11# Terraform Module: CloudFront Middleware-at-Edge
22
3- _ This module is under active development and is not yet ready for use. Please
4- see ` dev ` branch for current progress. _
3+ This Terraform module deploys customizable and reusable Lambda@Edge functions
4+ that provide middleware for AWS CloudFront.
55
66## Features
77
8- - TBA
8+ - ** Authentication & Authorization** : This feature provides authentication and
9+ authorization to restrict access to a site hosted on CloudFront. Users can
10+ optionally customize the authorization rules via an Open Policy Agent (OPA)
11+ policy.
12+ - ** URL Rewriting** : This feature rewrites the URLs of requests. Users can
13+ define URL rewrite rules via an Open Policy Agent (OPA) policy.
914
1015## Usage
1116
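Review bot: The new Features entry says the OPA authorization policy is optional, but nothing in this hunk states what access decision is applied when no policy is supplied (any authenticated Cognito user allowed, or deny by default); a one-line statement of the default under "Authentication & Authorization" would stop operators from assuming a restriction the module does not enforce. It would also help to name the CloudFront event the Lambda@Edge functions attach to, since the Outputs added later refer to "auth_routes" without the README explaining where in the request path authentication happens.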
@@ -14,7 +19,29 @@ module "cloudfront_middleware_at_edge" {
1419 source = "sgtoj/cloudfront-middleware-at-edge/aws"
1520 version = "x.x.x"
1621
17- # TBD
22+ auth_service_config = {
23+ enabled = true
24+ cognito_idp_arn = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_TESTPOOL"
25+ cognito_idp_domain = "test.auth.us-east-1.amazoncognito.com"
26+ cognito_idp_client_id = "your-client-id"
27+ cognito_idp_client_secret = "your-client-secret"
28+ cognito_idp_client_scopes = ["openid", "email", "profile"]
29+
30+ cognito_idp_jwks = {
31+ keys = [
32+ { "alg": "RS256", "e": "AQAB", "kid": "...", "kty": "RSA", "n": "...", "use": "sig" },
33+ { "alg": "RS256", "e": "AQAB", "kid": "...", "kty": "RSA", "n": "...", "use": "sig" },
34+ ]
35+ }
36+ }
37+
38+ urlrewrite_service_config = {
39+ enabled = true
40+ policy_content = <<-EOF
41+ package urlrewriter
42+ result := []
43+ EOF
44+ }
1845}
1946```
2047
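Review bot: The usage example places `cognito_idp_client_secret = "your-client-secret"` as a literal in the module block, which will end up in Terraform state and in whatever the module passes to the Lambda@Edge environment; the example should read the value from a variable marked `sensitive = true` (or a secrets store data source) rather than teaching copy-and-paste of a plaintext secret, and the README should say how the module stores it. The hard-coded `cognito_idp_jwks` block also deserves a sentence on key rotation: if Cognito signing keys change, tokens will fail verification until this config is updated and redeployed. Minor: the heredoc `<<-EOF` strips leading whitespace, so the indentation shown inside `policy_content` is fine for Rego, but a note that the two lines are the module's default policy (per the table added later) would make the example clearer.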
@@ -27,18 +54,50 @@ module "cloudfront_middleware_at_edge" {
2754
2855## Inputs
2956
30- _ This module does not currently provide any input._
31-
32- ### Note
33-
34- This module uses the ` cloudposse/label/null ` module for naming and tagging
35- resources. As such, it also includes a ` context.tf ` file with additional
36- optional variables you can set. Refer to the [ ` cloudposse/label ` documentation] ( https://registry.terraform.io/modules/cloudposse/label/null/latest )
37- for more details on these variables.
57+ In addition to the variables documented below, this module includes several
58+ other optional variables (e.g., ` name ` , ` tags ` , etc.) provided by the
59+ ` cloudposse/label/null ` module. Please refer to the [ ` cloudposse/label ` documentation] ( https://registry.terraform.io/modules/cloudposse/label/null/latest ) for more details on these variables.
60+
61+ | Name | Description | Type | Default | Required |
62+ | ---------------------------| ---------------------------------------------------------------------------| :------:| :-------:| :--------:|
63+ | auth_service_config | Configuration details for the authentication service. More details below. | object | ` {} ` | no |
64+ | urlrewrite_service_config | Configuration details for the URL rewrite service, More details below. | object | ` {} ` | no |
65+ | destruction_delay | Delay before destroying resources when they are deleted | string | ` "20m" ` | no |
66+ | aws_account_id | The AWS account ID that the module will be deployed in | string | ` "" ` | no |
67+ | aws_region_name | The AWS region name where the module will be deployed | string | ` "" ` | no |
68+
69+ ### ` auth_service_config `
70+
71+ | Property | Description | Type | Default | Required |
72+ | ---------------------------| ------------------------------------------------| --------------------------------------| ----------| ----------|
73+ | enabled | Enable the authentication service | bool | ` true ` | no |
74+ | log_level | Logging level | string | ` "info" ` | no |
75+ | aws_region | AWS region for the service | string | ` null ` | no |
76+ | cognito_idp_arn | ARN of the Cognito Identity Provider | string | n/a | yes |
77+ | cognito_idp_domain | Domain of the Cognito Identity Provider | string | n/a | yes |
78+ | cognito_idp_jwks | JWKS of the Cognito Identity Provider | object({ keys = list(map(string)) }) | n/a | yes |
79+ | cognito_idp_client_id | Client ID of the Cognito Identity Provider | string | n/a | yes |
80+ | cognito_idp_client_secret | Client secret of the Cognito Identity Provider | string | n/a | yes |
81+ | cognito_idp_client_scopes | Client scopes of the Cognito Identity Provider | list(string) | n/a | yes |
82+ | opa_policy_content | Content of the OPA policy | string | ` null ` | no |
83+ | opa_policy_data | Data for the OPA policy | map(string) | ` {} ` | no |
84+
85+ ### ` urlrewrite_service_config `
86+
87+ | Property | Description | Type | Default | Required |
88+ | ----------------| -----------------------------------| --------| ---------------------------------------| ----------|
89+ | enabled | Enable the URL rewrite service | bool | ` false ` | no |
90+ | log_level | Logging level | string | ` "info" ` | no |
91+ | aws_region | AWS region for the service | string | ` null ` | no |
92+ | policy_content | Content of the URL rewrite policy | string | ` "package urlrewriter\nresult := []" ` | no |
3893
3994## Outputs
4095
41- _ This module does not currently provide any outputs._
96+ | Name | Description |
97+ | ---------------------| ---------------------------------------------------------------------------|
98+ | auth_services | Details of the created AWS Lambda functions for each of the auth services |
99+ | auth_routes | Route configurations for the auth services |
100+ | urlrewrite_services | Details of the created AWS Lambda function for the URL rewrite service |
42101
43102## Contributing
44103
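Review bot: The top-level table gives `auth_service_config` a default of `{}` while the property table marks `cognito_idp_arn`, `cognito_idp_domain`, `cognito_idp_jwks`, `cognito_idp_client_id`, `cognito_idp_client_secret` and `cognito_idp_client_scopes` as required with `enabled` defaulting to `true`; either an empty object fails validation (so the default is misleading) or the auth service silently runs without an IdP configured, and the README should state which. Suggest documenting "required when `enabled = true`" and noting that `cognito_idp_client_secret` is sensitive and will appear in state. Style: "URL rewrite service, More details below." should read "URL rewrite service. More details below.", and `aws_account_id` / `aws_region_name` defaulting to `""` could say whether they are then discovered from the provider.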