aws.cloudfront-distribution resource
Description
Distribution manages a CloudFront distribution: the edge configuration that tells CloudFront where to fetch content (its origins) and how to serve it (its cache behaviors), plus the TLS, geo, logging, and error-handling settings. CloudFront takes the whole configuration in one call and replaces it whole on every update, guarded by an optimistic-concurrency token (an ETag) and a long propagation wait, so no field forces a new resource.
Caching for each behavior is configured through its cache-policy-id, a managed or custom cache policy; the deprecated inline forwarded-values path (forwarded values and the min, default, and max TTLs) is intentionally not supported, since AWS recommends a cache policy for new distributions.
A delete is a two-step dance: CloudFront refuses to remove an enabled or still-deploying distribution, so Delete first disables it and waits for that to propagate, then deletes it and waits for it to disappear.
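The update-and-delete sequence described above, as an added example that is not part of this page or the unobin library: FakeCloudFront is a constructed in-memory stand-in (not boto3) that models the ETag precondition, the propagation wait and the refusal to delete an enabled or still-deploying distribution, and delete_distribution drives the disable, wait, delete, wait sequence against it.

```python
import time
class FakeCloudFront:
    """Constructed stand-in for the CloudFront API (not boto3): an update takes two
    polls to reach Deployed; stale ETags and premature deletes are rejected."""
    def __init__(self, enabled=True, etag="E1"):
        self.enabled, self.etag, self.pending, self.deleted = enabled, etag, 0, False

    def get_distribution(self, dist_id):
        if self.deleted:
            raise KeyError("NoSuchDistribution")
        status, self.pending = ("InProgress" if self.pending else "Deployed"), max(self.pending - 1, 0)
        return {"ETag": self.etag, "Enabled": self.enabled, "Status": status}

    def update_distribution(self, dist_id, enabled, if_match):
        if if_match != self.etag:  # optimistic-concurrency check on If-Match
            raise RuntimeError("PreconditionFailed")
        self.enabled, self.etag, self.pending = enabled, self.etag + "'", 2

    def delete_distribution(self, dist_id, if_match):
        if if_match != self.etag:
            raise RuntimeError("PreconditionFailed")
        if self.enabled or self.pending:
            raise RuntimeError("DistributionNotDisabled")
        self.deleted = True

def poll(check, every=0.0, attempts=50):
    """Call check() until it returns something truthy; raise if it never does."""
    for _ in range(attempts):
        got = check()
        if got:
            return got
        time.sleep(every)
    raise TimeoutError("CloudFront propagation did not finish")

def delete_distribution(cf, dist_id, every=0.0):
    """Disable under the ETag just read, wait, delete under the fresh ETag, wait."""
    d = cf.get_distribution(dist_id)
    if d["Enabled"]:
        cf.update_distribution(dist_id, enabled=False, if_match=d["ETag"])
    def deployed():  # the read that sees Deployed also carries the post-update ETag
        r = cf.get_distribution(dist_id)
        return r if r["Status"] == "Deployed" else None
    d = poll(deployed, every)
    cf.delete_distribution(dist_id, if_match=d["ETag"])
    def gone():  # NoSuchDistribution means the delete has propagated
        try: cf.get_distribution(dist_id)
        except KeyError: return True
    poll(gone, every)
    return d["ETag"]  # the ETag the delete was issued under
```

Against a real account the same four calls map to GetDistribution, UpdateDistribution, DeleteDistribution and a status poll, with `every` set to several seconds rather than zero.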
This is the minimal usable core. The following genuine properties of AWS::CloudFront::Distribution are deferred to a follow-up: origin groups (failover); an origin's VPC origin, origin shield, connection attempts and timeouts, and connection-function association; the continuous-deployment policy and the staging flag (the only field that would force a replace); trusted signers and trusted key groups; per-behavior field-level encryption, real-time log config, smooth streaming, and gRPC; the anycast IP list; the cache-tag config; the viewer mTLS config; and the multi-tenant distribution (a separate resource).
Source: internal/service/cloudfront/distribution_rsrc.go:51
Example usage:
imports: {
  aws: 'github.com/cloudboss/unobin-library-aws'
}
resources: {
  example: aws.cloudfront-distribution {
    # Set input fields here.
  }
}
Inputs
enabled: optional(boolean)
aliases: list(string)
comment: optional(string)
default-root-object: optional(string)
price-class: optional(string)
http-version: optional(string)
is-ipv6-enabled: optional(boolean)
web-acl-id: optional(string)
origins: list(object)
    list(
      object({
        domain-name: string
        origin-id: string
        origin-path: optional(string)
        origin-access-control-id: optional(string)
        custom-headers: list(
          object({
            header-name: string
            header-value: string
          })
        )
        s3-origin-config: optional(
          object({
            origin-access-identity: optional(string)
          })
        )
        custom-origin-config: optional(
          object({
            http-port: optional(integer)
            https-port: optional(integer)
            origin-protocol-policy: optional(string)
            origin-ssl-protocols: list(string)
            origin-read-timeout: optional(integer)
            origin-keepalive-timeout: optional(integer)
          })
        )
      })
    )
default-cache-behavior: object
    object({
      target-origin-id: string
      viewer-protocol-policy: string
      cache-policy-id: string
      allowed-methods: list(string)
      cached-methods: list(string)
      compress: optional(boolean)
      origin-request-policy-id: optional(string)
      response-headers-policy-id: optional(string)
      function-associations: list(
        object({
          event-type: string
          function-arn: string
        })
      )
      lambda-function-associations: list(
        object({
          event-type: string
          lambda-arn: string
          include-body: optional(boolean)
        })
      )
    })
cache-behaviors: list(object)
    list(
      object({
        path-pattern: string
        target-origin-id: string
        viewer-protocol-policy: string
        cache-policy-id: string
        allowed-methods: list(string)
        cached-methods: list(string)
        compress: optional(boolean)
        origin-request-policy-id: optional(string)
        response-headers-policy-id: optional(string)
        function-associations: list(
          object({
            event-type: string
            function-arn: string
          })
        )
        lambda-function-associations: list(
          object({
            event-type: string
            lambda-arn: string
            include-body: optional(boolean)
          })
        )
      })
    )
custom-error-responses: list(object)
    list(
      object({
        error-code: optional(integer)
        response-code: optional(string)
        response-page-path: optional(string)
        error-caching-min-ttl: optional(integer)
      })
    )
viewer-certificate: optional(object)
    optional(
      object({
        cloudfront-default-certificate: optional(boolean)
        acm-certificate-arn: optional(string)
        iam-certificate-id: optional(string)
        minimum-protocol-version: optional(string)
        ssl-support-method: optional(string)
      })
    )
restrictions: optional(object)
    optional(
      object({
        geo-restriction: optional(
          object({
            restriction-type: optional(string)
            locations: list(string)
          })
        )
      })
    )
logging: optional(object)
    optional(
      object({
        bucket: string
        prefix: optional(string)
        include-cookies: optional(boolean)
      })
    )
tags: map(string)
Input Constraints
Price class rules
price-class must be PriceClass_100, PriceClass_200, or PriceClass_All.
Rule logic
- When: input.price-class != null
- Require:
    input.price-class == 'PriceClass_100'
    || input.price-class == 'PriceClass_200'
    || input.price-class == 'PriceClass_All'
Http version rules
http-version must be http1.1, http2, http2and3, or http3.
Rule logic
- When: input.http-version != null
- Require:
    input.http-version == 'http1.1'
    || input.http-version == 'http2'
    || input.http-version == 'http2and3'
    || input.http-version == 'http3'
Viewer certificate rules
viewer-certificate must set exactly one of cloudfront-default-certificate true, acm-certificate-arn, or iam-certificate-id.
Rule logic
- When: input.viewer-certificate != null
- Require:
    ((input.viewer-certificate.cloudfront-default-certificate == true)
      && (input.viewer-certificate.acm-certificate-arn == null)
      && (input.viewer-certificate.iam-certificate-id == null))
    || ((input.viewer-certificate.acm-certificate-arn != null)
      && (input.viewer-certificate.iam-certificate-id == null)
      && !(input.viewer-certificate.cloudfront-default-certificate == true))
    || ((input.viewer-certificate.iam-certificate-id != null)
      && (input.viewer-certificate.acm-certificate-arn == null)
      && !(input.viewer-certificate.cloudfront-default-certificate == true))
viewer-certificate minimum-protocol-version must be one of SSLv3, TLSv1, TLSv1_2016, TLSv1.1_2016, TLSv1.2_2018, TLSv1.2_2019, TLSv1.2_2021, TLSv1.3_2025, TLSv1.2_2025.
Rule logic
- When: input.viewer-certificate.minimum-protocol-version != null
- Require:
    input.viewer-certificate.minimum-protocol-version == 'SSLv3'
    || input.viewer-certificate.minimum-protocol-version == 'TLSv1'
    || input.viewer-certificate.minimum-protocol-version == 'TLSv1_2016'
    || input.viewer-certificate.minimum-protocol-version == 'TLSv1.1_2016'
    || input.viewer-certificate.minimum-protocol-version == 'TLSv1.2_2018'
    || input.viewer-certificate.minimum-protocol-version == 'TLSv1.2_2019'
    || input.viewer-certificate.minimum-protocol-version == 'TLSv1.2_2021'
    || input.viewer-certificate.minimum-protocol-version == 'TLSv1.3_2025'
    || input.viewer-certificate.minimum-protocol-version == 'TLSv1.2_2025'
viewer-certificate ssl-support-method must be sni-only, vip, or static-ip.
Rule logic
- When: input.viewer-certificate.ssl-support-method != null
- Require:
    input.viewer-certificate.ssl-support-method == 'sni-only'
    || input.viewer-certificate.ssl-support-method == 'vip'
    || input.viewer-certificate.ssl-support-method == 'static-ip'
Restrictions rules
restrictions geo-restriction restriction-type must be none, whitelist, or blacklist.
Rule logic
- When: input.restrictions.geo-restriction.restriction-type != null
- Require:
    input.restrictions.geo-restriction.restriction-type == 'none'
    || input.restrictions.geo-restriction.restriction-type == 'whitelist'
    || input.restrictions.geo-restriction.restriction-type == 'blacklist'
Default cache behavior rules
default-cache-behavior viewer-protocol-policy must be allow-all, https-only, or redirect-to-https.
Rule logic
- Require:
    input.default-cache-behavior.viewer-protocol-policy == 'allow-all'
    || input.default-cache-behavior.viewer-protocol-policy == 'https-only'
    || input.default-cache-behavior.viewer-protocol-policy == 'redirect-to-https'
Cache behaviors rules
cache-behaviors viewer-protocol-policy must be allow-all, https-only, or redirect-to-https.
Rule logic
- For each: input.cache-behaviors
  - Require:
      @each.value.viewer-protocol-policy == 'allow-all'
      || @each.value.viewer-protocol-policy == 'https-only'
      || @each.value.viewer-protocol-policy == 'redirect-to-https'
Origins rules
Each origin may set at most one of s3-origin-config or custom-origin-config.
custom-origin-config origin-protocol-policy must be http-only, https-only, or match-viewer.
Rule logic
- For each: input.origins
  - When: @each.value.custom-origin-config.origin-protocol-policy != null
    - Require:
        @each.value.custom-origin-config.origin-protocol-policy == 'http-only'
        || @each.value.custom-origin-config.origin-protocol-policy == 'https-only'
        || @each.value.custom-origin-config.origin-protocol-policy == 'match-viewer'
Outputs
id: string
arn: string
domain-name: string
hosted-zone-id: string
status: string
etag: string
caller-reference: string