feat(distribution): improve error_responses variable

Author: posquit0

modules/distribution/README.md

@@ -43,7 +43,7 @@ This module creates following resources.
 | <a name="input_custom_origins"></a> [custom\_origins](#input\_custom\_origins) | (Optional) A configuration for custom origins of the distribution. Each key defines a name of each custom origin. Each value of `custom_origins` as defined below.<br/>    (Required) `host` - The DNS domain name of either the web site of your custom origin.<br/>    (Optional) `path` - The URL path to append to `host` which the origin domain name for origin requests. Enter the directory path, beginning with a slash (/). Do not add a slash (/) at the end of the path.<br/>    (Optional) `http_port` - The HTTP port the custom origin listens on. Defaults to `80`.<br/>    (Optional) `https_port` - The HTTPS port the custom origin listens on. Defaults to `443`.<br/>    (Optional) `origin_access` - The configuration of origin access for the origin. `origin_access` block as defined below.<br/>      (Optional) `type` - The type of origin access. Valid values are `CONTROL` and `NONE`. Defaults to `NONE`.<br/>      (Optional) `id` - The ID of origin access control if `type` is `CONTROL`.<br/>    (Optional) `protocol_policy` - The origin protocol policy to apply to your origin. The origin protocol policy determines the protocol (HTTP or HTTPS) that you want CloudFront to use when connecting to the origin. Valid values are `HTTP_ONLY`, `HTTPS_ONLY` or `MATCH_VIEWER`. Defaults to `MATCH_VIEWER`.<br/>    (Optional) `ssl_security_policy` - The minimum SSL/TLS protocol that CloudFront uses with the origin over HTTPS. Valid values are `SSLv3`, `TLSv1`, `TLSv1.1`, and `TLSv1.2`. Defaults to `TLSv1.1`. Recommend the latest TLS protocol that the origin supports.<br/>    (Optional) `custom_headers` - A map of custom HTTP headers to include in all requests to the origin. Each key/value is mapping to HTTP header `name`/`value`.<br/>    (Optional) `origin_shield` - Origin Shield is an additional caching layer that can help reduce the load on your origin and help protect its availability. `origin_shield` block as defined below.<br/>      (Required) `enabled` - Whether to enable Origin Shield. Defaults to `false`.<br/>      (Required) `region` - The AWS Region for Origin Shield. To specify a region. For example, specify the US East (Ohio) region as `us-east-2`.<br/>    (Optional) `connection_attempts` - The number of times that CloudFront attempts to connect to the origin, from `1` to `3`. Defaults to `3`.<br/>    (Optional) `connection_timeout` - The number of seconds that CloudFront waits for a response from the origin, from `1` to `10`. Defaults to `10`.<br/>    (Optional) `keepalive_timeout` - The number of seconds that CloudFront maintains an idle connection with the origin, from `1` to `60`. But, the maximum can be changed arbitrarily by AWS Support to a much higher value. Defaults to `5`.<br/>    (Optional) `response_timeout` - The number of seconds that CloudFront waits for a response from the origin, from `1` to `60`. Defaults to `30`. | <pre>map(object({<br/>    host       = string<br/>    path       = optional(string)<br/>    http_port  = optional(number, 80)<br/>    https_port = optional(number, 443)<br/>    origin_access = optional(object({<br/>      type = optional(string, "NONE")<br/>      id   = optional(string)<br/>    }))<br/>    protocol_policy     = optional(string, "MATCH_VIEWER")<br/>    ssl_security_policy = optional(string, "TLSv1.1")<br/>    custom_headers      = optional(map(string), {})<br/>    origin_shield = optional(object({<br/>      enabled = bool<br/>      region  = string<br/>    }))<br/>    connection_attempts = optional(number, 3)<br/>    connection_timeout  = optional(number, 10)<br/>    keepalive_timeout   = optional(number, 5)<br/>    response_timeout    = optional(number, 30)<br/>  }))</pre> | `{}` | no |
 | <a name="input_description"></a> [description](#input\_description) | (Optional) The description of the distribution. Any comments you want to include about the distribution. | `string` | `"Managed by Terraform."` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | (Optional) Whether the distribution is enabled to accept end user requests for content. Defaults to `true`. | `bool` | `true` | no |
-| <a name="input_error_responses"></a> [error\_responses](#input\_error\_responses) | (Optional) A configurations of custom error responses for the distribution. Each key means the HTTP status code that you want to customize like `404`, `503`. Each value of `error_responses` as defined below.<br/>    (Optional) `cache_min_ttl` - The minimum TTL(Time-to-live) in seconds that you want HTTP error codes to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated. Defaults to `10`.<br/>    (Optional) `custom_response_code` - The HTTP status code to return to the viewer. CloudFront can return a different status code to the viewer than what it received from the origin.<br/>    (Optional) `custom_response_path` - The path to the custom error response page. | `any` | `{}` | no |
+| <a name="input_error_responses"></a> [error\_responses](#input\_error\_responses) | (Optional) A configurations of custom error responses for the distribution. Each key means the HTTP status code that you want to customize like `404`, `503`. Each value of `error_responses` as defined below.<br/>    (Optional) `cache_min_ttl` - The minimum TTL(Time-to-live) in seconds that you want HTTP error codes to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated. Defaults to `10`.<br/>    (Optional) `custom_response` - A configuration for custom error response. `custom_response` block as defined below.<br/>      (Required) `status_code` - The HTTP status code that you want CloudFront to return to the viewer along with the custom error page. You must specify a value for `status_code`, even if it is the same value as the `error_code`.<br/>      (Required) `path` - The path of the custom error page that you want CloudFront to return to a viewer when your origin returns the corresponding `error_code`. The path must begin with a slash (/). | <pre>map(object({<br/>    cache_min_ttl = optional(number, 10)<br/>    custom_response = optional(object({<br/>      status_code = number<br/>      path        = string<br/>    }))<br/>  }))</pre> | `{}` | no |
 | <a name="input_geographic_restriction"></a> [geographic\_restriction](#input\_geographic\_restriction) | (Optional) A configuration for CloudFront geographic restrictions. `geographic_restriction` as defined below.<br/>    (Optiona) `type` - The method that you want to use to restrict distribution of the content by country. Valid values are `NONE`, `WHITELIST` or `BLACKLIST`. Defaults to `NONE`.<br/>    (Optiona) `countries` - A list of the ISO 3166-1-alpha-2 codes for which you want CloudFront either to distribute your content (`WHITELIST`) or not distribute your content (`BLACKLIST`). | <pre>object({<br/>    type      = optional(string, "NONE")<br/>    countries = optional(set(string), [])<br/>  })</pre> | `{}` | no |
 | <a name="input_http_version"></a> [http\_version](#input\_http\_version) | (Optional) The maximum HTTP version to support on the distribution. Valid values are `HTTP1.1`, `HTTP2`, `HTTP2AND3`, or `HTTP3`. Defaults to `HTTP2`. | `string` | `"HTTP2"` | no |
 | <a name="input_ipv6_enabled"></a> [ipv6\_enabled](#input\_ipv6\_enabled) | (Optional) Whether the IPv6 is enabled for the distribution. Defaults to `true`. | `bool` | `true` | no |

modules/distribution/main.tf

@@ -100,13 +100,20 @@ resource "aws_cloudfront_distribution" "this" {
 
   dynamic "custom_error_response" {
     for_each = var.error_responses
+    iterator = response
 
     content {
-      error_code            = custom_error_response.key
-      error_caching_min_ttl = try(custom_error_response.value.cache_min_ttl, 10)
+      error_code            = response.key
+      error_caching_min_ttl = response.value.cache_min_ttl
 
-      response_code      = try(custom_error_response.value.custom_response_code, null)
-      response_page_path = try(custom_error_response.value.custom_response_path, null)
+      response_code = (response.value.custom_response != null
+        ? response.value.custom_response.status_code
+        : null
+      )
+      response_page_path = (response.value.custom_response != null
+        ? response.value.custom_response.path
+        : null
+      )
     }
   }
 

modules/distribution/outputs.tf

@@ -85,8 +85,13 @@ output "error_responses" {
     response.error_code => {
       cache_min_ttl = response.error_caching_min_ttl
 
-      custom_response_code = response.response_code
-      custom_response_path = response.response_page_path
+      custom_response = (response.response_code != null
+        ? {
+          status_code = response.response_code
+          path        = response.response_page_path
+        }
+        : null
+      )
     }
   }
 }

modules/distribution/variables.tf

@@ -102,12 +102,19 @@ variable "error_responses" {
   description = <<EOF
   (Optional) A configurations of custom error responses for the distribution. Each key means the HTTP status code that you want to customize like `404`, `503`. Each value of `error_responses` as defined below.
     (Optional) `cache_min_ttl` - The minimum TTL(Time-to-live) in seconds that you want HTTP error codes to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated. Defaults to `10`.
-    (Optional) `custom_response_code` - The HTTP status code to return to the viewer. CloudFront can return a different status code to the viewer than what it received from the origin.
-    (Optional) `custom_response_path` - The path to the custom error response page.
+    (Optional) `custom_response` - A configuration for custom error response. `custom_response` block as defined below.
+      (Required) `status_code` - The HTTP status code that you want CloudFront to return to the viewer along with the custom error page. You must specify a value for `status_code`, even if it is the same value as the `error_code`.
+      (Required) `path` - The path of the custom error page that you want CloudFront to return to a viewer when your origin returns the corresponding `error_code`. The path must begin with a slash (/).
   EOF
-  type        = any
-  default     = {}
-  nullable    = false
+  type = map(object({
+    cache_min_ttl = optional(number, 10)
+    custom_response = optional(object({
+      status_code = number
+      path        = string
+    }))
+  }))
+  default  = {}
+  nullable = false
 }
 
 variable "geographic_restriction" {