the feature while being careful of handling cookies.

Ensure to use modern TLS protocols

A CloudFront distribution uses outdated TLS protocols. It's better to adopt TLS v1.2+.

Ensure to use HTTPS as much as possible

To avoid attacks, it is better to use HTTPS as much as possible. CloudFront is available through HTTP, which is vulnerable to Meet-in-the-Middle (MITM) attacks.

Parameters

• aliases optional - set of string
• arn optional computed - string
• caller_reference optional computed - string
• comment optional - string
• default_root_object optional - string
• domain_name optional computed - string
• enabled required - bool
• etag optional computed - string
• hosted_zone_id optional computed - string
• http_version optional - string
• id optional computed - string
• in_progress_validation_batches optional computed - number
• is_ipv6_enabled optional - bool
• last_modified_time optional computed - string
• price_class optional - string
• retain_on_delete optional - bool
• status optional computed - string
• tags optional - map from string to string
• trusted_key_groups optional computed - list of object
  • enabled - bool
  • items - list of object
    • key_group_id - string
    • key_pair_ids - set of string
• trusted_signers optional computed - list of object
  • enabled - bool
  • items - list of object
    • aws_account_number - string
    • key_pair_ids - set of string
• wait_for_deployment optional - bool
• web_acl_id optional - string
• custom_error_response set block
  • error_caching_min_ttl optional - number
  • error_code required - number
  • response_code optional - number
  • response_page_path optional - string
• default_cache_behavior list block
  • allowed_methods required - set of string
  • cache_policy_id optional - string
  • cached_methods required - set of string
  • compress optional - bool
  • default_ttl optional computed - number
  • field_level_encryption_id optional - string
  • max_ttl optional computed - number
  • min_ttl optional - number
  • origin_request_policy_id optional - string
  • realtime_log_config_arn optional - string
  • smooth_streaming optional - bool
  • target_origin_id required - string
  • trusted_key_groups optional computed - list of string
  • trusted_signers optional computed - list of string
  • viewer_protocol_policy required - string
  • forwarded_values list block
    • headers optional computed - set of string
    • query_string required - bool
    • query_string_cache_keys optional computed - list of string
    • cookies list block
      • forward required - string
      • whitelisted_names optional computed - set of string
  • lambda_function_association set block
    • event_type required - string
    • include_body optional - bool
    • lambda_arn required - string
• logging_config list block
  • bucket required - string
  • include_cookies optional - bool
  • prefix optional - string
• ordered_cache_behavior list block
  • allowed_methods required - set of string
  • cache_policy_id optional - string
  • cached_methods required - set of string
  • compress optional - bool
  • default_ttl optional computed - number
  • field_level_encryption_id optional - string
  • max_ttl optional computed - number
  • min_ttl optional - number
  • origin_request_policy_id optional - string
  • path_pattern required - string
  • realtime_log_config_arn optional - string
  • smooth_streaming optional - bool
  • target_origin_id required - string
  • trusted_key_groups optional - list of string
  • trusted_signers optional - list of string
  • viewer_protocol_policy required - string
  • forwarded_values list block
    • headers optional computed - set of string
    • query_string required - bool
    • query_string_cache_keys optional computed - list of string
    • cookies list block
      • forward required - string
      • whitelisted_names optional - set of string
  • lambda_function_association set block
    • event_type required - string
    • include_body optional - bool
    • lambda_arn required - string
• origin set block
  • domain_name required - string
  • origin_id required - string
  • origin_path optional - string
  • custom_header set block
    • name required - string
    • value required - string
  • custom_origin_config list block
    • http_port required - number
    • https_port required - number
    • origin_keepalive_timeout optional - number
    • origin_protocol_policy required - string
    • origin_read_timeout optional - number
    • origin_ssl_protocols required - set of string
  • s3_origin_config list block
    • origin_access_identity required - string
• origin_group set block
  • origin_id required - string
  • failover_criteria list block
    • status_codes required - set of number
  • member list block
    • origin_id required - string
• restrictions list block
  • geo_restriction list block
    • locations optional computed - set of string
    • restriction_type required - string
• viewer_certificate list block
  • acm_certificate_arn optional - string
  • cloudfront_default_certificate optional - bool
  • iam_certificate_id optional - string
  • minimum_protocol_version optional - string
  • ssl_support_method optional - string

Explanation in Terraform Registry

Creates an Amazon CloudFront web distribution. For information about CloudFront distributions, see the [Amazon CloudFront Developer Guide][1]. For specific information about creating CloudFront web distributions, see the [POST Distribution][2] page in the Amazon CloudFront API Reference.

NOTE: CloudFront distributions take about 15 minutes to a deployed state after creation or modification. During this time, deletes to resources will be blocked. If you need to delete a distribution that is enabled and you do not want to wait, you need to use the retain_on_delete flag.