feat: Viewer mTLS Support (#194)

Author: magreenbaum

README.md

@@ -149,6 +149,7 @@ module "cdn" {
 ## Examples
 
 - [Complete](https://github.com/terraform-aws-modules/terraform-aws-cloudfront/tree/master/examples/complete) - Complete example which creates AWS CloudFront distribution and integrates it with other [terraform-aws-modules](https://github.com/terraform-aws-modules) to create additional resources: S3 buckets, Lambda Functions, CloudFront Functions, VPC Origins, ACM Certificate, Route53 Records.
+- [mTLS](https://github.com/terraform-aws-modules/terraform-aws-cloudfront/tree/master/examples/mtls) - mTLS example which creates AWS CloudFront distribution with viewer mTLS support.
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
@@ -172,6 +173,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_cloudfront_connection_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_connection_function) | resource |
 | [aws_cloudfront_distribution.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
 | [aws_cloudfront_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_function) | resource |
 | [aws_cloudfront_monitoring_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_monitoring_subscription) | resource |
@@ -193,8 +195,14 @@ No modules.
 | <a name="input_anycast_ip_list_id"></a> [anycast\_ip\_list\_id](#input\_anycast\_ip\_list\_id) | ID of the Anycast static IP list that is associated with the distribution | `string` | `null` | no |
 | <a name="input_cloudfront_functions"></a> [cloudfront\_functions](#input\_cloudfront\_functions) | Map of CloudFront Function configurations. Key is used as default function name if 'name' not specified | <pre>map(object({<br/>    name                         = optional(string)<br/>    runtime                      = optional(string, "cloudfront-js-2.0")<br/>    comment                      = optional(string)<br/>    publish                      = optional(bool)<br/>    code                         = string<br/>    key_value_store_associations = optional(list(string))<br/>  }))</pre> | `null` | no |
 | <a name="input_comment"></a> [comment](#input\_comment) | Any comments you want to include about the distribution | `string` | `null` | no |
+| <a name="input_connection_function_association_id"></a> [connection\_function\_association\_id](#input\_connection\_function\_association\_id) | Identifier of the connection function to associate with the distribution | `string` | `null` | no |
+| <a name="input_connection_function_code"></a> [connection\_function\_code](#input\_connection\_function\_code) | The code of the CloudFront connection function | `string` | `null` | no |
+| <a name="input_connection_function_config"></a> [connection\_function\_config](#input\_connection\_function\_config) | Configuration block for the CloudFront connection function | <pre>object({<br/>    comment = string<br/>    runtime = string<br/>    key_value_store_association = optional(object({<br/>      key_value_store_arn = string<br/>    }))<br/>  })</pre> | `null` | no |
+| <a name="input_connection_function_name"></a> [connection\_function\_name](#input\_connection\_function\_name) | The name of the CloudFront connection function | `string` | `null` | no |
+| <a name="input_connection_function_publish"></a> [connection\_function\_publish](#input\_connection\_function\_publish) | Whether to publish the function to the LIVE stage after creation or update. Defaults to false | `bool` | `null` | no |
 | <a name="input_continuous_deployment_policy_id"></a> [continuous\_deployment\_policy\_id](#input\_continuous\_deployment\_policy\_id) | Identifier of a continuous deployment policy. This argument should only be set on a production distribution | `string` | `null` | no |
 | <a name="input_create"></a> [create](#input\_create) | Controls if resources should be created (affects nearly all resources) | `bool` | `true` | no |
+| <a name="input_create_connection_function"></a> [create\_connection\_function](#input\_create\_connection\_function) | Controls whether to create a CloudFront connection function | `bool` | `false` | no |
 | <a name="input_create_monitoring_subscription"></a> [create\_monitoring\_subscription](#input\_create\_monitoring\_subscription) | If enabled, the resource for monitoring subscription will created | `bool` | `false` | no |
 | <a name="input_custom_error_response"></a> [custom\_error\_response](#input\_custom\_error\_response) | One or more custom error response elements | <pre>list(object({<br/>    error_caching_min_ttl = optional(number)<br/>    error_code            = number<br/>    response_code         = optional(number)<br/>    response_page_path    = optional(string)<br/>  }))</pre> | `null` | no |
 | <a name="input_default_cache_behavior"></a> [default\_cache\_behavior](#input\_default\_cache\_behavior) | The default cache behavior for this distribution | <pre>object({<br/>    allowed_methods           = optional(list(string), ["GET", "HEAD", "OPTIONS"])<br/>    cache_policy_id           = optional(string)<br/>    cache_policy_name         = optional(string)<br/>    cached_methods            = optional(list(string), ["GET", "HEAD"])<br/>    compress                  = optional(bool, true)<br/>    default_ttl               = optional(number)<br/>    field_level_encryption_id = optional(string)<br/>    forwarded_values = optional(object({<br/>      cookies = object({<br/>        forward           = optional(string, "none")<br/>        whitelisted_names = optional(list(string))<br/>      })<br/>      headers                 = optional(list(string))<br/>      query_string            = optional(bool, false)<br/>      query_string_cache_keys = optional(list(string))<br/>      }),<br/>      {<br/>        cookies = {<br/>          forward = "none"<br/>        }<br/>        query_string = false<br/>      }<br/>    )<br/>    function_association = optional(map(object({<br/>      event_type   = optional(string)<br/>      function_arn = optional(string)<br/>      function_key = optional(string)<br/>    })))<br/>    grpc_config = optional(object({<br/>      enabled = optional(bool)<br/>    }))<br/>    lambda_function_association = optional(map(object({<br/>      event_type   = optional(string)<br/>      include_body = optional(bool)<br/>      lambda_arn   = string<br/>    })))<br/>    max_ttl                      = optional(number)<br/>    min_ttl                      = optional(number)<br/>    origin_request_policy_id     = optional(string)<br/>    origin_request_policy_name   = optional(string)<br/>    realtime_log_config_arn      = optional(string)<br/>    response_headers_policy_id   = optional(string)<br/>    response_headers_policy_key  = optional(string)<br/>    response_headers_policy_name = optional(string)<br/>    smooth_streaming             = optional(bool)<br/>    target_origin_id             = string<br/>    trusted_key_groups           = optional(list(string))<br/>    trusted_signers              = optional(list(string))<br/>    viewer_protocol_policy       = optional(string, "https-only")<br/>  })</pre> | n/a | yes |
@@ -217,6 +225,7 @@ No modules.
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_v2_logging"></a> [v2\_logging](#input\_v2\_logging) | Configuration block for v2 logging destination | <pre>object({<br/>    # Destination<br/>    delivery_destination_configuration = optional(object({<br/>      destination_resource_arn = optional(string)<br/>    }))<br/>    delivery_destination_type = optional(string)<br/>    name                      = string<br/>    output_format             = optional(string)<br/>    # Delivery<br/>    field_delimiter = optional(string)<br/>    record_fields   = optional(list(string))<br/>    s3_delivery_configuration = optional(object({<br/>      enable_hive_compatible_path = optional(bool)<br/>      suffix_path                 = optional(string)<br/>    }))<br/>  })</pre> | `null` | no |
 | <a name="input_viewer_certificate"></a> [viewer\_certificate](#input\_viewer\_certificate) | The SSL configuration for this distribution | <pre>object({<br/>    acm_certificate_arn            = optional(string)<br/>    cloudfront_default_certificate = optional(bool)<br/>    iam_certificate_id             = optional(string)<br/>    minimum_protocol_version       = optional(string, "TLSv1.2_2025")<br/>    ssl_support_method             = optional(string)<br/>  })</pre> | `{}` | no |
+| <a name="input_viewer_mtls_config"></a> [viewer\_mtls\_config](#input\_viewer\_mtls\_config) | The viewer mTLS configuration for this distribution | <pre>object({<br/>    mode = optional(string)<br/>    trust_store_config = optional(object({<br/>      trust_store_id                 = string<br/>      advertise_trust_store_ca_names = optional(bool)<br/>      ignore_certificate_expiry      = optional(bool)<br/>    }))<br/>  })</pre> | `null` | no |
 | <a name="input_vpc_origin"></a> [vpc\_origin](#input\_vpc\_origin) | Map of CloudFront VPC origins | <pre>map(object({<br/>    arn                    = string<br/>    http_port              = number<br/>    https_port             = number<br/>    name                   = optional(string)<br/>    origin_protocol_policy = string<br/>    origin_ssl_protocols = object({<br/>      items    = optional(list(string), ["TLSv1.2"])<br/>      quantity = optional(number, 1)<br/>    })<br/>    timeouts = optional(object({<br/>      create = optional(string)<br/>      update = optional(string)<br/>      delete = optional(string)<br/>    }))<br/>    tags = optional(map(string), {})<br/>  }))</pre> | `null` | no |
 | <a name="input_wait_for_deployment"></a> [wait\_for\_deployment](#input\_wait\_for\_deployment) | If enabled, the resource will wait for the distribution status to change from InProgress to Deployed. Setting this to false will skip the process | `bool` | `null` | no |
 | <a name="input_web_acl_id"></a> [web\_acl\_id](#input\_web\_acl\_id) | If you're using AWS WAF to filter CloudFront requests, the Id of the AWS WAF web ACL that is associated with the distribution. The WAF Web ACL must exist in the WAF Global (CloudFront) region and the credentials configuring this argument must have waf:GetWebACL permissions assigned. If using WAFv2, provide the ARN of the web ACL | `string` | `null` | no |
@@ -240,6 +249,11 @@ No modules.
 | <a name="output_cloudfront_origin_access_controls"></a> [cloudfront\_origin\_access\_controls](#output\_cloudfront\_origin\_access\_controls) | The origin access controls created |
 | <a name="output_cloudfront_response_headers_policies"></a> [cloudfront\_response\_headers\_policies](#output\_cloudfront\_response\_headers\_policies) | The response headers policies created |
 | <a name="output_cloudfront_vpc_origins"></a> [cloudfront\_vpc\_origins](#output\_cloudfront\_vpc\_origins) | The IDS of the VPC origin created |
+| <a name="output_connection_function_arn"></a> [connection\_function\_arn](#output\_connection\_function\_arn) | ARN of the connection function |
+| <a name="output_connection_function_etag"></a> [connection\_function\_etag](#output\_connection\_function\_etag) | ETag of the connection function |
+| <a name="output_connection_function_id"></a> [connection\_function\_id](#output\_connection\_function\_id) | ID of the connection function |
+| <a name="output_connection_function_live_stage_etag"></a> [connection\_function\_live\_stage\_etag](#output\_connection\_function\_live\_stage\_etag) | ETag of the function's LIVE stage. Will be empty if the function has not been published |
+| <a name="output_connection_function_status"></a> [connection\_function\_status](#output\_connection\_function\_status) | Status of the connection function |
 <!-- END_TF_DOCS -->
 
 ## Authors

examples/mtls/README.md

@@ -0,0 +1,70 @@
+# mTLS with CloudFront Distribution
+
+Configuration in this directory creates CloudFront distribution with viewer mTLS support.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.28 |
+| <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.28 |
+| <a name="provider_tls"></a> [tls](#provider\_tls) | >= 4.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_acm"></a> [acm](#module\_acm) | terraform-aws-modules/acm/aws | ~> 4.0 |
+| <a name="module_ca_certificates"></a> [ca\_certificates](#module\_ca\_certificates) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
+| <a name="module_cloudfront"></a> [cloudfront](#module\_cloudfront) | ../../ | n/a |
+| <a name="module_records"></a> [records](#module\_records) | terraform-aws-modules/route53/aws//modules/records | ~> 5.0 |
+| <a name="module_s3"></a> [s3](#module\_s3) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
+| <a name="module_trust_store"></a> [trust\_store](#module\_trust\_store) | ../../modules/trust_store | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_object.ca_certificates](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
+| [aws_s3_object.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
+| [tls_cert_request.client](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
+| [tls_locally_signed_cert.client](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |
+| [tls_private_key.ca](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [tls_private_key.client](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [tls_self_signed_cert.ca](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
+| [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_domain"></a> [domain](#input\_domain) | The domain name to use when deploying the CloudFront distribution | `string` | `"terraform-aws-modules.modules.tf"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_ca_certificate_pem"></a> [ca\_certificate\_pem](#output\_ca\_certificate\_pem) | The CA certificate in PEM format |
+| <a name="output_client_certificate_pem"></a> [client\_certificate\_pem](#output\_client\_certificate\_pem) | The client certificate in PEM format |
+| <a name="output_client_private_key_pem"></a> [client\_private\_key\_pem](#output\_client\_private\_key\_pem) | The client private key in PEM format |
+| <a name="output_cloudfront_distribution_domain"></a> [cloudfront\_distribution\_domain](#output\_cloudfront\_distribution\_domain) | The domain name of the CloudFront distribution |
+| <a name="output_cloudfront_distribution_id"></a> [cloudfront\_distribution\_id](#output\_cloudfront\_distribution\_id) | The ID of the CloudFront distribution |
+| <a name="output_connection_function_arn"></a> [connection\_function\_arn](#output\_connection\_function\_arn) | ARN of the connection function |
+| <a name="output_connection_function_etag"></a> [connection\_function\_etag](#output\_connection\_function\_etag) | ETag of the connection function |
+| <a name="output_connection_function_id"></a> [connection\_function\_id](#output\_connection\_function\_id) | ID of the connection function |
+| <a name="output_connection_function_live_stage_etag"></a> [connection\_function\_live\_stage\_etag](#output\_connection\_function\_live\_stage\_etag) | ETag of the function's LIVE stage. Will be empty if the function has not been published |
+| <a name="output_connection_function_status"></a> [connection\_function\_status](#output\_connection\_function\_status) | Status of the connection function |
+| <a name="output_trust_store_arn"></a> [trust\_store\_arn](#output\_trust\_store\_arn) | The ARN of the CloudFront trust store |
+| <a name="output_trust_store_etag"></a> [trust\_store\_etag](#output\_trust\_store\_etag) | ETAG of the CloudFront trust store |
+| <a name="output_trust_store_id"></a> [trust\_store\_id](#output\_trust\_store\_id) | The ID of the CloudFront trust store |
+| <a name="output_trust_store_number_of_ca_certificates"></a> [trust\_store\_number\_of\_ca\_certificates](#output\_trust\_store\_number\_of\_ca\_certificates) | Number of CA certificates in the trust store |
+<!-- END_TF_DOCS -->

examples/mtls/functions/connection.js

@@ -0,0 +1,18 @@
+function connectionHandler(connection) {
+    // Only process if a certificate was presented
+    if (!connection.clientCertificate) {
+        console.log("No certificate presented");
+        connection.deny();
+    }
+
+    // Check the subject field for specific organization
+    const subject = connection.clientCertificate.certificates.leaf.subject;
+    if (!subject.includes("O=Example Inc")) {
+        console.log("Certificate not from authorized organization");
+       connection.deny();
+    } else {
+        // All checks passed
+        console.log("Certificate validation passed");
+        connection.allow();
+    }
+}

examples/mtls/index.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>CloudFront mTLS Example</title>
+</head>
+<body>
+    <h1>CloudFront mTLS Example</h1>
+    <p>This page is served through CloudFront with mutual TLS (mTLS) authentication.</p>
+    <p>The mTLS configuration validates client certificates against a trust store containing CA certificates.</p>
+</body>
+</html>