
Merge pull request #4 from osodevops/AS/output-validation
As/output validation
andysingleton authored Jul 10, 2024
2 parents f8ee874 + ff6b9ab commit 61ef1d5
Showing 4 changed files with 20 additions and 6 deletions.
6 changes: 4 additions & 2 deletions aws_cloudfront_distribution.tf
Expand Up @@ -5,7 +5,7 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
origin_id = "${data.aws_s3_bucket.origin_bucket.id}-origin"

s3_origin_config {
origin_access_identity = aws_cloudfront_origin_access_identity.current.cloudfront_access_identity_path
origin_access_identity = local.shared_origin_path
}
}
comment = "${var.distribution_name} distribution"
Expand Down Expand Up @@ -93,7 +93,9 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
depends_on = [module.bucket_cloudwatch_logs_backup, aws_acm_certificate.certificate]
}

resource "aws_cloudfront_origin_access_identity" "current" {}
resource "aws_cloudfront_origin_access_identity" "current" {
count = var.shared_origin_access_identity != "" ? 0 : 1
}

resource "aws_cloudfront_response_headers_policy" "security_headers_policy" {
name = "${var.distribution_name}-cloudfront-security-headers-policy"
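Review bot: Adding `count` to `aws_cloudfront_origin_access_identity.current` changes its address to `aws_cloudfront_origin_access_identity.current[0]`, so any deployment that has already applied this module would plan to destroy the existing OAI and create a new one, and the bucket policy that names the old identity's IAM ARN would stop matching until the replacement is applied. If the module is in use anywhere, a `moved` block preserves the state entry; the same applies to `aws_s3_bucket_policy.allow_cloudfront` in aws_s3_origin_bucket_policy.tf, which also gained `count`. The condition `var.shared_origin_access_identity != "" ? 0 : 1` is now written out in three resources; a single `local.create_origin_access_identity = var.shared_origin_access_identity == ""` would keep them from drifting apart.
```hcl
resource "aws_cloudfront_origin_access_identity" "current" {
  count = var.shared_origin_access_identity != "" ? 0 : 1
}

# Keep the already-created identity when upgrading: the resource address
# changed from .current to .current[0] when count was introduced.
moved {
  from = aws_cloudfront_origin_access_identity.current
  to   = aws_cloudfront_origin_access_identity.current[0]
}
```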
8 changes: 5 additions & 3 deletions aws_s3_origin_bucket_policy.tf
@@ -1,9 +1,11 @@
resource "aws_s3_bucket_policy" "allow_cloudfront" {
count = var.shared_origin_access_identity != "" ? 0 : 1
bucket = data.aws_s3_bucket.origin_bucket.id
policy = data.aws_iam_policy_document.cloudfront.json
policy = data.aws_iam_policy_document.cloudfront[0].json
}

data "aws_iam_policy_document" "cloudfront" {
count = var.shared_origin_access_identity != "" ? 0 : 1
statement {
actions = [
"s3:ListBucket",
Expand All @@ -14,7 +16,7 @@ data "aws_iam_policy_document" "cloudfront" {
principals {
type = "AWS"
identifiers = [
aws_cloudfront_origin_access_identity.current.iam_arn,
aws_cloudfront_origin_access_identity.current[0].iam_arn,
]
}
}
Expand All @@ -30,7 +32,7 @@ data "aws_iam_policy_document" "cloudfront" {
type = "AWS"

identifiers = [
aws_cloudfront_origin_access_identity.current.iam_arn,
aws_cloudfront_origin_access_identity.current[0].iam_arn,
]
}
}
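Review bot: With `count = 0` on both `aws_s3_bucket_policy.allow_cloudfront` and `data.aws_iam_policy_document.cloudfront`, a caller who sets `shared_origin_access_identity` gets no bucket policy at all from this module, so access for the shared identity to `data.aws_s3_bucket.origin_bucket` is silently assumed to exist already. That holds only when the caller reuses the exact bucket the first distribution was given; with a different bucket the plan succeeds and the distribution serves 403s, and a policy that an earlier apply of this module attached would be removed on the switch with nothing replacing it. The precondition should at least be stated in the `shared_origin_access_identity` description, and a safer option is to keep the policy in both modes and build the principal from the supplied path (its last segment is the OAI ID, from which the `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ID>` ARN follows) so the bucket grant is always managed here.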
5 changes: 4 additions & 1 deletion outputs.tf
Expand Up @@ -7,6 +7,9 @@ output "distribution" {
}

output "identity" {
value = aws_cloudfront_origin_access_identity.current
value = try(aws_cloudfront_origin_access_identity.current[0], "")
}

output "domain_validations" {
value = aws_route53_record.certificate_validation
}
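Review bot: `try(aws_cloudfront_origin_access_identity.current[0], "")` gives the `identity` output two unrelated types, a resource object in one mode and the string `""` in the other, so every consumer has to wrap its own `try` around attribute access. `one(aws_cloudfront_origin_access_identity.current)` yields the single object or `null`, which is the usual way to expose an optional counted resource if the module's required Terraform version allows it. Since the point of the new variable is chaining distributions, exporting the effective path as well, `output "origin_access_identity_path" { value = local.shared_origin_path }`, lets a second instance consume the first's output directly instead of reaching into the `identity` object.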
7 changes: 7 additions & 0 deletions variables.tf
Expand Up @@ -109,6 +109,12 @@ variable "response_header_policy_enable" {
default = true
}

variable "shared_origin_access_identity" {
description = "cloudfront_access_identity_path from a previous distribution, so we can use the same origin"
type = string
default = ""
}

variable "use_cloudfront_default_certificate" {
type = bool
description = "Default SSL certificate."
Expand All @@ -134,4 +140,5 @@ variable "common_tags" {

locals {
logging_bucket_name = "${var.distribution_name}-cf-logs-${data.aws_region.current.name}-${lower(data.aws_iam_account_alias.current.account_alias)}"
shared_origin_path = var.shared_origin_access_identity != "" ? var.shared_origin_access_identity : aws_cloudfront_origin_access_identity.current[0].cloudfront_access_identity_path
}
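Review bot: `shared_origin_access_identity` is passed straight into `s3_origin_config.origin_access_identity` through `local.shared_origin_path` with no shape check, so a caller who supplies the OAI's ID or its IAM ARN instead of the `cloudfront_access_identity_path` only finds out from the CloudFront API at apply time. A `validation` block that accepts the empty default or a value of the form `origin-access-identity/cloudfront/<ID>` fails the plan instead, and the description should say that setting the variable skips creation of both the OAI and the origin bucket policy, so the bucket must already grant that identity read access.
```hcl
variable "shared_origin_access_identity" {
  description = "cloudfront_access_identity_path of an existing origin access identity (origin-access-identity/cloudfront/<ID>). When set, no OAI and no origin bucket policy are created by this module; the origin bucket must already grant that identity access."
  type        = string
  default     = ""

  validation {
    condition     = var.shared_origin_access_identity == "" || can(regex("^origin-access-identity/cloudfront/[A-Z0-9]+$", var.shared_origin_access_identity))
    error_message = "shared_origin_access_identity must be empty or an origin access identity path of the form origin-access-identity/cloudfront/<ID>."
  }
}
```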
