Added Terraform example - CloudFront distribution (#23)

infra/terraform/README.md

@@ -9,7 +9,7 @@ The Terraform modules for each identity provider are in the [modules](./modules)
 1. Call the module in your Terraform configuration. CloudFront uses the `us-east-1` region, so you must pass a `us-east-1` provider to the module.
 
     ```hcl
-    module "cloudfront_auth_okta_native" {
+    module "auth" {
       source = "github.com/iress/cloudfront-auth//infra/terraform/modules/okta_native"
 
       # Lambda function version to deploy (see the Releases page of this GitHub repository)
@@ -38,9 +38,8 @@ The Terraform modules for each identity provider are in the [modules](./modules)
         # ... other configuration ...
 
         lambda_function_association {
-          event_type   = "viewer-request"
-          lambda_arn   = module.cloudfront_auth_okta_native.auth_lambda_arn
-          include_body = false
+          event_type = "viewer-request"
+          lambda_arn = module.auth.auth_lambda_arn
         }
       }
     }

infra/terraform/examples/cloudfront-s3/cloudfront.tf

@@ -0,0 +1,53 @@
+locals {
+  s3_origin_id = var.name
+}
+
+resource "aws_cloudfront_origin_access_identity" "example" {
+  comment = var.name
+}
+
+resource "aws_cloudfront_distribution" "example" {
+  origin {
+    domain_name = aws_s3_bucket.example.bucket_regional_domain_name
+    origin_id   = local.s3_origin_id
+
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.example.cloudfront_access_identity_path
+    }
+  }
+
+  enabled             = true
+  comment             = var.name
+  default_root_object = "index.html"
+
+  default_cache_behavior {
+    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
+    cached_methods   = ["GET", "HEAD"]
+    target_origin_id = local.s3_origin_id
+
+    forwarded_values {
+      query_string = false
+
+      cookies {
+        forward = "none"
+      }
+    }
+
+    viewer_protocol_policy = "redirect-to-https"
+
+    lambda_function_association {
+      event_type = "viewer-request"
+      lambda_arn = var.lambda_arn
+    }    
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    cloudfront_default_certificate = true
+  }
+}

infra/terraform/examples/cloudfront-s3/index.html

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <title>Cloudfront authentication example</title>
+    </head>
+    <body>
+        <p>Cloudfront authentication is working correctly.</p>
+    </body>
+</html>

infra/terraform/examples/cloudfront-s3/outputs.tf

@@ -0,0 +1,4 @@
+output "domain_name" {
+  value       = aws_cloudfront_distribution.example.domain_name
+  description = "The domain name corresponding to the CloudFront distribution"
+}

infra/terraform/examples/cloudfront-s3/s3.tf

@@ -0,0 +1,29 @@
+resource "aws_s3_bucket" "example" {
+  bucket_prefix = "${var.name}-"
+  acl           = "private"
+}
+
+data "aws_iam_policy_document" "oai_access" {
+  statement {
+    sid       = "Allow-OAI-Access-To-Bucket"
+    actions   = ["s3:GetObject"]
+    resources = ["${aws_s3_bucket.example.arn}/*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_cloudfront_origin_access_identity.example.iam_arn]
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "oai_access" {
+  bucket = aws_s3_bucket.example.id
+  policy = data.aws_iam_policy_document.oai_access.json
+}
+
+resource "aws_s3_bucket_object" "index" {
+  bucket       = aws_s3_bucket.example.id
+  key          = "index.html"
+  source       = "${path.module}/index.html"
+  content_type = "text/html"
+}

infra/terraform/examples/cloudfront-s3/variables.tf

@@ -0,0 +1,9 @@
+variable "name" {
+  description = "A name for the AWS resources created by this module"
+  type        = string
+}
+
+variable "lambda_arn" {
+  description = "The Amazon Resource Name (ARN) identifying the Lambda Function Version to associate with the CloudFront distribution"
+  type        = string
+}

infra/terraform/examples/okta-native/main.tf

@@ -0,0 +1,24 @@
+locals {
+  name = "cloudfront-auth-example-okta-native"
+}
+
+module "auth" {
+  source = "github.com/iress/cloudfront-auth//infra/terraform/modules/okta_native"
+
+  release_version = "v3.0.0"
+  name            = local.name
+  org_url         = "https://my-org.okta.com/oauth2/default"
+  client_id       = "Nf2qSD9wXKU9ph8an22T"
+  domain_name     = module.cloudfront_s3.domain_name
+
+  providers = {
+    aws = aws.global_services
+  }
+}
+
+module "cloudfront_s3" {
+  source = "../cloudfront-s3"
+
+  name       = local.name
+  lambda_arn = module.auth.auth_lambda_arn
+}

infra/terraform/examples/okta-native/outputs.tf

@@ -0,0 +1,4 @@
+output "domain_name" {
+  value       = module.cloudfront_s3.domain_name
+  description = "The domain name corresponding to the CloudFront distribution"
+}