Releases: cloudposse/terraform-aws-cloudfront-s3-cdn
Release list
v2.1.1
feat: Enable additional CloudFront real-time metrics Jakub Wądołowski (@jwadolowski) (#372)
## whatAdd additional_metrics_enabled variable (default: false for backwards compatibility) that provisions an aws_cloudfront_monitoring_subscription resource when enabled.
why
Not all CloudFront metrics are enabled by default. Some (4xx/5xx error rates by HTTP status code, origin latency, and cache hit rate) are hidden behind a monitoring subscription. This adds a convenient switch to enable them when needed.
The realtime_metrics_subscription_status value could have been derived from var.additional_metrics_enabled, but that would introduce an unexpected resource change across all existing deployments.
references
A complementary PR to cloudposse/terraform-aws-cloudfront-cdn#162
docs: web acl id can be an ARN for newer WAFs yangci (@oycyc) (#349)
As per the AWS provider docs. Updating description here so consumers don't get confused why WAF association fails when providing the ID.ID or ARN of the AWS WAF web ACL that is associated with the distribution. NOTE: If using the latest version of WAF (WAFv2), be sure to use the ARN. If using WAF Classic, use the ID. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#web_acl_id-3
v2.1.0
feat: Add `response_completion_timeout` support Jakub Wądołowski (@jwadolowski) (#369)
## what- Add support for
response_completion_timeoutargument (announced by AWS in July 2025 and implemented in the 6.13.0 version of the AWS provider) - Bump the minimum provider version to
>= 6.13.0
why
Allows configuring response_completion_timeout for CloudFront origins.
references
v2.0.0
chore: fix "name" deprecation for aws_region data source Morre (@morremeyer) (#363)
what
This fixes the deprecation of the "name" attribute for the aws_region data source, adding a fallback for provider versions < 6.0.0.
why
To get rid of the deprecation notice and prepare for provider version 7.
references
Resolves #361.
v1.1.1
docs: clarify distribution comment is the description yangci (@oycyc) (#353)
The comment corresponds to the description on the AWS console UI! Updating the text here so it's more easily aware.
Generate readme for submodules Igor Rodionov (@goruha) (#362)
## what * Generate readme for submoduleswhy
- Allow all to keep the README updated
references
v1.1.0
fix: error: No more than 1 "s3_origin_config" blocks are allowed Eyjafjallajokull (#359)
## what- Fixed
No more than 1 s3_origin_config blocks are allowederror when using multiple S3 origins with origin access identity enabled - Changed
for_eachfrom iterating overvar.s3_originsto using[1]to create a singles3_origin_configblock
why
- AWS CloudFront only allows one s3_origin_config block per origin
- The previous implementation incorrectly created multiple blocks when multiple S3 origins were configured
references
fixes #325
to reproduce error
- in examples/complete/main.tf#L102 replace
origin_access_controlwithorigin_access_identity
https://github.com/Eyjafjallajokull/terraform-aws-cloudfront-s3-cdn/blob/96703043867c986ff3fc1550448118111a9f5659/examples/complete/main.tf#L102 terraform planfails with the above error.
v1.0.1
🚀 Enhancements
fix: Resolve unsupported attribute error in S3 website block Jakub Wądołowski (@jwadolowski) (#358)
## whatRestore lookup() calls in main.tf to address the website_enabled = true use case that was broken when #340 replaced them with explicit variable calls to avoid silent default value assignments. Additionally includes corresponding module instances in the test suite.
why
website_enabled = true implies a reference to 2 mutually exclusive configurations defined as the local.website_config variable. In the default case, index_document, error_document, and routing_rules elements exist, but redirect_all_requests_to does not, which leads to the following error:
╷
│ Error: Unsupported attribute
│
│ on ../../main.tf line 325, in resource "aws_s3_bucket" "origin":
│ 325: redirect_all_requests_to = website.value.redirect_all_requests_to
│ ├────────────────
│ │ website.value is object with 3 attributes
│
│ This object does not have an attribute named "redirect_all_requests_to".
╵
Similarly, website_enabled = true combined with redirect_all_requests_to = "https://example.com" would result in missing references to the index_document, error_document, and routing_rules fields.
All in all, in this particular case, the lookup() usage is definitely justified and does not mean a silent/hidden injection of a variable default.
references
- resolves #354
v0.98.2
🤖 Automatic Updates
chore(deps): update terraform cloudposse/s3-log-storage/aws to v1.4.5 (release/v0) @[renovate[bot]](https://github.com/apps/renovate) (#351)
This PR contains the following updates:| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-log-storage/aws (source) | module | patch | 1.4.2 -> 1.4.5 |
Release Notes
cloudposse/terraform-aws-s3-log-storage (cloudposse/s3-log-storage/aws)
v1.4.5
🚀 Enhancements
fix: remove join calls on bucket arn + id usage @carterdanko-dw (#125)
what
- Initially put the wrong values for coditions, just needs to be a list
- Bucket should be single resource vs joining on a list.
references
issue #122
🐛 Bug Fixes
fix: remove join calls on bucket arn + id usage @carterdanko-dw (#125)
what
- Initially put the wrong values for coditions, just needs to be a list
- Bucket should be single resource vs joining on a list.
references
issue #122
v1.4.4
🚀 Enhancements
Issue-122/Values expect list of strings vs string @carterdanko-dw (#123)
what
Updating the sqs iam permissions, as the values expects to be a list of strings vs just the single string arn that is the output of the module.
why
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam\_policy\_document#condition-1 expects to be a list of strings, vs just the single string arn of the s3 bucket.
references
Github issue #122
🐛 Bug Fixes
Issue-122/Values expect list of strings vs string @carterdanko-dw (#123)
what
Updating the sqs iam permissions, as the values expects to be a list of strings vs just the single string arn that is the output of the module.
why
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam\_policy\_document#condition-1 expects to be a list of strings, vs just the single string arn of the s3 bucket.
references
Github issue #122
🤖 Automatic Updates
Migrate new test account @osterman (#119)
what
- Update
.github/settings.yml - Update
.github/chatops.ymlfiles
why
- Re-apply
.github/settings.ymlfrom org level to getterratestenvironment - Migrate to new
testaccount
References
- DEV-388 Automate clean up of test account in new organization
- DEV-387 Update terratest to work on a shared workflow instead of a dispatch action
- DEV-386 Update terratest to use new testing account with GitHub OIDC
Update .github/settings.yml @osterman (#118)
what
- Update
.github/settings.yml - Drop
.github/auto-release.ymlfiles
why
- Re-apply
.github/settings.ymlfrom org level - Use organization level auto-release settings
references
- DEV-1242 Add protected tags with Repository Rulesets on GitHub
Update .github/settings.yml @osterman (#112)
what
- Update
.github/settings.yml - Drop
.github/auto-release.ymlfiles
why
- Re-apply
.github/settings.ymlfrom org level - Use organization level auto-release settings
references
- DEV-1242 Add protected tags with Repository Rulesets on GitHub
Update .github/settings.yml @osterman (#111)
what
- Update
.github/settings.yml - Drop
.github/auto-release.ymlfiles
why
- Re-apply
.github/settings.ymlfrom org level - Use organization level auto-release settings
references
- DEV-1242 Add protected tags with Repository Rulesets on GitHub
Update release workflow to allow pull-requests: write @osterman (#110)
what
- Update workflow (
.github/workflows/release.yaml) to have permission to comment on PR
why
- So we can support commenting on PRs with a link to the release
Update GitHub Workflows to use shared workflows from '.github' repo @osterman (#109)
what
- Update workflows (
.github/workflows) to use shared workflows from.githubrepo
why
- Reduce nested levels of reusable workflows
Update GitHub Workflows to Fix ReviewDog TFLint Action @osterman (#108)
what
- Update workflows (
.github/workflows) to addissue: writepermission needed by ReviewDogtflintaction
why
- The ReviewDog action will comment with line-level suggestions based on linting failures
Update GitHub workflows @osterman (#107)
what
- Update workflows (
.github/workflows/settings.yaml)
why
- Support new readme generation workflow.
- Generate banners
Use GitHub Action Workflows from `cloudposse/.github` Repo @osterman (#106)
what
- Install latest GitHub Action Workflows
why
- Use shared workflows from
cldouposse/.githubrepository - Simplify management of workflows from centralized hub of configuration
Add GitHub Settings @osterman (#104)
what
- Install a repository config (
.github/settings.yaml)
why
- Programmatically manage GitHub repo settings
Update README.md and docs @cloudpossebot (#99)
what
This is an auto-generated PR that updates the README.md and docs
why
To have most recent changes of README.md and doc from origin templates
Update Scaffolding @osterman (#100)
what
- Reran
make readmeto rebuildREADME.mdfromREADME.yaml - Migrate to square badges
- Add scaffolding for repo settings and Mergify
why
- Upstream template changed in the
.githubrepo - Work better with repository rulesets
- Modernize look & feel
v1.4.3
🤖 Automatic Updates
Update Terraform cloudposse/s3-bucket/aws to v3.1.3 (main) @renovate (#95)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-bucket/aws (source) | module | patch | 3.1.2 -> 3.1.3 |
Release Notes
cloudposse/terraform-aws-s3-bucket (cloudposse/s3-bucket/aws)
v3.1.3
Unfortunately, this change makes count unknown at plan time in certain situations. In general, you cannot use the output of compact() in count.
The solution is to stop using the deprecated policy input and revert to 3.1.2 or upgrade to 4.0.
🚀 Enhancements
Fix `source_policy_documents` combined with `var.policy` being ignored @​johncblandii (#​201)
what
- Changed
var.source_policy_documentstolocal.source_policy_documentssovar.policyusage was still supported
why
- The ternary check uses
var,source_policy_documentssovar.policybeing combined withvar.source_policy_documentsintolocal.source_policy_documentsdoes not providetruefor the ternary to execute
references
Update README.md and docs @cloudpossebot (#94)
what
This is an auto-generated PR that updates the README.md and docs
why
To have most recent changes of README.md and doc from origin templates
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the [repository job log](https://develo...
v1.0.0
feat: Backport cloudposse/cloudfront-cdn/aws improvements Jakub Wądołowski (@jwadolowski) (#340)
## whatBackport of the following cloudposse/terraform-aws-cloudfront-cdn improvements:
- cloudposse/terraform-aws-cloudfront-cdn#140
- cloudposse/terraform-aws-cloudfront-cdn#142
- cloudposse/terraform-aws-cloudfront-cdn#147
- cloudposse/terraform-aws-cloudfront-cdn#149
Detailed breakdown:
aws_s3_bucket_cors_configurationis deployed only when at least one CORS origin is defined (examples/complete/minimal.tffails if this isn't handled)- don't use
lookup()(or any other default variable value fallback method) - all defaults should be defined in thevariables.tffile - wrap optional variables with
optional()and provide sane defaults (in most cases that'd be empty string/list/nullor predefined AWS default when applicable, e.g. timeout values) - default origin
- add
origin_keepalive_timeoutandorigin_read_timeout
- add
- custom origin improvements
- enable shield configuration
- custom s3 origins
- allow for shield configuration
- fix
origin_access_control_idassignment (origin.value.s3_origin_config.origin_access_control_iddoesn't exist, butorigin.value.origin_access_control_iddoes)
- ordered cache improvements
- gRPC support
cookieblock should setwhitelisted_namesparam only whenforward=whitelist(in all other cases,allandnone, thewhitelisted_namesis automatically set tonull)
why
Both CloudPosse CDN modules should stay in sync (feature-wise) and leverage the same set of improvements.
references
includes #347 to re-generate docs after changes.#347should get merged first
v0.98.1
fix(lambda@edge): Add support for doc auto-generation with atmos Jakub Wądołowski (@jwadolowski) (#347)
## whatREADME.md generation support with atmos CLI.
why
#342 replaced Makefile with atmos.yaml for the main module, but Lambda@Edge submodule got overlooked.
references
🤖 Automatic Updates
Fix go version in tests Erik Osterman (Cloud Posse) (@osterman) (#343)
## what - Update go `1.24`why
- Error loading shared library libresolv.so.2 in Go 1.20
References
Replace Makefile with atmos.yaml Erik Osterman (Cloud Posse) (@osterman) (#342)
## what - Remove `Makefile` - Add `atmos.yaml`why
- Replace
build-harnesswithatmosfor readme genration
References
- DEV-3229 Migrate from build-harness to atmos
v0.98.0
fix: terratest w/ go updates yangci (@oycyc) (#337)
Not familiar with how Go works, but following the suggestions to update packages looks to fix the tests in this repository!The commands I executed per Nuru (@Nuru) 's suggestion on Slack:
cd test/src
go get -u ./... [github.com/gruntwork-io/terratest](http://github.com/gruntwork-io/terratest) [github.com/stretchr/testify](http://github.com/stretchr/testify) go@1.23
go mod tidy
Slack thread here on CloudPosse: https://sweetops.slack.com/archives/G014YEKDH4K/p1748635698940509?thread_ts=1746672149.263629&cid=G014YEKDH4K
🚀 Enhancements
replace TLSv1.2_2019 with TLSv1.2_2021 as default policy James Mitchell (@jamerply) (#294)
## whatThis PR updates the mimimum_protocol_version variable so that it defaults to TLSv1.2_2021 (the current recommended security policy recommended by AWS) instead of TLSv1.2_2019.
why
The most current security policy is no longer TLSv1.2_2019 but is TLSv1.2_2021.
references
See the "Security Policy" heading under the "Distribution Setting" section of the AWS CloudFront Documentation for further information.
