Support for origin group

.gitignore

@@ -20,7 +20,7 @@ override.tf
 override.tf.json
 *_override.tf
 *_override.tf.json
-
+.DS_Store
 # Include override files you do wish to add to version control using negated pattern
 #
 # !example_override.tf

examples/cf-edge-function/README.md

@@ -41,7 +41,6 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_create_route53_records"></a> [create\_route53\_records](#input\_create\_route53\_records) | made optional route53 | `bool` | `true` | no |
-| <a name="input_enable_logging"></a> [enable\_logging](#input\_enable\_logging) | Enable logging for Cloudfront destribution, this will create new S3 bucket | `bool` | `false` | no |
 | <a name="input_region"></a> [region](#input\_region) | AWS region | `string` | `"us-east-1"` | no |
 
 ## Outputs

examples/cf-edge-function/main.tf

@@ -38,7 +38,6 @@ module "cloudfront" {
   route53_root_domain    = "arc-poc.link" // Used to fetch the Hosted Zone
   create_route53_records = var.create_route53_records
   aliases                = ["cf.arc-poc.link", "www.cf.arc-poc.link", "test.arc-poc.link", "*.arc-poc.link", "test1.arc-poc.link"]
-  enable_logging         = var.enable_logging // Create a new S3 bucket for storing Cloudfront logs
 
   default_cache_behavior = {
     origin_id                               = "cloudfront-arc",

examples/cf-edge-function/variables.tf

@@ -4,12 +4,6 @@ variable "region" {
   default     = "us-east-1"
 }
 
-variable "enable_logging" {
-  type        = bool
-  description = "Enable logging for Cloudfront destribution, this will create new S3 bucket"
-  default     = false
-}
-
 variable "create_route53_records" {
   type        = bool
   description = "made optional route53"

examples/custom-origin/main.tf

@@ -29,7 +29,6 @@ module "cloudfront" {
   route53_root_domain    = local.cloudfront_config.route53_root_domain
   create_route53_records = local.cloudfront_config.create_route53_records
   aliases                = local.cloudfront_config.aliases
-  enable_logging         = local.cloudfront_config.enable_logging
   default_cache_behavior = local.cloudfront_config.default_cache_behavior
   viewer_certificate     = local.cloudfront_config.viewer_certificate
   acm_details            = local.cloudfront_config.acm_details

examples/origin-group-dr/README.md

@@ -0,0 +1,90 @@
+# CloudFront Origin Group for Disaster Recovery
+
+This example demonstrates how to configure CloudFront with origin groups for disaster recovery scenarios.
+
+## Features
+
+- **Primary and Secondary Origins**: Configure multiple origins for failover
+- **Automatic Failover**: CloudFront automatically routes traffic to secondary origin when primary fails
+- **Configurable Status Codes**: Define which HTTP status codes trigger failover
+- **High Availability**: Ensures continuous service availability during outages
+
+## Usage
+
+```hcl
+origin_groups = [
+  {
+    origin_id = "failover-group"
+    failover_criteria = {
+      status_codes = [403, 404, 500, 502, 503, 504]
+    }
+    members = [
+      {
+        origin_id = "primary-origin"
+      },
+      {
+        origin_id = "secondary-origin"
+      }
+    ]
+  }
+]
+```
+
+## Deployment
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+The distribution will automatically failover to the secondary origin when the primary returns any of the configured status codes.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0, < 7.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | 3.7.2 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws.dr"></a> [aws.dr](#provider\_aws.dr) | 6.20.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.7.2 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cloudfront"></a> [cloudfront](#module\_cloudfront) | ../../ | n/a |
+| <a name="module_primary_bucket"></a> [primary\_bucket](#module\_primary\_bucket) | sourcefuse/arc-s3/aws | 0.0.7 |
+| <a name="module_secondary_bucket"></a> [secondary\_bucket](#module\_secondary\_bucket) | sourcefuse/arc-s3/aws | 0.0.7 |
+| <a name="module_tags"></a> [tags](#module\_tags) | sourcefuse/arc-tags/aws | 1.2.3 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket_policy.dr_cdn_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [random_id.bucket_suffix](https://registry.terraform.io/providers/hashicorp/random/3.7.2/docs/resources/id) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_create_route53_records"></a> [create\_route53\_records](#input\_create\_route53\_records) | Create Route53 records | `bool` | `false` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Environment name | `string` | `"dev"` | no |
+| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | Project name | `string` | `"arc-cloudfront-dr"` | no |
+| <a name="input_route53_root_domain"></a> [route53\_root\_domain](#input\_route53\_root\_domain) | Route53 root domain | `string` | `"arc-poc.link"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cloudfront_domain_name"></a> [cloudfront\_domain\_name](#output\_cloudfront\_domain\_name) | CloudFront domain name |
+| <a name="output_cloudfront_id"></a> [cloudfront\_id](#output\_cloudfront\_id) | CloudFront distribution ID |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/origin-group-dr/main.tf

@@ -0,0 +1,147 @@
+################################################################################
+## Tags Module
+################################################################################
+
+module "tags" {
+  source  = "sourcefuse/arc-tags/aws"
+  version = "1.2.3"
+
+  environment = var.environment
+  project     = var.project_name
+
+  extra_tags = {
+    RepoName = "terraform-aws-refarch-cloudfront"
+  }
+}
+
+################################################################################
+## S3 Buckets for Origins
+################################################################################
+
+module "primary_bucket" {
+  source  = "sourcefuse/arc-s3/aws"
+  version = "0.0.7"
+
+  name = "${var.project_name}-primary-${random_id.bucket_suffix.hex}"
+  acl  = "private"
+
+  tags = module.tags.tags
+}
+
+module "secondary_bucket" {
+  source  = "sourcefuse/arc-s3/aws"
+  version = "0.0.7"
+
+  providers = {
+    aws = aws.dr
+  }
+
+  name = "${var.project_name}-secondary-${random_id.bucket_suffix.hex}"
+  acl  = "private"
+
+  tags = module.tags.tags
+}
+
+resource "random_id" "bucket_suffix" {
+  byte_length = 4
+}
+
+################################################################################
+## Module Cloudfront with Origin Groups for DR
+################################################################################
+
+module "cloudfront" {
+  source = "../../"
+
+  providers = {
+    aws.acm = aws.acm
+  }
+
+  origins = [
+    {
+      origin_type          = "s3"
+      origin_id            = "primary-origin"
+      domain_name          = module.primary_bucket.bucket_regional_domain_name
+      bucket_name          = module.primary_bucket.bucket_id
+      create_bucket        = false
+      manage_bucket_policy = true
+    },
+    {
+      origin_type          = "s3"
+      origin_id            = "secondary-origin"
+      domain_name          = module.secondary_bucket.bucket_regional_domain_name
+      bucket_name          = module.secondary_bucket.bucket_id
+      create_bucket        = false
+      manage_bucket_policy = false # Set to false for cross-region buckets, managed by separate aws_s3_bucket_policy resource below
+    }
+  ]
+
+  origin_groups = [
+    {
+      origin_id = "failover-group"
+      failover_criteria = {
+        status_codes = [403, 404, 500, 502, 503, 504]
+      }
+      members = [
+        {
+          origin_id = "primary-origin"
+        },
+        {
+          origin_id = "secondary-origin"
+        }
+      ]
+    }
+  ]
+
+  description            = "CloudFront distribution with origin group for DR"
+  route53_root_domain    = var.route53_root_domain
+  create_route53_records = var.create_route53_records
+  aliases                = []
+
+  default_cache_behavior = {
+    origin_id                             = "failover-group"
+    allowed_methods                       = ["GET", "HEAD", "OPTIONS"]
+    cached_methods                        = ["GET", "HEAD"]
+    compress                              = true
+    viewer_protocol_policy                = "redirect-to-https"
+    use_aws_managed_cache_policy          = true
+    cache_policy_name                     = "CachingOptimized"
+    use_aws_managed_origin_request_policy = true
+    origin_request_policy_name            = "CORS-S3Origin"
+  }
+
+  viewer_certificate = {
+    cloudfront_default_certificate = true
+    minimum_protocol_version       = "TLSv1.2_2018"
+    ssl_support_method             = "sni-only"
+  }
+
+  tags = module.tags.tags
+}
+
+
+resource "aws_s3_bucket_policy" "dr_cdn_bucket_policy" {
+  bucket = module.secondary_bucket.bucket_id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowCloudFrontServicePrincipal"
+        Effect = "Allow"
+        Principal = {
+          Service = "cloudfront.amazonaws.com"
+        }
+        Action   = "s3:GetObject"
+        Resource = "${module.secondary_bucket.bucket_arn}/*"
+        Condition = {
+          StringEquals = {
+            "aws:SourceArn" = module.cloudfront.cloudfront_arn
+          }
+        }
+      }
+    ]
+  })
+
+  provider = aws.dr
+}

examples/origin-group-dr/outputs.tf

@@ -0,0 +1,9 @@
+output "cloudfront_id" {
+  value       = module.cloudfront.cloudfront_id
+  description = "CloudFront distribution ID"
+}
+
+output "cloudfront_domain_name" {
+  value       = module.cloudfront.cloudfront_domain_name
+  description = "CloudFront domain name"
+}

examples/origin-group-dr/provider.tf

@@ -0,0 +1,27 @@
+terraform {
+  required_version = ">= 1.5"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0, < 7.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "3.7.2"
+    }
+  }
+}
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+provider "aws" {
+  alias  = "acm"
+  region = "us-east-1"
+}
+
+provider "aws" {
+  alias  = "dr"
+  region = "us-east-2"
+}

examples/origin-group-dr/variables.tf

@@ -0,0 +1,23 @@
+variable "environment" {
+  description = "Environment name"
+  type        = string
+  default     = "dev"
+}
+
+variable "project_name" {
+  description = "Project name"
+  type        = string
+  default     = "arc-cloudfront-dr"
+}
+
+variable "route53_root_domain" {
+  description = "Route53 root domain"
+  type        = string
+  default     = "arc-poc.link"
+}
+
+variable "create_route53_records" {
+  description = "Create Route53 records"
+  type        = bool
+  default     = false
+}