Skip to content

Commit

Permalink
disable cdn
Browse files Browse the repository at this point in the history
  • Loading branch information
coilysiren committed Dec 10, 2024
1 parent c3c7c22 commit f8e551a
Showing 1 changed file with 74 additions and 74 deletions.
148 changes: 74 additions & 74 deletions infra/modules/service/cdn.tf
Original file line number Diff line number Diff line change
Expand Up @@ -35,77 +35,77 @@ resource "aws_cloudfront_cache_policy" "default" {
}
}

resource "aws_cloudfront_distribution" "cdn" {
count = var.enable_cdn ? 1 : 0

enabled = var.enable_cdn ? true : false
aliases = var.domain == null ? null : [var.domain]

origin {
domain_name = aws_lb.alb[0].dns_name
origin_id = local.default_origin_id
custom_origin_config {
http_port = 80
https_port = 443
origin_protocol_policy = var.cert_arn == null ? "http-only" : "https-only"

# See possible values here:
# https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_OriginSslProtocols.html
origin_ssl_protocols = ["TLSv1.2"]
}
# https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
dynamic "origin_shield" {
for_each = var.cert_arn == null ? [1] : []
content {
enabled = true
origin_shield_region = data.aws_region.current.name
}
}
}

logging_config {
include_cookies = false
bucket = aws_s3_bucket.cdn[0].bucket_domain_name
}

default_cache_behavior {
allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
target_origin_id = local.default_origin_id
cache_policy_id = aws_cloudfront_cache_policy.default[0].id
compress = true
viewer_protocol_policy = var.cert_arn == null ? "allow-all" : "redirect-to-https"

# Default to caching for 1 hour.
# The default TTL can be overriden by the `Cache-Control max-age` or `Expires` headers
# There's also a `max_ttl` option, which can be used to override the above headers.
min_ttl = 0
default_ttl = 3600
}

restrictions {
geo_restriction {
restriction_type = "none"
}
}

viewer_certificate {
acm_certificate_arn = var.cert_arn == null ? null : var.cert_arn
cloudfront_default_certificate = var.cert_arn == null ? true : false
}

depends_on = [
aws_s3_bucket_public_access_block.cdn[0],
aws_s3_bucket_policy.cdn[0],
aws_s3_bucket.cdn[0],
]

#checkov:skip=CKV2_AWS_46:We aren't using a S3 origin
#checkov:skip=CKV_AWS_174:False positive
#checkov:skip=CKV_AWS_310:Configure a failover in future work
#checkov:skip=CKV_AWS_68:Configure WAF in future work
#checkov:skip=CKV2_AWS_47:Configure WAF in future work
#checkov:skip=CKV2_AWS_32:Configure response headers policy in future work
#checkov:skip=CKV_AWS_374:Ignore the geo restriction
#checkov:skip=CKV_AWS_305:We don't need a default root object... we don't need to redirect / to index.html.
}
# resource "aws_cloudfront_distribution" "cdn" {
# count = var.enable_cdn ? 1 : 0

# enabled = var.enable_cdn ? true : false
# aliases = var.domain == null ? null : [var.domain]

# origin {
# domain_name = aws_lb.alb[0].dns_name
# origin_id = local.default_origin_id
# custom_origin_config {
# http_port = 80
# https_port = 443
# origin_protocol_policy = var.cert_arn == null ? "http-only" : "https-only"

# # See possible values here:
# # https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_OriginSslProtocols.html
# origin_ssl_protocols = ["TLSv1.2"]
# }
# # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
# dynamic "origin_shield" {
# for_each = var.cert_arn == null ? [1] : []
# content {
# enabled = true
# origin_shield_region = data.aws_region.current.name
# }
# }
# }

# logging_config {
# include_cookies = false
# bucket = aws_s3_bucket.cdn[0].bucket_domain_name
# }

# default_cache_behavior {
# allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
# cached_methods = ["GET", "HEAD", "OPTIONS"]
# target_origin_id = local.default_origin_id
# cache_policy_id = aws_cloudfront_cache_policy.default[0].id
# compress = true
# viewer_protocol_policy = var.cert_arn == null ? "allow-all" : "redirect-to-https"

# # Default to caching for 1 hour.
# # The default TTL can be overriden by the `Cache-Control max-age` or `Expires` headers
# # There's also a `max_ttl` option, which can be used to override the above headers.
# min_ttl = 0
# default_ttl = 3600
# }

# restrictions {
# geo_restriction {
# restriction_type = "none"
# }
# }

# viewer_certificate {
# acm_certificate_arn = var.cert_arn == null ? null : var.cert_arn
# cloudfront_default_certificate = var.cert_arn == null ? true : false
# }

# depends_on = [
# aws_s3_bucket_public_access_block.cdn[0],
# aws_s3_bucket_policy.cdn[0],
# aws_s3_bucket.cdn[0],
# ]

# #checkov:skip=CKV2_AWS_46:We aren't using a S3 origin
# #checkov:skip=CKV_AWS_174:False positive
# #checkov:skip=CKV_AWS_310:Configure a failover in future work
# #checkov:skip=CKV_AWS_68:Configure WAF in future work
# #checkov:skip=CKV2_AWS_47:Configure WAF in future work
# #checkov:skip=CKV2_AWS_32:Configure response headers policy in future work
# #checkov:skip=CKV_AWS_374:Ignore the geo restriction
# #checkov:skip=CKV_AWS_305:We don't need a default root object... we don't need to redirect / to index.html.
# }

0 comments on commit f8e551a

Please sign in to comment.