AWS CloudFront Function
This page shows how to write Terraform and CloudFormation for CloudFront Function and write them securely.
aws_cloudfront_function (Terraform)
The Function in CloudFront can be configured in Terraform with the resource name aws_cloudfront_function. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
The following arguments are required:
name - (Required) Unique name for your CloudFront Function.
code - (Required) Source code of the function.
runtime - (Required) Identifier of the function's runtime. Currently only cloudfront-js-1.0 is valid.
The following arguments are optional:
comment - (Optional) Comment.
publish - (Optional) Whether to publish creation/change as Live CloudFront Function Version. Defaults to true.
In addition to all arguments above, the following attributes are exported:
arn - Amazon Resource Name (ARN) identifying your CloudFront Function.
etag - ETag hash of the function.
status - Status of the function. Can be UNPUBLISHED, UNASSOCIATED or ASSOCIATED.
Explanation in Terraform Registry
Provides a CloudFront Function resource. With CloudFront Functions in Amazon CloudFront, you can write lightweight functions in JavaScript for high-scale, latency-sensitive CDN customizations. See CloudFront Functions
NOTE: You cannot delete a function if it’s associated with a cache behavior. First, update your distributions to remove the function association from all cache behaviors, then delete the function.
Tips: Best Practices for The Other AWS CloudFront Resources
In addition to the aws_cloudfront_distribution, AWS CloudFront has other resources that should be configured for security reasons. Check the examples and precautions for those resources.
aws_cloudfront_distribution
Ensure access logging is enabled for the CloudFront distribution
Access logging should be configured for a CloudFront distribution to support defense against attacks. The logs are important for early-stage detection of attacks and for incident response. Enable the feature while taking care over how cookies are handled.
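The following Terraform configuration is an added example, not taken from the original page or the Terraform Registry. It shows an aws_cloudfront_function published to LIVE, attached to a cache behavior by its ARN, on a distribution with access logging enabled and cookie logging turned off. The resource names, origin domain, log bucket and the header-setting function body are assumptions, and a configured AWS provider and an existing log bucket are assumed.

```hcl
resource "aws_cloudfront_function" "security_headers" {
  name    = "example-security-headers" # placeholder name (assumption)
  runtime = "cloudfront-js-1.0"
  publish = true # publish to LIVE so it can be associated below
  code    = <<-EOT
    function handler(event) {
      event.response.headers["strict-transport-security"] = { value: "max-age=63072000" };
      event.response.headers["x-content-type-options"] = { value: "nosniff" };
      return event.response;
    }
  EOT
}

data "aws_cloudfront_cache_policy" "optimized" {
  name = "Managed-CachingOptimized"
}

resource "aws_cloudfront_distribution" "example" {
  enabled = true
  origin {
    domain_name = "origin.example.com" # placeholder origin (assumption)
    origin_id   = "example-origin"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }
  default_cache_behavior {
    target_origin_id       = "example-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.optimized.id
    function_association { # remove this association before deleting the function
      event_type   = "viewer-response"
      function_arn = aws_cloudfront_function.security_headers.arn
    }
  }
  logging_config {
    bucket          = "example-cf-logs.s3.amazonaws.com" # placeholder bucket (assumption)
    include_cookies = false # keep cookie values out of access logs
  }
  restrictions {
    geo_restriction { restriction_type = "none" }
  }
  viewer_certificate { cloudfront_default_certificate = true }
}
```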
AWS::CloudFront::Function (CloudFormation)
The Function in CloudFront can be configured in CloudFormation with the resource name AWS::CloudFront::Function. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
AutoPublish - optional - Boolean
FunctionCode - optional - String
FunctionConfig - optional - FunctionConfig
FunctionMetadata - optional - FunctionMetadata
Name - required - String
Explanation in CloudFormation Registry
Creates a CloudFront function.
To create a function, you provide the function code and some configuration information about the function. The response contains an Amazon Resource Name (ARN) that uniquely identifies the function, and the function’s stage.
By default, when you create a function, it’s in the DEVELOPMENT stage. In this stage, you can test the function in the CloudFront console (or with TestFunction in the CloudFront API).
When you’re ready to use your function with a CloudFront distribution, publish the function to the LIVE stage. You can do this in the CloudFront console, with PublishFunction in the CloudFront API, or by updating the AWS::CloudFront::Function resource with the AutoPublish property set to true. When the function is published to the LIVE stage, you can attach it to a distribution’s cache behavior, using the function’s ARN.
To automatically publish the function to the LIVE stage when it’s created, set the AutoPublish property to true.