AWS CloudFront Function

This page shows how to write Terraform and CloudFormation for a CloudFront Function, and how to write them securely.

aws_cloudfront_function (Terraform)

The Function in CloudFront can be configured in Terraform with the resource name aws_cloudfront_function. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).


The following arguments are required:

  • name - (Required) Unique name for your CloudFront Function.
  • code - (Required) Source code of the function.
  • runtime - (Required) Identifier of the function's runtime. Currently only cloudfront-js-1.0 is valid.

The following arguments are optional:

  • comment - (Optional) Comment.
  • publish - (Optional) Whether to publish creation/change as Live CloudFront Function Version. Defaults to true.

In addition to all arguments above, the following attributes are exported:

  • arn - Amazon Resource Name (ARN) identifying your CloudFront Function.
  • etag - ETag hash of the function.
  • status - Status of the function. Can be UNPUBLISHED, UNASSOCIATED or ASSOCIATED.
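Since no GitHub example was found, the following is an added example written for this page (not taken from the provider's documentation or any project) that uses every argument listed above. The resource name, function name and header values are assumptions; the function adds security headers to each viewer response.

```hcl
# Added example (not from the page or the provider docs): a CloudFront Function
# that adds security response headers. Resource and function names are assumed.
resource "aws_cloudfront_function" "security_headers" {
  name    = "add-security-headers" # assumed name; must be unique per account
  runtime = "cloudfront-js-1.0"
  comment = "Adds HSTS and other security headers to every viewer response"

  # publish = false would keep the change in the DEVELOPMENT stage for testing;
  # the default (true) publishes a LIVE version that a distribution can use.
  publish = true

  # The function body is passed inline. The heredoc contains no "${" so
  # Terraform performs no interpolation on the JavaScript.
  code = <<-EOT
    function handler(event) {
      var response = event.response;
      var headers  = response.headers;

      // CloudFront Functions expect lowercase header names and {value: ...} objects.
      headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload' };
      headers['x-content-type-options']    = { value: 'nosniff' };
      headers['x-frame-options']           = { value: 'DENY' };
      headers['referrer-policy']           = { value: 'strict-origin-when-cross-origin' };

      return response;
    }
  EOT
}

# Exported attribute: the ARN is what a distribution's cache behavior references.
output "security_headers_function_arn" {
  value = aws_cloudfront_function.security_headers.arn
}
```

The published function is attached to a distribution through a `function_association` block (with `event_type = "viewer-response"`) inside a cache behavior of `aws_cloudfront_distribution`, referencing the ARN above; that block is a feature of the AWS provider and is not shown on this page.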

Explanation in Terraform Registry

Provides a CloudFront Function resource. With CloudFront Functions in Amazon CloudFront, you can write lightweight functions in JavaScript for high-scale, latency-sensitive CDN customizations. See CloudFront Functions

NOTE: You cannot delete a function if it’s associated with a cache behavior. First, update your distributions to remove the function association from all cache behaviors, then delete the function.

Tips: Best Practices for The Other AWS CloudFront Resources

In addition to aws_cloudfront_distribution, AWS CloudFront has other resources that should be configured with security in mind. Please check the following examples of those resources and the precautions for each.



Ensure access logging is enabled for the CloudFront distribution

Configure access logging for a CloudFront distribution: the logs are important for early-stage detection of attacks and for incident response. Enable the feature, but be careful about how cookies are handled, since logged cookies can contain sensitive values.

Review your AWS CloudFront settings

In addition to the above, there are other security points you should be aware of; you can check that your .tf files follow them in Shisho Cloud.

AWS::CloudFront::Function (CloudFormation)

The Function in CloudFront can be configured in CloudFormation with the resource name AWS::CloudFront::Function. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.


Explanation in CloudFormation Registry

Creates a CloudFront function.

To create a function, you provide the function code and some configuration information about the function. The response contains an Amazon Resource Name (ARN) that uniquely identifies the function, and the function’s stage.

By default, when you create a function, it’s in the DEVELOPMENT stage. In this stage, you can test the function in the CloudFront console (or with TestFunction in the CloudFront API).

When you’re ready to use your function with a CloudFront distribution, publish the function to the LIVE stage. You can do this in the CloudFront console, with PublishFunction in the CloudFront API, or by updating the AWS::CloudFront::Function resource with the AutoPublish property set to true. When the function is published to the LIVE stage, you can attach it to a distribution’s cache behavior, using the function’s ARN.

To automatically publish the function to the LIVE stage when it’s created, set the AutoPublish property to true.

Frequently asked questions

What is AWS CloudFront Function?

AWS CloudFront Function is a resource for CloudFront of Amazon Web Services. Settings can be written in Terraform and CloudFormation.