Skip to main content
Static Assets Modules 0.19.1Last updated in version 0.18.5

S3 CloudFront Module

View Source Release Notes

This module deploys a CloudFront distribution as a Content Distribution Network (CDN) in front of an S3 bucket. This reduces latency for your users, by caching your static content in servers around the world. It also allows you to use SSL with the static content in an S3 bucket.

See the s3-static-website module for how to deploy static content in an S3 bucket.

Quick Start

Public vs private S3 buckets

This module can work with two types of S3 buckets:

  • Public S3 bucket: You can use this module to deploy CloudFront in front of an S3 bucket that has been configured as a website. This configuration allows you to configure custom routing rules, custom error documents and other useful features for running a static website. The disadvantage is that you have to make your S3 bucket publicly accessible, which means users who know the URL could access the bucket directly, bypassing CloudFront. Despite this minor limitation, we recommend this option for most users, as it provides the best experience for running a website on S3. To use this option, set the s3_bucket_is_public_website parameter to true and set the bucket_website_endpoint parameter to the publicly-accessible endpoint for your S3 website.

  • Private S3 bucket: You can use this module to deploy CloudFront in front of a standard, private S3 bucket. The advantage of this is that users can only access the contents of the S3 bucket by going via CloudFront (they can't access the S3 bucket directly). The disadvantage is that you cannot use any of the S3 website features, such as routing rules and custom error pages. This option is recommended if you have to keep the contents of the S3 bucket secure (see also Serving Private Content through CloudFront). To use this option, set the s3_bucket_is_public_website parameter to false and make sure to configure the IAM permissions for your S3 bucket to allow access from the CloudFront distributions Origin Access Identity, which is accessible via the cloudfront_origin_access_identity_iam_arn output variable.

NOTE: For some reason, the Private S3 bucket option currently ONLY works in us-east1. In all other regions, you get 403: Access Denied errors. We are still investigating why, but for the time being, deploy your entire static website in us-east-1 and things will work fine.

How do I test my website?

This module outputs the domain name of your website using the cloudfront_domain_name output variable.

By default, the domain name will be of the form:

<ID>.cloudfront.net

Where ID is a unique ID generated for your CloudFront distribution. For example:

d111111abcdef8.cloudfront.net

If you set var.create_route53_entry to true, then this module will create a DNS A record in Route 53 for your CloudFront distribution with the domain name in var.domain_name, and you will be able to use that custom domain name to access your bucket instead of the amazonaws.com domain.

How do I configure HTTPS (SSL)?

If you are using the default .cloudfront.net domain name, then you can use it with HTTPS with no extra changes:

https://<ID>.cloudfront.net

If you are using a custom domain name, to use HTTPS, you need to specify the ARN of either an AWS Certificate Manager (ACM) certificate via the acm_certificate_arn parameter or a custom certificate in IAM via the iam_certificate_id parameter. We recommend using ACM certs as they are free, very quick to set up, and best of all, AWS automatically renews them for you.

NOTE: If you set either acm_certificate_arn or iam_certificate_id you must set use_cloudfront_default_certificate to false.

Origin Group Support

This module can also create a CloudFront distribution that uses an Origin Group to serve content. The primary purpose of this is to have secondary bucket(s), which serve as a failover bucket in the event your primary bucket and/or its contents are not accessible.

How To Configure

To use the Origin Group feature, you will need to provide values for the following variables:

  • failover_buckets
  • failover_bucket_website_endpoints (if making a public site)

Limitations

To create a CloudFront distribution with Terraform, you use the aws_cloudfront_distribution resource. Unfortunately, this resource primarily consists of "inline blocks", which do not work well in Terraform modules, as there is no way to create them dynamically based on the module's inputs.

As a results, the CloudFront distribution in this module is limited to a fixed set of settings that should work for most use cases, but is not particularly flexible. In particular, the limitations are as follows:

  • Only one origin—an S3 bucket—is supported (origin is an inline block). You specify the bucket to use via the bucket_name parameter.

  • Only one set of geo restrictions is supported (geo_restrictions is an inline block). You can optionally specify the restrictions via the geo_restriction_type and geo_locations_list parameters.

  • Only one default cache behavior is supported (cache behaviors is an inline block). You can control the default cache settings using a number of parameters, including cached_methods, default_ttl, min_ttl, max_ttl, and many others (see vars.tf for the full list).

  • Only two error responses are supported (error responses is an inline block). You can specify the 404 and 500 response paths using the error_document_404 and error_document_500 parameters, respectively.

  • You can not specify specify query string parameters to cache (query_string_cache_keys is an inline block nested in an inline block).

  • custom_header is not yet supported as it consists of inline blocks in an inline block.

  • If configuring an Origin Group, due to an AWS limitation, only "GET", "HEAD", and "OPTIONS" methods are allowed for caching

If you absolutely need some of these features, the only solution available for now is to copy and paste this module into your own codebase, using it as a guide, and adding the tweaks you need.

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S S3-CLOUDFRONT MODULE
# ------------------------------------------------------------------------------------------------------

module "s_3_cloudfront" {

source = "git::git@github.com:gruntwork-io/terraform-aws-static-assets.git//modules/s3-cloudfront?ref=v0.19.1"

# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------

# The name of the S3 bucket.
bucket_name = <string>

# The default amount of time, in seconds, that an object is in a CloudFront
# cache before CloudFront forwards another request in the absence of an
# 'Cache-Control max-age' or 'Expires' header.
default_ttl = <number>

# The path that you want CloudFront to query on the origin server when an end
# user requests the root URL (e.g. index.html).
index_document = <string>

# The maximum amount of time, in seconds, that an object is in a CloudFront
# cache before CloudFront forwards another request to your origin to determine
# whether the object has been updated. Only effective in the presence of
# 'Cache-Control max-age', 'Cache-Control s-maxage', and 'Expires' headers.
max_ttl = <number>

# The minimum amount of time that you want objects to stay in CloudFront
# caches before CloudFront queries your origin to see whether the object has
# been updated.
min_ttl = <number>

# Set to true if your S3 bucket is configured as a website and publicly
# accessible. Set to false if it's a regular S3 bucket and only privately
# accessible to CloudFront. If it's a public website, you can use all the S3
# website features (e.g. routing, error pages), but users can bypass
# CloudFront and talk to S3 directly. If it's a private S3 bucket, users can
# only reach it via CloudFront, but you don't get all the website features.
s3_bucket_is_public_website = <string>

# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------

# The folder in the access logs bucket where logs should be written.
access_log_prefix = null

# The suffix for the access logs bucket where logs should be written.
access_logs_bucket_suffix = "cloudfront-logs"

# Set to true to enable versioning for the access logs S3 bucket. If enabled,
# instead of overriding objects, the S3 bucket will always create a new
# version of each object, so all the old values are retained.
access_logs_enable_versioning = false

# How many days to keep access logs around for before deleting them.
access_logs_expiration_time_in_days = 30

# The ARN of the AWS Certificate Manager certificate that you wish to use with
# this distribution. The ACM certificate must be in us-east-1. You must set
# exactly one of var.use_cloudfront_default_certificate,
# var.acm_certificate_arn, or var.iam_certificate_id.
acm_certificate_arn = ""

# A Map with the bucket name as key and the additional information about
# region and v4_auth as values.
additional_bucket_information = {}

# Controls which HTTP methods CloudFront will forward to the S3 bucket.
allowed_methods = ["DELETE","GET","HEAD","OPTIONS","PATCH","POST","PUT"]

# Controls which HTTP methods CloudFront will forward to Origin Group.
# Currently only allows GET,HEAD, and OPTIONS
allowed_origin_group_methods = ["GET","HEAD","OPTIONS"]

# The domain name associated with a hosted zone in Route 53. Usually the base
# domain name of one of the var.domain_names (e.g. foo.com). This is used to
# find the hosted zone that will be used for the CloudFront distribution.
base_domain_name = null

# The tags associated with var.base_domain_name. If there are multiple hosted
# zones for the same base_domain_name, this will help filter the hosted zones
# so that the correct hosted zone is found.
base_domain_name_tags = {}

# The origin protocol policy to apply to the S3 bucket origin. Must be one of
# http-only, https-only, and match-viewer.
bucket_origin_config_protocol_policy = "http-only"

# The SSL/TLS protocols that you want CloudFront to use when communicating
# with the S3 bucket over HTTPS. A list of one or more of SSLv3, TLSv1,
# TLSv1.1, and TLSv1.2.
bucket_origin_config_ssl_protocols = ["TLSv1.2"]

# Set a custom origin_id to be used. If not set, the default bucket_name will
# be used. Defaults to null (not set).
bucket_origin_id = null

# Set a custom target_origin_id to be used. If not set, the default
# bucket_name will be used. Defaults to null (not set).
bucket_target_origin_id = null

# The website endpoint for this S3 bucket. This value should be of the format
# <BUCKET_NAME>.s3-website-<AWS_REGION>.amazonaws.com. Only used if
# var.s3_bucket_is_public_website is true.
bucket_website_endpoint = null

# CloudFront will cache the responses for these methods.
cached_methods = ["GET","HEAD"]

# Whether you want CloudFront to automatically compress content for web
# requests that include 'Accept-Encoding: gzip' in the request header.
compress = true

# If set to true, create a DNS A Record in Route 53 with each domain name in
# var.domain_names.
create_route53_entries = false

# A map of custom tags to apply to the S3 bucket and Cloudfront Distribution.
# The key is the tag name and the value is the tag value.
custom_tags = {}

# Unique identifier of the cache policy that is attached to the default cache
# behavior. If this var is enabled, forwarded_values will not be set.
default_cache_policy_id = null

# A list of existing CloudFront functions to associate with the default cached
# behavior. CloudFront functions are lightweight alternatives to Lambda for
# high-scale, latency sensitive CDN customizations
default_function_associations = []

# A list of existing Lambda@Edge functions to associate with the default
# cached behavior. Lambda version must be a published version and cannot be
# `$LATEST` (See
# https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#lambda_function_association
# for available options).
default_lambda_associations = []

# Unique identifier of the origin request policy that is attached to the
# behavior. This variable can be passed only if a default_cache_policy_id is
# specified as well.
default_origin_request_policy_id = null

# Option to disable cloudfront log delivery to s3. This is required in
# regions where cloudfront cannot deliver logs to s3, see
# https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3-bucket
disable_logging = false

# The custom domain name to use instead of the default cloudfront.net domain
# name (e.g. static.foo.com). Only used if var.create_route53_entries is true.
domain_names = []

# Whether the distribution is enabled to accept end user requests for content.
enabled = true

# The error responses you want CloudFront to return to the viewer.
error_responses = null

# The name of an existing logging bucket to use instead of creating.
existing_s3_log_bucket_name = null

# The website endpoints for each failover S3 bucket. This value of each should
# be of the format <BUCKET_NAME>.s3-website-<AWS_REGION>.amazonaws.com. Only
# used if var.s3_bucket_is_public_website is true, and if you are providing a
# failover S3 bucket to be used in a CloudFront Origin Group configuration.
failover_bucket_website_endpoints = []

# The list of the names of the failover S3 buckets. Provide if you wish to
# configure a CloudFront distribution with an Origin Group.
failover_buckets = []

# List of HTTP status codes to configure the Origin Group to fail over on.
# Provide if you wish to not failover on all provided 4xx and 5xx status
# codes.
failover_status_codes = [500,502,503,504,404,403]

# If set to true, this will force the delete of the access logs S3 bucket when
# you run terraform destroy, even if there is still content in it. This is
# only meant for testing and should not be used in production.
force_destroy_access_logs_bucket = false

# Specifies whether you want CloudFront to forward cookies to the origin that
# is associated with this cache behavior. You can specify all, none or
# whitelist. If whitelist, you must define var.whitelisted_cookie_names.
forward_cookies = "none"

# The headers you want CloudFront to forward to the origin. Set to * to
# forward all headers.
forward_headers = []

# Indicates whether you want CloudFront to forward query strings to the
# origin. If set to true, CloudFront will cache all query string parameters.
forward_query_string = true

# The ISO 3166-1-alpha-2 codes for which you want CloudFront either to
# distribute your content (if var.geo_restriction_type is whitelist) or not
# distribute your content (if var.geo_restriction_type is blacklist).
geo_locations_list = []

# The method that you want to use to restrict distribution of your content by
# country: none, whitelist, or blacklist.
geo_restriction_type = "none"

# The ID of the Route 53 Hosted Zone in which to create the DNS A Records
# specified in var.domain_names. Only used if var.create_route53_entries is
# true.
hosted_zone_id = null

# The maximum HTTP version to support on the distribution. Allowed values are
# http1.1 and http2.
http_version = "http2"

# The IAM certificate identifier of the custom viewer certificate for this
# distribution if you are using a custom domain. You must set exactly one of
# var.use_cloudfront_default_certificate, var.acm_certificate_arn, or
# var.iam_certificate_id.
iam_certificate_id = ""

# Specifies whether you want CloudFront to include cookies in access logs.
include_cookies_in_logs = false

# Whether the IPv6 is enabled for the distribution.
is_ipv6_enabled = true

# The minimum version of the SSL protocol that you want CloudFront to use for
# HTTPS connections. One of SSLv3 or TLSv1. Default: SSLv3. NOTE: If you are
# using a custom certificate (specified with acm_certificate_arn or
# iam_certificate_id), and have specified sni-only in ssl_support_method,
# TLSv1 must be specified.
minimum_protocol_version = "TLSv1"

# An ordered list of cache behaviors resource for this distribution. List from
# top to bottom in order of precedence. The topmost cache behavior will have
# precedence 0.
ordered_cache_behaviors = []

# The price class for this distribution. One of PriceClass_All,
# PriceClass_200, PriceClass_100. Higher price classes support more edge
# locations, but cost more. See:
# https://aws.amazon.com/cloudfront/pricing/#price-classes.
price_class = "PriceClass_100"

# Whether the Route 53 Hosted Zone associated with var.base_domain_name is
# private.
private_zone = false

# ID of response headers policy to apply to this CloudFront distribution.
response_headers_policy_id = null

# If set, CloudFront will request all content from the specified folder,
# rather than the root of the S3 bucket.
s3_bucket_base_path = null

# Specifies how you want CloudFront to serve HTTPS requests. One of vip or
# sni-only. Required if you specify acm_certificate_arn or iam_certificate_id.
# NOTE: vip causes CloudFront to use a dedicated IP address and may incur
# extra charges.
ssl_support_method = "sni-only"

# The list of key group IDs that CloudFront can use to validate signed URLs or
# signed cookies. Only used if trusted_signers is empty.
trusted_key_groups = []

# The list of AWS account IDs that you want to allow to create signed URLs for
# private content.
trusted_signers = []

# In older AWS accounts, you must set this variable to true to use the ARN of
# the CloudFront log delivery AWS account in the access log bucket policy. In
# newer AWS accounts, you must set this variable to false to use the
# CanonicalUser ID of the CloudFront log delivery account. If you pick the
# wrong value, you'll get a perpetual diff on the IAM policy. See
# https://github.com/terraform-providers/terraform-provider-aws/issues/10158
# for context.
use_cloudfront_arn_for_bucket_policy = false

# Set to true if you want viewers to use HTTPS to request your objects and
# you're using the CloudFront domain name for your distribution. You must set
# exactly one of var.use_cloudfront_default_certificate,
# var.acm_certificate_arn, or var.iam_certificate_id.
use_cloudfront_default_certificate = true

# Enable the use of CloudFront OAC. Enabling the use of OAC will disable
# Origin Access Identity (OAI)
use_cloudfront_origin_access_control = false

# Use this element to specify the protocol that users can use to access the
# files in the origin specified by TargetOriginId when a request matches the
# path pattern in PathPattern. One of allow-all, https-only, or
# redirect-to-https.
viewer_protocol_policy = "allow-all"

# If enabled, the resource will wait for the distribution status to change
# from InProgress to Deployed, which can take quite a long time in
# Cloudfront's case. Setting this to false will skip the process.
wait_for_deployment = true

# If you're using AWS WAF to filter CloudFront requests, the Id of the AWS WAF
# web ACL that is associated with the distribution.
web_acl_id = null

# If you have specified whitelist in var.forward_cookies, the whitelisted
# cookies that you want CloudFront to forward to your origin.
whitelisted_cookie_names = []

}


Reference

Required

bucket_namestringrequired

The name of the S3 bucket.

default_ttlnumberrequired

The default amount of time, in seconds, that an object is in a CloudFront cache before CloudFront forwards another request in the absence of an 'Cache-Control max-age' or 'Expires' header.

index_documentstringrequired

The path that you want CloudFront to query on the origin server when an end user requests the root URL (e.g. index.html).

max_ttlnumberrequired

The maximum amount of time, in seconds, that an object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated. Only effective in the presence of 'Cache-Control max-age', 'Cache-Control s-maxage', and 'Expires' headers.

min_ttlnumberrequired

The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated.

Set to true if your S3 bucket is configured as a website and publicly accessible. Set to false if it's a regular S3 bucket and only privately accessible to CloudFront. If it's a public website, you can use all the S3 website features (e.g. routing, error pages), but users can bypass CloudFront and talk to S3 directly. If it's a private S3 bucket, users can only reach it via CloudFront, but you don't get all the website features.

Optional

access_log_prefixstringoptional

The folder in the access logs bucket where logs should be written.

null

The suffix for the access logs bucket where logs should be written.

"cloudfront-logs"

Set to true to enable versioning for the access logs S3 bucket. If enabled, instead of overriding objects, the S3 bucket will always create a new version of each object, so all the old values are retained.

false

How many days to keep access logs around for before deleting them.

30
acm_certificate_arnstringoptional

The ARN of the AWS Certificate Manager certificate that you wish to use with this distribution. The ACM certificate must be in us-east-1. You must set exactly one of use_cloudfront_default_certificate, acm_certificate_arn, or iam_certificate_id.

""
additional_bucket_informationmap(object(…))optional

A Map with the bucket name as key and the additional information about region and v4_auth as values.

map(object({
region = string
v4_auth = bool
}))
{}
Example
   {
bucket-name = {
region = "eu-central-1"
v4_auth = true
}
}

allowed_methodslist(string)optional

Controls which HTTP methods CloudFront will forward to the S3 bucket.

[
"DELETE",
"GET",
"HEAD",
"OPTIONS",
"PATCH",
"POST",
"PUT"
]
allowed_origin_group_methodslist(string)optional

Controls which HTTP methods CloudFront will forward to Origin Group. Currently only allows GET,HEAD, and OPTIONS

[
"GET",
"HEAD",
"OPTIONS"
]
base_domain_namestringoptional

The domain name associated with a hosted zone in Route 53. Usually the base domain name of one of the domain_names (e.g. foo.com). This is used to find the hosted zone that will be used for the CloudFront distribution.

null
base_domain_name_tagsmap(any)optional

The tags associated with base_domain_name. If there are multiple hosted zones for the same base_domain_name, this will help filter the hosted zones so that the correct hosted zone is found.

Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
{}

The origin protocol policy to apply to the S3 bucket origin. Must be one of http-only, https-only, and match-viewer.

"http-only"

The SSL/TLS protocols that you want CloudFront to use when communicating with the S3 bucket over HTTPS. A list of one or more of SSLv3, TLSv1, TLSv1.1, and TLSv1.2.

[ "TLSv1.2" ]
bucket_origin_idstringoptional

Set a custom origin_id to be used. If not set, the default bucket_name will be used. Defaults to null (not set).

null

Set a custom target_origin_id to be used. If not set, the default bucket_name will be used. Defaults to null (not set).

null

The website endpoint for this S3 bucket. This value should be of the format <BUCKET_NAME>.s3-website-<AWS_REGION>.amazonaws.com. Only used if s3_bucket_is_public_website is true.

null
cached_methodslist(string)optional

CloudFront will cache the responses for these methods.

[
"GET",
"HEAD"
]
compressbooloptional

Whether you want CloudFront to automatically compress content for web requests that include 'Accept-Encoding: gzip' in the request header.

true

If set to true, create a DNS A Record in Route 53 with each domain name in domain_names.

false
custom_tagsmap(string)optional

A map of custom tags to apply to the S3 bucket and Cloudfront Distribution. The key is the tag name and the value is the tag value.

{}

Unique identifier of the cache policy that is attached to the default cache behavior. If this var is enabled, forwarded_values will not be set.

null
default_function_associationslist(object(…))optional

A list of existing CloudFront functions to associate with the default cached behavior. CloudFront functions are lightweight alternatives to Lambda for high-scale, latency sensitive CDN customizations

list(object({
event_type = string
function_arn = string
}))
[]
default_lambda_associationslist(object(…))optional

A list of existing Lambda@Edge functions to associate with the default cached behavior. Lambda version must be a published version and cannot be $LATEST (See https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#lambda_function_association for available options).

list(object({
event_type = string
lambda_arn = string
include_body = bool
}))
[]

Unique identifier of the origin request policy that is attached to the behavior. This variable can be passed only if a default_cache_policy_id is specified as well.

null
disable_loggingbooloptional

Option to disable cloudfront log delivery to s3. This is required in regions where cloudfront cannot deliver logs to s3, see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3-bucket

false
domain_nameslist(string)optional

The custom domain name to use instead of the default cloudfront.net domain name (e.g. static.foo.com). Only used if create_route53_entries is true.

[]
enabledbooloptional

Whether the distribution is enabled to accept end user requests for content.

true
error_responsesmapoptional

The error responses you want CloudFront to return to the viewer.

null

The name of an existing logging bucket to use instead of creating.

null

The website endpoints for each failover S3 bucket. This value of each should be of the format <BUCKET_NAME>.s3-website-<AWS_REGION>.amazonaws.com. Only used if s3_bucket_is_public_website is true, and if you are providing a failover S3 bucket to be used in a CloudFront Origin Group configuration.

[]
failover_bucketslist(string)optional

The list of the names of the failover S3 buckets. Provide if you wish to configure a CloudFront distribution with an Origin Group.

[]
failover_status_codeslist(number)optional

List of HTTP status codes to configure the Origin Group to fail over on. Provide if you wish to not failover on all provided 4xx and 5xx status codes.

[
500,
502,
503,
504,
404,
403
]

If set to true, this will force the delete of the access logs S3 bucket when you run terraform destroy, even if there is still content in it. This is only meant for testing and should not be used in production.

false
forward_cookiesstringoptional

Specifies whether you want CloudFront to forward cookies to the origin that is associated with this cache behavior. You can specify all, none or whitelist. If whitelist, you must define whitelisted_cookie_names.

"none"
forward_headerslist(string)optional

The headers you want CloudFront to forward to the origin. Set to * to forward all headers.

[]

Indicates whether you want CloudFront to forward query strings to the origin. If set to true, CloudFront will cache all query string parameters.

true
geo_locations_listlist(string)optional

The ISO 3166-1-alpha-2 codes for which you want CloudFront either to distribute your content (if geo_restriction_type is whitelist) or not distribute your content (if geo_restriction_type is blacklist).

[]
geo_restriction_typestringoptional

The method that you want to use to restrict distribution of your content by country: none, whitelist, or blacklist.

"none"
hosted_zone_idstringoptional

The ID of the Route 53 Hosted Zone in which to create the DNS A Records specified in domain_names. Only used if create_route53_entries is true.

null
http_versionstringoptional

The maximum HTTP version to support on the distribution. Allowed values are http1.1 and http2.

"http2"
iam_certificate_idstringoptional

The IAM certificate identifier of the custom viewer certificate for this distribution if you are using a custom domain. You must set exactly one of use_cloudfront_default_certificate, acm_certificate_arn, or iam_certificate_id.

""

Specifies whether you want CloudFront to include cookies in access logs.

false
is_ipv6_enabledbooloptional

Whether the IPv6 is enabled for the distribution.

true

The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections. One of SSLv3 or TLSv1. Default: SSLv3. NOTE: If you are using a custom certificate (specified with acm_certificate_arn or iam_certificate_id), and have specified sni-only in ssl_support_method, TLSv1 must be specified.

"TLSv1"
ordered_cache_behaviorslist(any)optional

An ordered list of cache behaviors resource for this distribution. List from top to bottom in order of precedence. The topmost cache behavior will have precedence 0.

Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo.
[]
price_classstringoptional

The price class for this distribution. One of PriceClass_All, PriceClass_200, PriceClass_100. Higher price classes support more edge locations, but cost more. See: https://aws.amazon.com/cloudfront/pricing/#price-classes.

"PriceClass_100"
private_zonebooloptional

Whether the Route 53 Hosted Zone associated with base_domain_name is private.

false

ID of response headers policy to apply to this CloudFront distribution.

null
s3_bucket_base_pathstringoptional

If set, CloudFront will request all content from the specified folder, rather than the root of the S3 bucket.

null
ssl_support_methodstringoptional

Specifies how you want CloudFront to serve HTTPS requests. One of vip or sni-only. Required if you specify acm_certificate_arn or iam_certificate_id. NOTE: vip causes CloudFront to use a dedicated IP address and may incur extra charges.

"sni-only"
trusted_key_groupslist(string)optional

The list of key group IDs that CloudFront can use to validate signed URLs or signed cookies. Only used if trusted_signers is empty.

[]
trusted_signerslist(string)optional

The list of AWS account IDs that you want to allow to create signed URLs for private content.

[]

In older AWS accounts, you must set this variable to true to use the ARN of the CloudFront log delivery AWS account in the access log bucket policy. In newer AWS accounts, you must set this variable to false to use the CanonicalUser ID of the CloudFront log delivery account. If you pick the wrong value, you'll get a perpetual diff on the IAM policy. See https://github.com/terraform-providers/terraform-provider-aws/issues/10158 for context.

false

Set to true if you want viewers to use HTTPS to request your objects and you're using the CloudFront domain name for your distribution. You must set exactly one of use_cloudfront_default_certificate, acm_certificate_arn, or iam_certificate_id.

true

Enable the use of CloudFront OAC. Enabling the use of OAC will disable Origin Access Identity (OAI)

false

Use this element to specify the protocol that users can use to access the files in the origin specified by TargetOriginId when a request matches the path pattern in PathPattern. One of allow-all, https-only, or redirect-to-https.

"allow-all"

If enabled, the resource will wait for the distribution status to change from InProgress to Deployed, which can take quite a long time in Cloudfront's case. Setting this to false will skip the process.

true
web_acl_idstringoptional

If you're using AWS WAF to filter CloudFront requests, the Id of the AWS WAF web ACL that is associated with the distribution.

null
whitelisted_cookie_nameslist(string)optional

If you have specified whitelist in forward_cookies, the whitelisted cookies that you want CloudFront to forward to your origin.

[]