diff --git a/modules/spa-s3-cloudfront/README.md b/modules/spa-s3-cloudfront/README.md
index 60c2b8263..ab362226e 100644
--- a/modules/spa-s3-cloudfront/README.md
+++ b/modules/spa-s3-cloudfront/README.md
@@ -165,6 +165,8 @@ components:
| Name | Type |
|------|------|
+| [aws_cloudfront_cache_policy.created_cache_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_cache_policy) | resource |
+| [aws_cloudfront_origin_request_policy.created_origin_request_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_request_policy) | resource |
| [aws_iam_policy.additional_lambda_edge_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.github_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.additional_lambda_edge_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -236,7 +238,7 @@ components:
| [lambda\_edge\_runtime](#input\_lambda\_edge\_runtime) | The default Lambda@Edge runtime for all functions.
This value is deep merged in `module.lambda_edge_functions` with `var.lambda_edge_functions` and can be overwritten for any individual function. | `string` | `"nodejs16.x"` | no |
| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
-| [ordered\_cache](#input\_ordered\_cache) | An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.
List in order of precedence (first match wins). This is in addition to the default cache policy.
Set `target_origin_id` to `""` to specify the S3 bucket origin created by this module. |
list(object({| `[]` | no | +| [ordered\_cache](#input\_ordered\_cache) | An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.
target_origin_id = string
path_pattern = string
allowed_methods = list(string)
cached_methods = list(string)
compress = bool
trusted_signers = list(string)
trusted_key_groups = list(string)
cache_policy_id = string
origin_request_policy_id = string
viewer_protocol_policy = string
min_ttl = number
default_ttl = number
max_ttl = number
response_headers_policy_id = string
forward_query_string = bool
forward_header_values = list(string)
forward_cookies = string
forward_cookies_whitelisted_names = list(string)
lambda_function_association = list(object({
event_type = string
include_body = bool
lambda_arn = string
}))
function_association = list(object({
event_type = string
function_arn = string
}))
}))
list(object({| `[]` | no | | [origin\_allow\_ssl\_requests\_only](#input\_origin\_allow\_ssl\_requests\_only) | Set to `true` in order to have the origin bucket require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `true` | no | | [origin\_deployment\_actions](#input\_origin\_deployment\_actions) | List of actions to permit `origin_deployment_principal_arns` to perform on bucket and bucket prefixes (see `origin_deployment_principal_arns`) | `list(string)` |
target_origin_id = string
path_pattern = string
allowed_methods = list(string)
cached_methods = list(string)
compress = bool
trusted_signers = list(string)
trusted_key_groups = list(string)
cache_policy_name = optional(string)
cache_policy_id = optional(string)
origin_request_policy_name = optional(string)
origin_request_policy_id = optional(string)
viewer_protocol_policy = string
min_ttl = number
default_ttl = number
max_ttl = number
response_headers_policy_id = string
forward_query_string = bool
forward_header_values = list(string)
forward_cookies = string
forward_cookies_whitelisted_names = list(string)
lambda_function_association = list(object({
event_type = string
include_body = bool
lambda_arn = string
}))
function_association = list(object({
event_type = string
function_arn = string
}))
}))
[| no | | [origin\_deployment\_principal\_arns](#input\_origin\_deployment\_principal\_arns) | List of role ARNs to grant deployment permissions to the origin Bucket. | `list(string)` | `[]` | no |
diff --git a/modules/spa-s3-cloudfront/main.tf b/modules/spa-s3-cloudfront/main.tf
index 240593db4..29b5aa03c 100644
--- a/modules/spa-s3-cloudfront/main.tf
+++ b/modules/spa-s3-cloudfront/main.tf
@@ -106,7 +106,7 @@ module "spa_web" {
 min_ttl = local.cloudfront_min_ttl
 max_ttl = local.cloudfront_max_ttl
- ordered_cache = var.ordered_cache
+ ordered_cache = local.ordered_cache
 forward_cookies = var.forward_cookies
 forward_header_values = local.forward_header_values
diff --git a/modules/spa-s3-cloudfront/ordered_cache.tf b/modules/spa-s3-cloudfront/ordered_cache.tf
new file mode 100644
index 000000000..0b68f3c2b
--- /dev/null
+++ b/modules/spa-s3-cloudfront/ordered_cache.tf
@@ -0,0 +1,49 @@
+resource "aws_cloudfront_cache_policy" "created_cache_policies" {
+ for_each = {
+ for cache in var.ordered_cache : cache.cache_policy_name => cache if cache.cache_policy_id == null
+ }
+
+ comment = var.comment
+ default_ttl = each.value.default_ttl
+ max_ttl = each.value.max_ttl
+ min_ttl = each.value.min_ttl
+ name = each.value.cache_policy_name
+ parameters_in_cache_key_and_forwarded_to_origin {
+ cookies_config {
+ cookie_behavior = "none"
+ }
+ headers_config {
+ header_behavior = "none"
+ }
+ query_strings_config {
+ query_string_behavior = "none"
+ }
+ }
+}
+
+resource "aws_cloudfront_origin_request_policy" "created_origin_request_policies" {
+ for_each = {
+ for cache in var.ordered_cache : cache.origin_request_policy_name => cache if cache.origin_request_policy_id == null
+ }
+
+ comment = var.comment
+ name = each.value.origin_request_policy_name
+ cookies_config {
+ cookie_behavior = "none"
+ }
+ headers_config {
+ header_behavior = "none"
+ }
+ query_strings_config {
+ query_string_behavior = "none"
+ }
+}
+
+locals {
+ ordered_cache = [
+ for cache in var.ordered_cache : merge(cache, {
+ cache_policy_id = cache.cache_policy_id == null ? aws_cloudfront_cache_policy.created_cache_policies[cache.cache_policy_name].id : cache.cache_policy_id
+ origin_request_policy_id = cache.origin_request_policy_id == null ? aws_cloudfront_origin_request_policy.created_origin_request_policies[cache.origin_request_policy_name].id : cache.origin_request_policy_id
+ })
+ ]
+}
diff --git a/modules/spa-s3-cloudfront/variables.tf b/modules/spa-s3-cloudfront/variables.tf
index 1505e784d..2831bb64c 100644
--- a/modules/spa-s3-cloudfront/variables.tf
+++ b/modules/spa-s3-cloudfront/variables.tf
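Review bot: The filters `if cache.cache_policy_id == null` and `if cache.origin_request_policy_id == null` in the two `for_each` blocks, and the matching `== null` ternaries in `locals.ordered_cache`, treat only null as "no id supplied", while the description added in the variables.tf hunk tells users to set the id to `""` to have a policy created; an entry written that way gets no policy created and `""` is passed through as `cache_policy_id`. An entry with neither the id nor the name set also reaches `for_each` with a null map key instead of a clear message. Both conditions should be computed once per entry and reused by the filter and the ternary so they cannot drift, with the null-name case rejected by a `validation` block on the variable rather than here. Note also that the created policies hard-code `"none"` for cookies, headers and query strings, so an entry's `forward_query_string`, `forward_header_values` and `forward_cookies` fields have no effect on a created policy and requests that differ only in those parts share one cached object; a comment stating that above the two resources would save the next reader a surprise.
```hcl
locals {
  # null and "" both mean "no existing policy id was given"; computed once so the
  # for_each filters and the id lookups below cannot disagree.
  create_cache_policy          = [for cache in var.ordered_cache : cache.cache_policy_id == null || cache.cache_policy_id == ""]
  create_origin_request_policy = [for cache in var.ordered_cache : cache.origin_request_policy_id == null || cache.origin_request_policy_id == ""]
}

resource "aws_cloudfront_cache_policy" "created_cache_policies" {
  for_each = {
    for i, cache in var.ordered_cache : cache.cache_policy_name => cache if local.create_cache_policy[i]
  }
  # … unchanged: comment, ttls, name, parameters_in_cache_key_and_forwarded_to_origin …
}

resource "aws_cloudfront_origin_request_policy" "created_origin_request_policies" {
  for_each = {
    for i, cache in var.ordered_cache : cache.origin_request_policy_name => cache if local.create_origin_request_policy[i]
  }
  # … unchanged: comment, name, cookies/headers/query_strings config …
}

locals {
  ordered_cache = [
    for i, cache in var.ordered_cache : merge(cache, {
      cache_policy_id          = local.create_cache_policy[i] ? aws_cloudfront_cache_policy.created_cache_policies[cache.cache_policy_name].id : cache.cache_policy_id
      origin_request_policy_id = local.create_origin_request_policy[i] ? aws_cloudfront_origin_request_policy.created_origin_request_policies[cache.origin_request_policy_name].id : cache.origin_request_policy_id
    })
  ]
}
```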
@@ -398,8 +398,10 @@ variable "ordered_cache" {
 trusted_signers = list(string)
 trusted_key_groups = list(string)
- cache_policy_id = string
- origin_request_policy_id = string
+ cache_policy_name = optional(string)
+ cache_policy_id = optional(string)
+ origin_request_policy_name = optional(string)
+ origin_request_policy_id = optional(string)
 viewer_protocol_policy = string
 min_ttl = number
@@ -428,6 +430,8 @@ variable "ordered_cache" {
 An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.
 List in order of precedence (first match wins). This is in addition to the default cache policy.
 Set `target_origin_id` to `""` to specify the S3 bucket origin created by this module.
+ Set `cache_policy_id` to `""` to use `cache_policy_name` for creating a new policy. At least one of the two must be set.
+ Set `origin_request_policy_id` to `""` to use `origin_request_policy_name` for creating a new policy. At least one of the two must be set.
 EOT
 }
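Review bot: The description added in the second hunk says "At least one of the two must be set", but after the first hunk `cache_policy_id`, `cache_policy_name` and the origin-request pair are all `optional(string)` with no default, so an entry that sets neither passes type checking and only fails later, inside a `for_each` in ordered_cache.tf, with a null map key. A `validation` block on the variable turns that into a plan-time message that names the rule. Because the names become `for_each` keys, two entries that reuse one name with no id would also collide, so the same block is a natural place to require distinct names if that is not intended. The variable's `type` block begins before the first hunk.
```hcl
variable "ordered_cache" {
  # … unchanged: type and description …

  validation {
    condition     = alltrue([for cache in var.ordered_cache : (cache.cache_policy_id != null && cache.cache_policy_id != "") || (cache.cache_policy_name != null && cache.cache_policy_name != "")])
    error_message = "Each ordered_cache entry must set cache_policy_id or cache_policy_name."
  }

  validation {
    condition     = alltrue([for cache in var.ordered_cache : (cache.origin_request_policy_id != null && cache.origin_request_policy_id != "") || (cache.origin_request_policy_name != null && cache.origin_request_policy_name != "")])
    error_message = "Each ordered_cache entry must set origin_request_policy_id or origin_request_policy_name."
  }
}
```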
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload"
]