CloudFront

resource "random_string" "cf_random" {
  length           = 4
  upper            = false
  lower            = true
  numeric          = false
  special          = false
}

resource "aws_s3_bucket_policy" "cdn_oac_policy" {
  bucket = aws_s3_bucket.s3.id
  policy = data.aws_iam_policy_document.s3.json
}

data "aws_iam_policy_document" "s3" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.s3.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.cf.arn]
    }
  }

  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.s3.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_lambda_function.lambda.arn]
    }
  }
}

resource "aws_cloudfront_origin_access_control" "s3_oac" {
  name                              = "s3_oac_${random_string.cf_random.result}"
  description                       = "S3 OAC Policy"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

locals { 
  s3_origin_id = "s3_origin"
}

resource "aws_cloudfront_origin_request_policy" "cf" {
  name    = "origin-policy"
  comment = "origin-policy"
    cookies_config {
      cookie_behavior = "none"
    }
    headers_config {
      header_behavior = "none"
    }
  query_strings_config {
    query_string_behavior = "whitelist"
    query_strings {
      items = ["img"]
    }
  }
}

resource "aws_cloudfront_distribution" "cf" {
    provider = aws.us-east-1

    origin {
        domain_name              = aws_s3_bucket.s3.bucket_regional_domain_name
        origin_access_control_id = aws_cloudfront_origin_access_control.s3_oac.id
        origin_id                = local.s3_origin_id
        origin_path              = "/frontend"
    }
    enabled             = true
    is_ipv6_enabled     = false
    comment             = "CloudFront For S3, ALB"
    default_root_object = "index.html"
    default_cache_behavior {
        cache_policy_id  = "658327ea-f89d-4fab-a63d-7e88639e58f6"
        target_origin_id = local.s3_origin_id

        allowed_methods = ["GET", "HEAD"]
        cached_methods  = ["GET", "HEAD"]

        compress = true
        viewer_protocol_policy = "redirect-to-https"
    }
    price_class = "PriceClass_All"

    restrictions {
      geo_restriction {
        restriction_type = "none"
        locations        = []
      }
    }

    ordered_cache_behavior {
      path_pattern     = "/preview"
      cache_policy_id  = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"
      origin_request_policy_id = aws_cloudfront_origin_request_policy.cf.id
      target_origin_id = local.s3_origin_id

      allowed_methods = ["GET", "HEAD"]
      cached_methods  = ["GET", "HEAD"]

      compress = true
      viewer_protocol_policy = "redirect-to-https"

      lambda_function_association {
        event_type   = "origin-request"
        lambda_arn   = aws_lambda_function.lambda.qualified_arn
        include_body = true
      }
    }
    
    viewer_certificate {
      cloudfront_default_certificate = true
    }

    tags = {
      Name = "wsi-cdn"
    }
}

output "cloudfront" {
  value = aws_cloudfront_distribution.cf.id
}
JSON
복사

Console