feat: Allow all policies to be specified by name or ID (#134)

szubersk · antonbabenko · web-flow · commit fcd12c3fee57 · 2024-03-15T13:52:02.000+01:00
Co-authored-by: Anton Babenko &lt;anton@antonbabenko.com&gt;
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.0
+    rev: v1.88.2
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each
diff --git a/README.md b/README.md
@@ -127,6 +127,9 @@ No modules.
 | [aws_cloudfront_monitoring_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_monitoring_subscription) | resource |
 | [aws_cloudfront_origin_access_control.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
 | [aws_cloudfront_origin_access_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource |
+| [aws_cloudfront_cache_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_cache_policy) | data source |
+| [aws_cloudfront_origin_request_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_origin_request_policy) | data source |
+| [aws_cloudfront_response_headers_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_response_headers_policy) | data source |
 
 ## Inputs
 
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -113,10 +113,10 @@ module "cloudfront" {
     viewer_protocol_policy = "allow-all"
     allowed_methods        = ["GET", "HEAD", "OPTIONS"]
     cached_methods         = ["GET", "HEAD"]
-    compress               = true
-    query_string           = true
 
-    # This is id for SecurityHeadersPolicy copied from https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-response-headers-policies.html
+    use_forwarded_values = false
+
+    cache_policy_id            = "b2884449-e4de-46a7-ac36-70bc7f1ddd6d"
     response_headers_policy_id = "67f7725c-6f97-4210-82d7-5512b31e9d03"
 
     lambda_function_association = {
@@ -141,8 +141,12 @@ module "cloudfront" {
 
       allowed_methods = ["GET", "HEAD", "OPTIONS"]
       cached_methods  = ["GET", "HEAD"]
-      compress        = true
-      query_string    = true
+
+      use_forwarded_values = false
+
+      cache_policy_name            = "Managed-CachingOptimized"
+      origin_request_policy_name   = "Managed-UserAgentRefererHeaders"
+      response_headers_policy_name = "Managed-SimpleCORS"
 
       function_association = {
         # Valid keys: viewer-request, viewer-response
@@ -154,6 +158,18 @@ module "cloudfront" {
           function_arn = aws_cloudfront_function.example.arn
         }
       }
+    },
+    {
+      path_pattern           = "/static-no-policies/*"
+      target_origin_id       = "s3_one"
+      viewer_protocol_policy = "redirect-to-https"
+
+      allowed_methods = ["GET", "HEAD", "OPTIONS"]
+      cached_methods  = ["GET", "HEAD"]
+
+      # Using Cache/ResponseHeaders/OriginRequest policies is not allowed together with `compress` and `query_string` settings
+      compress     = true
+      query_string = true
     }
   ]
 
diff --git a/main.tf b/main.tf
@@ -139,10 +139,11 @@ resource "aws_cloudfront_distribution" "this" {
       trusted_signers           = lookup(i.value, "trusted_signers", null)
       trusted_key_groups        = lookup(i.value, "trusted_key_groups", null)
 
-      cache_policy_id            = lookup(i.value, "cache_policy_id", null)
-      origin_request_policy_id   = lookup(i.value, "origin_request_policy_id", null)
-      response_headers_policy_id = lookup(i.value, "response_headers_policy_id", null)
-      realtime_log_config_arn    = lookup(i.value, "realtime_log_config_arn", null)
+      cache_policy_id            = try(i.value.cache_policy_id, data.aws_cloudfront_cache_policy.this[i.value.cache_policy_name].id, null)
+      origin_request_policy_id   = try(i.value.origin_request_policy_id, data.aws_cloudfront_origin_request_policy.this[i.value.origin_request_policy_name].id, null)
+      response_headers_policy_id = try(i.value.response_headers_policy_id, data.aws_cloudfront_response_headers_policy.this[i.value.response_headers_policy_name].id, null)
+
+      realtime_log_config_arn = lookup(i.value, "realtime_log_config_arn", null)
 
       min_ttl     = lookup(i.value, "min_ttl", null)
       default_ttl = lookup(i.value, "default_ttl", null)
@@ -203,10 +204,11 @@ resource "aws_cloudfront_distribution" "this" {
       trusted_signers           = lookup(i.value, "trusted_signers", null)
       trusted_key_groups        = lookup(i.value, "trusted_key_groups", null)
 
-      cache_policy_id            = lookup(i.value, "cache_policy_id", null)
-      origin_request_policy_id   = lookup(i.value, "origin_request_policy_id", null)
-      response_headers_policy_id = lookup(i.value, "response_headers_policy_id", null)
-      realtime_log_config_arn    = lookup(i.value, "realtime_log_config_arn", null)
+      cache_policy_id            = try(i.value.cache_policy_id, data.aws_cloudfront_cache_policy.this[i.value.cache_policy_name].id, null)
+      origin_request_policy_id   = try(i.value.origin_request_policy_id, data.aws_cloudfront_origin_request_policy.this[i.value.origin_request_policy_name].id, null)
+      response_headers_policy_id = try(i.value.response_headers_policy_id, data.aws_cloudfront_response_headers_policy.this[i.value.response_headers_policy_name].id, null)
+
+      realtime_log_config_arn = lookup(i.value, "realtime_log_config_arn", null)
 
       min_ttl     = lookup(i.value, "min_ttl", null)
       default_ttl = lookup(i.value, "default_ttl", null)
@@ -294,3 +296,21 @@ resource "aws_cloudfront_monitoring_subscription" "this" {
     }
   }
 }
+
+data "aws_cloudfront_cache_policy" "this" {
+  for_each = toset([for v in concat([var.default_cache_behavior], var.ordered_cache_behavior) : v.cache_policy_name if can(v.cache_policy_name)])
+
+  name = each.key
+}
+
+data "aws_cloudfront_origin_request_policy" "this" {
+  for_each = toset([for v in concat([var.default_cache_behavior], var.ordered_cache_behavior) : v.origin_request_policy_name if can(v.origin_request_policy_name)])
+
+  name = each.key
+}
+
+data "aws_cloudfront_response_headers_policy" "this" {
+  for_each = toset([for v in concat([var.default_cache_behavior], var.ordered_cache_behavior) : v.response_headers_policy_name if can(v.response_headers_policy_name)])
+
+  name = each.key
+}
