Parameterize the following features

- response_headers are now optional
- Versioning of the logging S3 bucket
- Cors rules

aws_cloudfront_distribution.tf

@@ -95,8 +95,9 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
 
 resource "aws_cloudfront_origin_access_identity" "current" {}
 
- resource "aws_cloudfront_response_headers_policy" "security_headers_policy" {
-  name = "${var.distribution_name}-cloudfront-security-headers-policy"
+resource "aws_cloudfront_response_headers_policy" "security_headers_policy" {
+  name  = "${var.distribution_name}-cloudfront-security-headers-policy"
+  count = var.response_header_policy_enable ? 1 : 0
   security_headers_config {
     # https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
     # content_type_options {

aws_route53_a_record.tf

@@ -1,7 +1,9 @@
 resource "aws_route53_record" "fqdn_cloudfront_dist" {
   zone_id = data.aws_route53_zone.current.zone_id
   name    = var.distribution_fqdn
-  type    = "A"
+
+  allow_overwrite = false
+  type            = "A"
   alias {
     evaluate_target_health = false
     name                   = aws_cloudfront_distribution.s3_distribution.domain_name

data_aws_caller_identity.tf

@@ -4,4 +4,6 @@ data "aws_availability_zones" "this" {}
 
 data "aws_caller_identity" "current" {}
 
+data "aws_canonical_user_id" "current" {}
+
 data "aws_iam_account_alias" "current" {}

module_s3_bucket_cloudfront_logging.tf

@@ -20,7 +20,7 @@ module "bucket_cloudwatch_logs_backup" {
   ignore_public_acls      = true
 
   versioning = {
-    status     = "Suspended"
+    status     = var.s3_logging_versioning
     mfa_delete = "Disabled"
   }
 
@@ -33,4 +33,7 @@ module "bucket_cloudwatch_logs_backup" {
       }
     }
   }
+
+  cors_rule = var.cors_rules
+
 }

variables.tf

@@ -22,6 +22,18 @@ variable "cloudfront_cache_compress_content" {
   default     = false
 }
 
+variable "cors_rules" {
+  description = "List of maps of cors rules to ap[ply to the logging bucket"
+  type = list(object({
+    allowed_headers = list(string)
+    allowed_methods = list(string)
+    allowed_origins = list(string)
+    expose_headers  = list(string)
+    max_age_seconds = number
+  }))
+  default = []
+}
+
 variable "custom_error_response_error_code" {
   description = "Custom error code for error response"
   type        = number
@@ -55,6 +67,12 @@ variable "hosted_zone_name" {
   description = "The route53 zone."
 }
 
+variable "s3_logging_versioning" {
+  description = "Whether to version the contents of the logging bucket"
+  type = string
+  default = "Suspended"
+}
+
 variable "minimum_protocol_version" {
   description = "Minimum protocol version for the viewer certificate"
   type        = string
@@ -85,6 +103,12 @@ variable "function_associations" {
   default     = []
 }
 
+variable "response_header_policy_enable" {
+  description = "Feature-flag for including response header policy"
+  type        = bool
+  default     = true
+}
+
 variable "use_cloudfront_default_certificate" {
   type        = bool
   description = "Default SSL certificate."