
terraform-aws-arc-cloudfront¶
Module:
sourcefuse/arc-cloudfront/awsRegistry: https://registry.terraform.io/modules/sourcefuse/arc-cloudfront/aws
Category: Networking / CDN
Source: https://github.com/sourcefuse/terraform-aws-arc-cloudfront
Tip
🤖 New: Use this module with AI assistants via the ARC IaC MCP Server — search, scaffold, and security-scan ARC modules from natural language. Quick setup ↓
Overview¶
SourceFuse AWS Reference Architecture (ARC) Terraform module for managing Cloudfront
For more information about this repository and its usage, please see Terraform AWS ARC CloudFront Usage Guide.
Usage¶
Important Note: When using custom ACM certificates (acm_details.domain_name is set), the certificate must be created in the us-east-1 region as required by CloudFront. If you're deploying in a different region, you'll need to configure a provider alias for us-east-1.
What It Does¶
- S3 and custom HTTP/HTTPS origins
- Custom cache and origin request policies
- ACM certificate creation (must be in us-east-1)
- Route53 alias records
- Lambda@Edge and CloudFront Functions
- Origin groups for failover
- WAF web ACL association
- Geo-restriction support
For more information about this repository and its usage, please see Terraform AWS CLOUDFRONT Usage Guide.
Quickstart¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 | |
Required Inputs¶
| Name | Type | Description |
|---|---|---|
aliases |
list(string) |
FQDNs for the distribution |
description |
string |
Distribution description |
default_cache_behavior |
object |
Default cache behavior config |
origins |
list(object) |
List of origins |
| ## Key Outputs |
| Name | Description |
|---|---|
cloudfront_id |
CloudFront distribution ID |
cloudfront_domain_name |
CloudFront domain name |
acm_certificate_arn |
ACM certificate ARN |
| ## Full Variable & Output Reference |
The complete inputs/outputs reference is auto-generated below.
Requirements¶
| Name | Version |
|---|---|
| terraform | >= 1.5, < 2.0.0 |
| aws | >= 6.5.0, < 7.0.0 |
Providers¶
| Name | Version |
|---|---|
| aws | 4.67.0 |
| aws.acm | 4.67.0 |
Modules¶
| Name | Source | Version |
|---|---|---|
| kms | sourcefuse/arc-kms/aws | 1.0.11 |
| s3_bucket | sourcefuse/arc-s3/aws | 0.0.7 |
| s3_bucket_logs | sourcefuse/arc-s3/aws | 0.0.7 |
Resources¶
| Name | Type |
|---|---|
| aws_acm_certificate.this | resource |
| aws_acm_certificate_validation.this | resource |
| aws_cloudfront_cache_policy.this | resource |
| aws_cloudfront_distribution.this | resource |
| aws_cloudfront_origin_access_control.s3 | resource |
| aws_cloudfront_origin_request_policy.this | resource |
| aws_cloudfront_response_headers_policy.this | resource |
| aws_route53_record.root_domain | resource |
| aws_route53_record.this | resource |
| aws_s3_bucket_policy.cdn_bucket_policy | resource |
| aws_caller_identity.this | data source |
| aws_route53_zone.this | data source |
Inputs¶
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| acm_details | Details required for creating certificate eg. { domain_name = "test.com" subject_alternative_names = ["www.test.com"] } |
object({ |
{ |
no |
| aliases | Fully qualified domain name for site being hosted | list(string) |
n/a | yes |
| cache_behaviors | Set the cache behaviors for the distribution , Note:- You cannot use an origin request policy in a cache behavior without a cache policy. | list(object({ |
[] |
no |
| cache_policies | Cache policies, eg. { "cache-policy-1" = { default_ttl = 86400, max_ttl = 31536000, min_ttl = 0, cookies_config = { cookie_behavior = "none", items = [] }, headers_config = { header_behavior = "whitelist", items = ["Authorization", "Origin", "Accept", "Access-Control-Request-Method", "Access-Control-Request-Headers", "Referer"] }, query_string_behavior = { header_behavior = "none", items = [] }, query_strings_config = { query_string_behavior = "none", items = [] } } } |
map(object( |
{} |
no |
| create_route53_records | made optional route53 | bool |
false |
no |
| custom_error_responses | One or more custom error response elements | list(object({ |
[] |
no |
| default_cache_behavior | Default cache behavior for the distribution | object({ |
n/a | yes |
| default_root_object | Object that you want CloudFront to return (for example, index.html) when an end user requests the root URL. | string |
"index.html" |
no |
| description | CloudFron destribution description | string |
n/a | yes |
| geo_restriction | Geographic restriction | object({ |
{ |
no |
| logging_config | CloudFront logging configuration | object({ |
{ |
no |
| origin_groups | List of Origin Groups for failover support | list(object({ |
[] |
no |
| origin_request_policies | Origin request policies, eg. { "origin-req-policy" = { cookies_config = { cookie_behavior = "none", items = [] }, headers_config = { header_behavior = "whitelist", items = ["Accept", "Accept-Charset", "Accept-Datetime", "Accept-Language", "Access-Control-Request-Method", "Access-Control-Request-Headers", "CloudFront-Forwarded-Proto", "CloudFront-Is-Android-Viewer", "CloudFront-Is-Desktop-Viewer", "CloudFront-Is-IOS-Viewer"] }, query_strings_config = { query_string_behavior = "none", items = [] } } } |
map(object({ |
{} |
no |
| origins | List of Origins for Cloudfront | list(object({ |
[] |
no |
| price_class | Price class for this distribution. One of PriceClass_All, PriceClass_200, PriceClass_100. | string |
"PriceClass_All" |
no |
| response_headers_policy | Header policies, eg. { "response-header-policy-1" = { default_ttl = 86400, max_ttl = 31536000, min_ttl = 0, cookies_config = { cookie_behavior = "none", items = [] }, headers_config = { header_behavior = "whitelist", items = ["Authorization", "Origin", "Accept", "Access-Control-Request-Method", "Access-Control-Request-Headers", "Referer"] }, query_string_behavior = { header_behavior = "none", items = [] }, query_strings_config = { query_string_behavior = "none", items = [] } } } |
map(object( |
{} |
no |
| retain_on_delete | Disables the distribution instead of deleting it when destroying the resource through Terraform. If this is set, the distribution needs to be deleted manually afterwards. | bool |
false |
no |
| route53_record_ttl | TTL for Route53 record | string |
60 |
no |
| route53_root_domain | Domain to add to route 53 as alias to distribution | string |
null |
no |
| s3_kms_details | KMS details for S3 encryption | object({ |
{ |
no |
| tags | Tags for AWS resources | map(string) |
{} |
no |
| viewer_certificate | The SSL configuration for this distribution | object({ |
{ |
no |
| web_acl_id | Unique identifier that specifies the AWS WAF web ACL, if any, to associate with this distribution. To specify a web ACL created using the latest version of AWS WAF (WAFv2), use the ACL ARN, for example aws_wafv2_web_acl.example.arn. | string |
null |
no |
Outputs¶
| Name | Description |
|---|---|
| acm_certificate_arn | Certificate ARN |
| cloudfront_arn | CloudFront ARN |
| cloudfront_domain_name | CloudFront Domain name |
| cloudfront_hosted_zone_id | CloudFront Hosted zone ID |
| cloudfront_id | CloudFront ID |
| logging_s3_bucket | Logging bucket name |
| origin_s3_bucket | Origin bucket name |
Development¶
Prerequisites¶
Configurations¶
- Configure pre-commit hooks
Git commits¶
while Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch
For Example
Tests¶
- Tests are available in
testdirectory - Configure the dependencies
- Now execute the test
AI Assistant Integration (ARC IaC MCP)¶
The ARC IaC MCP Server is a hosted Model Context Protocol service that lets AI assistants browse, search, scaffold, compare, and security-scan any of the SourceFuse ARC Terraform modules — directly from natural language.
What you can do with it:
- Discover — search and filter modules by keyword or AWS resource type.
- Understand — get inputs, outputs, and resources for any module without leaving your editor.
- Scaffold — generate production-ready, multi-file Terraform with cross-module wiring already done.
- Secure — scan generated or existing HCL for misconfigurations before it hits a PR.
- Compare — diff modules side-by-side to make informed architectural decisions.
Setup (one minute)¶
The MCP endpoint is https://arc-iac-mcp.sourcef.us/mcp. Pick your client:
Claude Code CLI:
Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json:
Cursor / Windsurf / Kiro — add the same block to .cursor/mcp.json (or the equivalent for your client).
Example prompts to try¶
- "List all ARC modules sorted by downloads"
- "What inputs does
arc-ecsrequire?" - "Scaffold a production-ready
arc-dbAurora setup with Secrets Manager" - "Compare
arc-eksandarc-ecsfor running 10 microservices" - "Scan this Terraform before I raise a PR:
<paste HCL>"
See the ARC IaC MCP repo for the full tool reference, troubleshooting tips, and local-development instructions.
Contributing¶
See CONTRIBUTING.md for commit conventions and development setup.
Authors¶
This project is authored by: - SourceFuse ARC Team