feat: spa-s3-cloudfront creates cache policies (#1061)

Co-authored-by: Dan Miller <[email protected]>

modules/spa-s3-cloudfront/README.md

@@ -165,6 +165,8 @@ components:
 
 | Name | Type |
 |------|------|
+| [aws_cloudfront_cache_policy.created_cache_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_cache_policy) | resource |
+| [aws_cloudfront_origin_request_policy.created_origin_request_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_request_policy) | resource |
 | [aws_iam_policy.additional_lambda_edge_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.github_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.additional_lambda_edge_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -236,7 +238,7 @@ components:
 | <a name="input_lambda_edge_runtime"></a> [lambda\_edge\_runtime](#input\_lambda\_edge\_runtime) | The default Lambda@Edge runtime for all functions.<br><br>This value is deep merged in `module.lambda_edge_functions` with `var.lambda_edge_functions` and can be overwritten for any individual function. | `string` | `"nodejs16.x"` | no |
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
-| <a name="input_ordered_cache"></a> [ordered\_cache](#input\_ordered\_cache) | An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.<br>List in order of precedence (first match wins). This is in addition to the default cache policy.<br>Set `target_origin_id` to `""` to specify the S3 bucket origin created by this module. | <pre>list(object({<br>    target_origin_id = string<br>    path_pattern     = string<br><br>    allowed_methods    = list(string)<br>    cached_methods     = list(string)<br>    compress           = bool<br>    trusted_signers    = list(string)<br>    trusted_key_groups = list(string)<br><br>    cache_policy_id          = string<br>    origin_request_policy_id = string<br><br>    viewer_protocol_policy     = string<br>    min_ttl                    = number<br>    default_ttl                = number<br>    max_ttl                    = number<br>    response_headers_policy_id = string<br><br>    forward_query_string              = bool<br>    forward_header_values             = list(string)<br>    forward_cookies                   = string<br>    forward_cookies_whitelisted_names = list(string)<br><br>    lambda_function_association = list(object({<br>      event_type   = string<br>      include_body = bool<br>      lambda_arn   = string<br>    }))<br><br>    function_association = list(object({<br>      event_type   = string<br>      function_arn = string<br>    }))<br>  }))</pre> | `[]` | no |
+| <a name="input_ordered_cache"></a> [ordered\_cache](#input\_ordered\_cache) | An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.<br>List in order of precedence (first match wins). This is in addition to the default cache policy.<br>Set `target_origin_id` to `""` to specify the S3 bucket origin created by this module.<br>Set `cache_policy_id` to `""` to use `cache_policy_name` for creating a new policy. At least one of the two must be set.<br>Set `origin_request_policy_id` to `""` to use `origin_request_policy_name` for creating a new policy. At least one of the two must be set. | <pre>list(object({<br>    target_origin_id = string<br>    path_pattern     = string<br><br>    allowed_methods    = list(string)<br>    cached_methods     = list(string)<br>    compress           = bool<br>    trusted_signers    = list(string)<br>    trusted_key_groups = list(string)<br><br>    cache_policy_name          = optional(string)<br>    cache_policy_id            = optional(string)<br>    origin_request_policy_name = optional(string)<br>    origin_request_policy_id   = optional(string)<br><br>    viewer_protocol_policy     = string<br>    min_ttl                    = number<br>    default_ttl                = number<br>    max_ttl                    = number<br>    response_headers_policy_id = string<br><br>    forward_query_string              = bool<br>    forward_header_values             = list(string)<br>    forward_cookies                   = string<br>    forward_cookies_whitelisted_names = list(string)<br><br>    lambda_function_association = list(object({<br>      event_type   = string<br>      include_body = bool<br>      lambda_arn   = string<br>    }))<br><br>    function_association = list(object({<br>      event_type   = string<br>      function_arn = string<br>    }))<br>  }))</pre> | `[]` | no |
 | <a name="input_origin_allow_ssl_requests_only"></a> [origin\_allow\_ssl\_requests\_only](#input\_origin\_allow\_ssl\_requests\_only) | Set to `true` in order to have the origin bucket require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `true` | no |
 | <a name="input_origin_deployment_actions"></a> [origin\_deployment\_actions](#input\_origin\_deployment\_actions) | List of actions to permit `origin_deployment_principal_arns` to perform on bucket and bucket prefixes (see `origin_deployment_principal_arns`) | `list(string)` | <pre>[<br>  "s3:PutObject",<br>  "s3:PutObjectAcl",<br>  "s3:GetObject",<br>  "s3:DeleteObject",<br>  "s3:ListBucket",<br>  "s3:ListBucketMultipartUploads",<br>  "s3:GetBucketLocation",<br>  "s3:AbortMultipartUpload"<br>]</pre> | no |
 | <a name="input_origin_deployment_principal_arns"></a> [origin\_deployment\_principal\_arns](#input\_origin\_deployment\_principal\_arns) | List of role ARNs to grant deployment permissions to the origin Bucket. | `list(string)` | `[]` | no |

modules/spa-s3-cloudfront/main.tf

@@ -106,7 +106,7 @@ module "spa_web" {
   min_ttl               = local.cloudfront_min_ttl
   max_ttl               = local.cloudfront_max_ttl
 
-  ordered_cache         = var.ordered_cache
+  ordered_cache         = local.ordered_cache
   forward_cookies       = var.forward_cookies
   forward_header_values = local.forward_header_values
 

modules/spa-s3-cloudfront/ordered_cache.tf

@@ -0,0 +1,49 @@
+resource "aws_cloudfront_cache_policy" "created_cache_policies" {
+  for_each = {
+    for cache in var.ordered_cache : cache.cache_policy_name => cache if cache.cache_policy_id == null
+  }
+
+  comment     = var.comment
+  default_ttl = each.value.default_ttl
+  max_ttl     = each.value.max_ttl
+  min_ttl     = each.value.min_ttl
+  name        = each.value.cache_policy_name
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config {
+      cookie_behavior = "none"
+    }
+    headers_config {
+      header_behavior = "none"
+    }
+    query_strings_config {
+      query_string_behavior = "none"
+    }
+  }
+}
+
+resource "aws_cloudfront_origin_request_policy" "created_origin_request_policies" {
+  for_each = {
+    for cache in var.ordered_cache : cache.origin_request_policy_name => cache if cache.origin_request_policy_id == null
+  }
+
+  comment = var.comment
+  name    = each.value.origin_request_policy_name
+  cookies_config {
+    cookie_behavior = "none"
+  }
+  headers_config {
+    header_behavior = "none"
+  }
+  query_strings_config {
+    query_string_behavior = "none"
+  }
+}
+
+locals {
+  ordered_cache = [
+    for cache in var.ordered_cache : merge(cache, {
+      cache_policy_id          = cache.cache_policy_id == null ? aws_cloudfront_cache_policy.created_cache_policies[cache.cache_policy_name].id : cache.cache_policy_id
+      origin_request_policy_id = cache.origin_request_policy_id == null ? aws_cloudfront_origin_request_policy.created_origin_request_policies[cache.origin_request_policy_name].id : cache.origin_request_policy_id
+    })
+  ]
+}

modules/spa-s3-cloudfront/variables.tf

@@ -398,8 +398,10 @@ variable "ordered_cache" {
     trusted_signers    = list(string)
     trusted_key_groups = list(string)
 
-    cache_policy_id          = string
-    origin_request_policy_id = string
+    cache_policy_name          = optional(string)
+    cache_policy_id            = optional(string)
+    origin_request_policy_name = optional(string)
+    origin_request_policy_id   = optional(string)
 
     viewer_protocol_policy     = string
     min_ttl                    = number
@@ -428,6 +430,8 @@ variable "ordered_cache" {
     An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.
     List in order of precedence (first match wins). This is in addition to the default cache policy.
     Set `target_origin_id` to `""` to specify the S3 bucket origin created by this module.
+    Set `cache_policy_id` to `""` to use `cache_policy_name` for creating a new policy. At least one of the two must be set.
+    Set `origin_request_policy_id` to `""` to use `origin_request_policy_name` for creating a new policy. At least one of the two must be set.
     EOT
 }