Add Cloudfront Function support

Author: joshAtRula

README.md

@@ -77,6 +77,128 @@ module "cdn" {
 }
 ```
 
+### CloudFront distribution with CloudFront Functions
+
+```hcl
+module "cdn" {
+  source = "terraform-aws-modules/cloudfront/aws"
+
+  aliases = ["cdn.example.com"]
+
+  comment             = "CloudFront with Functions"
+  enabled             = true
+  is_ipv6_enabled     = true
+  price_class         = "PriceClass_All"
+  retain_on_delete    = false
+  wait_for_deployment = false
+
+  # Enable CloudFront Functions
+  create_cloudfront_function = true
+
+  cloudfront_functions = {
+    viewer-request-function = {
+      runtime = "cloudfront-js-2.0"
+      comment = "Function to add security headers and modify requests"
+      code    = file("${path.module}/functions/viewer-request.js")
+      publish = true
+    }
+
+    viewer-response-function = {
+      runtime = "cloudfront-js-2.0"
+      comment = "Function to add security response headers"
+      code    = file("${path.module}/functions/viewer-response.js")
+      publish = true
+      # Optional: Associate with CloudFront KeyValueStore
+      key_value_store_associations = ["arn:aws:cloudfront::123456789012:key-value-store/example-store"]
+    }
+  }
+
+  origin = {
+    s3_bucket = {
+      domain_name = "my-bucket.s3.amazonaws.com"
+      s3_origin_config = {
+        origin_access_identity = "s3_bucket"
+      }
+    }
+  }
+
+  default_cache_behavior = {
+    target_origin_id       = "s3_bucket"
+    viewer_protocol_policy = "redirect-to-https"
+
+    allowed_methods = ["GET", "HEAD", "OPTIONS"]
+    cached_methods  = ["GET", "HEAD"]
+    compress        = true
+    query_string    = true
+
+    # Associate CloudFront Functions with cache behavior
+    # Option 1: Direct ARN reference (recommended for external functions)
+    # function_association = {
+    #   viewer-request = {
+    #     function_arn = aws_cloudfront_function.external.arn
+    #   }
+    # }
+
+    # Option 2: Dynamic reference to module-managed functions by name
+    function_association = {
+      viewer-request = {
+        function_name = "viewer-request-function"
+      }
+      viewer-response = {
+        function_name = "viewer-response-function"
+      }
+    }
+  }
+
+  viewer_certificate = {
+    acm_certificate_arn = "arn:aws:acm:us-east-1:135367859851:certificate/1032b155-22da-4ae0-9f69-e206f825458b"
+    ssl_support_method  = "sni-only"
+  }
+}
+```
+
+**CloudFront Functions Features:**
+
+- **Lightweight JavaScript execution** at CloudFront edge locations
+- **Sub-millisecond execution** for viewer request/response modifications
+- **Runtime options**: `cloudfront-js-1.0` (10KB limit) or `cloudfront-js-2.0` (30KB limit, default)
+- **Event types**: viewer-request, viewer-response (not origin-request/response)
+- **Key-Value Store integration**: Associate functions with CloudFront KeyValueStore (max 1 per function)
+- **Cost-effective**: Lower cost than Lambda@Edge for simple transformations
+
+**Common use cases:**
+
+- URL redirects and rewrites
+- Request/response header manipulation
+- Access control and authentication
+- A/B testing and feature flags
+- Cache key normalization
+
+**Usage Pattern Note:**
+
+The module supports two flexible patterns for associating CloudFront Functions with cache behaviors:
+
+1. **Direct ARN Reference** (`function_arn`): Pass the ARN directly from external `aws_cloudfront_function` resources
+
+   ```hcl
+   function_association = {
+     viewer-request = {
+       function_arn = aws_cloudfront_function.external.arn
+     }
+   }
+   ```
+
+2. **Dynamic Name Reference** (`function_name`): Reference module-managed functions by their map key
+   ```hcl
+   function_association = {
+     viewer-request = {
+       function_name = "viewer-request-function"  # Key from cloudfront_functions map
+     }
+   }
+   ```
+
+The module automatically resolves function ARNs using Terraform's `try()` function, checking for `function_arn` first, then falling back to `function_name` lookup in module-created functions. This eliminates circular dependency issues while maintaining flexibility.
+
 ## Examples
 
 - [Complete](https://github.com/terraform-aws-modules/terraform-aws-cloudfront/tree/master/examples/complete) - Complete example which creates AWS CloudFront distribution and integrates it with other [terraform-aws-modules](https://github.com/terraform-aws-modules) to create additional resources: S3 buckets, Lambda Functions, CloudFront Functions, VPC Origins, ACM Certificate, Route53 Records.
@@ -124,6 +246,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_cloudfront_distribution.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
+| [aws_cloudfront_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_function) | resource |
 | [aws_cloudfront_monitoring_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_monitoring_subscription) | resource |
 | [aws_cloudfront_origin_access_control.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
 | [aws_cloudfront_origin_access_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource |
@@ -138,8 +261,10 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_aliases"></a> [aliases](#input\_aliases) | Extra CNAMEs (alternate domain names), if any, for this distribution. | `list(string)` | `null` | no |
+| <a name="input_cloudfront_functions"></a> [cloudfront\_functions](#input\_cloudfront\_functions) | Map of CloudFront Function configurations. Key is used as default function name if 'name' not specified. | <pre>map(object({<br/>    name                         = optional(string)<br/>    runtime                      = optional(string, "cloudfront-js-2.0")<br/>    comment                      = optional(string)<br/>    publish                      = optional(bool, true)<br/>    code                         = string<br/>    key_value_store_associations = optional(list(string), null)<br/>  }))</pre> | `{}` | no |
 | <a name="input_comment"></a> [comment](#input\_comment) | Any comments you want to include about the distribution. | `string` | `null` | no |
 | <a name="input_continuous_deployment_policy_id"></a> [continuous\_deployment\_policy\_id](#input\_continuous\_deployment\_policy\_id) | Identifier of a continuous deployment policy. This argument should only be set on a production distribution. | `string` | `null` | no |
+| <a name="input_create_cloudfront_function"></a> [create\_cloudfront\_function](#input\_create\_cloudfront\_function) | Controls if CloudFront Functions should be created | `bool` | `false` | no |
 | <a name="input_create_distribution"></a> [create\_distribution](#input\_create\_distribution) | Controls if CloudFront distribution should be created | `bool` | `true` | no |
 | <a name="input_create_monitoring_subscription"></a> [create\_monitoring\_subscription](#input\_create\_monitoring\_subscription) | If enabled, the resource for monitoring subscription will created. | `bool` | `false` | no |
 | <a name="input_create_origin_access_control"></a> [create\_origin\_access\_control](#input\_create\_origin\_access\_control) | Controls if CloudFront origin access control should be created | `bool` | `false` | no |
@@ -186,6 +311,10 @@ No modules.
 | <a name="output_cloudfront_distribution_status"></a> [cloudfront\_distribution\_status](#output\_cloudfront\_distribution\_status) | The current status of the distribution. Deployed if the distribution's information is fully propagated throughout the Amazon CloudFront system. |
 | <a name="output_cloudfront_distribution_tags"></a> [cloudfront\_distribution\_tags](#output\_cloudfront\_distribution\_tags) | Tags of the distribution's |
 | <a name="output_cloudfront_distribution_trusted_signers"></a> [cloudfront\_distribution\_trusted\_signers](#output\_cloudfront\_distribution\_trusted\_signers) | List of nested attributes for active trusted signers, if the distribution is set up to serve private content with signed URLs |
+| <a name="output_cloudfront_function_arns"></a> [cloudfront\_function\_arns](#output\_cloudfront\_function\_arns) | The ARNs of the CloudFront Functions created |
+| <a name="output_cloudfront_function_etags"></a> [cloudfront\_function\_etags](#output\_cloudfront\_function\_etags) | The ETags of the CloudFront Functions (DEVELOPMENT stage) |
+| <a name="output_cloudfront_function_live_stage_etags"></a> [cloudfront\_function\_live\_stage\_etags](#output\_cloudfront\_function\_live\_stage\_etags) | The ETags of the CloudFront Functions (LIVE stage) |
+| <a name="output_cloudfront_function_status"></a> [cloudfront\_function\_status](#output\_cloudfront\_function\_status) | The deployment status of the CloudFront Functions |
 | <a name="output_cloudfront_monitoring_subscription_id"></a> [cloudfront\_monitoring\_subscription\_id](#output\_cloudfront\_monitoring\_subscription\_id) | The ID of the CloudFront monitoring subscription, which corresponds to the `distribution_id`. |
 | <a name="output_cloudfront_origin_access_controls"></a> [cloudfront\_origin\_access\_controls](#output\_cloudfront\_origin\_access\_controls) | The origin access controls created |
 | <a name="output_cloudfront_origin_access_controls_ids"></a> [cloudfront\_origin\_access\_controls\_ids](#output\_cloudfront\_origin\_access\_controls\_ids) | The IDS of the origin access identities created |

examples/complete/README.md

@@ -1,15 +1,37 @@
 # Complete CloudFront distribution with most of supported features enabled
 
 Configuration in this directory creates CloudFront distribution which demos such capabilities:
+
 - access logging
 - origins and origin groups
 - caching behaviours
 - Origin Access Identities (with S3 bucket policy)
+- Origin Access Control (recommended over OAI)
 - Lambda@Edge
+- **CloudFront Functions** (lightweight JavaScript execution at edge locations)
+- Response Headers Policies
 - ACM certificate
 - Route53 record
 - VPC Origins
 
+## CloudFront Functions
+
+This example demonstrates CloudFront Functions integration with the module:
+
+**Functions included:**
+
+- `viewer-request-security.js` - Security headers and cache key normalization
+- `viewer-response-headers.js` - Add security response headers
+- `ab-testing.js` - A/B testing with path rewriting
+- `kvstore-redirect.js` - Example with CloudFront KeyValueStore integration (commented)
+
+**Features demonstrated:**
+
+- Module-managed CloudFront Functions creation
+- Function association with cache behaviors
+- Runtime selection (cloudfront-js-2.0)
+- KeyValueStore association pattern
+
 ## Usage
 
 To run this example you need to execute:

examples/complete/main.tf

@@ -181,10 +181,23 @@ module "cloudfront" {
 
       function_association = {
         # Valid keys: viewer-request, viewer-response
+
+        # Option 1: Direct ARN reference to standalone resource
         viewer-request = {
           function_arn = aws_cloudfront_function.example.arn
         }
 
+        # Option 2: Dynamic reference to module-managed function by name
+        # Uncomment to use module-managed functions instead:
+        # viewer-request = {
+        #   function_name = "viewer-request-security"
+        # }
+
+        # viewer-response = {
+        #   function_name = "viewer-response-headers"
+        # }
+
+        # For this example, using standalone function for both
         viewer-response = {
           function_arn = aws_cloudfront_function.example.arn
         }
@@ -233,6 +246,39 @@ module "cloudfront" {
     locations        = ["NO", "UA", "US", "GB"]
   }
 
+  # CloudFront Functions - module managed
+  create_cloudfront_function = true
+  cloudfront_functions = {
+    viewer-request-security = {
+      runtime = "cloudfront-js-2.0"
+      comment = "Security headers and cache key normalization"
+      code    = file("${path.module}/viewer-request-security.js")
+      publish = true
+    }
+    viewer-response-headers = {
+      runtime = "cloudfront-js-2.0"
+      comment = "Add security response headers"
+      code    = file("${path.module}/viewer-response-headers.js")
+      publish = true
+    }
+    ab-testing = {
+      runtime = "cloudfront-js-2.0"
+      comment = "A/B testing function"
+      code    = file("${path.module}/ab-testing.js")
+      publish = true
+    }
+    # Example with KeyValueStore association (uncomment and provide actual KV store ARN)
+    # kvstore-redirect = {
+    #   runtime = "cloudfront-js-2.0"
+    #   comment = "Function using CloudFront KeyValueStore for dynamic redirects"
+    #   code    = file("${path.module}/kvstore-redirect.js")
+    #   publish = true
+    #   key_value_store_associations = [
+    #     "arn:aws:cloudfront::123456789012:key-value-store/example-redirects"
+    #   ]
+    # }
+  }
+
   create_response_headers_policy = true
   response_headers_policy = {
     cors_policy = {

main.tf

@@ -3,6 +3,7 @@ locals {
   create_origin_access_control   = var.create_origin_access_control && length(keys(var.origin_access_control)) > 0
   create_vpc_origin              = var.create_vpc_origin && length(keys(var.vpc_origin)) > 0
   create_response_headers_policy = var.create_response_headers_policy && length(keys(var.response_headers_policy)) > 0
+  create_cloudfront_function     = var.create_cloudfront_function && length(keys(var.cloudfront_functions)) > 0
 }
 
 resource "aws_cloudfront_response_headers_policy" "this" {
@@ -144,6 +145,17 @@ resource "aws_cloudfront_response_headers_policy" "this" {
   }
 }
 
+resource "aws_cloudfront_function" "this" {
+  for_each = local.create_cloudfront_function ? var.cloudfront_functions : {}
+
+  name    = each.value.name != null ? each.value.name : each.key
+  runtime = each.value.runtime
+  comment = each.value.comment
+  publish = each.value.publish
+  code    = each.value.code
+
+  key_value_store_associations = each.value.key_value_store_associations
+}
 
 resource "aws_cloudfront_origin_access_identity" "this" {
   for_each = local.create_origin_access_identity ? var.origin_access_identities : {}
@@ -208,6 +220,11 @@ resource "aws_cloudfront_distribution" "this" {
   web_acl_id                      = var.web_acl_id
   tags                            = var.tags
 
+  # Ensure CloudFront Functions are created before the distribution
+  depends_on = [
+    aws_cloudfront_function.this
+  ]
+
   dynamic "logging_config" {
     for_each = length(keys(var.logging_config)) == 0 ? [] : [var.logging_config]
 
@@ -358,7 +375,7 @@ resource "aws_cloudfront_distribution" "this" {
 
         content {
           event_type   = f.key
-          function_arn = f.value.function_arn
+          function_arn = try(f.value.function_arn, aws_cloudfront_function.this[f.value.function_name].arn, null)
         }
       }
 
@@ -430,7 +447,7 @@ resource "aws_cloudfront_distribution" "this" {
 
         content {
           event_type   = f.key
-          function_arn = f.value.function_arn
+          function_arn = try(f.value.function_arn, aws_cloudfront_function.this[f.value.function_name].arn, null)
         }
       }
 

outputs.tf

@@ -102,3 +102,23 @@ output "cloudfront_response_headers_policy_etags" {
   description = "The ETags of the response headers policies created"
   value       = local.create_response_headers_policy ? { for k, v in aws_cloudfront_response_headers_policy.this : k => v.etag } : {}
 }
+
+output "cloudfront_function_arns" {
+  description = "The ARNs of the CloudFront Functions created"
+  value       = local.create_cloudfront_function ? { for k, v in aws_cloudfront_function.this : k => v.arn } : {}
+}
+
+output "cloudfront_function_status" {
+  description = "The deployment status of the CloudFront Functions"
+  value       = local.create_cloudfront_function ? { for k, v in aws_cloudfront_function.this : k => v.status } : {}
+}
+
+output "cloudfront_function_etags" {
+  description = "The ETags of the CloudFront Functions (DEVELOPMENT stage)"
+  value       = local.create_cloudfront_function ? { for k, v in aws_cloudfront_function.this : k => v.etag } : {}
+}
+
+output "cloudfront_function_live_stage_etags" {
+  description = "The ETags of the CloudFront Functions (LIVE stage)"
+  value       = local.create_cloudfront_function ? { for k, v in aws_cloudfront_function.this : k => v.live_stage_etag } : {}
+}

variables.tf

@@ -292,3 +292,30 @@ variable "response_headers_policy" {
   }))
   default = {}
 }
+
+variable "create_cloudfront_function" {
+  description = "Controls if CloudFront Functions should be created"
+  type        = bool
+  default     = false
+}
+
+variable "cloudfront_functions" {
+  description = "Map of CloudFront Function configurations. Key is used as default function name if 'name' not specified."
+  type = map(object({
+    name                         = optional(string)
+    runtime                      = optional(string, "cloudfront-js-2.0")
+    comment                      = optional(string)
+    publish                      = optional(bool, true)
+    code                         = string
+    key_value_store_associations = optional(list(string), null)
+  }))
+  default = {}
+
+  validation {
+    condition = alltrue([
+      for k, v in var.cloudfront_functions :
+      contains(["cloudfront-js-1.0", "cloudfront-js-2.0"], v.runtime)
+    ])
+    error_message = "Runtime must be 'cloudfront-js-1.0' or 'cloudfront-js-2.0'. Provided runtime is invalid."
+  }
+}

wrappers/main.tf

@@ -4,8 +4,10 @@ module "wrapper" {
   for_each = var.items
 
   aliases                         = try(each.value.aliases, var.defaults.aliases, null)
+  cloudfront_functions            = try(each.value.cloudfront_functions, var.defaults.cloudfront_functions, {})
   comment                         = try(each.value.comment, var.defaults.comment, null)
   continuous_deployment_policy_id = try(each.value.continuous_deployment_policy_id, var.defaults.continuous_deployment_policy_id, null)
+  create_cloudfront_function      = try(each.value.create_cloudfront_function, var.defaults.create_cloudfront_function, false)
   create_distribution             = try(each.value.create_distribution, var.defaults.create_distribution, true)
   create_monitoring_subscription  = try(each.value.create_monitoring_subscription, var.defaults.create_monitoring_subscription, false)
   create_origin_access_control    = try(each.value.create_origin_access_control, var.defaults.create_origin_access_control, false)