2016-04-14 21:55:11 +02:00
|
|
|
---
|
|
|
|
layout: "aws"
|
|
|
|
page_title: "AWS: cloudfront_distribution"
|
|
|
|
sidebar_current: "docs-aws-resource-cloudfront-distribution"
|
|
|
|
description: |-
|
|
|
|
Provides a CloudFront web distribution resource.
|
|
|
|
---
|
|
|
|
|
|
|
|
# aws\_cloudfront\_distribution
|
|
|
|
|
|
|
|
Creates an Amazon CloudFront web distribution.
|
|
|
|
|
|
|
|
For information about CloudFront distributions, see the
|
|
|
|
[Amazon CloudFront Developer Guide][1]. For specific information about creating
|
|
|
|
CloudFront web distributions, see the [POST Distribution][2] page in the Amazon
|
|
|
|
CloudFront API Reference.
|
|
|
|
|
|
|
|
~> **NOTE:** CloudFront distributions take about 15 minutes to a deployed state
|
|
|
|
after creation or modification. During this time, deletes to resources will be
|
|
|
|
blocked. If you need to delete a distribution that is enabled and you do not
|
|
|
|
want to wait, you need to use the `retain_on_delete` flag.
|
|
|
|
|
|
|
|
## Example Usage
|
|
|
|
|
|
|
|
The following example below creates a CloudFront distribution with an S3 origin.
|
|
|
|
|
|
|
|
```
|
|
|
|
resource "aws_cloudfront_distribution" "s3_distribution" {
|
2016-04-19 23:40:30 +02:00
|
|
|
origin {
|
|
|
|
domain_name = "mybucket.s3.amazonaws.com"
|
|
|
|
origin_id = "myS3Origin"
|
|
|
|
|
|
|
|
s3_origin_config {
|
2016-04-14 21:55:11 +02:00
|
|
|
origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
|
|
|
|
}
|
2016-04-19 23:40:30 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
enabled = true
|
|
|
|
comment = "Some comment"
|
|
|
|
default_root_object = "index.html"
|
|
|
|
|
|
|
|
logging_config {
|
|
|
|
include_cookies = false
|
|
|
|
bucket = "mylogs.s3.amazonaws.com"
|
|
|
|
prefix = "myprefix"
|
|
|
|
}
|
|
|
|
|
|
|
|
aliases = ["mysite.example.com", "yoursite.example.com"]
|
|
|
|
|
|
|
|
default_cache_behavior {
|
|
|
|
allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
|
|
|
|
cached_methods = ["GET", "HEAD"]
|
|
|
|
target_origin_id = "myS3Origin"
|
|
|
|
|
|
|
|
forwarded_values {
|
|
|
|
query_string = false
|
|
|
|
|
|
|
|
cookies {
|
|
|
|
forward = "none"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
viewer_protocol_policy = "allow-all"
|
|
|
|
min_ttl = 0
|
|
|
|
default_ttl = 3600
|
|
|
|
max_ttl = 86400
|
|
|
|
}
|
|
|
|
|
|
|
|
price_class = "PriceClass_200"
|
|
|
|
|
|
|
|
restrictions {
|
|
|
|
geo_restriction {
|
|
|
|
restriction_type = "whitelist"
|
|
|
|
locations = ["US", "CA", "GB", "DE"]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
viewer_certificate {
|
|
|
|
cloudfront_default_certificate = true
|
|
|
|
}
|
2016-04-14 21:55:11 +02:00
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
## Argument Reference
|
|
|
|
|
|
|
|
The CloudFront distribution argument layout is a complex structure composed
|
|
|
|
of several sub-resources - these resources are laid out below.
|
|
|
|
|
|
|
|
### Top-Level Arguments
|
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `aliases` (Optional) - Extra CNAMEs (alternate domain names), if any, for
|
|
|
|
this distribution.
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `cache_behavior` (Optional) - A [cache behavior](#cache-behavior-arguments)
|
|
|
|
resource for this distribution (multiples allowed).
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `comment` (Optional) - Any comments you want to include about the
|
|
|
|
distribution.
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `custom_error_response` (Optional) - One or more [custom error
|
|
|
|
response](#custom-error-response-arguments) elements (multiples allowed).
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `default_cache_behavior` (Required) - The [default cache
|
|
|
|
behavior](#default-cache-behavior-arguments) for this distribution (maximum
|
|
|
|
one).
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `default_root_object` (Optional) - The object that you want CloudFront to
|
|
|
|
return (for example, index.html) when an end user requests the root URL.
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `enabled` (Required) - Whether the distribution is enabled to accept end
|
|
|
|
user requests for content.
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-09-11 22:58:07 +02:00
|
|
|
* `http_version` (Optional) - The maximum HTTP version to support on the
|
|
|
|
distribution. Allowed values are `http1.1` and `http2`. The default is
|
|
|
|
`http2`.
|
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `logging_config` (Optional) - The [logging
|
|
|
|
configuration](#logging-config-arguments) that controls how logs are written
|
|
|
|
to your distribution (maximum one).
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `origin` (Required) - One or more [origins](#origin-arguments) for this
|
|
|
|
distribution (multiples allowed).
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `price_class` (Optional) - The price class for this distribution. One of
|
|
|
|
`PriceClass_All`, `PriceClass_200`, `PriceClass_100`
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `restrictions` (Required) - The [restriction
|
|
|
|
configuration](#restrictions-arguments) for this distribution (maximum one).
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `viewer_certificate` (Required) - The [SSL
|
|
|
|
configuration](#viewer-certificate-arguments) for this distribution (maximum
|
|
|
|
one).
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `web_acl_id` (Optional) - If you're using AWS WAF to filter CloudFront
|
|
|
|
requests, the Id of the AWS WAF web ACL that is associated with the
|
|
|
|
distribution.
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `retain_on_delete` (Optional) - Disables the distribution instead of
|
|
|
|
deleting it when destroying the resource through Terraform. If this is set,
|
|
|
|
the distribution needs to be deleted manually afterwards. Default: `false`.
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
#### Cache Behavior Arguments
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `allowed_methods` (Required) - Controls which HTTP methods CloudFront
|
|
|
|
processes and forwards to your Amazon S3 bucket or your custom origin.
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `cached_methods` (Required) - Controls whether CloudFront caches the
|
|
|
|
response to requests using the specified HTTP methods.
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `compress` (Optional) - Whether you want CloudFront to automatically
|
|
|
|
compress content for web requests that include `Accept-Encoding: gzip` in
|
|
|
|
the request header (default: `false`).
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `default_ttl` (Required) - The default amount of time (in seconds) that an
|
|
|
|
object is in a CloudFront cache before CloudFront forwards another request
|
|
|
|
in the absence of an `Cache-Control max-age` or `Expires` header.
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `forwarded_values` (Required) - The [forwarded values
|
|
|
|
configuration](#forwarded-values-arguments) that specifies how CloudFront
|
|
|
|
handles query strings, cookies and headers (maximum one).
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `max_ttl` (Required) - The maximum amount of time (in seconds) that an
|
|
|
|
object is in a CloudFront cache before CloudFront forwards another request
|
|
|
|
to your origin to determine whether the object has been updated. Only
|
|
|
|
effective in the presence of `Cache-Control max-age`, `Cache-Control
|
|
|
|
s-maxage`, and `Expires` headers.
|
|
|
|
|
|
|
|
* `min_ttl` (Required) - The minimum amount of time that you want objects to
|
|
|
|
stay in CloudFront caches before CloudFront queries your origin to see
|
|
|
|
whether the object has been updated.
|
|
|
|
|
|
|
|
* `path_pattern` (Required) - The pattern (for example, `images/*.jpg)` that
|
|
|
|
specifies which requests you want this cache behavior to apply to.
|
|
|
|
|
|
|
|
* `smooth_streaming` (Optional) - Indicates whether you want to distribute
|
|
|
|
media files in Microsoft Smooth Streaming format using the origin that is
|
|
|
|
associated with this cache behavior.
|
|
|
|
|
|
|
|
* `target_origin_id` (Required) - The value of ID for the origin that you want
|
|
|
|
CloudFront to route requests to when a request matches the path pattern
|
|
|
|
either for a cache behavior or for the default cache behavior.
|
|
|
|
|
|
|
|
* `trusted_signers` (Optional) - The AWS accounts, if any, that you want to
|
|
|
|
allow to create signed URLs for private content.
|
|
|
|
|
|
|
|
* `viewer_protocol_policy` (Required) - Use this element to specify the
|
|
|
|
protocol that users can use to access the files in the origin specified by
|
|
|
|
TargetOriginId when a request matches the path pattern in PathPattern. One
|
|
|
|
of `allow-all`, `https-only`, or `redirect-to-https`.
|
|
|
|
|
|
|
|
##### Forwarded Values Arguments
|
|
|
|
|
2016-05-05 22:44:35 +02:00
|
|
|
* `cookies` (Required) - The [forwarded values cookies](#cookies-arguments)
|
2016-04-29 01:28:45 +02:00
|
|
|
that specifies how CloudFront handles cookies (maximum one).
|
|
|
|
|
|
|
|
* `headers` (Optional) - Specifies the Headers, if any, that you want
|
|
|
|
CloudFront to vary upon for this cache behavior. Specify `*` to include all
|
|
|
|
headers.
|
|
|
|
|
|
|
|
* `query_string` (Required) - Indicates whether you want CloudFront to forward
|
|
|
|
query strings to the origin that is associated with this cache behavior.
|
|
|
|
|
2016-09-11 05:26:19 +02:00
|
|
|
* `query_string_cache_keys` (Optional) - When specified, along with a value of
|
|
|
|
`true` for `query_string`, all query strings are forwarded, however only the
|
|
|
|
query string keys listed in this argument are cached. When omitted with a
|
|
|
|
value of `true` for `query_string`, all query string keys are cached.
|
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
##### Cookies Arguments
|
|
|
|
|
|
|
|
* `forward` (Required) - Specifies whether you want CloudFront to forward
|
|
|
|
cookies to the origin that is associated with this cache behavior. You can
|
2016-05-05 22:44:35 +02:00
|
|
|
specify `all`, `none` or `whitelist`. If `whitelist`, you must include the
|
|
|
|
subsequent `whitelisted_names`
|
2016-04-29 01:28:45 +02:00
|
|
|
|
|
|
|
* `whitelisted_names` (Optional) - If you have specified `whitelist` to
|
|
|
|
`forward`, the whitelisted cookies that you want CloudFront to forward to
|
|
|
|
your origin.
|
|
|
|
|
|
|
|
#### Custom Error Response Arguments
|
|
|
|
|
|
|
|
* `error_caching_min_ttl` (Optional) - The minimum amount of time you want
|
|
|
|
HTTP error codes to stay in CloudFront caches before CloudFront queries your
|
|
|
|
origin to see whether the object has been updated.
|
|
|
|
|
|
|
|
* `error_code` (Required) - The 4xx or 5xx HTTP status code that you want to
|
|
|
|
customize.
|
|
|
|
|
|
|
|
* `response_code` (Optional) - The HTTP status code that you want CloudFront
|
|
|
|
to return with the custom error page to the viewer.
|
|
|
|
|
|
|
|
* `response_page_path` (Optional) - The path of the custom error page (for
|
|
|
|
example, `/custom_404.html`).
|
|
|
|
|
|
|
|
#### Default Cache Behavior Arguments
|
|
|
|
|
|
|
|
The arguments for `default_cache_behavior` are the same as for
|
|
|
|
[`cache_behavior`](#cache-behavior-arguments), except for the `path_pattern`
|
|
|
|
argument is not required.
|
|
|
|
|
|
|
|
#### Logging Config Arguments
|
|
|
|
|
|
|
|
* `bucket` (Required) - The Amazon S3 bucket to store the access logs in, for
|
|
|
|
example, `myawslogbucket.s3.amazonaws.com`.
|
|
|
|
|
|
|
|
* `include_cookies` (Optional) - Specifies whether you want CloudFront to
|
|
|
|
include cookies in access logs (default: `false`).
|
|
|
|
|
|
|
|
* `prefix` (Optional) - An optional string that you want CloudFront to prefix
|
|
|
|
to the access log filenames for this distribution, for example, `myprefix/`.
|
|
|
|
|
|
|
|
#### Origin Arguments
|
|
|
|
|
|
|
|
* `custom_origin_config` - The [CloudFront custom
|
|
|
|
origin](#custom-origin-config-arguments) configuration information. If an S3
|
|
|
|
origin is required, use `s3_origin_config` instead.
|
|
|
|
|
|
|
|
* `domain_name` (Required) - The DNS domain name of either the S3 bucket, or
|
|
|
|
web site of your custom origin.
|
|
|
|
|
|
|
|
* `custom_header` (Optional) - One or more sub-resources with `name` and
|
|
|
|
`value` parameters that specify header data that will be sent to the origin
|
|
|
|
(multiples allowed).
|
|
|
|
|
|
|
|
* `origin_id` (Required) - A unique identifier for the origin.
|
|
|
|
|
|
|
|
* `origin_path` (Optional) - An optional element that causes CloudFront to
|
|
|
|
request your content from a directory in your Amazon S3 bucket or your
|
|
|
|
custom origin.
|
|
|
|
|
|
|
|
* `s3_origin_config` - The [CloudFront S3 origin](#s3-origin-config-arguments)
|
|
|
|
configuration information. If a custom origin is required, use
|
|
|
|
`custom_origin_config` instead.
|
|
|
|
|
|
|
|
##### Custom Origin Config Arguments
|
|
|
|
|
|
|
|
* `http_port` (Required) - The HTTP port the custom origin listens on.
|
|
|
|
|
|
|
|
* `https_port` (Required) - The HTTPS port the custom origin listens on.
|
|
|
|
|
|
|
|
* `origin_protocol_policy` (Required) - The origin protocol policy to apply to
|
|
|
|
your origin. One of `http-only`, `https-only`, or `match-viewer`.
|
|
|
|
|
|
|
|
* `origin_ssl_protocols` (Required) - The SSL/TLS protocols that you want
|
|
|
|
CloudFront to use when communicating with your origin over HTTPS. A list of
|
|
|
|
one or more of `SSLv3`, `TLSv1`, `TLSv1.1`, and `TLSv1.2`.
|
|
|
|
|
|
|
|
##### S3 Origin Config Arguments
|
|
|
|
|
|
|
|
* `origin_access_identity` (Optional) - The [CloudFront origin access
|
|
|
|
identity][5] to associate with the origin.
|
|
|
|
|
|
|
|
#### Restrictions Arguments
|
|
|
|
|
|
|
|
The `restrictions` sub-resource takes another single sub-resource named
|
|
|
|
`geo_restriction` (see the example for usage).
|
2016-04-14 21:55:11 +02:00
|
|
|
|
|
|
|
The arguments of `geo_restriction` are:
|
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `locations` (Optional) - The [ISO 3166-1-alpha-2 codes][4] for which you
|
|
|
|
want CloudFront either to distribute your content (`whitelist`) or not
|
|
|
|
distribute your content (`blacklist`).
|
|
|
|
|
|
|
|
* `restriction_type` (Required) - The method that you want to use to restrict
|
|
|
|
distribution of your content by country: `none`, `whitelist`, or
|
|
|
|
`blacklist`.
|
|
|
|
|
|
|
|
#### Viewer Certificate Arguments
|
|
|
|
|
|
|
|
* `acm_certificate_arn` - The ARN of the [AWS Certificate Manager][6]
|
|
|
|
certificate that you wish to use with this distribution. Specify this,
|
2016-10-03 18:23:53 +02:00
|
|
|
`cloudfront_default_certificate`, or `iam_certificate_id`. The ACM
|
|
|
|
certificate must be in US-EAST-1.
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `cloudfront_default_certificate` - `true` if you want viewers to use HTTPS
|
|
|
|
to request your objects and you're using the CloudFront domain name for your
|
|
|
|
distribution. Specify this, `acm_certificate_arn`, or `iam_certificate_id`.
|
2016-04-14 21:55:11 +02:00
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `iam_certificate_id` - The IAM certificate identifier of the custom viewer
|
|
|
|
certificate for this distribution if you are using a custom domain. Specify
|
|
|
|
this, `acm_certificate_arn`, or `cloudfront_default_certificate`.
|
|
|
|
|
|
|
|
* `minimum_protocol_version` - The minimum version of the SSL protocol that
|
|
|
|
you want CloudFront to use for HTTPS connections. One of `SSLv3` or `TLSv1`.
|
|
|
|
Default: `SSLv3`. **NOTE**: If you are using a custom certificate (specified
|
|
|
|
with `acm_certificate_arn` or `iam_certificate_id`), and have specified
|
|
|
|
`sni-only` in `ssl_support_method`, `TLSv1` must be specified.
|
|
|
|
|
|
|
|
* `ssl_support_method`: Specifies how you want CloudFront to serve HTTPS
|
|
|
|
requests. One of `vip` or `sni-only`. Required if you specify
|
|
|
|
`acm_certificate_arn` or `iam_certificate_id`. **NOTE:** `vip` causes
|
|
|
|
CloudFront to use a dedicated IP address and may incur extra charges.
|
2016-04-14 21:55:11 +02:00
|
|
|
|
|
|
|
## Attribute Reference
|
|
|
|
|
|
|
|
The following attributes are exported:
|
|
|
|
|
2016-04-29 01:28:45 +02:00
|
|
|
* `id` - The identifier for the distribution. For example: `EDFDVBD632BHDS5`.
|
|
|
|
|
|
|
|
* `caller_reference` - Internal value used by CloudFront to allow future
|
|
|
|
updates to the distribution configuration.
|
|
|
|
|
|
|
|
* `status` - The current status of the distribution. `Deployed` if the
|
|
|
|
distribution's information is fully propagated throughout the Amazon
|
|
|
|
CloudFront system.
|
|
|
|
|
|
|
|
* `active_trusted_signers` - The key pair IDs that CloudFront is aware of for
|
|
|
|
each trusted signer, if the distribution is set up to serve private content
|
|
|
|
with signed URLs.
|
|
|
|
|
|
|
|
* `domain_name` - The domain name corresponding to the distribution. For
|
|
|
|
example: `d604721fxaaqy9.cloudfront.net`.
|
|
|
|
|
|
|
|
* `last_modified_time` - The date and time the distribution was last modified.
|
|
|
|
|
|
|
|
* `in_progress_validation_batches` - The number of invalidation batches
|
|
|
|
currently in progress.
|
|
|
|
|
|
|
|
* `etag` - The current version of the distribution's information. For example:
|
|
|
|
`E2QWRUHAPOMQZL`.
|
2016-10-03 18:23:53 +02:00
|
|
|
|
2016-05-09 01:40:30 +02:00
|
|
|
* `hosted_zone_id` - The CloudFront Route 53 zone ID that can be used to
|
|
|
|
route an [Alias Resource Record Set][7] to. This attribute is simply an
|
|
|
|
alias for the zone ID `Z2FDTNDATAQYW2`.
|
2016-04-14 21:55:11 +02:00
|
|
|
|
|
|
|
|
|
|
|
[1]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html
|
|
|
|
[2]: http://docs.aws.amazon.com/AmazonCloudFront/latest/APIReference/CreateDistribution.html
|
|
|
|
[3]: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
|
|
|
|
[4]: http://www.iso.org/iso/country_codes/iso_3166_code_lists/country_names_and_code_elements.htm
|
|
|
|
[5]: /docs/providers/aws/r/cloudfront_origin_access_identity.html
|
|
|
|
[6]: https://aws.amazon.com/certificate-manager/
|
2016-05-09 01:40:30 +02:00
|
|
|
[7]: http://docs.aws.amazon.com/Route53/latest/APIReference/CreateAliasRRSAPI.html
|
2016-09-29 22:40:57 +02:00
|
|
|
|
|
|
|
|
|
|
|
## Import
|
|
|
|
|
2016-10-03 18:23:53 +02:00
|
|
|
Cloudfront Distributions can be imported using the `id`, e.g.
|
2016-09-29 22:40:57 +02:00
|
|
|
|
|
|
|
```
|
|
|
|
$ terraform import aws_cloudfront_distribution.distribution E74FTE3EXAMPLE
|
|
|
|
```
|