feat!: Bump AWS provider version to 5.82, added VPC Origin support

README.md

@@ -107,13 +107,13 @@ ordered_cache_behavior = [{
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.12.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.82.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.12.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.82.0 |
 
 ## Modules
 
@@ -127,6 +127,7 @@ No modules.
 | [aws_cloudfront_monitoring_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_monitoring_subscription) | resource |
 | [aws_cloudfront_origin_access_control.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
 | [aws_cloudfront_origin_access_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource |
+| [aws_cloudfront_vpc_origin.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_vpc_origin) | resource |
 | [aws_cloudfront_cache_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_cache_policy) | data source |
 | [aws_cloudfront_origin_request_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_origin_request_policy) | data source |
 | [aws_cloudfront_response_headers_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_response_headers_policy) | data source |
@@ -142,6 +143,7 @@ No modules.
 | <a name="input_create_monitoring_subscription"></a> [create\_monitoring\_subscription](#input\_create\_monitoring\_subscription) | If enabled, the resource for monitoring subscription will created. | `bool` | `false` | no |
 | <a name="input_create_origin_access_control"></a> [create\_origin\_access\_control](#input\_create\_origin\_access\_control) | Controls if CloudFront origin access control should be created | `bool` | `false` | no |
 | <a name="input_create_origin_access_identity"></a> [create\_origin\_access\_identity](#input\_create\_origin\_access\_identity) | Controls if CloudFront origin access identity should be created | `bool` | `false` | no |
+| <a name="input_create_vpc_origin"></a> [create\_vpc\_origin](#input\_create\_vpc\_origin) | If enabled, the resource for VPC origin will be created. | `bool` | `false` | no |
 | <a name="input_custom_error_response"></a> [custom\_error\_response](#input\_custom\_error\_response) | One or more custom error response elements | `any` | `{}` | no |
 | <a name="input_default_cache_behavior"></a> [default\_cache\_behavior](#input\_default\_cache\_behavior) | The default cache behavior for this distribution | `any` | `null` | no |
 | <a name="input_default_root_object"></a> [default\_root\_object](#input\_default\_root\_object) | The object that you want CloudFront to return (for example, index.html) when an end user requests the root URL. | `string` | `null` | no |
@@ -161,6 +163,7 @@ No modules.
 | <a name="input_staging"></a> [staging](#input\_staging) | Whether the distribution is a staging distribution. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
 | <a name="input_viewer_certificate"></a> [viewer\_certificate](#input\_viewer\_certificate) | The SSL configuration for this distribution | `any` | <pre>{<br/>  "cloudfront_default_certificate": true,<br/>  "minimum_protocol_version": "TLSv1"<br/>}</pre> | no |
+| <a name="input_vpc_origin"></a> [vpc\_origin](#input\_vpc\_origin) | Map of CloudFront VPC origin | <pre>map(object({<br/>    name                   = string<br/>    arn                    = string<br/>    http_port              = number<br/>    https_port             = number<br/>    origin_protocol_policy = string<br/>    origin_ssl_protocols = object({<br/>      items    = list(string)<br/>      quantity = number<br/>    })<br/>  }))</pre> | `{}` | no |
 | <a name="input_wait_for_deployment"></a> [wait\_for\_deployment](#input\_wait\_for\_deployment) | If enabled, the resource will wait for the distribution status to change from InProgress to Deployed. Setting this to false will skip the process. | `bool` | `true` | no |
 | <a name="input_web_acl_id"></a> [web\_acl\_id](#input\_web\_acl\_id) | If you're using AWS WAF to filter CloudFront requests, the Id of the AWS WAF web ACL that is associated with the distribution. The WAF Web ACL must exist in the WAF Global (CloudFront) region and the credentials configuring this argument must have waf:GetWebACL permissions assigned. If using WAFv2, provide the ARN of the web ACL. | `string` | `null` | no |
 
@@ -185,6 +188,7 @@ No modules.
 | <a name="output_cloudfront_origin_access_identities"></a> [cloudfront\_origin\_access\_identities](#output\_cloudfront\_origin\_access\_identities) | The origin access identities created |
 | <a name="output_cloudfront_origin_access_identity_iam_arns"></a> [cloudfront\_origin\_access\_identity\_iam\_arns](#output\_cloudfront\_origin\_access\_identity\_iam\_arns) | The IAM arns of the origin access identities created |
 | <a name="output_cloudfront_origin_access_identity_ids"></a> [cloudfront\_origin\_access\_identity\_ids](#output\_cloudfront\_origin\_access\_identity\_ids) | The IDS of the origin access identities created |
+| <a name="output_cloudfront_vpc_origin_ids"></a> [cloudfront\_vpc\_origin\_ids](#output\_cloudfront\_vpc\_origin\_ids) | The IDS of the VPC origin created |
 <!-- END_TF_DOCS -->
 
 ## Authors

examples/complete/README.md

@@ -27,15 +27,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.29 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.82 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.29 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.82 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 2.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 
@@ -45,10 +45,14 @@ Note that this example may create resources which cost money. Run `terraform des
 |------|--------|---------|
 | <a name="module_acm"></a> [acm](#module\_acm) | terraform-aws-modules/acm/aws | ~> 4.0 |
 | <a name="module_cloudfront"></a> [cloudfront](#module\_cloudfront) | ../../ | n/a |
+| <a name="module_ec2"></a> [ec2](#module\_ec2) | terraform-aws-modules/ec2-instance/aws | ~> 5.0 |
 | <a name="module_lambda_function"></a> [lambda\_function](#module\_lambda\_function) | terraform-aws-modules/lambda/aws | ~> 7.0 |
 | <a name="module_log_bucket"></a> [log\_bucket](#module\_log\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 4.0 |
 | <a name="module_records"></a> [records](#module\_records) | terraform-aws-modules/route53/aws//modules/records | ~> 2.0 |
 | <a name="module_s3_one"></a> [s3\_one](#module\_s3\_one) | terraform-aws-modules/s3-bucket/aws | ~> 4.0 |
+| <a name="module_security_group_ec2"></a> [security\_group\_ec2](#module\_security\_group\_ec2) | terraform-aws-modules/security-group/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+| <a name="module_vpc_endpoints"></a> [vpc\_endpoints](#module\_vpc\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | ~> 5.0 |
 
 ## Resources
 
@@ -58,10 +62,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | [aws_s3_bucket_policy.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [null_resource.download_package](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_ami.al2023](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_canonical_user_id.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/canonical_user_id) | data source |
 | [aws_cloudfront_log_delivery_canonical_user_id.cloudfront](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_log_delivery_canonical_user_id) | data source |
 | [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
+| [aws_security_group.vpc_origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 
 ## Inputs
 
@@ -84,4 +91,5 @@ No inputs.
 | <a name="output_cloudfront_origin_access_identities"></a> [cloudfront\_origin\_access\_identities](#output\_cloudfront\_origin\_access\_identities) | The origin access identities created |
 | <a name="output_cloudfront_origin_access_identity_iam_arns"></a> [cloudfront\_origin\_access\_identity\_iam\_arns](#output\_cloudfront\_origin\_access\_identity\_iam\_arns) | The IAM arns of the origin access identities created |
 | <a name="output_cloudfront_origin_access_identity_ids"></a> [cloudfront\_origin\_access\_identity\_ids](#output\_cloudfront\_origin\_access\_identity\_ids) | The IDS of the origin access identities created |
+| <a name="output_cloudfront_vpc_origin_ids"></a> [cloudfront\_vpc\_origin\_ids](#output\_cloudfront\_vpc\_origin\_ids) | The IDS of the VPC origin created |
 <!-- END_TF_DOCS -->

examples/complete/main.tf

@@ -53,6 +53,21 @@ module "cloudfront" {
     }
   }
 
+  create_vpc_origin = true
+  vpc_origin = {
+    ec2_vpc_origin = {
+      name                   = local.subdomain
+      arn                    = module.ec2.arn
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "http-only"
+      origin_ssl_protocols = {
+        items    = ["TLSv1.2"]
+        quantity = 1
+      }
+    }
+  }
+
   logging_config = {
     bucket = module.log_bucket.s3_bucket_bucket_domain_name
     prefix = "cloudfront"
@@ -98,6 +113,14 @@ module "cloudfront" {
       origin_access_control = "s3_oac" # key in `origin_access_control`
       #      origin_access_control_id = "E345SXM82MIOSU" # external OAС resource
     }
+
+    ec2_vpc_origin = {
+      domain_name = module.ec2.private_dns
+      vpc_origin_config = {
+        vpc_origin = "ec2_vpc_origin" # key in `vpc_origin`
+        #  vpc_origin_id  = "vo_Cg6A14otX0DB1yyDQ6Nond" # external VPC Origin resource
+      }
+    }
   }
 
   origin_group = {
@@ -170,7 +193,16 @@ module "cloudfront" {
       # Using Cache/ResponseHeaders/OriginRequest policies is not allowed together with `compress` and `query_string` settings
       compress     = true
       query_string = true
+    },
+    {
+      path_pattern           = "/vpc-origin/*"
+      target_origin_id       = "ec2_vpc_origin"
+      viewer_protocol_policy = "redirect-to-https"
+
+      allowed_methods = ["GET", "HEAD", "OPTIONS"]
+      cached_methods  = ["GET", "HEAD"]
     }
+
   ]
 
   viewer_certificate = {
@@ -364,3 +396,100 @@ resource "aws_cloudfront_function" "example" {
   runtime = "cloudfront-js-1.0"
   code    = file("${path.module}/example-function.js")
 }
+
+#######################################
+# EC2 and VPC for CloudFront VPC origin
+#######################################
+
+locals {
+  vpc_cidr = "10.0.0.0/16"
+  vpc_azs  = slice(data.aws_availability_zones.available.names, 0, 2)
+}
+
+module "ec2" {
+  source  = "terraform-aws-modules/ec2-instance/aws"
+  version = "~> 5.0"
+
+  name = local.subdomain
+  ami  = data.aws_ami.al2023.id
+
+  user_data = <<-EOF
+    #!/bin/bash
+    dnf update
+    dnf install -y nginx
+    systemctl start nginx
+  EOF
+
+  subnet_id              = element(module.vpc.intra_subnets, 0)
+  vpc_security_group_ids = [module.security_group_ec2.security_group_id]
+
+  create_iam_instance_profile = true
+  iam_role_description        = "IAM role for EC2 instance"
+  iam_role_policies = {
+    AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  }
+}
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 5.0"
+
+  name = local.subdomain
+  cidr = local.vpc_cidr
+
+  azs            = local.vpc_azs
+  intra_subnets  = [for k, v in local.vpc_azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  public_subnets = [for k, v in local.vpc_azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
+}
+
+module "vpc_endpoints" {
+  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+  version = "~> 5.0"
+
+  vpc_id = module.vpc.vpc_id
+
+  endpoints = {
+    s3 = {
+      service         = "s3"
+      service_type    = "Gateway"
+      route_table_ids = module.vpc.intra_route_table_ids
+    },
+  }
+}
+
+module "security_group_ec2" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 5.0"
+
+  name        = "${local.subdomain}-ec2"
+  description = "Security Group for EC2 Instance Egress"
+
+  vpc_id = module.vpc.vpc_id
+
+  egress_rules = ["http-80-tcp", "https-443-tcp"]
+  ingress_with_source_security_group_id = [
+    {
+      from_port                = 80
+      to_port                  = 80
+      protocol                 = "tcp"
+      description              = "Allow access to the CloudFront origin"
+      source_security_group_id = data.aws_security_group.vpc_origin.id
+  }]
+}
+
+data "aws_availability_zones" "available" {}
+
+data "aws_security_group" "vpc_origin" {
+  name       = "CloudFront-VPCOrigins-Service-SG"
+  vpc_id     = module.vpc.vpc_id
+  depends_on = [module.cloudfront]
+}
+
+data "aws_ami" "al2023" {
+  most_recent = true
+  owners      = ["amazon"]
+
+  filter {
+    name   = "name"
+    values = ["al2023-ami-2023*-x86_64"]
+  }
+}

examples/complete/outputs.tf

@@ -62,3 +62,8 @@ output "cloudfront_origin_access_identity_iam_arns" {
   description = "The IAM arns of the origin access identities created"
   value       = module.cloudfront.cloudfront_origin_access_identity_iam_arns
 }
+
+output "cloudfront_vpc_origin_ids" {
+  description = "The IDS of the VPC origin created"
+  value       = module.cloudfront.cloudfront_vpc_origin_ids
+}

examples/complete/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.29"
+      version = ">= 5.82"
     }
     random = {
       source  = "hashicorp/random"

main.tf

@@ -1,6 +1,7 @@
 locals {
   create_origin_access_identity = var.create_origin_access_identity && length(keys(var.origin_access_identities)) > 0
   create_origin_access_control  = var.create_origin_access_control && length(keys(var.origin_access_control)) > 0
+  create_vpc_origin             = var.create_vpc_origin && length(keys(var.vpc_origin)) > 0
 }
 
 resource "aws_cloudfront_origin_access_identity" "this" {
@@ -24,6 +25,23 @@ resource "aws_cloudfront_origin_access_control" "this" {
   signing_protocol                  = each.value["signing_protocol"]
 }
 
+resource "aws_cloudfront_vpc_origin" "this" {
+  for_each = local.create_vpc_origin ? var.vpc_origin : {}
+
+  vpc_origin_endpoint_config {
+    name                   = each.value["name"]
+    arn                    = each.value["arn"]
+    http_port              = each.value["http_port"]
+    https_port             = each.value["https_port"]
+    origin_protocol_policy = each.value["origin_protocol_policy"]
+
+    origin_ssl_protocols {
+      items    = each.value.origin_ssl_protocols.items
+      quantity = each.value.origin_ssl_protocols.quantity
+    }
+  }
+}
+
 resource "aws_cloudfront_distribution" "this" {
   count = var.create_distribution ? 1 : 0
 
@@ -100,6 +118,16 @@ resource "aws_cloudfront_distribution" "this" {
           origin_shield_region = origin_shield.value.origin_shield_region
         }
       }
+
+      dynamic "vpc_origin_config" {
+        for_each = length(keys(lookup(origin.value, "vpc_origin_config", {}))) == 0 ? [] : [lookup(origin.value, "vpc_origin_config", {})]
+
+        content {
+          vpc_origin_id            = lookup(vpc_origin_config.value, "vpc_origin_id", lookup(lookup(aws_cloudfront_vpc_origin.this, lookup(vpc_origin_config.value, "vpc_origin", ""), {}), "id", null))
+          origin_keepalive_timeout = lookup(vpc_origin_config.value, "origin_keepalive_timeout", null)
+          origin_read_timeout      = lookup(vpc_origin_config.value, "origin_read_timeout", null)
+        }
+      }
     }
   }
 

outputs.tf

@@ -82,3 +82,8 @@ output "cloudfront_origin_access_controls_ids" {
   description = "The IDS of the origin access identities created"
   value       = local.create_origin_access_control ? [for v in aws_cloudfront_origin_access_control.this : v.id] : []
 }
+
+output "cloudfront_vpc_origin_ids" {
+  description = "The IDS of the VPC origin created"
+  value       = local.create_vpc_origin ? [for v in aws_cloudfront_vpc_origin.this : v.id] : []
+}

variables.tf

@@ -181,3 +181,25 @@ variable "realtime_metrics_subscription_status" {
   type        = string
   default     = "Enabled"
 }
+
+variable "create_vpc_origin" {
+  description = "If enabled, the resource for VPC origin will be created."
+  type        = bool
+  default     = false
+}
+
+variable "vpc_origin" {
+  description = "Map of CloudFront VPC origin"
+  type = map(object({
+    name                   = string
+    arn                    = string
+    http_port              = number
+    https_port             = number
+    origin_protocol_policy = string
+    origin_ssl_protocols = object({
+      items    = list(string)
+      quantity = number
+    })
+  }))
+  default = {}
+}

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.12.0"
+      version = ">= 5.82.0"
     }
   }
 }

wrappers/main.tf

@@ -10,6 +10,7 @@ module "wrapper" {
   create_monitoring_subscription  = try(each.value.create_monitoring_subscription, var.defaults.create_monitoring_subscription, false)
   create_origin_access_control    = try(each.value.create_origin_access_control, var.defaults.create_origin_access_control, false)
   create_origin_access_identity   = try(each.value.create_origin_access_identity, var.defaults.create_origin_access_identity, false)
+  create_vpc_origin               = try(each.value.create_vpc_origin, var.defaults.create_vpc_origin, false)
   custom_error_response           = try(each.value.custom_error_response, var.defaults.custom_error_response, {})
   default_cache_behavior          = try(each.value.default_cache_behavior, var.defaults.default_cache_behavior, null)
   default_root_object             = try(each.value.default_root_object, var.defaults.default_root_object, null)
@@ -39,6 +40,7 @@ module "wrapper" {
     cloudfront_default_certificate = true
     minimum_protocol_version       = "TLSv1"
   })
+  vpc_origin          = try(each.value.vpc_origin, var.defaults.vpc_origin, {})
   wait_for_deployment = try(each.value.wait_for_deployment, var.defaults.wait_for_deployment, true)
   web_acl_id          = try(each.value.web_acl_id, var.defaults.web_acl_id, null)
 }

wrappers/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.12.0"
+      version = ">= 5.82.0"
     }
   }
 }