Terraform · How-To · Beginner · 4 min read

How to Create AWS CloudFront Distribution with Terraform

To create an AWS CloudFront distribution with Terraform, define an aws_cloudfront_distribution resource that specifies at least one origin (an S3 bucket or an HTTP server), a default cache behavior, a viewer certificate and the required restrictions block, and grant CloudFront read access to the origin. Then run terraform init, terraform plan, and terraform apply to deploy the distribution; a new distribution takes several minutes to reach the Deployed state.
📐

Syntax

The aws_cloudfront_distribution resource defines a CloudFront distribution in Terraform. Key parts include:

  • origin: Where CloudFront fetches content (e.g., an S3 bucket or web server), identified by origin_id. For a private S3 bucket, origin_access_control_id attaches the origin access control (OAC) that signs CloudFront's requests to the bucket.
  • default_cache_behavior: How CloudFront caches and serves content, including whether viewers may use plain HTTP (viewer_protocol_policy).
  • enabled: Whether the distribution is active.
  • restrictions: Required block holding geo_restriction; restriction_type = "none" applies no geographic blocking.
  • viewer_certificate: TLS settings for HTTPS between viewers and CloudFront.
terraform
resource "aws_cloudfront_distribution" "example" {
  origin {
    # Regional REST endpoint of the bucket, not the s3-website endpoint
    domain_name = "example-bucket.s3.us-east-1.amazonaws.com"
    origin_id   = "S3-example-bucket"
  }

  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "S3-example-bucket"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    # Viewers on plain HTTP are redirected; "https-only" refuses them instead
    viewer_protocol_policy = "redirect-to-https"
  }

  # Required block; omitting it fails validation. "none" = no geo blocking
  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true # *.cloudfront.net certificate
  }
}
💻

Example

This example creates a CloudFront distribution that serves content from a private S3 bucket named my-example-bucket. The bucket has no public ACL or policy; CloudFront reaches it through an origin access control (OAC), and a bucket policy allows s3:GetObject only to the CloudFront service principal acting on behalf of this specific distribution, so the objects cannot be fetched directly from S3 or through someone else's distribution. HTTPS uses the default CloudFront certificate and HTTP is redirected to HTTPS.

terraform
provider "aws" {
  region = "us-east-1"
}

# Private bucket: no ACL (new buckets have ACLs disabled) and no public policy.
resource "aws_s3_bucket" "example" {
  bucket = "my-example-bucket"
}

# Origin Access Control: CloudFront signs its requests to the bucket with SigV4.
resource "aws_cloudfront_origin_access_control" "example" {
  name                              = "my-example-bucket-oac"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

resource "aws_cloudfront_distribution" "example" {
  origin {
    domain_name              = aws_s3_bucket.example.bucket_regional_domain_name
    origin_id                = "S3-my-example-bucket"
    origin_access_control_id = aws_cloudfront_origin_access_control.example.id
  }

  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "S3-my-example-bucket"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
  }

  restrictions { # required block; "none" applies no geo blocking
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

# Only the CloudFront service, acting for this distribution, may read objects.
# Without the SourceArn condition any distribution in any account could use
# the bucket as an origin.
data "aws_iam_policy_document" "example" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.example.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.example.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "example" {
  bucket = aws_s3_bucket.example.id
  policy = data.aws_iam_policy_document.example.json
}

output "cloudfront_domain_name" {
  value = aws_cloudfront_distribution.example.domain_name
}
Output
Apply complete! Resources: 4 added, 0 changed, 0 destroyed. Outputs: cloudfront_domain_name = <CloudFront distribution domain name>
⚠️

Common Pitfalls

Common mistakes when creating CloudFront distributions with Terraform include:

  • Using the wrong origin.domain_name. For an S3 origin use the bucket's regional REST endpoint (bucket_regional_domain_name). The website endpoint (…s3-website-<region>.amazonaws.com) only works as a custom origin, speaks plain HTTP, and requires a public bucket, so an OAC cannot be used with it.
  • Making the bucket publicly readable (acl = "public-read") so CloudFront can fetch from it. The acl argument is deprecated in the AWS provider, buckets created with ACLs disabled reject it, and a public bucket lets anyone bypass CloudFront entirely. Use an origin access control plus a bucket policy conditioned on the distribution ARN instead.
  • Omitting the required restrictions block (restrictions { geo_restriction { restriction_type = "none" } } when no geo blocking is wanted); apply fails validation without it.
  • Setting viewer_protocol_policy to "allow-all" (the argument itself is required), which serves plain HTTP instead of redirecting or refusing it.
  • Forgetting to enable the distribution (enabled = true).
  • Misconfiguring viewer_certificate: cloudfront_default_certificate = false with no acm_certificate_arn or iam_certificate_id leaves the distribution with nothing to terminate TLS with, and the default certificate covers only the *.cloudfront.net name, so custom aliases need an ACM certificate issued in us-east-1.
terraform
resource "aws_cloudfront_distribution" "wrong_example" {
  origin {
    # Website endpoint: treated as a custom origin, HTTP-only, no OAC possible
    domain_name = "my-example-bucket.s3-website-us-east-1.amazonaws.com" # Wrong for S3 origin
    origin_id   = "S3-my-example-bucket"
  }

  enabled = false # Distribution disabled

  default_cache_behavior {
    viewer_protocol_policy = "allow-all" # No redirect to HTTPS
  }

  # Required restrictions block missing: apply fails before anything is created

  viewer_certificate {
    cloudfront_default_certificate = false # No certificate set
  }
}

# Corrected version (the bucket must still grant CloudFront read access,
# e.g. through an origin access control and a bucket policy):
resource "aws_cloudfront_distribution" "correct_example" {
  origin {
    domain_name = aws_s3_bucket.example.bucket_regional_domain_name # REST endpoint
    origin_id   = "S3-my-example-bucket"
  }

  enabled = true

  default_cache_behavior {
    target_origin_id       = "S3-my-example-bucket"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
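The page also mentions an HTTP server as an origin. The same pitfalls apply there, plus two that S3 hides: the hop from CloudFront to the origin must itself be HTTPS, and the origin needs a way to reject traffic that bypasses CloudFront (and whatever WAF or rate limiting sits in front of it). The following is an added example, not code from the original page. The origin host origin.example.com, the www.example.com alias, and the acm_certificate_arn and origin_secret variables are assumptions; the ACM certificate must be issued in us-east-1 and cover the alias.

```hcl
# Assumed inputs (not from the original page).
variable "acm_certificate_arn" {
  description = "ACM certificate in us-east-1 covering www.example.com"
  type        = string
}

variable "origin_secret" {
  description = "Shared secret the origin requires in X-Origin-Verify; rotate it like any credential"
  type        = string
  sensitive   = true
}

resource "aws_cloudfront_distribution" "web" {
  enabled         = true
  is_ipv6_enabled = true
  aliases         = ["www.example.com"] # assumed hostname; must be on the certificate

  origin {
    domain_name = "origin.example.com" # assumed origin server
    origin_id   = "web-origin"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only" # never fetch from the origin over plain HTTP
      origin_ssl_protocols   = ["TLSv1.2"]  # no TLS 1.0/1.1 on the CloudFront-to-origin hop
    }

    # The origin drops requests without this header, so anything that reaches it
    # directly (bypassing CloudFront) is refused before the application sees it.
    custom_header {
      name  = "X-Origin-Verify"
      value = var.origin_secret
    }
  }

  default_cache_behavior {
    target_origin_id       = "web-origin"
    viewer_protocol_policy = "https-only" # refuse plain HTTP rather than redirect it
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods         = ["GET", "HEAD"]

    # Dynamic origin: pass the viewer's query string, auth header and cookies through.
    forwarded_values {
      query_string = true
      headers      = ["Authorization", "Host"]
      cookies {
        forward = "all"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # Own certificate instead of the default one: required for the alias, and the
  # only way to raise the viewer-side TLS floor (not settable with the default cert).
  viewer_certificate {
    acm_certificate_arn      = var.acm_certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}

output "web_distribution_domain" {
  value = aws_cloudfront_distribution.web.domain_name
}
```

The custom_header only helps if the origin actually enforces it (an nginx `if ($http_x_origin_verify != "...")` rule, an ALB listener rule, or application middleware) and if the origin is not otherwise reachable with a more permissive path; treat the secret like any other credential and rotate it by updating the variable and the origin check together.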
📊

Quick Reference

Key Terraform attributes for aws_cloudfront_distribution:

Attribute                                           Description
origin.domain_name                                  Origin server domain (S3 bucket regional REST domain name, or a custom origin host)
origin.origin_access_control_id                     Origin access control that lets CloudFront read a private S3 bucket
default_cache_behavior.viewer_protocol_policy       Viewer HTTP/HTTPS handling: allow-all, redirect-to-https, or https-only
enabled                                             Enable or disable the distribution
restrictions.geo_restriction                        Required block; restriction_type = "none" applies no geo blocking
viewer_certificate.cloudfront_default_certificate   Use the default *.cloudfront.net certificate for HTTPS (TLS minimum cannot be raised with it)

Key Takeaways

Use the aws_cloudfront_distribution resource to define CloudFront in Terraform; origin, default_cache_behavior, viewer_certificate and restrictions are all required.
Set origin.domain_name to the S3 bucket's regional REST domain name, not the website endpoint.
Keep the bucket private and let CloudFront read it through an origin access control and a bucket policy conditioned on the distribution ARN, so objects cannot be fetched around CloudFront.
Enable the distribution with enabled = true to deploy it.
Set viewer_protocol_policy to redirect-to-https (or https-only) so plain HTTP is never served.
Use viewer_certificate to enable HTTPS; the default certificate covers only the *.cloudfront.net name, and custom domains need an ACM certificate in us-east-1, which also lets you set minimum_protocol_version.