AWS CloudFront Function
This page shows how to write Terraform and CloudFormation for CloudFront Function and write them securely.
aws_cloudfront_function (Terraform)
The Function in CloudFront can be configured in Terraform with the resource name aws_cloudfront_function. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
The following arguments are required:
name - (Required) Unique name for your CloudFront Function.
code - (Required) Source code of the function.
runtime - (Required) Identifier of the function's runtime. Currently only cloudfront-js-1.0 is valid.
The following arguments are optional:
comment - (Optional) Comment.
publish - (Optional) Whether to publish creation/change as Live CloudFront Function Version. Defaults to true.
In addition to all arguments above, the following attributes are exported:
arn - Amazon Resource Name (ARN) identifying your CloudFront Function.
etag - ETag hash of the function.
status - Status of the function. Can be UNPUBLISHED, UNASSOCIATED or ASSOCIATED.
Explanation in Terraform Registry
Provides a CloudFront Function resource. With CloudFront Functions in Amazon CloudFront, you can write lightweight functions in JavaScript for high-scale, latency-sensitive CDN customizations. See CloudFront Functions
NOTE: You cannot delete a function if it’s associated with a cache behavior. First, update your distributions to remove the function association from all cache behaviors, then delete the function.
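The arguments and attributes listed above, put together in one configuration. This is an added example, not code from the Terraform Registry or from a GitHub project; the resource label, function name and header values are assumptions chosen for illustration.

```hcl
# Added example (constructed). The label "security_headers" and the name
# "security-headers" are assumptions, not values from the page.
resource "aws_cloudfront_function" "security_headers" {
  name    = "security-headers"
  runtime = "cloudfront-js-1.0" # the only runtime the page lists as valid
  comment = "Adds security response headers at viewer-response"
  publish = true # publish as the Live version (the default)

  # cloudfront-js-1.0 is an ES5-style runtime, so the handler uses var and
  # plain function syntax. Header names are lowercase keys, each mapped to
  # an object with a value field.
  code = <<-EOT
    function handler(event) {
      var response = event.response;
      var headers = response.headers;

      headers['strict-transport-security'] = {
        value: 'max-age=63072000; includeSubDomains; preload'
      };
      headers['x-content-type-options'] = { value: 'nosniff' };
      headers['x-frame-options'] = { value: 'DENY' };
      headers['referrer-policy'] = { value: 'same-origin' };

      return response;
    }
  EOT
}

# The exported arn attribute is what a cache behavior references.
output "security_headers_function_arn" {
  value = aws_cloudfront_function.security_headers.arn
}

# Association lives in the distribution, inside a cache behavior block
# of aws_cloudfront_distribution:
#
#   function_association {
#     event_type   = "viewer-response"
#     function_arn = aws_cloudfront_function.security_headers.arn
#   }
#
# Per the NOTE above, remove this association from every cache behavior
# before deleting the function.
```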
Tips: Best Practices for The Other AWS CloudFront Resources
In addition to the aws_cloudfront_distribution, AWS CloudFront has other resources that should be configured with security in mind. Review the examples and precautions for those resources.
aws_cloudfront_distribution
Enable access logging for the CloudFront distribution
To help defend against attacks, configure access logging on the CloudFront distribution. The logs are important for early-stage detection of attacks and for incident response. Enable the feature while taking care with how cookies are handled.
AWS::CloudFront::Function (CloudFormation)
The Function in CloudFront can be configured in CloudFormation with the resource name AWS::CloudFront::Function. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
- AutoPublish - optional - Boolean
- FunctionCode - optional - String
- FunctionConfig - optional - FunctionConfig
- FunctionMetadata - optional - FunctionMetadata
- Name - required - String
Explanation in CloudFormation Registry
Creates a CloudFront function.
To create a function, you provide the function code and some configuration information about the function. The response contains an Amazon Resource Name (ARN) that uniquely identifies the function, and the function’s stage.
By default, when you create a function, it’s in the DEVELOPMENT stage. In this stage, you can test the function in the CloudFront console (or with TestFunction in the CloudFront API).
When you’re ready to use your function with a CloudFront distribution, publish the function to the LIVE stage. You can do this in the CloudFront console, with PublishFunction in the CloudFront API, or by updating the AWS::CloudFront::Function resource with the AutoPublish property set to true. When the function is published to the LIVE stage, you can attach it to a distribution’s cache behavior, using the function’s ARN.
To automatically publish the function to the LIVE stage when it’s created, set the AutoPublish property to true.