Updated example for VPC Origin

Author: antonbabenko

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.96.1
+    rev: v1.96.2
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each

README.md

@@ -79,7 +79,7 @@ module "cdn" {
 
 ## Examples
 
-- [Complete](https://github.com/terraform-aws-modules/terraform-aws-cloudfront/tree/master/examples/complete) - Complete example which creates AWS CloudFront distribution and integrates it with other [terraform-aws-modules](https://github.com/terraform-aws-modules) to create additional resources: S3 buckets, Lambda Functions, CloudFront Functions, ACM Certificate, Route53 Records.
+- [Complete](https://github.com/terraform-aws-modules/terraform-aws-cloudfront/tree/master/examples/complete) - Complete example which creates AWS CloudFront distribution and integrates it with other [terraform-aws-modules](https://github.com/terraform-aws-modules) to create additional resources: S3 buckets, Lambda Functions, CloudFront Functions, VPC Origins, ACM Certificate, Route53 Records.
 
 ## Notes
 
@@ -107,13 +107,13 @@ ordered_cache_behavior = [{
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.82.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.82 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.82.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.82 |
 
 ## Modules
 

examples/complete/README.md

@@ -8,6 +8,7 @@ Configuration in this directory creates CloudFront distribution which demos such
 - Lambda@Edge
 - ACM certificate
 - Route53 record
+- VPC Origins
 
 ## Usage
 
@@ -50,9 +51,6 @@ Note that this example may create resources which cost money. Run `terraform des
 | <a name="module_log_bucket"></a> [log\_bucket](#module\_log\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 4.0 |
 | <a name="module_records"></a> [records](#module\_records) | terraform-aws-modules/route53/aws//modules/records | ~> 2.0 |
 | <a name="module_s3_one"></a> [s3\_one](#module\_s3\_one) | terraform-aws-modules/s3-bucket/aws | ~> 4.0 |
-| <a name="module_security_group_ec2"></a> [security\_group\_ec2](#module\_security\_group\_ec2) | terraform-aws-modules/security-group/aws | ~> 5.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
-| <a name="module_vpc_endpoints"></a> [vpc\_endpoints](#module\_vpc\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | ~> 5.0 |
 
 ## Resources
 
@@ -63,12 +61,10 @@ Note that this example may create resources which cost money. Run `terraform des
 | [null_resource.download_package](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
 | [aws_ami.al2023](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
-| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_canonical_user_id.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/canonical_user_id) | data source |
 | [aws_cloudfront_log_delivery_canonical_user_id.cloudfront](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_log_delivery_canonical_user_id) | data source |
 | [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
-| [aws_security_group.vpc_origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 
 ## Inputs
 

examples/complete/main.tf

@@ -56,7 +56,7 @@ module "cloudfront" {
   create_vpc_origin = true
   vpc_origin = {
     ec2_vpc_origin = {
-      name                   = local.subdomain
+      name                   = random_pet.this.id
       arn                    = module.ec2.arn
       http_port              = 80
       https_port             = 443
@@ -348,6 +348,10 @@ module "records" {
   ]
 }
 
+#########################################
+# S3 bucket policy
+#########################################
+
 data "aws_iam_policy_document" "s3_policy" {
   # Origin Access Identities
   statement {
@@ -383,108 +387,41 @@ resource "aws_s3_bucket_policy" "bucket_policy" {
   policy = data.aws_iam_policy_document.s3_policy.json
 }
 
-########
-# Extra
-########
-
-resource "random_pet" "this" {
-  length = 2
-}
+#########################################
+# CloudFront function
+#########################################
 
 resource "aws_cloudfront_function" "example" {
   name    = "example-${random_pet.this.id}"
   runtime = "cloudfront-js-1.0"
   code    = file("${path.module}/example-function.js")
 }
 
-#######################################
-# EC2 and VPC for CloudFront VPC origin
-#######################################
-
-locals {
-  vpc_cidr = "10.0.0.0/16"
-  vpc_azs  = slice(data.aws_availability_zones.available.names, 0, 2)
-}
+#########################################
+# EC2 instance for CloudFront VPC origin
+#########################################
 
-module "ec2" {
-  source  = "terraform-aws-modules/ec2-instance/aws"
-  version = "~> 5.0"
-
-  name = local.subdomain
-  ami  = data.aws_ami.al2023.id
-
-  user_data = <<-EOF
-    #!/bin/bash
-    dnf update
-    dnf install -y nginx
-    systemctl start nginx
-  EOF
-
-  subnet_id              = element(module.vpc.intra_subnets, 0)
-  vpc_security_group_ids = [module.security_group_ec2.security_group_id]
-}
-
-module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.0"
-
-  name = local.subdomain
-  cidr = local.vpc_cidr
-
-  azs            = local.vpc_azs
-  intra_subnets  = [for k, v in local.vpc_azs : cidrsubnet(local.vpc_cidr, 8, k)]
-  public_subnets = [for k, v in local.vpc_azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
-}
-
-module "vpc_endpoints" {
-  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
-  version = "~> 5.0"
-
-  vpc_id = module.vpc.vpc_id
+data "aws_ami" "al2023" {
+  most_recent = true
+  owners      = ["amazon"]
 
-  endpoints = {
-    s3 = {
-      service         = "s3"
-      service_type    = "Gateway"
-      route_table_ids = module.vpc.intra_route_table_ids
-    },
+  filter {
+    name   = "name"
+    values = ["al2023-ami-2023*-x86_64"]
   }
 }
 
-module "security_group_ec2" {
-  source  = "terraform-aws-modules/security-group/aws"
+module "ec2" {
+  source  = "terraform-aws-modules/ec2-instance/aws"
   version = "~> 5.0"
 
-  name        = "${local.subdomain}-ec2"
-  description = "Security Group for EC2 Instance Egress"
-
-  vpc_id = module.vpc.vpc_id
-
-  egress_rules = ["http-80-tcp", "https-443-tcp"]
-  ingress_with_source_security_group_id = [
-    {
-      from_port                = 80
-      to_port                  = 80
-      protocol                 = "tcp"
-      description              = "Allow access to the CloudFront origin"
-      source_security_group_id = data.aws_security_group.vpc_origin.id
-  }]
+  ami = data.aws_ami.al2023.id
 }
 
-data "aws_availability_zones" "available" {}
-
-data "aws_security_group" "vpc_origin" {
-  name       = "CloudFront-VPCOrigins-Service-SG"
-  vpc_id     = module.vpc.vpc_id
-  depends_on = [module.cloudfront]
-}
-
-data "aws_ami" "al2023" {
-  most_recent = true
-  owners      = ["amazon"]
+########
+# Extra
+########
 
-  filter {
-    name   = "name"
-    values = ["al2023-ami-2023*-x86_64"]
-  }
+resource "random_pet" "this" {
+  length = 2
 }

main.tf

@@ -28,8 +28,6 @@ resource "aws_cloudfront_origin_access_control" "this" {
 resource "aws_cloudfront_vpc_origin" "this" {
   for_each = local.create_vpc_origin ? var.vpc_origin : {}
 
-  tags = var.tags
-
   vpc_origin_endpoint_config {
     name                   = each.value["name"]
     arn                    = each.value["arn"]
@@ -42,6 +40,8 @@ resource "aws_cloudfront_vpc_origin" "this" {
       quantity = each.value.origin_ssl_protocols.quantity
     }
   }
+
+  tags = var.tags
 }
 
 resource "aws_cloudfront_distribution" "this" {

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.82.0"
+      version = ">= 5.82"
     }
   }
 }

wrappers/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.82.0"
+      version = ">= 5.82"
     }
   }
 }