Version: v5.1

AWS CloudFront Requirements

CloudFront Overview

Amazon CloudFront is a content delivery network operated by Amazon Web Services. It provides a globally distributed network of proxy servers that cache content close to consumers, improving download speeds, particularly for large files such as video.

Before starting your self-hosted installation, ensure that the following CloudFront requirements have been met:

  • Set up default cache behavior
  • Create an AWS CloudFront cache policy
  • Create a CloudFront distribution

Set up default cache behavior

The CloudFront distribution requires a default cache behavior that is restricted to a trusted key group, so that objects can be fetched only with a URL or cookie signed by the matching private key; unsigned requests are rejected by CloudFront before they reach the bucket.

Note: For more information, refer to the AWS documentation.

To set up this default cache behavior, do the following:

  1. Generate an RSA public/private keypair. CloudFront accepts only 2048-bit RSA keys in PEM format.

    Note: Keep the private key; it is needed for a Kubernetes secret used later in the installation. Only the public key is uploaded to AWS.

  2. Create an AWS CloudFront public key using the public key from the previous step.
  3. Create an AWS CloudFront key group that includes the public key object created in the previous step.
  4. Create an AWS Origin Access Control. See the example module below using the AWS Terraform provider.
resource "aws_cloudfront_origin_access_control" "filesvc" {
  name                              = "${var.env_name} filesvc"
  description                       = "${var.env_name} filesvc policy"
  origin_access_control_origin_type = "s3"

  # Sign every request to the origin with SigV4, so the bucket policy can
  # require that requests come from this distribution.
  signing_behavior = "always"
  signing_protocol = "sigv4"

  lifecycle {
    create_before_destroy = true
  }
}
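Steps 1 through 3 above have no module on the page. The following is an added Terraform example (not the page's or the product's own code) that completes them in the same style as the origin access control module. It assumes the keypair was generated with the openssl commands shown in the comment, that the exported public key sits in a file named public_key.pem next to the module, and it reuses the var.env_name variable from the page's modules; the resource names are assumptions.

```hcl
# Step 1: generate the keypair outside Terraform so the private key never
# enters Terraform state (assumed commands; CloudFront requires 2048-bit RSA):
#   openssl genrsa -out private_key.pem 2048
#   openssl rsa -in private_key.pem -pubout -out public_key.pem
# Keep private_key.pem for the Kubernetes secret created later in the install.

# Step 2: register the public key with CloudFront.
resource "aws_cloudfront_public_key" "filesvc" {
  name        = "${var.env_name}-filesvc"
  comment     = "FileService signing key for ${var.env_name}"
  encoded_key = file("${path.module}/public_key.pem") # assumed file location
}

# Step 3: the key group referenced by trusted_key_groups in the distribution.
# Only URLs and cookies signed by a private key matching one of these public
# keys are accepted by the default cache behavior.
resource "aws_cloudfront_key_group" "filesvc" {
  name    = "${var.env_name}-filesvc"
  comment = "FileService trusted key group for ${var.env_name}"
  items   = [aws_cloudfront_public_key.filesvc.id]
}
```

When rotating the signing key, add the new public key to the items list first and remove the old one only after every signer has switched; a key group with a single entry cannot be rotated without a window in which existing signed URLs fail.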

Create an AWS CloudFront cache policy

Create an AWS CloudFront cache policy. The example module below uses the AWS Terraform provider.

resource "aws_cloudfront_cache_policy" "filesvc" {
  name    = "${var.env_name}-filesvc-bucket"
  comment = "FileService Bucket for ${var.env_name}"

  # With min, max and default all equal, objects stay cached for exactly one
  # day regardless of any Cache-Control header the bucket returns.
  default_ttl = 86400
  max_ttl     = 86400
  min_ttl     = 86400

  parameters_in_cache_key_and_forwarded_to_origin {
    cookies_config {
      cookie_behavior = "none"
    }

    # Only the CORS request headers are keyed on and forwarded to S3;
    # every other viewer header is stripped before it reaches the origin.
    headers_config {
      header_behavior = "whitelist"
      headers {
        items = [
          "Origin",
          "Access-Control-Request-Method",
          "Access-Control-Request-Headers",
        ]
      }
    }

    query_strings_config {
      query_string_behavior = "none"
    }
  }
}

Create a CloudFront distribution

Create a CloudFront distribution that wires together the origin access control, cache policy and key group from the previous steps, adjusting any settings your customer's security policy requires. The sample module below uses the default CloudFront certificate, all price classes and no geographic restriction; tighten viewer_certificate, price_class and restrictions as needed.

resource "aws_cloudfront_distribution" "filesvc" {
  origin {
    domain_name              = aws_s3_bucket.filesvc.bucket_regional_domain_name
    origin_access_control_id = aws_cloudfront_origin_access_control.filesvc.id
    origin_id                = local.origin_id
  }

  enabled         = true
  is_ipv6_enabled = true
  comment         = "FileService Distribution for ${var.env_name}"
  price_class     = "PriceClass_All"

  default_cache_behavior {
    # Read-only: no PUT/POST/DELETE reaches the bucket through CloudFront.
    allowed_methods = ["GET", "HEAD", "OPTIONS"]
    cached_methods  = ["GET", "HEAD", "OPTIONS"]

    cache_policy_id        = aws_cloudfront_cache_policy.filesvc.id
    viewer_protocol_policy = "https-only"
    target_origin_id       = local.origin_id

    # Requests without a valid signed URL or signed cookie are rejected.
    trusted_key_groups = [
      aws_cloudfront_key_group.filesvc.id,
    ]
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }
}
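The origin access control attached above only has an effect if the bucket policy grants the CloudFront service principal read access scoped to this distribution: without that grant every request fails with a 403 once the OAC is in place, and with a broader grant the bucket can be read by other distributions, bypassing the trusted key group. The following bucket policy is an added example, not the page's or the product's own code; it assumes the aws_s3_bucket.filesvc resource already referenced by the distribution and reuses the distribution resource from the page.

```hcl
data "aws_iam_policy_document" "filesvc_oac" {
  statement {
    sid       = "AllowCloudFrontServicePrincipalReadOnly"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.filesvc.arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    # Scope the grant to this one distribution; any other distribution,
    # including one in another AWS account, is refused by S3.
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.filesvc.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "filesvc" {
  bucket = aws_s3_bucket.filesvc.id
  policy = data.aws_iam_policy_document.filesvc_oac.json
}

# Reject any public ACL or policy on the bucket so the only read path is
# CloudFront with a signed URL or cookie.
resource "aws_s3_bucket_public_access_block" "filesvc" {
  bucket                  = aws_s3_bucket.filesvc.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

To check the result after apply: an unsigned GET for an object through the distribution domain should return 403 with a MissingKey body, a GET against the bucket's own S3 URL should return 403 AccessDenied, and only a URL signed with the private key from step 1 should return 200.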