Version: v4.5

AWS CloudFront Requirements

CloudFront Overview

Amazon CloudFront is a content delivery network (CDN) operated by Amazon Web Services. It provides a globally distributed network of proxy servers that cache content close to consumers, which improves download speed, particularly for large files such as video. In this installation it also enforces access control: the distribution only serves objects to requests that carry a signed URL or signed cookie, and the S3 origin is reachable only through CloudFront.

Prior to your SMI installation, ensure that the following requirements for CloudFront have been met:

  • Set up default cache behavior
  • Create an AWS CloudFront cache policy
  • Create a CloudFront distribution

Set up default cache behavior

The CloudFront distribution requires a default cache behavior that restricts access to requests carrying a signed URL or signed cookie issued with a private key from a trusted key group. Requests without a valid signature, or with an expired one, are rejected by CloudFront before they reach the origin.

Note: For more information on this topic, refer to this AWS documentation.

To set up this default cache behavior, do the following:

  1. Generate an RSA public/private key pair. CloudFront key groups require a 2048-bit RSA key in PEM format.

    Note: The private key is needed for a Kubernetes secret that is created later in the installation. Keep it out of version control, and out of the Terraform state unless that state is encrypted and access-controlled.

  2. Create an AWS CloudFront public key from the public key generated in the previous step.
  3. Create an AWS CloudFront key group that lists the AWS CloudFront public key object.
  4. Create an AWS CloudFront origin access control. The example module below uses the AWS Terraform Provider; signing_behavior = "always" makes CloudFront sign every request to the S3 origin with SigV4, so the bucket policy can refuse unsigned (direct) access.

resource "aws_cloudfront_origin_access_control" "filesvc" {
  name                              = "${var.env_name} filesvc"
  description                       = "${var.env_name} filesvc policy"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"

  lifecycle {
    create_before_destroy = true
  }
}
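Steps 1 to 3 are described above but not shown in Terraform. The following is an added example, not code from the original page or from the SMI project, that performs them with the hashicorp/tls, AWS and Kubernetes Terraform providers and stores the private key in the Kubernetes secret that a later installation step consumes. The resource name filesvc_signing, the secret name filesvc-cloudfront-signing-key, the data key private_key.pem and the variable var.namespace are assumptions; the key group address aws_cloudfront_key_group.filesvc is the one the distribution module on this page references.

```hcl
# Added example (not from the page): steps 1-3 of "Set up default cache behavior".
# Assumes the hashicorp/tls, hashicorp/aws and hashicorp/kubernetes providers are
# configured and that var.env_name and var.namespace exist (assumption).

# Step 1: 2048-bit RSA key pair. CloudFront only accepts 2048-bit RSA keys.
# Caveat: tls_private_key writes the private key into Terraform state in clear
# text. If the state backend is not encrypted and access-controlled, generate the
# key with openssl outside Terraform and pass only the public key PEM in.
resource "tls_private_key" "filesvc_signing" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

# Step 2: register the public half with CloudFront.
resource "aws_cloudfront_public_key" "filesvc" {
  name        = "${var.env_name}-filesvc"
  comment     = "Signed-URL verification key for ${var.env_name} filesvc"
  encoded_key = tls_private_key.filesvc_signing.public_key_pem
}

# Step 3: the key group that the distribution's default_cache_behavior lists
# in trusted_key_groups. Only URLs/cookies signed with a matching private key
# are accepted.
resource "aws_cloudfront_key_group" "filesvc" {
  name    = "${var.env_name}-filesvc"
  comment = "Trusted signers for ${var.env_name} filesvc"
  items   = [aws_cloudfront_public_key.filesvc.id]
}

# The private half goes to the cluster as a secret for the later install step.
# Secret name, namespace variable and data key are assumptions.
resource "kubernetes_secret" "filesvc_signing_key" {
  metadata {
    name      = "filesvc-cloudfront-signing-key"
    namespace = var.namespace
  }

  data = {
    "private_key.pem" = tls_private_key.filesvc_signing.private_key_pem
  }

  type = "Opaque"
}

# Handy for signing libraries, which need the CloudFront key pair ID.
output "filesvc_cloudfront_key_pair_id" {
  value = aws_cloudfront_public_key.filesvc.id
}
```

Key rotation with this layout is a two-phase change: add a second aws_cloudfront_public_key to the key group's items, roll the signing service over to the new private key, then remove the old public key. Removing the old key first invalidates every URL still signed with it.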

Create an AWS CloudFront cache policy

Create an AWS CloudFront cache policy, for example with the Terraform module below (AWS Terraform Provider). The policy excludes cookies and query strings from the cache key and forwards only the three CORS preflight headers to the origin. Setting min_ttl, default_ttl and max_ttl to the same value pins objects in the cache for 24 hours regardless of the Cache-Control headers the origin sends.

resource "aws_cloudfront_cache_policy" "filesvc" {
  name        = "${var.env_name}-filesvc-bucket"
  comment     = "FileService Bucket for ${var.env_name}"
  default_ttl = 86400
  max_ttl     = 86400
  min_ttl     = 86400

  parameters_in_cache_key_and_forwarded_to_origin {
    cookies_config {
      cookie_behavior = "none"
    }

    headers_config {
      header_behavior = "whitelist"
      headers {
        items = [
          "Origin",
          "Access-Control-Request-Method",
          "Access-Control-Request-Headers"
        ]
      }
    }

    query_strings_config {
      query_string_behavior = "none"
    }
  }
}

Create a CloudFront distribution

You can now create a CloudFront distribution from the objects created in the previous steps (adjusted as required by customer security policy). Refer to the sample module below. Two settings carry the access control: viewer_protocol_policy = "https-only" rejects plain-HTTP viewers instead of redirecting them, and trusted_key_groups makes CloudFront require a valid signed URL or signed cookie for every request that matches the default behavior.

resource "aws_cloudfront_distribution" "filesvc" {
  origin {
    domain_name              = aws_s3_bucket.filesvc.bucket_regional_domain_name
    origin_access_control_id = aws_cloudfront_origin_access_control.filesvc.id
    origin_id                = local.origin_id
  }

  enabled         = true
  is_ipv6_enabled = true
  comment         = "FileService Distribution for ${var.env_name}"
  price_class     = "PriceClass_All"

  default_cache_behavior {
    allowed_methods = [
      "GET",
      "HEAD",
      "OPTIONS"
    ]
    cached_methods = [
      "GET",
      "HEAD",
      "OPTIONS"
    ]
    cache_policy_id        = aws_cloudfront_cache_policy.filesvc.id
    viewer_protocol_policy = "https-only"
    target_origin_id       = local.origin_id
    trusted_key_groups = [
      aws_cloudfront_key_group.filesvc.id
    ]
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }
}
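The origin access control above only makes CloudFront sign its requests to S3; the bucket must also have a policy that accepts those signed requests and nothing else, otherwise the signed-URL check can be bypassed by fetching objects from the bucket directly. The following is an added example, not code from the original page or the SMI project, that grants read access to the CloudFront service principal only when the request originates from this distribution and blocks all public access to the bucket. The resource names filesvc and filesvc_oac are assumptions; aws_s3_bucket.filesvc is the bucket the distribution module references.

```hcl
# Added example (not from the page): lock the S3 origin to this distribution.
# Assumes aws_s3_bucket.filesvc and aws_cloudfront_distribution.filesvc exist
# in the same configuration (as on this page).

# No ACL or policy may ever open the bucket to the public.
resource "aws_s3_bucket_public_access_block" "filesvc" {
  bucket                  = aws_s3_bucket.filesvc.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Only the CloudFront service principal, and only on behalf of this one
# distribution (AWS:SourceArn), may read objects. Any other distribution in any
# account, and any direct S3 request, is denied by default.
data "aws_iam_policy_document" "filesvc_oac" {
  statement {
    sid       = "AllowCloudFrontServicePrincipalReadOnly"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.filesvc.arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.filesvc.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "filesvc" {
  bucket = aws_s3_bucket.filesvc.id
  policy = data.aws_iam_policy_document.filesvc_oac.json

  # The public access block must exist first, or applying a policy that
  # references the service principal can race with block_public_policy.
  depends_on = [aws_s3_bucket_public_access_block.filesvc]
}
```

The policy deliberately omits s3:ListBucket, so a signed URL for a key that does not exist returns 403 from S3 rather than 404; that is the intended behavior for a private file service, since it does not reveal which keys exist. To verify the lock, request an object directly at the bucket's regional endpoint: it should be denied, while the same key fetched through the distribution with a valid signed URL succeeds.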