Merge pull request #10 from Flaconi/OPS-4735

OPS-4735 added optional Cloud Front functions
Flaconi · Dec 3, 2021 · 49599c0 · 49599c0
2 parents 4ad7317 + 32147af
commit 49599c0
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # Terraform module for CDN
 
-This module will create cdn endpoint with alias and SSL-certificate
+This module will create cdn endpoint with alias and SSL-certificate and optional Cloud Front functions.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
@@ -28,6 +28,7 @@ This module will create cdn endpoint with alias and SSL-certificate
 
 | Name | Type |
 |------|------|
+| [aws_cloudfront_function.functions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_function) | resource |
 | [aws_route53_record.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_s3_bucket_policy.s3_origin_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [null_resource.either_s3_origin_hostname_or_s3_origin_name_is_required](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
@@ -42,6 +43,7 @@ This module will create cdn endpoint with alias and SSL-certificate
 | <a name="input_r53_hostname"></a> [r53\_hostname](#input\_r53\_hostname) | Hostname for CloudFront alias | `string` | n/a | yes |
 | <a name="input_r53_zone_id"></a> [r53\_zone\_id](#input\_r53\_zone\_id) | Route53 zone ID to be used for hostname and certificate validation | `string` | n/a | yes |
 | <a name="input_cdn_logging"></a> [cdn\_logging](#input\_cdn\_logging) | Prefix in s3 bucket for cdn logs | `string` | `""` | no |
+| <a name="input_cf_functions"></a> [cf\_functions](#input\_cf\_functions) | The Cloud Front function configuration<br>    {type = object{}} ie. {"viewer-request" = object{}}<br>  *type:*<br>    Allowed cf event types are viewer-request and viewer-response<br>  *name:*<br>    Name of the function<br>  *comment:*<br>    Description of the function<br>  *code:*<br>    Source code of the function<br>  *assign:*<br>    true for associating the function with the cf distribution,<br>    false to remove the association. (to remove the cf function firstly set it<br>    to false to dissociate from the cf distribution) | <pre>map(object({<br>    name    = string<br>    comment = string<br>    code    = string<br>    assign  = bool<br>  }))</pre> | `{}` | no |
 | <a name="input_override_s3_origin_policy"></a> [override\_s3\_origin\_policy](#input\_override\_s3\_origin\_policy) | Overrides the S3-bucket policy to set OAI | `bool` | `false` | no |
 | <a name="input_s3_logging_hostname"></a> [s3\_logging\_hostname](#input\_s3\_logging\_hostname) | Hostname of S3-bucket to be used for logging | `string` | `""` | no |
 | <a name="input_s3_origin_hostname"></a> [s3\_origin\_hostname](#input\_s3\_origin\_hostname) | Hostname of S3-bucket to be used as origin | `string` | `""` | no |

diff --git a/main.tf b/main.tf
@@ -6,6 +6,8 @@ locals {
 
   origin_hostname        = local.origin_hostname_options[var.s3_origin_name != "" ? "use_name" : "use_host"]
   override_origin_policy = var.override_s3_origin_policy && var.s3_origin_name != ""
+
+  function_association = { for type, func in var.cf_functions : type => { function_arn = aws_cloudfront_function.functions[type].arn } if func.assign }
 }
 
 # Workaround for the input variable validation
@@ -70,10 +72,12 @@ module "cloudfront" {
     target_origin_id       = "s3_origin"
     viewer_protocol_policy = "redirect-to-https"
 
-    allowed_methods = ["GET", "HEAD", "OPTIONS"]
-    cached_methods  = ["GET", "HEAD"]
-    compress        = true
-    query_string    = false
+    allowed_methods      = ["GET", "HEAD", "OPTIONS"]
+    cached_methods       = ["GET", "HEAD"]
+    compress             = true
+    query_string         = false
+    function_association = local.function_association
+
   }
 
   viewer_certificate = {
@@ -115,3 +119,13 @@ resource "aws_route53_record" "this" {
     evaluate_target_health = false
   }
 }
+
+resource "aws_cloudfront_function" "functions" {
+  for_each = var.cf_functions
+
+  name    = each.value.name
+  runtime = "cloudfront-js-1.0"
+  comment = each.value.comment
+  publish = true
+  code    = each.value.code
+}
diff --git a/variables.tf b/variables.tf
@@ -49,3 +49,33 @@ variable "s3_origin_policy_restrict_access" {
   type        = string
   default     = "/*"
 }
+
+variable "cf_functions" {
+  description = <<EOT
+  The Cloud Front function configuration
+    {type = object{}} ie. {"viewer-request" = object{}}
+  *type:*
+    Allowed cf event types are viewer-request and viewer-response
+  *name:*
+    Name of the function
+  *comment:*
+    Description of the function
+  *code:*
+    Source code of the function
+  *assign:*
+    true for associating the function with the cf distribution,
+    false to remove the association. (to remove the cf function firstly set it
+    to false to dissociate from the cf distribution)
+  EOT
+  type = map(object({
+    name    = string
+    comment = string
+    code    = string
+    assign  = bool
+  }))
+  default = {}
+  validation {
+    condition     = alltrue([for type, func in var.cf_functions : contains(["viewer-request", "viewer-response"], type)])
+    error_message = "Only the following event types are allowed: viewer-request, viewer-response."
+  }
+}