Adding trusted_key_groups to default behavior (#19)

DNXLabs · Nov 11, 2024 · ed37b74 · ed37b74
1 parent e790f21
commit ed37b74
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/_variables.tf b/_variables.tf
@@ -180,4 +180,13 @@ The following arguments are supported:
   - actions: The actions to execute when the alarm transitions into an ALARM state (ARN). 
   - ok_actions: The list of actions to execute when this alarm transitions into an OK state from any other state (ARN). 
 EOF
-}
+}
+
+variable "trusted_key_groups" {
+  type = list(object({
+    name                = string
+    public_key_contents = string
+  }))
+  default     = []
+  description = "A list with `name` and `public_key` to create and attach a trusted key group to the distribution"
+}
diff --git a/cloudfront.tf b/cloudfront.tf
@@ -80,6 +80,7 @@ resource "aws_cloudfront_distribution" "default" {
     target_origin_id           = "s3Origin"
     compress                   = true
     response_headers_policy_id = var.default_cache_behavior_response_headers_id
+    trusted_key_groups         = length(var.trusted_key_groups) > 0 ? [for i in aws_cloudfront_key_group.default : i.id] : []
 
     forwarded_values {
       query_string = var.default_cache_behavior_forward_query_string

diff --git a/key_groups.tf b/key_groups.tf
@@ -0,0 +1,13 @@
+resource "aws_cloudfront_public_key" "default" {
+  for_each    = { for public_key in var.trusted_key_groups : public_key.name => public_key }
+  comment     = ""
+  encoded_key = each.value.public_key_contents
+  name        = each.key
+}
+
+resource "aws_cloudfront_key_group" "default" {
+  for_each = { for public_key in var.trusted_key_groups : public_key.name => public_key }
+  comment  = ""
+  items    = [aws_cloudfront_public_key.default[each.key].id]
+  name     = each.key
+}