feat(vpc-origin): add a new module

Author: posquit0

.github/labeler.yaml

@@ -28,3 +28,8 @@
 - changed-files:
   - any-glob-to-any-file:
     - modules/response-headers-policy/**/*
+
+":floppy_disk: vpc-origin":
+- changed-files:
+  - any-glob-to-any-file:
+    - modules/vpc-origin/**/*

.github/labels.yaml

@@ -58,3 +58,6 @@
 - color: "fbca04"
   description: "This issue or pull request is related to response-headers-policy module."
   name: ":floppy_disk: response-headers-policy"
+- color: "fbca04"
+  description: "This issue or pull request is related to vpc-origin module."
+  name: ":floppy_disk: vpc-origin"

README.md

@@ -12,6 +12,7 @@ Terraform module which creates CloudFront related resources on AWS.
 - [origin-access-control](./modules/origin-access-control)
 - [origin-request-policy](./modules/origin-request-policy)
 - [response-headers-policy](./modules/response-headers-policy)
+- [vpc-origin](./modules/vpc-origin)
 
 
 ## Target AWS Services
@@ -22,6 +23,10 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws-
   - Distribution
   - Key-value Store
   - Real-time Log Configuration (Comming soon!)
+  - Origins
+    - Custom Origin
+    - S3 Origin
+    - VPC Origin
   - Origin Access
     - Origin Access Control
   - Policies
@@ -47,4 +52,4 @@ Like this project? Follow the repository on [GitHub](https://github.com/tedilabs
 
 Provided under the terms of the [Apache License](LICENSE).
 
-Copyright © 2022-2025, [Byungjin Park](https://www.posquit0.com).
+Copyright © 2022-2025, [Byungjin Park](https://www.posquit0.com).

modules/vpc-origin/README.md

@@ -0,0 +1,64 @@
+# vpc-origin
+
+This module creates following resources.
+
+- `aws_cloudfront_vpc_origin`
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.12 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.20 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.24.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.12.0 |
+| <a name="module_share"></a> [share](#module\_share) | tedilabs/organization/aws//modules/ram-share | ~> 0.5.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudfront_vpc_origin.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_vpc_origin) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_endpoint"></a> [endpoint](#input\_endpoint) | (Required) The ARN of the VPC origin endpoint to associate with the CloudFront VPC Origin. The VPC origin endpoint must be an Application Load Balancer (ALB), Network Load Balancer (NLB), or EC2 instance in the same AWS Region as the CloudFront distribution. | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | (Required) The name of the CloudFront VPC Origin. | `string` | n/a | yes |
+| <a name="input_http_port"></a> [http\_port](#input\_http\_port) | (Optional) The HTTP port for the CloudFront VPC origin endpoint configuration. Defaults to `80`. | `number` | `80` | no |
+| <a name="input_https_port"></a> [https\_port](#input\_https\_port) | (Optional) The HTTPS port for the CloudFront VPC origin endpoint configuration. Defaults to `443`. | `number` | `443` | no |
+| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
+| <a name="input_protocol_policy"></a> [protocol\_policy](#input\_protocol\_policy) | (Optional) The origin protocol policy for the CloudFront VPC origin endpoint configuration. The origin protocol policy determines the protocol (HTTP or HTTPS) that you want CloudFront to use when connecting to the origin. Valid values are `HTTP_ONLY`, `HTTPS_ONLY` or `MATCH_VIEWER`. Defaults to `MATCH_VIEWER`. | `string` | `"MATCH_VIEWER"` | no |
+| <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | (Optional) A configurations of Resource Group for this module. `resource_group` as defined below.<br/>    (Optional) `enabled` - Whether to create Resource Group to find and group AWS resources which are created by this module. Defaults to `true`.<br/>    (Optional) `name` - The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. If not provided, a name will be generated using the module name and instance name.<br/>    (Optional) `description` - The description of Resource Group. Defaults to `Managed by Terraform.`. | <pre>object({<br/>    enabled     = optional(bool, true)<br/>    name        = optional(string, "")<br/>    description = optional(string, "Managed by Terraform.")<br/>  })</pre> | `{}` | no |
+| <a name="input_shares"></a> [shares](#input\_shares) | (Optional) A list of resource shares via RAM (Resource Access Manager). | <pre>list(object({<br/>    name = optional(string)<br/><br/>    permissions = optional(set(string), ["AWSRAMDefaultPermissionCloudfrontVpcOrigin"])<br/><br/>    external_principals_allowed = optional(bool, false)<br/>    principals                  = optional(set(string), [])<br/><br/>    tags = optional(map(string), {})<br/>  }))</pre> | `[]` | no |
+| <a name="input_ssl_security_policy"></a> [ssl\_security\_policy](#input\_ssl\_security\_policy) | (Optional) The minimum SSL protocol that CloudFront uses with the origin. Valid values are `SSLv3`, `TLSv1`, `TLSv1.1` or `TLSv1.2`. Defaults to `TLSv1.2`. | `string` | `"TLSv1.2"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_arn"></a> [arn](#output\_arn) | The ARN of the CloudFront VPC Origin. |
+| <a name="output_endpoint"></a> [endpoint](#output\_endpoint) | The ARN of the CloudFront VPC Origin endpoint. |
+| <a name="output_etag"></a> [etag](#output\_etag) | The ETag of the CloudFront VPC Origin. |
+| <a name="output_http_port"></a> [http\_port](#output\_http\_port) | The HTTP port of the CloudFront VPC Origin. |
+| <a name="output_https_port"></a> [https\_port](#output\_https\_port) | The HTTPS port of the CloudFront VPC Origin. |
+| <a name="output_id"></a> [id](#output\_id) | The ID of the CloudFront VPC Origin. |
+| <a name="output_name"></a> [name](#output\_name) | The name of the CloudFront VPC Origin. |
+| <a name="output_protocol_policy"></a> [protocol\_policy](#output\_protocol\_policy) | The origin protocol policy applied to the CloudFront VPC Origin. |
+| <a name="output_resource_group"></a> [resource\_group](#output\_resource\_group) | The resource group created to manage resources in this module. |
+| <a name="output_sharing"></a> [sharing](#output\_sharing) | The configuration for sharing of the Cloudfront VPC Origin.<br/>    `status` - An indication of whether the VPC Origin is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.<br/>    `shares` - The list of resource shares via RAM (Resource Access Manager). |
+| <a name="output_ssl_security_policy"></a> [ssl\_security\_policy](#output\_ssl\_security\_policy) | The minimum SSL protocol that CloudFront uses with the origin. |
+<!-- END_TF_DOCS -->

modules/vpc-origin/main.tf

@@ -0,0 +1,64 @@
+locals {
+  metadata = {
+    package = "terraform-aws-cloudfront"
+    version = trimspace(file("${path.module}/../../VERSION"))
+    module  = basename(path.module)
+    name    = var.name
+  }
+  module_tags = var.module_tags_enabled ? {
+    "module.terraform.io/package"   = local.metadata.package
+    "module.terraform.io/version"   = local.metadata.version
+    "module.terraform.io/name"      = local.metadata.module
+    "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
+    "module.terraform.io/instance"  = local.metadata.name
+  } : {}
+}
+
+locals {
+  protocol_policy = {
+    "HTTP_ONLY"    = "http-only"
+    "HTTPS_ONLY"   = "https-only"
+    "MATCH_VIEWER" = "match-viewer"
+  }
+  ssl_security_policy = {
+    "SSLv3"   = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
+    "TLSv1"   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+    "TLSv1.1" = ["TLSv1.1", "TLSv1.2"]
+    "TLSv1.2" = ["TLSv1.2"]
+  }
+}
+
+
+###################################################
+# VPC Origin for CloudFront Distribution
+###################################################
+
+resource "aws_cloudfront_vpc_origin" "this" {
+  vpc_origin_endpoint_config {
+    name = var.name
+    arn  = var.endpoint
+
+    origin_protocol_policy = local.protocol_policy[var.protocol_policy]
+    http_port = (contains(["HTTP_ONLY", "MATCH_VIEWER"], var.protocol_policy)
+      ? var.http_port
+      : null
+    )
+    https_port = (contains(["HTTPS_ONLY", "MATCH_VIEWER"], var.protocol_policy)
+      ? var.https_port
+      : null
+    )
+
+    origin_ssl_protocols {
+      items    = local.ssl_security_policy[var.ssl_security_policy]
+      quantity = length(local.ssl_security_policy[var.ssl_security_policy])
+    }
+  }
+
+  tags = merge(
+    {
+      "Name" = local.metadata.name
+    },
+    local.module_tags,
+    var.tags,
+  )
+}

modules/vpc-origin/outputs.tf

@@ -0,0 +1,89 @@
+output "id" {
+  description = "The ID of the CloudFront VPC Origin."
+  value       = aws_cloudfront_vpc_origin.this.id
+}
+
+output "arn" {
+  description = "The ARN of the CloudFront VPC Origin."
+  value       = aws_cloudfront_vpc_origin.this.arn
+}
+
+output "etag" {
+  description = "The ETag of the CloudFront VPC Origin."
+  value       = aws_cloudfront_vpc_origin.this.etag
+}
+
+output "name" {
+  description = "The name of the CloudFront VPC Origin."
+  value       = aws_cloudfront_vpc_origin.this.vpc_origin_endpoint_config[0].name
+}
+
+output "endpoint" {
+  description = "The ARN of the CloudFront VPC Origin endpoint."
+  value       = aws_cloudfront_vpc_origin.this.vpc_origin_endpoint_config[0].arn
+}
+
+output "protocol_policy" {
+  description = "The origin protocol policy applied to the CloudFront VPC Origin."
+  value = {
+    for k, v in local.protocol_policy :
+    v => k
+  }[aws_cloudfront_vpc_origin.this.vpc_origin_endpoint_config[0].origin_protocol_policy]
+}
+
+output "ssl_security_policy" {
+  description = "The minimum SSL protocol that CloudFront uses with the origin."
+  value       = var.ssl_security_policy
+}
+
+output "http_port" {
+  description = "The HTTP port of the CloudFront VPC Origin."
+  value       = aws_cloudfront_vpc_origin.this.vpc_origin_endpoint_config[0].http_port
+}
+
+output "https_port" {
+  description = "The HTTPS port of the CloudFront VPC Origin."
+  value       = aws_cloudfront_vpc_origin.this.vpc_origin_endpoint_config[0].https_port
+}
+
+output "resource_group" {
+  description = "The resource group created to manage resources in this module."
+  value = merge(
+    {
+      enabled = var.resource_group.enabled && var.module_tags_enabled
+    },
+    (var.resource_group.enabled && var.module_tags_enabled
+      ? {
+        arn  = module.resource_group[0].arn
+        name = module.resource_group[0].name
+      }
+      : {}
+    )
+  )
+}
+
+output "sharing" {
+  description = <<EOF
+  The configuration for sharing of the Cloudfront VPC Origin.
+    `status` - An indication of whether the VPC Origin is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`.
+    `shares` - The list of resource shares via RAM (Resource Access Manager).
+  EOF
+  value = {
+    status = length(module.share) > 0 ? "SHARED_BY_ME" : "NOT_SHARED"
+    shares = module.share
+  }
+}
+
+# output "debug" {
+#   value = merge({
+#     for k, v in aws_cloudfront_vpc_origin.this :
+#     k => v
+#     if !contains(["id", "arn", "etag", "origin_protocol_policy", "tags", "tags_all", "timeouts"], k)
+#     }, {
+#     vpc_origin_endpoint_config = {
+#       for k, v in aws_cloudfront_vpc_origin.this.vpc_origin_endpoint_config[0] :
+#       k => v
+#       if !contains(["name", "arn", "origin_protocol_policy", "http_port", "https_port", "origin_ssl_protocols"], k)
+#     }
+#   })
+# }

modules/vpc-origin/ram-shares.tf

@@ -0,0 +1,43 @@
+locals {
+  ram_share_name_prefix = join(".", [
+    "cloudfront",
+    "vpc-origin",
+    replace(var.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
+  ])
+}
+
+
+###################################################
+# Resource Sharing by RAM (Resource Access Manager)
+###################################################
+
+module "share" {
+  source  = "tedilabs/organization/aws//modules/ram-share"
+  version = "~> 0.5.0"
+
+  for_each = {
+    for share in var.shares :
+    share.name => share
+  }
+
+  name = "${local.ram_share_name_prefix}.${each.key}"
+
+  resources = {
+    (var.name) = aws_cloudfront_vpc_origin.this.arn
+  }
+  permissions = each.value.permissions
+
+  external_principals_allowed = each.value.external_principals_allowed
+  principals                  = each.value.principals
+
+  resource_group = {
+    enabled = false
+  }
+  module_tags_enabled = false
+
+  tags = merge(
+    local.module_tags,
+    var.tags,
+    each.value.tags,
+  )
+}

modules/vpc-origin/resource-group.tf

@@ -0,0 +1,31 @@
+locals {
+  resource_group_name = (var.resource_group.name != ""
+    ? var.resource_group.name
+    : join(".", [
+      local.metadata.package,
+      local.metadata.module,
+      replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
+    ])
+  )
+}
+
+
+module "resource_group" {
+  source  = "tedilabs/misc/aws//modules/resource-group"
+  version = "~> 0.12.0"
+
+  count = (var.resource_group.enabled && var.module_tags_enabled) ? 1 : 0
+
+  name        = local.resource_group_name
+  description = var.resource_group.description
+
+  query = {
+    resource_tags = local.module_tags
+  }
+
+  module_tags_enabled = false
+  tags = merge(
+    local.module_tags,
+    var.tags,
+  )
+}