# Origin Access Control (OAC) that the distribution attaches to its S3 origin.
# With OAC the bucket never has to be public: CloudFront signs each origin
# request and the bucket policy (defined outside this file) can grant reads
# to this distribution only.
resource "aws_cloudfront_origin_access_control" "this" {
  name                              = "543_oac_green"
  description                       = "CloudFront access to S3"
  origin_access_control_origin_type = "s3"

  # "always": CloudFront signs every origin request, overriding any
  # Authorization header a viewer may have sent. Signing uses SigV4.
  signing_behavior = "always"
  signing_protocol = "sigv4"
}
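# CloudFront distribution in front of a private S3 bucket (reached via OAC)
# with real-time logging enabled on the default cache behavior.
resource "aws_cloudfront_distribution" "this" {
  enabled         = true
  is_ipv6_enabled = true

  # Object served for requests to the distribution root ("/"). CloudFront
  # expects a bare object name here, not a path: with a leading "/" the
  # origin request becomes "//index.html", which the origin does not
  # resolve and which only "works" because the custom_error_response
  # blocks below rewrite the resulting error to /index.html.
  default_root_object = "index.html"

  origin {
    domain_name = aws_s3_bucket.this.bucket_regional_domain_name
    # The OAC name doubles as the origin identifier; it must match
    # target_origin_id below.
    origin_id                = aws_cloudfront_origin_access_control.this.name
    origin_access_control_id = aws_cloudfront_origin_access_control.this.id
  }

  default_cache_behavior {
    target_origin_id = aws_cloudfront_origin_access_control.this.name
    compress         = true

    # Read-only methods only; OPTIONS is allowed for CORS preflight but is
    # not cached.
    allowed_methods = ["GET", "HEAD", "OPTIONS"]
    cached_methods  = ["GET", "HEAD"]

    # Plain-HTTP viewers are redirected rather than served over HTTP.
    viewer_protocol_policy = "redirect-to-https"

    cache_policy_id          = data.aws_cloudfront_cache_policy.this.id
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.this.id

    # Real-time logs: every request matching this behavior is streamed to
    # the Kinesis stream configured in aws_cloudfront_realtime_log_config.
    realtime_log_config_arn = aws_cloudfront_realtime_log_config.this.arn
  }

  # Single-page-app style error handling: a private S3 origin returns 403
  # (not 404) for missing keys when ListBucket is not granted, so both
  # codes are mapped to the app shell. Note this hides genuine access
  # denials from clients as well.
  custom_error_response {
    error_code         = 403
    response_code      = 200
    response_page_path = "/index.html"
  }

  custom_error_response {
    error_code         = 404
    response_code      = 200
    response_page_path = "/index.html"
  }

  # No geographic restrictions.
  restrictions {
    geo_restriction {
      restriction_type = "none"
      locations        = []
    }
  }

  # Default *.cloudfront.net certificate. A minimum TLS version cannot be
  # raised while this is in use; a custom ACM certificate is required for
  # that.
  viewer_certificate {
    cloudfront_default_certificate = true
  }
}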
# AWS-managed origin request policy for S3 origins that need CORS; it
# forwards the CORS-related request headers to the origin.
data "aws_cloudfront_origin_request_policy" "this" {
  name = "Managed-CORS-S3Origin"
}
# AWS-managed cache policy recommended for static S3 content.
data "aws_cloudfront_cache_policy" "this" {
  name = "Managed-CachingOptimized"
}
# Real-time log configuration: CloudFront assumes the IAM role below and
# writes one record per sampled request to the Kinesis stream.
resource "aws_cloudfront_realtime_log_config" "this" {
  name = "543_cloudfront_log_green"

  # Fields written per record. "c-ip" is the viewer's IP address and is
  # personal data; keep the stream's retention and consumers in mind.
  fields = ["timestamp", "c-ip"]

  # Percentage of requests logged; 100 means every request.
  sampling_rate = 100

  endpoint {
    stream_type = "Kinesis"

    kinesis_stream_config {
      stream_arn = aws_kinesis_stream.this.arn
      role_arn   = aws_iam_role.this.arn
    }
  }

  # The inline policy must exist before this resource is created, otherwise
  # CloudFront's check that the role can write to the stream fails.
  depends_on = [aws_iam_role_policy.this]
}
# Role CloudFront assumes to deliver real-time logs to Kinesis.
resource "aws_iam_role" "this" {
  assume_role_policy = data.aws_iam_policy_document.assume.json
  name               = "543_cloudfront_role_green"
}
# Inline permissions for the log-delivery role (see "permissions" below).
resource "aws_iam_role_policy" "this" {
  role   = aws_iam_role.this.id
  name   = "543_cloudfront_policy_green"
  policy = data.aws_iam_policy_document.permissions.json
}
# Trust policy: only the CloudFront service principal may assume the role.
# NOTE(review): no aws:SourceAccount / aws:SourceArn condition is set; confirm
# whether CloudFront real-time logs honours these before scoping the trust
# further.
data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      identifiers = ["cloudfront.amazonaws.com"]
      type        = "Service"
    }
  }
}
# Least-privilege permissions for log delivery: describe and write to the
# single destination stream, nothing else.
data "aws_iam_policy_document" "permissions" {
  statement {
    effect    = "Allow"
    resources = [aws_kinesis_stream.this.arn]

    actions = [
      "kinesis:DescribeStream",
      "kinesis:DescribeStreamSummary",
      "kinesis:PutRecord",
      "kinesis:PutRecords",
    ]
  }
}