Merge pull request #9 from TechHoldingLLC/fix/ordered-cache-ttl-values

Fix: Ordered cache TTL values

Author: th-dharmikmashru

EXAMPLE.md

@@ -5,19 +5,21 @@ Below is an examples of calling this module.
 ```
 module "cloudfront" {
   source = "./cloudfront"
-  origin = {
-    domain_name = "s3_bucket_regional_domain_name"
-    origin_id   = "s3_bucket_name"
-
-    ## We can only use Any one of Origin Access Control or Origin Access Identity
-    # For Origin Access Control
-    origin_access_control_id = "s3_cloudfront_origin_access_control_id"
-    # For Origin Access Identity
-    s3_origin_config = {
-      s3_origin_access_identity = "s3_cloudfront_origin_access_identity_path"
-    }
+  origin = [
+    {
+      domain_name = "s3_bucket_regional_domain_name"
+      origin_id   = "s3_bucket_name"
 
-  }
+      ## We can only use Any one of Origin Access Control or Origin Access Identity
+      # For Origin Access Control
+      origin_access_control_id = "s3_cloudfront_origin_access_control_id"
+      # For Origin Access Identity
+      s3_origin_config = {
+        s3_origin_access_identity = "s3_cloudfront_origin_access_identity_path"
+      }
+
+    }
+  ]
   domain_aliases = ["example.com", "www.example.com"]
   acm_arn        = "acm_arn"
 }
@@ -27,62 +29,67 @@ module "cloudfront" {
 ```
 module "cloudfront" {
   source     = "./cloudfront"
-  origin = {
-    domain_name = "s3_bucket_regional_domain_name"
-    origin_id   = "s3_bucket_name"
+  origin = [
+    {
+      domain_name = "s3_bucket_regional_domain_name"
+      origin_id   = "s3_bucket_name"
 
-    ## for http endpoint
-    custom_origin_config = {
-      origin_protocol_policy = "http-only"
-    }
-    ## for https endpoint
-    # custom_origin_config = {
-    #  origin_protocol_policy = "https-only"
-    # }
-
-    ## We can restrict publically accessible endpoint by adding custom headers in request sends from cloudfront to custom origin endpoint and validate headers on origin endpoint side
-    custom_header = [
-      {
-        name  = "Referer"
-        value = "https://example.com"
-      },
-      {
-        name  = "Referer"
-        value = "https://www.example.com"
-      }
-    ]
-    
-    domain_aliases = ["example.com", "www.example.com"]
-    acm_arn        = "acm_arn"
-    ## it's helpful to handle 404 to redirect on index.html with 200 response for read based build
-    custom_error_response = [
-      {
-        error_caching_min_ttl = 300
-        error_code            = 404
-        response_code         = 200
-        response_page_path    = "/index.html"
+      ## for http endpoint
+      custom_origin_config = {
+        origin_protocol_policy = "http-only"
       }
-    ]
+      ## for https endpoint
+      # custom_origin_config = {
+      #  origin_protocol_policy = "https-only"
+      # }
+
+      ## We can restrict publically accessible endpoint by adding custom headers in request sends from cloudfront to custom origin endpoint and validate headers on origin endpoint side
+      custom_header = [
+        {
+          name  = "Referer"
+          value = "https://example.com"
+        },
+        {
+          name  = "Referer"
+          value = "https://www.example.com"
+        }
+      ]
+    }
+  ]
+      
+  domain_aliases = ["example.com", "www.example.com"]
+  acm_arn        = "acm_arn"
+  ## it's helpful to handle 404 to redirect on index.html with 200 response for read based build
+  custom_error_response = [
+    {
+      error_caching_min_ttl = 300
+      error_code            = 404
+      response_code         = 200
+      response_page_path    = "/index.html"
+    }
+  ]
 }
 ```
 
 ## Cloudfront distribution with s3 Origin with TTL value
 ```
 module "cloudfront" {
   source = "./cloudfront"
-  origin = {
-    domain_name = "s3_bucket_regional_domain_name"
-    origin_id   = "s3_bucket_name"
-
-    ## We can only use Any one of Origin Access Control or Origin Access Identity
-    # For Origin Access Control
-    origin_access_control_id = "s3_cloudfront_origin_access_control_id"
-    # For Origin Access Identity
-    s3_origin_config = {
-      s3_origin_access_identity = "s3_cloudfront_origin_access_identity_path"
-    }
+  origin = [
+    {
+      domain_name = "s3_bucket_regional_domain_name"
+      origin_id   = "s3_bucket_name"
 
-  }
+      ## We can only use Any one of Origin Access Control or Origin Access Identity
+      # For Origin Access Control
+      origin_access_control_id = "s3_cloudfront_origin_access_control_id"
+      # For Origin Access Identity
+      s3_origin_config = {
+        s3_origin_access_identity = "s3_cloudfront_origin_access_identity_path"
+      }
+
+    }
+  ]
   domain_aliases = ["example.com", "www.example.com"]
   acm_arn        = "acm_arn"
 
@@ -94,4 +101,79 @@ module "cloudfront" {
     default_ttl = 3500  # default amount of time that you want objects to stay in cloudfront cache before it sends another request to origin
   }
 }
+```
+
+## Cloudfront distribution with multiple origin and cache behavior
+```
+module "cloudfront" {
+  source = "./cloudfront"
+  origin = [
+    {
+      domain_name = "domain_name"
+      origin_id   = "origin_id"
+    },
+    {
+      domain_name = "domain_name"
+      origin_id   = "origin_id"
+      origin_path = "/origin_path"
+    }
+  ]
+
+  domain_aliases = ["example.com", "www.example.com"]
+  acm_arn        = "acm_arn"
+
+  default_cache_behaviour_target_origin_id = default_cache_behaviour_target_origin_id
+  allowed_methods                          = ["list of allowed methods"]
+  cache_policy_id                          = aws_managed_cache_policy_id
+
+  ## Can be used only if cache_policy_id is not used
+  # forwarded_values = {
+  #   query_string            = true 
+  #   query_string_cache_keys = ["list of query string cache keys"]     # set only if query_string is true and not all query string are meant to be cached
+  #   headers                 = ["list of headers"]                     # specify * to include all headers
+  #   cookie_forward           = ""
+  #   cookies_whitelisted_names = ["list of whitelisted cookie names"]  # specify only if cookie forward is set to whitelist
+  # }
+
+  ## Can be used only if cache_policy_id is not used
+  # ttl_values = {
+  #   min_ttl     = 0
+  #   max_ttl     = 31536000
+  #   default_ttl = 86400
+  # }
+
+  ordered_cache_behavior = [
+    {
+      path_pattern           = "path_pattern"
+      target_origin_id       = origin_id
+
+      ttl_values = {
+        min_ttl     = 0
+        max_ttl     = 31536000
+        default_ttl = 86400
+      }
+
+      forwarded_values = {
+        query_string = true
+      }
+
+      ## Used to associate a cloudfront_function
+      function_association = [
+        {
+          event_type   = "event_type"
+          function_arn = cloudfront_function_arn
+        }
+      ]
+
+      ## Used to associate a lambda_function
+      lambda_function_association = [
+        {
+          event_type   = "event_type"
+          lambda_arn   = lambda_function_arn
+          include_body = true
+        }
+      ]
+    }
+  ]
+}
 ```

cloudfront.tf

@@ -67,13 +67,16 @@ resource "aws_cloudfront_distribution" "cloudfront" {
     default_ttl            = lookup(var.ttl_values, "default_ttl", null)
 
     dynamic "forwarded_values" {
-      for_each = var.cache_policy_id != "" ? [] : [1]
+      for_each = var.cache_policy_id != "" ? [] : [var.default_cache_forwarded_values]
 
       content {
-        query_string = false
+        query_string            = lookup(forwarded_values.value, "query_string", false)
+        query_string_cache_keys = lookup(forwarded_values.value, "query_string_cache_keys", [])
+        headers                 = lookup(forwarded_values.value, "headers", [])
 
         cookies {
-          forward = "none"
+          forward           = lookup(forwarded_values.value, "cookies_forward", "none")
+          whitelisted_names = lookup(forwarded_values.value, "cookies_whitelisted_names", [])
         }
       }
     }
@@ -110,18 +113,21 @@ resource "aws_cloudfront_distribution" "cloudfront" {
 
       viewer_protocol_policy = lookup(ordered_cache_behavior.value, "viewer_protocol_policy", "redirect-to-https")
       compress               = lookup(ordered_cache_behavior.value, "compress", false)
-      min_ttl                = lookup(var.ttl_values, "min_ttl", null)
-      max_ttl                = lookup(var.ttl_values, "max_ttl", null)
-      default_ttl            = lookup(var.ttl_values, "default_ttl", null)
+      min_ttl                = lookup(ordered_cache_behavior.value.ttl_values, "min_ttl", null)
+      max_ttl                = lookup(ordered_cache_behavior.value.ttl_values, "max_ttl", null)
+      default_ttl            = lookup(ordered_cache_behavior.value.ttl_values, "default_ttl", null)
 
       dynamic "forwarded_values" {
-        for_each = contains(keys(ordered_cache_behavior.value), "cache_policy_id") ? [] : [1]
+        for_each = contains(keys(ordered_cache_behavior.value), "cache_policy_id") ? [] : [ordered_cache_behavior.value.forwarded_values]
 
         content {
-          query_string = false
+          query_string            = lookup(forwarded_values.value, "query_string", false)
+          query_string_cache_keys = lookup(forwarded_values.value, "query_string_cache_keys", [])
+          headers                 = lookup(forwarded_values.value, "headers", [])
 
           cookies {
-            forward = "none"
+            forward           = lookup(forwarded_values.value, "cookies_forward", "none")
+            whitelisted_names = lookup(forwarded_values.value, "cookies_whitelisted_names", [])
           }
         }
       }

variables.tf

@@ -131,4 +131,10 @@ variable "ordered_cache_behavior" {
   description = "List of ordered cache behaviour"
   type        = any
   default     = []
+}
+
+variable "default_cache_forwarded_values" {
+  description = "forwarded values for default cache behavior"
+  type        = any
+  default     = []
 }