tf-aws-open-next-multi-zone

Open Next Terraform - tf-aws-open-next-multi-zone

~> I am aware of issues trying to deploy resources using Terraform v1.5.7. If possible please try use Terraform v1.6.1 or above, as it appear changes in Terraform resolve the issue. See #35 for more details

This module allows you to deploy multiple next.js websites using a multi zone architecture. This uses Open Next lambda, S3 and CloudFront.

This module supports three deployment options:

Independent Zones

Note: If you use tools like Terragrunt or CDKTF, you can use the Single Zone module to deploy each zone into its own terraform state

Shared Distribution

Shared Distribution and Bucket

The following are optional:

• Route 53 (A and AAAA records)
• WAF
• Staging Distribution
• Warmer function
• Image Optimization function
• Tag to Path Mapping DB

See the module documentation section below for more info.

Note: This module uses multiple bash scripts to delete data, upload data and mutate resources outside of Terraform. This prevents Terraform from removing resources when they have changed and allows the staging distribution functionality to work correctly.

You must have bash and the AWS CLI available, the CLI must be configured to use the same credentials or environment variables as the default AWS provider for this functionality to work correctly.

If you need to destroy the Terraform resources, it is recommended that you enable force_destroy on the website bucket to delete the assets in the bucket when running a Terraform destory.

Continuous deployment

This module supports CloudFront continuous deployment. See the continuous deployment docs for instructions on how to leverage this capability.

Backend Server Deployment Options

See the backend server deployment docs for instructions to see the options.

Custom Domains

For infomation on managing custom domains see the domain-config documentation

Module documentation

Below is the documentation for the Terraform module, outlining the providers, modules and resources required to deploy the website. The documentation includes the inputs that can be supplied (including any defaults) and what is outputted from the module.

By default, the module will zip all the necessary open-next artefacts as part of a Terraform deployment. To facilitate this, the .open-next folders need to be stored locally.

You can also choose to upload the artefacts to S3 and pass the reference in.

Note: the logic to automatically inject environment variables for lambda@edge functions will not run if you choose this option

Alternatively you can create the zip using your own tooling and supply the path to the zip file and the hash (SHA256 hash of the file encoded using Base64).

You must configure the AWS providers five times because some organizations use different accounts or roles for IAM, DNS, etc. The module has been designed to cater for these requirements. The server function is a separate provider to allow your backend resources to be deployed to a region, i.e. eu-west-1, and deploy the server function to another region, i.e. us-east-1, for lambda@edge. The global provider region should be set to us-east-1 to allow the auth-function, WAF, etc. to be configured correctly.

Below is an example setup.

provider "aws" {}

provider "aws" {
  alias = "server_function"
}

provider "aws" {
  alias = "iam"
}

provider "aws" {
  alias = "dns"
}

provider "aws" {
  alias  = "global"
  region = "us-east-1"
}

Requirements

Name	Version
terraform	>= 1.4.0
archive	>= 2.3.0
aws	>= 5.46.0
local	>= 2.4.0

Providers

Name	Version
aws	5.46.0

Modules

Name	Source	Version
public_resources	../tf-aws-open-next-public-resources	n/a
website_zone	../tf-aws-open-next-zone	n/a

Resources

Name	Type
aws_lambda_permission.function_url_permission	resource
aws_s3_bucket.shared_bucket	resource
aws_s3_bucket_policy.shared_bucket_policy	resource
aws_s3_bucket_policy.shared_distribution_bucket_policy	resource
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
additional_server_functions	Default configutation for all additional server functions with the ability to override the configuration per function. This feature requires open next v3. By default, the module will create a new zip from the server function code on disk. However, you can override this by supplying a zip file containing the lambda code with either a local reference or a reference to the zip in an S3 bucket. Possible values for backend_deployment_type: - REGIONAL_LAMBDA_WITH_AUTH_LAMBDA - REGIONAL_LAMBDA_WITH_OAC - REGIONAL_LAMBDA_WITH_OAC_AND_ANY_PRINCIPAL - REGIONAL_LAMBDA See https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.0.3/docs/backend-server-deployments.md for a complete breakdown of the different backend options. NOTE: This can be overridden for each zone	object({ enable_streaming = optional(bool) runtime = optional(string, "nodejs20.x") backend_deployment_type = optional(string, "REGIONAL_LAMBDA") timeout = optional(number, 10) memory_size = optional(number, 1024) function_architecture = optional(string) additional_environment_variables = optional(map(string), {}) iam_policies = optional(object({ include_bucket_access = optional(bool, false) include_revalidation_queue_access = optional(bool, false) include_tag_mapping_db_access = optional(bool, false) }), {}) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) vpc = optional(object({ security_group_ids = list(string), subnet_ids = list(string) })) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) logging_config = optional(object({ log_format = optional(string) application_log_level = optional(string) system_log_level = optional(string) })) cloudwatch_log = optional(object({ deployment = optional(string) retention_in_days = optional(number) name = optional(string) log_group_class = optional(string) skip_destroy = optional(bool) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) function_overrides = optional(map(object({ function_code = optional(object({ handler = optional(string, "index.handler") zip = optional(object({ path = string hash = string })) s3 = optional(object({ bucket = string key = string object_version = optional(string) })) })) enable_streaming = optional(bool) runtime = optional(string, "nodejs20.x") backend_deployment_type = optional(string, "REGIONAL_LAMBDA") timeout = optional(number, 10) memory_size = optional(number, 1024) function_architecture = optional(string) additional_environment_variables = optional(map(string), {}) iam_policies = optional(object({ include_bucket_access = optional(bool, false) include_revalidation_queue_access = optional(bool, false) include_tag_mapping_db_access = optional(bool, false) }), {}) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) vpc = optional(object({ security_group_ids = list(string), subnet_ids = list(string) })) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) logging_config = optional(object({ log_format = optional(string) application_log_level = optional(string) system_log_level = optional(string) })) cloudwatch_log = optional(object({ deployment = optional(string) retention_in_days = optional(number) name = optional(string) log_group_class = optional(string) skip_destroy = optional(bool) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) })), {}) })	{}	no
aliases	The production and staging aliases to use. This can be overridden for each zone	object({ production = string staging = string })	null	no
behaviours	Override the default behaviour config. When the deployment is set to 'INDEPENDENT_ZONES' this can be overridden for each zone. If deployment is 'SHARED_DISTRIBUTION' or 'SHARED_DISTRIBUTION_AND_BUCKET' this configuration is used	object({ custom_error_responses = optional(object({ path_overrides = optional(map(object({ allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ arn = string include_body = bool })) origin_response = optional(object({ arn = string })) }))) allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ type = string arn = string include_body = optional(bool) })) origin_response = optional(object({ type = string arn = string })) })) static_assets = optional(object({ paths = optional(list(string)) additional_paths = optional(list(string)) path_overrides = optional(map(object({ allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ arn = string include_body = bool })) origin_response = optional(object({ arn = string })) }))) allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ type = string arn = string include_body = optional(bool) })) origin_response = optional(object({ type = string arn = string })) })) server = optional(object({ paths = optional(list(string)) path_overrides = map(object({ allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ arn = string include_body = bool })) origin_response = optional(object({ arn = string })) })) allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ type = string arn = string include_body = optional(bool) })) origin_response = optional(object({ type = string arn = string })) })) additional_origins = optional(map(object({ paths = optional(list(string)) path_overrides = optional(map(object({ allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ arn = string include_body = bool })) origin_response = optional(object({ arn = string })) }))) allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ type = string arn = string include_body = optional(bool) })) origin_response = optional(object({ type = string arn = string })) })), {}) image_optimisation = optional(object({ paths = optional(list(string)) path_overrides = map(object({ allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ arn = string include_body = bool })) origin_response = optional(object({ arn = string })) })) allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ type = string arn = string include_body = optional(bool) })) origin_response = optional(object({ type = string arn = string })) })) })	{}	no
cache_control_immutable_assets_regex	Regex to set public,max-age=31536000,immutable on immutable resources. This can be overridden for each zone	string	"^.*(\\.next)$"	no
cloudwatch_log	The default cloudwatch log group configuration. This can be overridden for each zone and each function"" Possible values for deployment: - PER_FUNCTION (default) - SHARED_PER_ZONE - USE_EXISTING When deployment is set to SHARED_PER_ZONE or USE_EXISTING, name is mandatory. For SHARED_PER_ZONE, the name will include the aws/lambda namespace and the supplied prefix and suffix For USE_EXISTING, the name will represent the log group name (including prefix)	object({ deployment = optional(string, "PER_FUNCTION") retention_in_days = optional(number, 7) name = optional(string) log_group_class = optional(string) skip_destroy = optional(bool) })	{}	no
content_types	The MIME type mapping and default for artefacts generated by Open Next. This can be overridden for each zone	object({ mapping = optional(map(string), { "svg" = "image/svg+xml", "js" = "application/javascript", "css" = "text/css", "html" = "text/html" }) default = optional(string, "binary/octet-stream") })	{}	no
continuous_deployment	Configuration for continuous deployment config for CloudFront When the deployment is set to 'INDEPENDENT_ZONES' this can be overridden for each zone. If continuous deployment is enabled, updates to the origins, ordered_cache_behaviors and default_cache_behaviors are ignored See https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.0.3/docs/continuous-deployments.md for a complete breakdown of how to use continuous deployment.	object({ use = optional(bool, false) deployment = optional(string, "NONE") traffic_config = optional(object({ header = optional(object({ name = string value = string })) weight = optional(object({ percentage = number session_stickiness = optional(object({ idle_ttl = number maximum_ttl = number })) })) })) })	{}	no
custom_error_responses	Allow custom error responses to be set on the distributions When the deployment is set to 'INDEPENDENT_ZONES' this can be overridden for each zone. If deployment is 'SHARED_DISTRIBUTION' or 'SHARED_DISTRIBUTION_AND_BUCKET' this configuration is used. If the deployment is 'SHARED_DISTRIBUTION', the files are saved into the root zone bucket. If the deployment is 'SHARED_DISTRIBUTION_AND_BUCKET' the files are saved in the shared bucket NOTE: These custom error pages only apply to response codes from the origins. To configure custom error responses for status codes returned by WAF, please configure the custom error responses in WAF.	list(object({ error_code = string error_caching_min_ttl = optional(number) response_code = optional(string) response_page = optional(object({ source = string path_prefix = string })) }))	[]	no
deployment	The deployment model for the multi zone website The possible values are: - INDEPENDENT_ZONES - SHARED_DISTRIBUTION - SHARED_DISTRIBUTION_AND_BUCKET See https://github.com/RJPearson94/terraform-aws-open-next/tree/v3.0.3?tab=readme-ov-file#deployment-options for a complete breakdown of the different deployment options.	string	n/a	yes
distribution	Configuration for the CloudFront distribution. When the deployment is set to 'INDEPENDENT_ZONES' this can be overridden for each zone. If deployment is 'SHARED_DISTRIBUTION' or 'SHARED_DISTRIBUTION_AND_BUCKET' this configuration is used Possible values for deployment are: - NONE - CREATE The module has a local copy of the x-forwarded host CloudFront function code by default. The code can be seen at https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.0.3/modules/tf-aws-open-next-public-resources/code/xForwardedHost.js (open next v2) and https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.0.3/modules/tf-aws-open-next-public-resources/code/cloudfrontFunctionOpenNextV3.js (open next v3). This code can be overridden by passing in the javascript function as a string to the code argument under the x_forwarded_host_function object. An example can be seen below. x_forwarded_host_function = { code = "function handler(event) { var request = event.request; request.headers['x-forwarded-host'] = request.headers.host; return request; }" } The auth function is deployed if the server function backend_deployment_type is set to EDGE_LAMBDA. The module has a local copy of the auth function code, which will be deployed by default. The code can be seen at https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.0.3/modules/tf-aws-open-next-public-resources/code/auth/index.js. You can override this to supplying a zip file containing the lambda code with either a local reference or a reference to the zip in an S3 bucket. Possible values for the auth_function deployment are: - NONE - USE_EXISTING - CREATE - DETACH The auth function arn is mandatory when deployment is set to USE_EXISTING. When migrating from using the auth function to either public cloud functions or to using OAC, you should set the deployment on the auth_function to CREATE, then apply the changes. Then, you can set deployment to false in a subsequent change to clean up the function. If you run the server function as a lambda@edge, you should increase the deletion timeout to 2 hours 120m. As the lambda service needs to wait for the replicas to be removed, this often exceeds the default 10-minute deletion timeout. This extended timeout allows Terraform to poll for longer and should help mitigate Terraform failures; an example Terraform configuration can be seen below. auth_function = { timeouts = { delete = "120m" } } As lambda@edge doesn't support environment variables, the environment variables are injected into the source code before the zip is generated. NOTE: If the lambda function code is supplied as a zip or via an S3 reference, this code modification will not occur Terraform does not manage cloudwatch log groups for the auth function; the lambda service creates the log group when the function runs in each region. CloudFront supports Origin Access Control (OAC) for lambda URLs. The possible values for the deployment options are: - NONE - CREATE NOTE: If the server function or image optimisation function backend deployment types use OAC, then the OAC will be created. As there is a limit on the number of cache policies associated with an AWS account, you can either configure the module to create the cache policy or use an existing one. The possible values for the cache policy deployment are: - USE_EXISTING - CREATE If cache policy deployment is set to USE_EXISTING, then ID, is a required field. WARNING: The distribution is fundamental to the architecture, and the module is optional to facilitate sharing a distribution for multi-zone deployments and to support edge cases not supported by the module. With that said, it is not recommended to supply a distribution.	object({ deployment = optional(string, "CREATE") enabled = optional(bool, true) ipv6_enabled = optional(bool, true) http_version = optional(string, "http2") price_class = optional(string, "PriceClass_100") geo_restrictions = optional(object({ type = optional(string, "none"), locations = optional(list(string), []) }), {}) x_forwarded_host_function = optional(object({ runtime = optional(string) code = optional(string) }), {}) auth_function = optional(object({ deployment = optional(string, "NONE") qualified_arn = optional(string) function_code = optional(object({ handler = optional(string, "index.handler") zip = optional(object({ path = string hash = string })) s3 = optional(object({ bucket = string key = string object_version = optional(string) })) })) runtime = optional(string, "nodejs20.x") timeout = optional(number, 10) memory_size = optional(number, 256) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) }), {}) lambda_url_oac = optional(object({ deployment = optional(string, "NONE") }), {}) cache_policy = optional(object({ deployment = optional(string, "CREATE") id = optional(string) default_ttl = optional(number, 0) max_ttl = optional(number, 31536000) min_ttl = optional(number, 0) cookie_behavior = optional(string, "all") header_behavior = optional(string, "whitelist") header_items = optional(list(string)) query_string_behavior = optional(string, "all") }), {}) })	{}	no
domain_config	Configuration for CloudFront distribution domain When the deployment is set to 'INDEPENDENT_ZONES' this can be overridden for each zone. If deployment is 'SHARED_DISTRIBUTION' or 'SHARED_DISTRIBUTION_AND_BUCKET' this configuration is used See https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.0.3/docs/domain-config.md for a complete breakdown of the different domain configuration options.	object({ evaluate_target_health = optional(bool, true) include_www = optional(bool, false) sub_domain = optional(string) hosted_zones = list(object({ name = string id = optional(string) private_zone = optional(bool, false) })) create_route53_entries = optional(bool, true) route53_record_allow_overwrite = optional(bool, true) viewer_certificate = optional(object({ acm_certificate_arn = string ssl_support_method = optional(string, "sni-only") minimum_protocol_version = optional(string, "TLSv1.2_2021") })) })	null	no
edge_functions	Default configutation for all edge functions with the ability to override the configuration per edge function By default, the module will create a new zip from the edge function code on disk. However, you can override this by supplying a zip file containing the lambda code with either a local reference or a reference to the zip in an S3 bucket. This feature requires open next v3. NOTE: Terraform does not manage cloudwatch log groups; instead, the lambda service creates the log group when the function runs in each region. The module OPEN_NEXT_ORIGIN environment variable for each edge function, as per the open next documentation for middleware. You have the ability to remove this environment variable by setting the include_open_next_origin_env_variable to false or override this value by setting an environment variable with the same name via the additional_environment_variables attribute. You should increase the deletion timeout to 2 hours 120m. As the lambda service needs to wait for the replicas to be removed, this often exceeds the default 10-minute deletion timeout. This extended timeout allows Terraform to poll for longer and should help mitigate Terraform failures; an example Terraform configuration can be seen below. timeouts = { delete = "120m" } As lambda@edge doesn't support environment variables, the environment variables are injected into the source code before the zip is generated. NOTE: If the lambda function code is supplied as a zip or via an S3 reference, this code modification will not occur NOTE: This can be overridden for each zone	object({ runtime = optional(string, "nodejs20.x") timeout = optional(number, 10) memory_size = optional(number, 512) include_open_next_origin_env_variable = optional(bool, true) additional_environment_variables = optional(map(string), {}) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) function_overrides = optional(map(object({ function_code = optional(object({ handler = optional(string, "handler.handler") zip = optional(object({ path = string hash = string })) s3 = optional(object({ bucket = string key = string object_version = optional(string) })) })) runtime = optional(string, "nodejs20.x") timeout = optional(number, 10) memory_size = optional(number, 512) include_open_next_origin_env_variable = optional(bool, true) additional_environment_variables = optional(map(string), {}) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) })), {}) })	{}	no
function_architecture	The default instruction set architecture for the lambda functions. This can be overridden for each zone and each function	string	"arm64"	no
iam	The default IAM configuration. This can be overridden for each zone and each function	object({ path = optional(string, "/") permissions_boundary = optional(string) })	{}	no
image_optimisation_function	Configuration for the image optimisation function. By default, the module will create a new zip from the image optimisation function code on disk. However, you can override this by supplying a zip file containing the lambda code with either a local reference or a reference to the zip in an S3 bucket. Possible values for backend_deployment_type: - REGIONAL_LAMBDA_WITH_AUTH_LAMBDA - REGIONAL_LAMBDA_WITH_OAC - REGIONAL_LAMBDA_WITH_OAC_AND_ANY_PRINCIPAL - REGIONAL_LAMBDA See https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.0.3/docs/backend-server-deployments.md for a complete breakdown of the different backend options. If you do not want to provision the image optimisation function, you can set create to false. NOTE: This can be overridden for each zone	object({ create = optional(bool, true) function_code = optional(object({ handler = optional(string, "index.handler") zip = optional(object({ path = string hash = string })) s3 = optional(object({ bucket = string key = string object_version = optional(string) })) })) runtime = optional(string, "nodejs20.x") backend_deployment_type = optional(string, "REGIONAL_LAMBDA") timeout = optional(number, 25) memory_size = optional(number, 1536) additional_environment_variables = optional(map(string), {}) function_architecture = optional(string) static_image_optimisation = optional(bool, false) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) vpc = optional(object({ security_group_ids = list(string), subnet_ids = list(string) })) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) logging_config = optional(object({ log_format = optional(string) application_log_level = optional(string) system_log_level = optional(string) })) cloudwatch_log = optional(object({ deployment = optional(string) retention_in_days = optional(number) name = optional(string) log_group_class = optional(string) skip_destroy = optional(bool) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) })	{}	no
logging_config	The default function logging configuration. The log group is determined by the cloudwatch_log variable. This can be overridden for each zone and each function	object({ log_format = optional(string) application_log_level = optional(string) system_log_level = optional(string) })	null	no
open_next_version	The version of open next that is used	string	"v2.x.x"	no
prefix	A prefix which will be attached to the resource name to ensure resources are random	string	null	no
prefix_path_overrides	Whether to add the path to the path overrides. This can be overridden for each zone	bool	true	no
revalidation_function	Configuration for the revalidation function. By default, the module will create a new zip from the revalidation function code on disk. However, you can override this by supplying a zip file containing the lambda code with either a local reference or a reference to the zip in an S3 bucket. This function is deployed to the region specified on the default AWS Terraform provider. NOTE: This can be overridden for each zone	object({ function_code = optional(object({ handler = optional(string, "index.handler") zip = optional(object({ path = string hash = string })) s3 = optional(object({ bucket = string key = string object_version = optional(string) })) })) runtime = optional(string, "nodejs20.x") timeout = optional(number, 25) memory_size = optional(number, 1536) additional_environment_variables = optional(map(string), {}) function_architecture = optional(string) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) vpc = optional(object({ security_group_ids = list(string), subnet_ids = list(string) })) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) logging_config = optional(object({ log_format = optional(string) application_log_level = optional(string) system_log_level = optional(string) })) cloudwatch_log = optional(object({ deployment = optional(string) retention_in_days = optional(number) name = optional(string) log_group_class = optional(string) skip_destroy = optional(bool) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) })	{}	no
s3_exclusion_regex	A regex of files to exclude from the s3 copy. his can be overridden for each zone	string	null	no
scripts	Modify default script behaviours	object({ interpreter = optional(string) additional_environment_variables = optional(map(string)) delete_folder_script = optional(object({ interpreter = optional(string) path = optional(string) additional_environment_variables = optional(map(string)) })) file_sync_script = optional(object({ interpreter = optional(string) path = optional(string) additional_environment_variables = optional(map(string)) })) invalidate_cloudfront_script = optional(object({ interpreter = optional(string) path = optional(string) additional_environment_variables = optional(map(string)) })) promote_distribution_script = optional(object({ interpreter = optional(string) path = optional(string) additional_environment_variables = optional(map(string)) })) remove_continuous_deployment_policy_id_script = optional(object({ interpreter = optional(string) path = optional(string) additional_environment_variables = optional(map(string)) })) save_item_to_dynamo_script = optional(object({ interpreter = optional(string) path = optional(string) additional_environment_variables = optional(map(string)) })) update_alias_script = optional(object({ interpreter = optional(string) path = optional(string) additional_environment_variables = optional(map(string)) })) update_parameter_script = optional(object({ interpreter = optional(string) path = optional(string) additional_environment_variables = optional(map(string)) })) })	{}	no
server_function	Configuration for the server function. By default, the module will create a new zip from the server function code on disk. However, you can override this by supplying a zip file containing the lambda code with either a local reference or a reference to the zip in an S3 bucket. Possible values for backend_deployment_type: - REGIONAL_LAMBDA_WITH_AUTH_LAMBDA - REGIONAL_LAMBDA_WITH_OAC - REGIONAL_LAMBDA_WITH_OAC_AND_ANY_PRINCIPAL - REGIONAL_LAMBDA - EDGE_LAMBDA (only supported with open next v2) See https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.0.3/docs/backend-server-deployments.md for a complete breakdown of the different backend options. NOTE: When backend_deployment_type is set to EDGE_LAMBDA, Terraform does not manage cloudwatch log groups; instead, the lambda service creates the log group when the function runs in each region. If you run the server function as a lambda@edge, you should increase the deletion timeout to 2 hours 120m. As the lambda service needs to wait for the replicas to be removed, this often exceeds the default 10-minute deletion timeout. This extended timeout allows Terraform to poll for longer and should help mitigate Terraform failures; an example Terraform configuration can be seen below. timeouts = { delete = "120m" } As lambda@edge doesn't support environment variables, the environment variables are injected into the source code before the zip is generated. NOTE: If the lambda function code is supplied as a zip or via an S3 reference, this code modification will not occur NOTE: This can be overridden for each zone	object({ function_code = optional(object({ handler = optional(string, "index.handler") zip = optional(object({ path = string hash = string })) s3 = optional(object({ bucket = string key = string object_version = optional(string) })) })) enable_streaming = optional(bool, false) runtime = optional(string, "nodejs20.x") backend_deployment_type = optional(string, "REGIONAL_LAMBDA") timeout = optional(number, 10) memory_size = optional(number, 1024) function_architecture = optional(string) additional_environment_variables = optional(map(string), {}) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) vpc = optional(object({ security_group_ids = list(string), subnet_ids = list(string) })) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) logging_config = optional(object({ log_format = optional(string) application_log_level = optional(string) system_log_level = optional(string) })) cloudwatch_log = optional(object({ deployment = optional(string) retention_in_days = optional(number) name = optional(string) log_group_class = optional(string) skip_destroy = optional(bool) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) })	{}	no
suffix	A suffix which will be attached to the resource name to ensure resources are random	string	null	no
tag_mapping_db	Configuration for the ISR tag mapping database By default, the module uploads the items in the dynamodb-cache JSON file stored locally. The cache alias is appended to each item in the DB. Possible values for deployment: - NONE - CREATE The read and write capacity for the Global Secondary Index (GSI) can be overridden; however, the table's read and write capacity will be used by default. NOTE: This can be overridden for each zone	object({ deployment = optional(string, "CREATE") billing_mode = optional(string, "PAY_PER_REQUEST") read_capacity = optional(number) write_capacity = optional(number) revalidate_gsi = optional(object({ read_capacity = optional(number) write_capacity = optional(number) }), {}) })	{}	no
vpc	The default VPC configuration for the lambda resources. This can be overridden for each zone and each function	object({ security_group_ids = list(string), subnet_ids = list(string) })	null	no
waf	Configuration for the CloudFront distribution WAF. When the deployment is set to 'INDEPENDENT_ZONES' this can be overridden for each zone. If deployment is 'SHARED_DISTRIBUTION' or 'SHARED_DISTRIBUTION_AND_BUCKET' this configuration is used" Possible values for the WAF deployment are: - NONE - USE_EXISTING - CREATE - DETACH The web_acl_id is mandatory when deployment is set to USE_EXISTING. When configuring basic authentication, the encoded username and password are marked as sensitive. This can be turned off by setting mark_as_sensitive to false; however, a bug in Terraform v1.6.0 prevented this from working. If this occurs, please upgrade to at least v1.6.1. Possible values for the WAF default action are: - ALLOW - BLOCK The module provides the ability to configure recommended WAF rules to guard against SQL Injection (sqli), account takeover protection and account creation fraud prevention. Multiple rate limits can be configured with each limit applied across all geographic regions or limited to a specific region. The possible values for the action are: - COUNT - BLOCK The possible values for the action of each additional rule are: - COUNT - BLOCK When IP address restrictions are used as part of additional rules or enforcing basic auth, the possible values for the action are: - BYPASS - BLOCK Examples of maintenance pages, basic auth, and more can be found at https://github.com/RJPearson94/terraform-aws-open-next-examples.	object({ deployment = optional(string, "NONE") web_acl_id = optional(string) aws_managed_rules = optional(list(object({ priority = optional(number) name = string aws_managed_rule_name = string })), [{ name = "amazon-ip-reputation-list" aws_managed_rule_name = "AWSManagedRulesAmazonIpReputationList" }, { name = "common-rule-set" aws_managed_rule_name = "AWSManagedRulesCommonRuleSet" }, { name = "known-bad-inputs" aws_managed_rule_name = "AWSManagedRulesKnownBadInputsRuleSet" }]) rate_limiting = optional(object({ enabled = optional(bool, false) limits = optional(list(object({ priority = optional(number) rule_name_suffix = optional(string) limit = optional(number, 1000) action = optional(string, "BLOCK") geo_match_scope = optional(list(string)) })), []) }), {}) sqli = optional(object({ enabled = optional(bool, false) priority = optional(number) }), {}) account_takeover_protection = optional(object({ enabled = optional(bool, false) priority = optional(number) login_path = string enable_regex_in_path = optional(bool) request_inspection = optional(object({ username_field_identifier = string password_field_identifier = string payload_type = string })) response_inspection = optional(object({ failure_codes = list(string) success_codes = list(string) })) })) account_creation_fraud_prevention = optional(object({ enabled = optional(bool, false) priority = optional(number) creation_path = string registration_page_path = string enable_regex_in_path = optional(bool) request_inspection = optional(object({ email_field_identifier = string username_field_identifier = string password_field_identifier = string payload_type = string })) response_inspection = optional(object({ failure_codes = list(string) success_codes = list(string) })) })) enforce_basic_auth = optional(object({ enabled = optional(bool, false) priority = optional(number) response_code = optional(number, 401) response_header = optional(object({ name = optional(string, "WWW-Authenticate") value = optional(string, "Basic realm="Requires basic auth"") }), {}) header_name = optional(string, "authorization") credentials = optional(object({ username = string password = string mark_as_sensitive = optional(bool, true) })) ip_address_restrictions = optional(list(object({ action = optional(string, "BYPASS") arn = optional(string) name = optional(string) }))) })) additional_rules = optional(list(object({ enabled = optional(bool, false) priority = optional(number) name = string action = optional(string, "COUNT") block_action = optional(object({ response_code = number response_header = optional(object({ name = string value = string })) custom_response_body_key = optional(string) })) ip_address_restrictions = list(object({ action = optional(string, "BYPASS") arn = optional(string) name = optional(string) })) }))) default_action = optional(object({ action = optional(string, "ALLOW") block_action = optional(object({ response_code = number response_header = optional(object({ name = string value = string })) custom_response_body_key = optional(string) })) })) ip_addresses = optional(map(object({ description = optional(string) ip_address_version = string addresses = list(string) }))) custom_response_bodies = optional(list(object({ key = string content = string content_type = string }))) })	{}	no
warmer_function	Configuration for the warmer function. By default, the module will create a new zip from the warmer function code on disk. However, you can override this by supplying a zip file containing the lambda code with either a local reference or a reference to the zip in an S3 bucket. If the warmer function is enabled, you can conditionally choose to warm the staging distribution. Enabling this will provision another lambda function. By default, the warmer for the staging distribution will use the same concurrency value as the production distribution. However, you can override this value by specifying a concurrency value for the warm_staging object. This function is deployed to the region specified on the default AWS Terraform provider. NOTE: This can be overridden for each zone	object({ enabled = optional(bool, false) warm_staging = optional(object({ enabled = optional(bool, false) concurrency = optional(number) })) function_code = optional(object({ handler = optional(string, "index.handler") zip = optional(object({ path = string hash = string })) s3 = optional(object({ bucket = string key = string object_version = optional(string) })) })) runtime = optional(string, "nodejs20.x") concurrency = optional(number, 20) timeout = optional(number, 15 * 60) // 15 minutes memory_size = optional(number, 1024) function_architecture = optional(string) schedule = optional(string, "rate(5 minutes)") additional_environment_variables = optional(map(string), {}) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) vpc = optional(object({ security_group_ids = list(string), subnet_ids = list(string) })) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) logging_config = optional(object({ log_format = optional(string) application_log_level = optional(string) system_log_level = optional(string) })) cloudwatch_log = optional(object({ deployment = optional(string) retention_in_days = optional(number) name = optional(string) log_group_class = optional(string) skip_destroy = optional(bool) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) })	{}	no
website_bucket	Configuration for the website S3 bucket When the deployment is set to 'INDEPENDENT_ZONES' or 'SHARED_DISTRIBUTION' this can be overridden for each zone. If deployment is 'SHARED_DISTRIBUTION_AND_BUCKET' this configuration is used" This bucket is deployed to the region specified on the default AWS Terraform provider.	object({ force_destroy = optional(bool, false) arn = optional(string) region = optional(string) name = optional(string) })	{}	no
zones	The website zones to create. For a complete breakdown of the configuration of each input, see the descriptions above	list(object({ root = bool name = string folder_path = string open_next_version = optional(string) path = optional(string) prefix_path_overrides = optional(bool, true) s3_exclusion_regex = optional(string) function_architecture = optional(string) iam = optional(object({ path = optional(string, "/") permissions_boundary = optional(string) })) logging_config = optional(object({ log_format = optional(string) application_log_level = optional(string) system_log_level = optional(string) })) cloudwatch_log = optional(object({ deployment = optional(string) retention_in_days = optional(number) name = optional(string) log_group_class = optional(string) skip_destroy = optional(bool) })) vpc = optional(object({ security_group_ids = list(string), subnet_ids = list(string) })) aliases = optional(object({ production = string staging = string })) cache_control_immutable_assets_regex = optional(string) content_types = optional(object({ mapping = optional(map(string), { "svg" = "image/svg+xml", "js" = "application/javascript", "css" = "text/css", "html" = "text/html" }) default = optional(string, "binary/octet-stream") })) warmer_function = optional(object({ enabled = optional(bool, false) warm_staging = optional(object({ enabled = optional(bool, false) concurrency = optional(number) })) function_code = optional(object({ handler = optional(string, "index.handler") zip = optional(object({ path = string hash = string })) s3 = optional(object({ bucket = string key = string object_version = optional(string) })) })) runtime = optional(string, "nodejs20.x") concurrency = optional(number, 20) timeout = optional(number, 15 * 60) // 15 minutes memory_size = optional(number, 1024) function_architecture = optional(string) schedule = optional(string, "rate(5 minutes)") additional_environment_variables = optional(map(string), {}) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) vpc = optional(object({ security_group_ids = list(string), subnet_ids = list(string) })) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) logging_config = optional(object({ log_format = optional(string) application_log_level = optional(string) system_log_level = optional(string) })) cloudwatch_log = optional(object({ deployment = optional(string) retention_in_days = optional(number) name = optional(string) log_group_class = optional(string) skip_destroy = optional(bool) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) })) edge_functions = optional(object({ runtime = optional(string, "nodejs20.x") timeout = optional(number, 10) memory_size = optional(number, 512) include_open_next_origin_env_variable = optional(bool, true) additional_environment_variables = optional(map(string), {}) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) function_overrides = optional(map(object({ function_code = optional(object({ handler = optional(string, "handler.handler") zip = optional(object({ path = string hash = string })) s3 = optional(object({ bucket = string key = string object_version = optional(string) })) })) runtime = optional(string, "nodejs20.x") timeout = optional(number, 10) memory_size = optional(number, 512) include_open_next_origin_env_variable = optional(bool, true) additional_environment_variables = optional(map(string), {}) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) })), {}) })) server_function = optional(object({ function_code = optional(object({ handler = optional(string, "index.handler") zip = optional(object({ path = string hash = string })) s3 = optional(object({ bucket = string key = string object_version = optional(string) })) })) enable_streaming = optional(bool, false) runtime = optional(string, "nodejs20.x") backend_deployment_type = optional(string, "REGIONAL_LAMBDA") timeout = optional(number, 10) memory_size = optional(number, 1024) function_architecture = optional(string) additional_environment_variables = optional(map(string), {}) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) vpc = optional(object({ security_group_ids = list(string), subnet_ids = list(string) })) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) logging_config = optional(object({ log_format = optional(string) application_log_level = optional(string) system_log_level = optional(string) })) cloudwatch_log = optional(object({ deployment = optional(string) retention_in_days = optional(number) name = optional(string) log_group_class = optional(string) skip_destroy = optional(bool) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) })) additional_server_functions = optional(object({ enable_streaming = optional(bool) runtime = optional(string, "nodejs20.x") backend_deployment_type = optional(string, "REGIONAL_LAMBDA") timeout = optional(number, 10) memory_size = optional(number, 1024) function_architecture = optional(string) additional_environment_variables = optional(map(string), {}) iam_policies = optional(object({ include_bucket_access = optional(bool, false) include_revalidation_queue_access = optional(bool, false) include_tag_mapping_db_access = optional(bool, false) }), {}) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) vpc = optional(object({ security_group_ids = list(string), subnet_ids = list(string) })) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) logging_config = optional(object({ log_format = optional(string) application_log_level = optional(string) system_log_level = optional(string) })) cloudwatch_log = optional(object({ deployment = optional(string) retention_in_days = optional(number) name = optional(string) log_group_class = optional(string) skip_destroy = optional(bool) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) function_overrides = optional(map(object({ function_code = optional(object({ handler = optional(string, "index.handler") zip = optional(object({ path = string hash = string })) s3 = optional(object({ bucket = string key = string object_version = optional(string) })) })) enable_streaming = optional(bool) runtime = optional(string, "nodejs20.x") backend_deployment_type = optional(string, "REGIONAL_LAMBDA") timeout = optional(number, 10) memory_size = optional(number, 1024) function_architecture = optional(string) additional_environment_variables = optional(map(string), {}) iam_policies = optional(object({ include_bucket_access = optional(bool, false) include_revalidation_queue_access = optional(bool, false) include_tag_mapping_db_access = optional(bool, false) }), {}) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) vpc = optional(object({ security_group_ids = list(string), subnet_ids = list(string) })) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) logging_config = optional(object({ log_format = optional(string) application_log_level = optional(string) system_log_level = optional(string) })) cloudwatch_log = optional(object({ deployment = optional(string) retention_in_days = optional(number) name = optional(string) log_group_class = optional(string) skip_destroy = optional(bool) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) })), {}) })) image_optimisation_function = optional(object({ create = optional(bool, true) function_code = optional(object({ handler = optional(string, "index.handler") zip = optional(object({ path = string hash = string })) s3 = optional(object({ bucket = string key = string object_version = optional(string) })) })) runtime = optional(string, "nodejs20.x") backend_deployment_type = optional(string, "REGIONAL_LAMBDA") timeout = optional(number, 25) memory_size = optional(number, 1536) additional_environment_variables = optional(map(string), {}) function_architecture = optional(string) static_image_optimisation = optional(bool, false) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) vpc = optional(object({ security_group_ids = list(string), subnet_ids = list(string) })) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) logging_config = optional(object({ log_format = optional(string) application_log_level = optional(string) system_log_level = optional(string) })) cloudwatch_log = optional(object({ deployment = optional(string) retention_in_days = optional(number) name = optional(string) log_group_class = optional(string) skip_destroy = optional(bool) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) })) revalidation_function = optional(object({ function_code = optional(object({ handler = optional(string, "index.handler") zip = optional(object({ path = string hash = string })) s3 = optional(object({ bucket = string key = string object_version = optional(string) })) })) runtime = optional(string, "nodejs20.x") timeout = optional(number, 25) memory_size = optional(number, 1536) additional_environment_variables = optional(map(string), {}) function_architecture = optional(string) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) vpc = optional(object({ security_group_ids = list(string), subnet_ids = list(string) })) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) logging_config = optional(object({ log_format = optional(string) application_log_level = optional(string) system_log_level = optional(string) })) cloudwatch_log = optional(object({ deployment = optional(string) retention_in_days = optional(number) name = optional(string) log_group_class = optional(string) skip_destroy = optional(bool) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) })) tag_mapping_db = optional(object({ deployment = optional(string, "CREATE") billing_mode = optional(string, "PAY_PER_REQUEST") read_capacity = optional(number) write_capacity = optional(number) revalidate_gsi = optional(object({ read_capacity = optional(number) write_capacity = optional(number) }), {}) })) website_bucket = optional(object({ force_destroy = optional(bool, false) arn = optional(string) region = optional(string) name = optional(string) })) distribution = optional(object({ deployment = optional(string, "CREATE") enabled = optional(bool, true) ipv6_enabled = optional(bool, true) http_version = optional(string, "http2") price_class = optional(string, "PriceClass_100") geo_restrictions = optional(object({ type = optional(string, "none"), locations = optional(list(string), []) }), {}) x_forwarded_host_function = optional(object({ runtime = optional(string) code = optional(string) }), {}) auth_function = optional(object({ deployment = optional(string, "NONE") qualified_arn = optional(string) function_code = optional(object({ handler = optional(string, "index.handler") zip = optional(object({ path = string hash = string })) s3 = optional(object({ bucket = string key = string object_version = optional(string) })) })) runtime = optional(string, "nodejs20.x") timeout = optional(number, 10) memory_size = optional(number, 256) additional_iam_policies = optional(list(object({ name = string, arn = optional(string) policy = optional(string) })), []) iam = optional(object({ path = optional(string) permissions_boundary = optional(string) })) logging_config = optional(object({ log_format = optional(string) application_log_level = optional(string) system_log_level = optional(string) })) cloudwatch_log = optional(object({ deployment = optional(string) retention_in_days = optional(number) name = optional(string) log_group_class = optional(string) skip_destroy = optional(bool) })) timeouts = optional(object({ create = optional(string) update = optional(string) delete = optional(string) }), {}) }), {}) lambda_url_oac = optional(object({ deployment = optional(string, "NONE") }), {}) cache_policy = optional(object({ deployment = optional(string, "CREATE") arn = optional(string) id = optional(string) default_ttl = optional(number, 0) max_ttl = optional(number, 31536000) min_ttl = optional(number, 0) cookie_behavior = optional(string, "all") header_behavior = optional(string, "whitelist") header_items = optional(list(string)) query_string_behavior = optional(string, "all") }), {}) })) behaviours = optional(object({ custom_error_responses = optional(object({ path_overrides = optional(map(object({ allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ arn = string include_body = bool })) origin_response = optional(object({ arn = string })) }))) allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ type = string arn = string include_body = optional(bool) })) origin_response = optional(object({ type = string arn = string })) })) static_assets = optional(object({ paths = optional(list(string)) additional_paths = optional(list(string)) path_overrides = optional(map(object({ allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ arn = string include_body = bool })) origin_response = optional(object({ arn = string })) }))) allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ type = string arn = string include_body = optional(bool) })) origin_response = optional(object({ type = string arn = string })) })) server = optional(object({ paths = optional(list(string)) path_overrides = map(object({ allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ arn = string include_body = bool })) origin_response = optional(object({ arn = string })) })) allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ type = string arn = string include_body = optional(bool) })) origin_response = optional(object({ type = string arn = string })) })) additional_origins = optional(map(object({ paths = optional(list(string)) path_overrides = optional(map(object({ allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ arn = string include_body = bool })) origin_response = optional(object({ arn = string })) }))) allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ type = string arn = string include_body = optional(bool) })) origin_response = optional(object({ type = string arn = string })) })), {}) image_optimisation = optional(object({ paths = optional(list(string)) path_overrides = map(object({ allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ arn = string include_body = bool })) origin_response = optional(object({ arn = string })) })) allowed_methods = optional(list(string)) cached_methods = optional(list(string)) cache_policy_id = optional(string) origin_request_policy_id = optional(string) compress = optional(bool) viewer_protocol_policy = optional(string) viewer_request = optional(object({ type = string arn = string include_body = optional(bool) })) viewer_response = optional(object({ type = string arn = string })) origin_request = optional(object({ type = string arn = string include_body = optional(bool) })) origin_response = optional(object({ type = string arn = string })) })) })) waf = optional(object({ deployment = optional(string, "NONE") web_acl_id = optional(string) aws_managed_rules = optional(list(object({ priority = optional(number) name = string aws_managed_rule_name = string })), [{ name = "amazon-ip-reputation-list" aws_managed_rule_name = "AWSManagedRulesAmazonIpReputationList" }, { name = "common-rule-set" aws_managed_rule_name = "AWSManagedRulesCommonRuleSet" }, { name = "known-bad-inputs" aws_managed_rule_name = "AWSManagedRulesKnownBadInputsRuleSet" }]) rate_limiting = optional(object({ enabled = optional(bool, false) limits = optional(list(object({ priority = optional(number) rule_name_suffix = optional(string) limit = optional(number, 1000) action = optional(string, "BLOCK") geo_match_scope = optional(list(string)) })), []) }), {}) sqli = optional(object({ enabled = optional(bool, false) priority = optional(number) }), {}) account_takeover_protection = optional(object({ enabled = optional(bool, false) priority = optional(number) login_path = string enable_regex_in_path = optional(bool) request_inspection = optional(object({ username_field_identifier = string password_field_identifier = string payload_type = string })) response_inspection = optional(object({ failure_codes = list(string) success_codes = list(string) })) })) account_creation_fraud_prevention = optional(object({ enabled = optional(bool, false) priority = optional(number) creation_path = string registration_page_path = string enable_regex_in_path = optional(bool) request_inspection = optional(object({ email_field_identifier = string username_field_identifier = string password_field_identifier = string payload_type = string })) response_inspection = optional(object({ failure_codes = list(string) success_codes = list(string) })) })) enforce_basic_auth = optional(object({ enabled = optional(bool, false) priority = optional(number) response_code = optional(number, 401) response_header = optional(object({ name = optional(string, "WWW-Authenticate") value = optional(string, "Basic realm="Requires basic auth"") }), {}) header_name = optional(string, "authorization") credentials = optional(object({ username = string password = string mark_as_sensitive = optional(bool, true) })) ip_address_restrictions = optional(list(object({ action = optional(string, "BYPASS") arn = optional(string) name = optional(string) }))) })) additional_rules = optional(list(object({ enabled = optional(bool, false) priority = optional(number) name = string action = optional(string, "COUNT") block_action = optional(object({ response_code = number response_header = optional(object({ name = string value = string })) custom_response_body_key = optional(string) })) ip_address_restrictions = list(object({ action = optional(string, "BYPASS") arn = optional(string) name = optional(string) })) }))) default_action = optional(object({ action = optional(string, "ALLOW") block_action = optional(object({ response_code = number response_header = optional(object({ name = string value = string })) custom_response_body_key = optional(string) })) })) ip_addresses = optional(map(object({ description = optional(string) ip_address_version = string addresses = list(string) }))) custom_response_bodies = optional(list(object({ key = string content = string content_type = string }))) })) domain_config = optional(object({ evaluate_target_health = optional(bool, true) include_www = optional(bool, false) sub_domain = optional(string) hosted_zones = list(object({ name = string id = optional(string) private_zone = optional(bool, false) })) create_route53_entries = optional(bool, true) route53_record_allow_overwrite = optional(bool, true) viewer_certificate = optional(object({ acm_certificate_arn = string ssl_support_method = optional(string, "sni-only") minimum_protocol_version = optional(string, "TLSv1.2_2021") })) })) continuous_deployment = optional(object({ use = optional(bool, false) deployment = optional(string, "NONE") traffic_config = optional(object({ header = optional(object({ name = string value = string })) weight = optional(object({ percentage = number session_stickiness = optional(object({ idle_ttl = number maximum_ttl = number })) })) })) })) custom_error_responses = optional(list(object({ error_code = string error_caching_min_ttl = optional(number) response_code = optional(string) response_page = optional(object({ source = string path_prefix = string })) }))) }))	n/a	yes

Outputs

Name	Description
alternate_domain_names	Extra CNAMEs (alternate domain names) associated with the cloudfront distribution
cloudfront_distribution_id	The ID for the root cloudfront distribution
cloudfront_staging_distribution_id	The ID for the root cloudfront staging distribution
cloudfront_url	The URL for the root cloudfront distribution
zones	Configuration details of the zones