diff --git a/README.md b/README.md
index 78a62547..54043a0e 100644
--- a/README.md
+++ b/README.md
@@ -475,6 +475,7 @@ Available targets:
| [aws_iam_policy_document.s3_ssl_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.s3_website_origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_s3_bucket.cf_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
| [aws_s3_bucket.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
@@ -559,6 +560,7 @@ Available targets:
| [origin\_groups](#input\_origin\_groups) | List of [Origin Groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#origin-group-arguments) to create in the distribution.
The values of `primary_origin_id` and `failover_origin_id` must correspond to origin IDs existing in `var.s3_origins` or `var.custom_origins`.
If `primary_origin_id` is set to `null` or `""`, then the origin id of the origin created by this module will be used in its place.
This is to allow for the use case of making the origin created by this module the primary origin in an origin group. | list(object({
primary_origin_id = string
failover_origin_id = string
failover_criteria = list(string)
})) | `[]` | no |
| [origin\_path](#input\_origin\_path) | An optional element that causes CloudFront to request your content from a directory in your Amazon S3 bucket or your custom origin. It must begin with a /. Do not add a / at the end of the path. | `string` | `""` | no |
| [origin\_request\_policy\_id](#input\_origin\_request\_policy\_id) | The unique identifier of the origin request policy that is attached to the behavior.
Should be used in conjunction with `cache_policy_id`. | `string` | `null` | no |
+| [origin\_shield\_enabled](#input\_origin\_shield\_enabled) | If enabled, origin shield will be enabled for the default origin | `bool` | `false` | no |
| [origin\_ssl\_protocols](#input\_origin\_ssl\_protocols) | The SSL/TLS protocols that you want CloudFront to use when communicating with your origin over HTTPS. | `list(string)` | [
"TLSv1",
"TLSv1.1",
"TLSv1.2"
]
| no |
| [override\_origin\_bucket\_policy](#input\_override\_origin\_bucket\_policy) | When using an existing origin bucket (through var.origin\_bucket), setting this to 'false' will make it so the existing bucket policy will not be overriden | `bool` | `true` | no |
| [parent\_zone\_id](#input\_parent\_zone\_id) | ID of the hosted zone to contain this record (or specify `parent_zone_name`). Requires `dns_alias_enabled` set to true | `string` | `""` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 2970ff12..794bb23a 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -43,6 +43,7 @@
| [aws_iam_policy_document.s3_ssl_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.s3_website_origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_s3_bucket.cf_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
| [aws_s3_bucket.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
@@ -127,6 +128,7 @@
| [origin\_groups](#input\_origin\_groups) | List of [Origin Groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#origin-group-arguments) to create in the distribution.
The values of `primary_origin_id` and `failover_origin_id` must correspond to origin IDs existing in `var.s3_origins` or `var.custom_origins`.
If `primary_origin_id` is set to `null` or `""`, then the origin id of the origin created by this module will be used in its place.
This is to allow for the use case of making the origin created by this module the primary origin in an origin group. | list(object({
primary_origin_id = string
failover_origin_id = string
failover_criteria = list(string)
})) | `[]` | no |
| [origin\_path](#input\_origin\_path) | An optional element that causes CloudFront to request your content from a directory in your Amazon S3 bucket or your custom origin. It must begin with a /. Do not add a / at the end of the path. | `string` | `""` | no |
| [origin\_request\_policy\_id](#input\_origin\_request\_policy\_id) | The unique identifier of the origin request policy that is attached to the behavior.
Should be used in conjunction with `cache_policy_id`. | `string` | `null` | no |
+| [origin\_shield\_enabled](#input\_origin\_shield\_enabled) | If enabled, origin shield will be enabled for the default origin | `bool` | `false` | no |
| [origin\_ssl\_protocols](#input\_origin\_ssl\_protocols) | The SSL/TLS protocols that you want CloudFront to use when communicating with your origin over HTTPS. | `list(string)` | [
"TLSv1",
"TLSv1.1",
"TLSv1.2"
]
| no |
| [override\_origin\_bucket\_policy](#input\_override\_origin\_bucket\_policy) | When using an existing origin bucket (through var.origin\_bucket), setting this to 'false' will make it so the existing bucket policy will not be overriden | `bool` | `true` | no |
| [parent\_zone\_id](#input\_parent\_zone\_id) | ID of the hosted zone to contain this record (or specify `parent_zone_name`). Requires `dns_alias_enabled` set to true | `string` | `""` | no |
diff --git a/main.tf b/main.tf
index 0ca6fa23..77ca6401 100644
--- a/main.tf
+++ b/main.tf
@@ -74,6 +74,20 @@ locals {
}
]
}
+
+ # Based on https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html#choose-origin-shield-region
+ # If a region is not specified, we assume it supports Origin Shield.
+ origin_shield_region_fallback_map = {
+ "us-west-1" = "us-west-2"
+ "af-south-1" = "eu-west-1"
+ "ap-east-1" = "ap-southeast-1"
+ "ca-central-1" = "us-east-1"
+ "eu-south-1" = "eu-central-1"
+ "eu-west-3" = "eu-west-2"
+ "eu-north-1" = "eu-west-2"
+ "me-south-1" = "ap-south-1"
+ }
+ origin_shield_region = local.enabled ? lookup(local.origin_shield_region_fallback_map, data.aws_region.current[0].name, data.aws_region.current[0].name) : "this string is never used"
}
## Make up for deprecated template_file and lack of templatestring
@@ -90,6 +104,10 @@ data "aws_partition" "current" {
count = local.enabled ? 1 : 0
}
+data "aws_region" "current" {
+ count = local.enabled ? 1 : 0
+}
+
module "origin_label" {
source = "cloudposse/label/null"
version = "0.25.0"
@@ -422,6 +440,14 @@ resource "aws_cloudfront_distribution" "default" {
value = custom_header.value["value"]
}
}
+
+ dynamic "origin_shield" {
+ for_each = var.origin_shield_enabled ? [1] : []
+ content {
+ enabled = true
+ origin_shield_region = local.origin_shield_region
+ }
+ }
}
dynamic "origin" {
diff --git a/variables.tf b/variables.tf
index a71155d7..a2f2044e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -668,3 +668,9 @@ variable "allow_ssl_requests_only" {
default = true
description = "Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests"
}
+
+variable "origin_shield_enabled" {
+ type = bool
+ default = false
+ description = "If enabled, origin shield will be enabled for the default origin"
+}