Skip to content

Latest commit

 

History

History

tf-aws-open-next-zone

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
scripts
scripts
 
 
README.md
README.md
 
 
data.tf
data.tf
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

README.md

Open Next Terraform - tf-aws-open-next-zone

This module allows you to deploy a next.js website using Open Next to AWS utilizing lambda, S3 and CloudFront. Using this module will enable you to configure a single zone. If you want to manage multiple zones, please use the tf-aws-open-next-multi-zone module instead.

The module will allow you to configure the following resources.

Single Zone Complete

The following are optional:

  • Route 53 (A and AAAA records)
  • WAF
  • Staging Distribution
  • Warmer function
  • Image Optimization function
  • Tag to Path Mapping DB

See the module documentation section below for more info.

Note: This module uses multiple bash scripts to delete data, upload data and mutate resources outside of Terraform. This prevents Terraform from removing resources when they have changed and allows the staging distribution functionality to work correctly.

You must have bash and the AWS CLI available, the CLI must be configured to use the same credentials or environment variables as the default AWS provider for this functionality to work correctly.

If you need to destroy the Terraform resources, it is recommended that you enable force_destroy on the website bucket to delete the assets in the bucket when running a Terraform destory.

Continuous deployment

This module supports CloudFront continuous deployment. See the continuous deployment docs for instructions on how to leverage this capability.

Backend Server Deployment Options

See the backend server deployment docs for instructions to see the options.

Custom Domains

For infomation on managing custom domains see the domain-config documentation

Module documentation

Below is the documentation for the Terraform module, outlining the providers, modules and resources required to deploy the website. The documentation includes the inputs that can be supplied (including any defaults) and what is outputted from the module.

By default, the module will zip all the necessary open-next artefacts as part of a Terraform deployment. To facilitate this, the .open-next folders need to be stored locally.

You can also choose to upload the artefacts to S3 and pass the reference in.

Note: the logic to automatically inject environment variables for lambda@edge functions will not run if you choose this option

Alternatively you can create the zip using your own tooling and supply the path to the zip file and the hash (SHA256 hash of the file encoded using Base64).

You must configure the AWS providers five times because some organizations use different accounts or roles for IAM, DNS, etc. The module has been designed to cater for these requirements. The server function is a separate provider to allow your backend resources to be deployed to a region, i.e. eu-west-1, and deploy the server function to another region, i.e. us-east-1, for lambda@edge. The global provider region should be set to us-east-1 to allow the auth-function, WAF, etc. to be configured correctly.

Below is an example setup.

provider "aws" {}

provider "aws" {
  alias = "server_function"
}

provider "aws" {
  alias = "iam"
}

provider "aws" {
  alias = "dns"
}

provider "aws" {
  alias  = "global"
  region = "us-east-1"
}

Requirements

Name Version
terraform >= 1.4.0
archive >= 2.3.0
aws >= 5.46.0
local >= 2.4.0

Providers

Name Version
archive 2.4.2
aws 5.46.0
local 2.5.1
terraform n/a

Modules

Name Source Version
additional_server_function ../tf-aws-lambda n/a
edge_function ../tf-aws-lambda n/a
image_optimisation_function ../tf-aws-lambda n/a
open_next_aliases ../tf-aws-open-next-aliases n/a
public_resources ../tf-aws-open-next-public-resources n/a
revalidation_function ../tf-aws-lambda n/a
s3_assets ../tf-aws-open-next-s3-assets n/a
server_function ../tf-aws-lambda n/a
warmer_function ../tf-aws-lambda n/a

Resources

Name Type
aws_cloudwatch_log_group.log_group resource
aws_dynamodb_table.isr_table resource
aws_lambda_event_source_mapping.revalidation_queue_source resource
aws_lambda_permission.additional_server_function_url_permission resource
aws_lambda_permission.image_optimisation_function_url_permission resource
aws_lambda_permission.server_function_url_permission resource
aws_s3_bucket.bucket resource
aws_s3_bucket_policy.bucket_policy resource
aws_sqs_queue.revalidation_queue resource
local_file.edge_functions_modifications resource
local_file.lambda_at_edge_modifications resource
terraform_data.isr_table_item resource
terraform_data.update_aliases resource
archive_file.additional_server_function data source
archive_file.edge_function data source
archive_file.image_optimisation_function data source
archive_file.revalidation_function data source
archive_file.server_function data source
archive_file.warmer_function data source
aws_region.current data source

Inputs

Name Description Type Default Required
additional_server_functions Default configutation for all additional server functions with the ability to override the configuration per function.

This feature requires open next v3.

By default, the module will create a new zip from the server function code on disk. However, you can override this by supplying a zip file containing the lambda code with either a local reference or a reference to the zip in an S3 bucket.

Possible values for backend_deployment_type:
- REGIONAL_LAMBDA_WITH_AUTH_LAMBDA
- REGIONAL_LAMBDA_WITH_OAC
- REGIONAL_LAMBDA_WITH_OAC_AND_ANY_PRINCIPAL
- REGIONAL_LAMBDA

See https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.1.0/docs/backend-server-deployments.md for a complete breakdown of the different backend options.		 
object({
 enable_streaming = optional(bool)
 runtime = optional(string, "nodejs20.x")
 backend_deployment_type = optional(string, "REGIONAL_LAMBDA")
 timeout = optional(number, 10)
 memory_size = optional(number, 1024)
 function_architecture = optional(string)
 layers = optional(list(string))
 additional_environment_variables = optional(map(string), {})
 iam_policies = optional(object({
 include_bucket_access = optional(bool, false)
 include_revalidation_queue_access = optional(bool, false)
 include_tag_mapping_db_access = optional(bool, false)
 }), {})
 additional_iam_policies = optional(list(object({
 name = string,
 arn = optional(string)
 policy = optional(string)
 })), [])
 vpc = optional(object({
 security_group_ids = list(string),
 subnet_ids = list(string)
 }))
 iam = optional(object({
 path = optional(string)
 permissions_boundary = optional(string)
 }))
 logging_config = optional(object({
 log_format = optional(string)
 application_log_level = optional(string)
 system_log_level = optional(string)
 }))
 cloudwatch_log = optional(object({
 deployment = optional(string)
 retention_in_days = optional(number)
 name = optional(string)
 log_group_class = optional(string)
 skip_destroy = optional(bool)
 }))
 origin_timeouts = optional(object({
 keepalive_timeout = optional(number)
 read_timeout = optional(number)
 connection_attempts = optional(number)
 connection_timeout = optional(number)
 }))
 timeouts = optional(object({
 create = optional(string)
 update = optional(string)
 delete = optional(string)
 }), {})
 function_overrides = optional(map(object({
 function_code = optional(object({
 handler = optional(string, "index.handler")
 zip = optional(object({
 path = string
 hash = string
 }))
 s3 = optional(object({
 bucket = string
 key = string
 object_version = optional(string)
 }))
 }))
 enable_streaming = optional(bool)
 runtime = optional(string, "nodejs20.x")
 backend_deployment_type = optional(string, "REGIONAL_LAMBDA")
 timeout = optional(number, 10)
 memory_size = optional(number, 1024)
 function_architecture = optional(string)
 layers = optional(list(string))
 additional_environment_variables = optional(map(string), {})
 iam_policies = optional(object({
 include_bucket_access = optional(bool, false)
 include_revalidation_queue_access = optional(bool, false)
 include_tag_mapping_db_access = optional(bool, false)
 }), {})
 additional_iam_policies = optional(list(object({
 name = string,
 arn = optional(string)
 policy = optional(string)
 })), [])
 vpc = optional(object({
 security_group_ids = list(string),
 subnet_ids = list(string)
 }))
 iam = optional(object({
 path = optional(string)
 permissions_boundary = optional(string)
 }))
 logging_config = optional(object({
 log_format = optional(string)
 application_log_level = optional(string)
 system_log_level = optional(string)
 }))
 cloudwatch_log = optional(object({
 deployment = optional(string)
 retention_in_days = optional(number)
 name = optional(string)
 log_group_class = optional(string)
 skip_destroy = optional(bool)
 }))
 origin_timeouts = optional(object({
 keepalive_timeout = optional(number)
 read_timeout = optional(number)
 connection_attempts = optional(number)
 connection_timeout = optional(number)
 }), {})
 timeouts = optional(object({
 create = optional(string)
 update = optional(string)
 delete = optional(string)
 }), {})
 })), {})
 })
 {} no
aliases The production and staging aliases to use 
object({
 production = string
 staging = string
 })
 null no
behaviours Override the default behaviour config 
object({
 custom_error_responses = optional(object({
 path_overrides = optional(map(object({
 allowed_methods = optional(list(string))
 cached_methods = optional(list(string))
 cache_policy_id = optional(string)
 origin_request_policy_id = optional(string)
 response_headers_policy_id = optional(string)
 compress = optional(bool)
 viewer_protocol_policy = optional(string)
 viewer_request = optional(object({
 type = string
 arn = string
 include_body = optional(bool)
 }))
 viewer_response = optional(object({
 type = string
 arn = string
 }))
 origin_request = optional(object({
 arn = string
 include_body = bool
 }))
 origin_response = optional(object({
 arn = string
 }))
 })))
 allowed_methods = optional(list(string))
 cached_methods = optional(list(string))
 cache_policy_id = optional(string)
 origin_request_policy_id = optional(string)
 response_headers_policy_id = optional(string)
 compress = optional(bool)
 viewer_protocol_policy = optional(string)
 viewer_request = optional(object({
 type = string
 arn = string
 include_body = optional(bool)
 }))
 viewer_response = optional(object({
 type = string
 arn = string
 }))
 origin_request = optional(object({
 type = string
 arn = string
 include_body = optional(bool)
 }))
 origin_response = optional(object({
 type = string
 arn = string
 }))
 }))
 static_assets = optional(object({
 paths = optional(list(string))
 additional_paths = optional(list(string))
 path_overrides = optional(map(object({
 allowed_methods = optional(list(string))
 cached_methods = optional(list(string))
 cache_policy_id = optional(string)
 origin_request_policy_id = optional(string)
 response_headers_policy_id = optional(string)
 compress = optional(bool)
 viewer_protocol_policy = optional(string)
 viewer_request = optional(object({
 type = string
 arn = string
 include_body = optional(bool)
 }))
 viewer_response = optional(object({
 type = string
 arn = string
 }))
 origin_request = optional(object({
 arn = string
 include_body = bool
 }))
 origin_response = optional(object({
 arn = string
 }))
 })))
 allowed_methods = optional(list(string))
 cached_methods = optional(list(string))
 cache_policy_id = optional(string)
 origin_request_policy_id = optional(string)
 response_headers_policy_id = optional(string)
 compress = optional(bool)
 viewer_protocol_policy = optional(string)
 viewer_request = optional(object({
 type = string
 arn = string
 include_body = optional(bool)
 }))
 viewer_response = optional(object({
 type = string
 arn = string
 }))
 origin_request = optional(object({
 type = string
 arn = string
 include_body = optional(bool)
 }))
 origin_response = optional(object({
 type = string
 arn = string
 }))
 }))
 server = optional(object({
 paths = optional(list(string))
 path_overrides = optional(map(object({
 allowed_methods = optional(list(string))
 cached_methods = optional(list(string))
 cache_policy_id = optional(string)
 origin_request_policy_id = optional(string)
 response_headers_policy_id = optional(string)
 compress = optional(bool)
 viewer_protocol_policy = optional(string)
 viewer_request = optional(object({
 type = string
 arn = string
 include_body = optional(bool)
 }))
 viewer_response = optional(object({
 type = string
 arn = string
 }))
 origin_request = optional(object({
 arn = string
 include_body = bool
 }))
 origin_response = optional(object({
 arn = string
 }))
 })))
 allowed_methods = optional(list(string))
 cached_methods = optional(list(string))
 cache_policy_id = optional(string)
 origin_request_policy_id = optional(string)
 response_headers_policy_id = optional(string)
 compress = optional(bool)
 viewer_protocol_policy = optional(string)
 viewer_request = optional(object({
 type = string
 arn = string
 include_body = optional(bool)
 }))
 viewer_response = optional(object({
 type = string
 arn = string
 }))
 origin_request = optional(object({
 type = string
 arn = string
 include_body = optional(bool)
 }))
 origin_response = optional(object({
 type = string
 arn = string
 }))
 }))
 additional_origins = optional(map(object({
 zone_overrides = optional(map(object({
 paths = optional(list(string))
 })))
 paths = optional(list(string))
 path_overrides = optional(map(object({
 allowed_methods = optional(list(string))
 cached_methods = optional(list(string))
 cache_policy_id = optional(string)
 origin_request_policy_id = optional(string)
 response_headers_policy_id = optional(string)
 compress = optional(bool)
 viewer_protocol_policy = optional(string)
 viewer_request = optional(object({
 type = string
 arn = string
 include_body = optional(bool)
 }))
 viewer_response = optional(object({
 type = string
 arn = string
 }))
 origin_request = optional(object({
 arn = string
 include_body = bool
 }))
 origin_response = optional(object({
 arn = string
 }))
 })))
 allowed_methods = optional(list(string))
 cached_methods = optional(list(string))
 cache_policy_id = optional(string)
 origin_request_policy_id = optional(string)
 response_headers_policy_id = optional(string)
 compress = optional(bool)
 viewer_protocol_policy = optional(string)
 viewer_request = optional(object({
 type = string
 arn = string
 include_body = optional(bool)
 }))
 viewer_response = optional(object({
 type = string
 arn = string
 }))
 origin_request = optional(object({
 type = string
 arn = string
 include_body = optional(bool)
 }))
 origin_response = optional(object({
 type = string
 arn = string
 }))
 })), {})
 image_optimisation = optional(object({
 paths = optional(list(string))
 path_overrides = optional(map(object({
 allowed_methods = optional(list(string))
 cached_methods = optional(list(string))
 cache_policy_id = optional(string)
 origin_request_policy_id = optional(string)
 response_headers_policy_id = optional(string)
 compress = optional(bool)
 viewer_protocol_policy = optional(string)
 viewer_request = optional(object({
 type = string
 arn = string
 include_body = optional(bool)
 }))
 viewer_response = optional(object({
 type = string
 arn = string
 }))
 origin_request = optional(object({
 arn = string
 include_body = bool
 }))
 origin_response = optional(object({
 arn = string
 }))
 })))
 allowed_methods = optional(list(string))
 cached_methods = optional(list(string))
 cache_policy_id = optional(string)
 origin_request_policy_id = optional(string)
 response_headers_policy_id = optional(string)
 compress = optional(bool)
 viewer_protocol_policy = optional(string)
 viewer_request = optional(object({
 type = string
 arn = string
 include_body = optional(bool)
 }))
 viewer_response = optional(object({
 type = string
 arn = string
 }))
 origin_request = optional(object({
 type = string
 arn = string
 include_body = optional(bool)
 }))
 origin_response = optional(object({
 type = string
 arn = string
 }))
 }))
 })
 {} no
cache_control_immutable_assets_regex Regex to set public,max-age=31536000,immutable on immutable resources string "^.*(\\.next)$" no
cloudwatch_log The default cloudwatch log group configuration. This can be overridden for each function."

Possible values for deployment:
- PER_FUNCTION (default)
- SHARED_PER_ZONE
- USE_EXISTING

When deployment is set to SHARED_PER_ZONE or USE_EXISTING, name is mandatory.

For SHARED_PER_ZONE, the name will include the aws/lambda namespace and the supplied prefix and suffix
For USE_EXISTING, the name will represent the log group name (including prefix)		 
object({
 deployment = optional(string, "PER_FUNCTION")
 retention_in_days = optional(number, 7)
 name = optional(string)
 log_group_class = optional(string)
 skip_destroy = optional(bool)
 })
 {} no
content_types The MIME type mapping and default for artefacts generated by Open Next 
object({
 mapping = optional(map(string), {
 "svg" = "image/svg+xml",
 "js" = "application/javascript",
 "css" = "text/css",
 "html" = "text/html"
 })
 default = optional(string, "binary/octet-stream")
 })
 {} no
continuous_deployment Configuration for continuous deployment config for CloudFront

See https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.1.0/docs/continuous-deployments.md for a complete breakdown of how to use continuous deployment.		 
object({
 use = optional(bool, true)
 deployment = optional(string, "NONE")
 traffic_config = optional(object({
 header = optional(object({
 name = string
 value = string
 }))
 weight = optional(object({
 percentage = number
 session_stickiness = optional(object({
 idle_ttl = number
 maximum_ttl = number
 }))
 }))
 }))
 })
 {} no
custom_error_responses Allow custom error responses to be set on the distributions

NOTE: These custom error pages only apply to response codes from the origins. To configure custom error responses for status codes returned by WAF, please configure the custom error responses in WAF.		 
list(object({
 error_code = string
 error_caching_min_ttl = optional(number)
 response_code = optional(string)
 response_page = optional(object({
 source = string
 path_prefix = string
 }))
 }))
 [] no
distribution Configuration for the CloudFront distribution.

Possible values for deployment are:
- NONE
- CREATE

The module has a local copy of the x-forwarded host CloudFront function code by default. The code can be seen at https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.1.0/modules/tf-aws-open-next-public-resources/code/xForwardedHost.js (open next v2) and https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.1.0/modules/tf-aws-open-next-public-resources/code/cloudfrontFunctionOpenNextV3.js (open next v3).

This code can be overridden by passing in the javascript function as a string to the code argument under the x_forwarded_host_function object. An example can be seen below.
x_forwarded_host_function = {
 code = "function handler(event) { var request = event.request; request.headers['x-forwarded-host'] = request.headers.host; return request; }"
}
The auth function is deployed if the server function backend_deployment_type is set to EDGE_LAMBDA.

The module has a local copy of the auth function code, which will be deployed by default. The code can be seen at https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.1.0/modules/tf-aws-open-next-public-resources/code/auth/index.js. You can override this to supplying a zip file containing the lambda code with either a local reference or a reference to the zip in an S3 bucket.

Possible values for the auth_function deployment are:
- NONE
- USE_EXISTING
- CREATE
- DETACH

The auth function arn is mandatory when deployment is set to USE_EXISTING.

When migrating from using the auth function to either public cloud functions or to using OAC, you should set the deployment on the auth_function to CREATE, then apply the changes. Then, you can set deployment to false in a subsequent change to clean up the function.

If you run the server function as a lambda@edge, you should increase the deletion timeout to 2 hours 120m. As the lambda service needs to wait for the replicas to be removed, this often exceeds the default 10-minute deletion timeout. This extended timeout allows Terraform to poll for longer and should help mitigate Terraform failures; an example Terraform configuration can be seen below.
auth_function = {
 timeouts = {
 delete = "120m"
 }
}
As lambda@edge doesn't support environment variables, the environment variables are injected into the source code before the zip is generated.
NOTE: If the lambda function code is supplied as a zip or via an S3 reference, this code modification will not occur

Terraform does not manage cloudwatch log groups for the auth function; the lambda service creates the log group when the function runs in each region.

CloudFront supports Origin Access Control (OAC) for lambda URLs. The possible values for the deployment options are:
- NONE
- CREATE

NOTE: If the server function or image optimisation function backend deployment types use OAC, then the OAC will be created.

As there is a limit on the number of cache policies associated with an AWS account, you can either configure the module to create the cache policy or use an existing one. The possible values for the cache policy deployment are:
- USE_EXISTING
- CREATE

If cache policy deployment is set to USE_EXISTING, then ID, is a required field.

WARNING: The distribution is fundamental to the architecture, and the module is optional to facilitate sharing a distribution for multi-zone deployments and to support edge cases not supported by the module. With that said, it is not recommended to supply a distribution.		 
object({
 deployment = optional(string, "CREATE")
 enabled = optional(bool, true)
 ipv6_enabled = optional(bool, true)
 http_version = optional(string, "http2")
 price_class = optional(string, "PriceClass_100")
 geo_restrictions = optional(object({
 type = optional(string, "none"),
 locations = optional(list(string), [])
 }), {})
 x_forwarded_host_function = optional(object({
 runtime = optional(string)
 code = optional(string)
 }), {})
 auth_function = optional(object({
 deployment = optional(string, "NONE")
 qualified_arn = optional(string)
 function_code = optional(object({
 handler = optional(string, "index.handler")
 zip = optional(object({
 path = string
 hash = string
 }))
 s3 = optional(object({
 bucket = string
 key = string
 object_version = optional(string)
 }))
 }))
 runtime = optional(string, "nodejs20.x")
 timeout = optional(number, 10)
 memory_size = optional(number, 256)
 additional_iam_policies = optional(list(object({
 name = string,
 arn = optional(string)
 policy = optional(string)
 })), [])
 iam = optional(object({
 path = optional(string)
 permissions_boundary = optional(string)
 }))
 timeouts = optional(object({
 create = optional(string)
 update = optional(string)
 delete = optional(string)
 }), {})
 }), {})
 lambda_url_oac = optional(object({
 deployment = optional(string, "NONE")
 }), {})
 cache_policy = optional(object({
 deployment = optional(string, "CREATE")
 id = optional(string)
 default_ttl = optional(number, 0)
 max_ttl = optional(number, 31536000)
 min_ttl = optional(number, 0)
 cookie_behavior = optional(string, "all")
 header_behavior = optional(string, "whitelist")
 header_items = optional(list(string))
 query_string_behavior = optional(string, "all")
 enable_accept_encoding_brotli = optional(bool)
 enable_accept_encoding_gzip = optional(bool)
 }), {})
 response_headers = optional(object({
 deployment = optional(string, "NONE") # NONE, CREATE or USE_EXISTING
 id = optional(string)
 cors_config = optional(object({
 access_control_allow_credentials = bool
 access_control_allow_headers = list(string)
 access_control_allow_methods = list(string)
 access_control_allow_origins = list(string)
 access_control_expose_headers = optional(list(string), [])
 access_control_max_age_seconds = optional(number)
 origin_override = bool
 }))
 custom_headers_config = optional(list(object({
 header = string
 override = bool
 value = string
 })), [])
 remove_headers = optional(list(string), [])
 security_headers_config = optional(object({
 content_security_policy = optional(object({
 policy = string
 override = bool
 }))
 content_type_options = optional(object({
 override = bool
 }))
 frame_options = optional(object({
 frame_option = string
 override = bool
 }))
 referrer_policy = optional(object({
 override = bool
 policy = string
 }))
 strict_transport_security = optional(object({
 max_age = number
 include_subdomains = optional(bool)
 override = bool
 preload = optional(bool)
 }))
 xss_protection = optional(object({
 mode_block = optional(bool)
 override = bool
 protection = bool
 report_uri = optional(string)
 }))
 }))
 server_timing_headers_config = optional(object({
 enabled = bool
 sampling_rate = number
 }))
 }), {})
 })
 {} no
domain_config Configuration for CloudFront distribution domain

See https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.1.0/docs/domain-config.md for a complete breakdown of the different domain configuration options.		 
object({
 evaluate_target_health = optional(bool, true)
 include_www = optional(bool, false)
 sub_domain = optional(string)
 hosted_zones = list(object({
 name = string
 id = optional(string)
 private_zone = optional(bool, false)
 }))
 create_route53_entries = optional(bool, true)
 route53_record_allow_overwrite = optional(bool, true)
 viewer_certificate = optional(object({
 acm_certificate_arn = string
 ssl_support_method = optional(string, "sni-only")
 minimum_protocol_version = optional(string, "TLSv1.2_2021")
 }))
 })
 null no
edge_functions Default configutation for all edge functions with the ability to override the configuration per edge function

By default, the module will create a new zip from the edge function code on disk. However, you can override this by supplying a zip file containing the lambda code with either a local reference or a reference to the zip in an S3 bucket.

This feature requires open next v3.

NOTE: Terraform does not manage cloudwatch log groups; instead, the lambda service creates the log group when the function runs in each region.

The module OPEN_NEXT_ORIGIN environment variable for each edge function, as per the open next documentation for middleware. You have the ability to remove this environment variable by setting the include_open_next_origin_env_variable to false or override this value by setting an environment variable with the same name via the additional_environment_variables attribute.

You should increase the deletion timeout to 2 hours 120m. As the lambda service needs to wait for the replicas to be removed, this often exceeds the default 10-minute deletion timeout. This extended timeout allows Terraform to poll for longer and should help mitigate Terraform failures; an example Terraform configuration can be seen below.
timeouts = {
 delete = "120m"
}
As lambda@edge doesn't support environment variables, the environment variables are injected into the source code before the zip is generated.
NOTE: If the lambda function code is supplied as a zip or via an S3 reference, this code modification will not occur		 
object({
 runtime = optional(string, "nodejs20.x")
 timeout = optional(number, 10)
 memory_size = optional(number, 512)
 include_open_next_origin_env_variable = optional(bool, true)
 additional_environment_variables = optional(map(string), {})
 additional_iam_policies = optional(list(object({
 name = string,
 arn = optional(string)
 policy = optional(string)
 })), [])
 iam = optional(object({
 path = optional(string)
 permissions_boundary = optional(string)
 }))
 timeouts = optional(object({
 create = optional(string)
 update = optional(string)
 delete = optional(string)
 }), {})
 function_overrides = optional(map(object({
 function_code = optional(object({
 handler = optional(string, "handler.handler")
 zip = optional(object({
 path = string
 hash = string
 }))
 s3 = optional(object({
 bucket = string
 key = string
 object_version = optional(string)
 }))
 }))
 runtime = optional(string, "nodejs20.x")
 timeout = optional(number, 10)
 memory_size = optional(number, 512)
 include_open_next_origin_env_variable = optional(bool, true)
 additional_environment_variables = optional(map(string), {})
 additional_iam_policies = optional(list(object({
 name = string,
 arn = optional(string)
 policy = optional(string)
 })), [])
 iam = optional(object({
 path = optional(string)
 permissions_boundary = optional(string)
 }))
 timeouts = optional(object({
 create = optional(string)
 update = optional(string)
 delete = optional(string)
 }), {})
 })), {})
 })
 {} no
folder_path The path to the open next artifacts string n/a yes
function_architecture The default instruction set architecture for the lambda functions. This can be overridden for each function. string "arm64" no
iam The default IAM configuration. This can be overridden for each function. 
object({
 path = optional(string, "/")
 permissions_boundary = optional(string)
 })
 {} no
image_optimisation_function Configuration for the image optimisation function.

By default, the module will create a new zip from the image optimisation function code on disk. However, you can override this by supplying a zip file containing the lambda code with either a local reference or a reference to the zip in an S3 bucket.

Possible values for backend_deployment_type:
- REGIONAL_LAMBDA_WITH_AUTH_LAMBDA
- REGIONAL_LAMBDA_WITH_OAC
- REGIONAL_LAMBDA_WITH_OAC_AND_ANY_PRINCIPAL
- REGIONAL_LAMBDA

See https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.1.0/docs/backend-server-deployments.md for a complete breakdown of the different backend options.

If you do not want to provision the image optimisation function, you can set create to false.		 
object({
 create = optional(bool, true)
 function_code = optional(object({
 handler = optional(string, "index.handler")
 zip = optional(object({
 path = string
 hash = string
 }))
 s3 = optional(object({
 bucket = string
 key = string
 object_version = optional(string)
 }))
 }))
 runtime = optional(string, "nodejs20.x")
 backend_deployment_type = optional(string, "REGIONAL_LAMBDA")
 timeout = optional(number, 25)
 memory_size = optional(number, 1536)
 additional_environment_variables = optional(map(string), {})
 function_architecture = optional(string)
 static_image_optimisation = optional(bool, false)
 layers = optional(list(string))
 additional_iam_policies = optional(list(object({
 name = string,
 arn = optional(string)
 policy = optional(string)
 })), [])
 vpc = optional(object({
 security_group_ids = list(string),
 subnet_ids = list(string)
 }))
 iam = optional(object({
 path = optional(string)
 permissions_boundary = optional(string)
 }))
 logging_config = optional(object({
 log_format = optional(string)
 application_log_level = optional(string)
 system_log_level = optional(string)
 }))
 cloudwatch_log = optional(object({
 deployment = optional(string)
 retention_in_days = optional(number)
 name = optional(string)
 log_group_class = optional(string)
 skip_destroy = optional(bool)
 }))
 origin_timeouts = optional(object({
 keepalive_timeout = optional(number)
 read_timeout = optional(number)
 connection_attempts = optional(number)
 connection_timeout = optional(number)
 }))
 timeouts = optional(object({
 create = optional(string)
 update = optional(string)
 delete = optional(string)
 }), {})
 })
 {} no
layers The default layers that is applied to all regional functions. This can be overridden for each function. list(string) null no
logging_config The default function logging configuration. The log group is determined by the cloudwatch_log variable. This can be overridden for each function. 
object({
 log_format = optional(string)
 application_log_level = optional(string)
 system_log_level = optional(string)
 })
 null no
open_next_version The version of open next that is used string "v2.x.x" no
origin_timeouts The default CloudFront origin timeout settings. This can be overridden for each function that is connected as an origin on the CloudFront distribution i.e. not edge functions. 
object({
 keepalive_timeout = optional(number)
 read_timeout = optional(number)
 connection_attempts = optional(number)
 connection_timeout = optional(number)
 })
 null no
prefix A prefix which will be attached to the resource name to ensure resources are random string null no
revalidation_function Configuration for the revalidation function.

By default, the module will create a new zip from the revalidation function code on disk. However, you can override this by supplying a zip file containing the lambda code with either a local reference or a reference to the zip in an S3 bucket.

This function is deployed to the region specified on the default AWS Terraform provider.		 
object({
 function_code = optional(object({
 handler = optional(string, "index.handler")
 zip = optional(object({
 path = string
 hash = string
 }))
 s3 = optional(object({
 bucket = string
 key = string
 object_version = optional(string)
 }))
 }))
 runtime = optional(string, "nodejs20.x")
 timeout = optional(number, 25)
 memory_size = optional(number, 1536)
 additional_environment_variables = optional(map(string), {})
 layers = optional(list(string))
 function_architecture = optional(string)
 additional_iam_policies = optional(list(object({
 name = string,
 arn = optional(string)
 policy = optional(string)
 })), [])
 vpc = optional(object({
 security_group_ids = list(string),
 subnet_ids = list(string)
 }))
 iam = optional(object({
 path = optional(string)
 permissions_boundary = optional(string)
 }))
 logging_config = optional(object({
 log_format = optional(string)
 application_log_level = optional(string)
 system_log_level = optional(string)
 }))
 cloudwatch_log = optional(object({
 deployment = optional(string)
 retention_in_days = optional(number)
 name = optional(string)
 log_group_class = optional(string)
 skip_destroy = optional(bool)
 }))
 timeouts = optional(object({
 create = optional(string)
 update = optional(string)
 delete = optional(string)
 }), {})
 })
 {} no
s3_exclusion_regex A regex of files to exclude from the s3 copy string null no
s3_folder_prefix An optional folder to store uploaded assets and cached files under string null no
scripts Modify default script behaviours 
object({
 interpreter = optional(string)
 additional_environment_variables = optional(map(string))
 delete_folder_script = optional(object({
 interpreter = optional(string)
 path = optional(string)
 additional_environment_variables = optional(map(string))
 }))
 file_sync_script = optional(object({
 interpreter = optional(string)
 path = optional(string)
 additional_environment_variables = optional(map(string))
 }))
 invalidate_cloudfront_script = optional(object({
 interpreter = optional(string)
 path = optional(string)
 additional_environment_variables = optional(map(string))
 }))
 promote_distribution_script = optional(object({
 interpreter = optional(string)
 path = optional(string)
 additional_environment_variables = optional(map(string))
 }))
 remove_continuous_deployment_policy_id_script = optional(object({
 interpreter = optional(string)
 path = optional(string)
 additional_environment_variables = optional(map(string))
 }))
 save_item_to_dynamo_script = optional(object({
 interpreter = optional(string)
 path = optional(string)
 additional_environment_variables = optional(map(string))
 }))
 update_alias_script = optional(object({
 interpreter = optional(string)
 path = optional(string)
 additional_environment_variables = optional(map(string))
 }))
 update_parameter_script = optional(object({
 interpreter = optional(string)
 path = optional(string)
 additional_environment_variables = optional(map(string))
 }))
 })
 {} no
server_function Configuration for the server function.

By default, the module will create a new zip from the server function code on disk. However, you can override this by supplying a zip file containing the lambda code with either a local reference or a reference to the zip in an S3 bucket.

Possible values for backend_deployment_type:
- REGIONAL_LAMBDA_WITH_AUTH_LAMBDA
- REGIONAL_LAMBDA_WITH_OAC
- REGIONAL_LAMBDA_WITH_OAC_AND_ANY_PRINCIPAL
- REGIONAL_LAMBDA
- EDGE_LAMBDA (only supported with open next v2)

See https://github.com/RJPearson94/terraform-aws-open-next/blob/v3.1.0/docs/backend-server-deployments.md for a complete breakdown of the different backend options.

NOTE: When backend_deployment_type is set to EDGE_LAMBDA, Terraform does not manage cloudwatch log groups; instead, the lambda service creates the log group when the function runs in each region.

If you run the server function as a lambda@edge, you should increase the deletion timeout to 2 hours 120m. As the lambda service needs to wait for the replicas to be removed, this often exceeds the default 10-minute deletion timeout. This extended timeout allows Terraform to poll for longer and should help mitigate Terraform failures; an example Terraform configuration can be seen below.
timeouts = {
 delete = "120m"
}
As lambda@edge doesn't support environment variables, the environment variables are injected into the source code before the zip is generated.
NOTE: If the lambda function code is supplied as a zip or via an S3 reference, this code modification will not occur		 
object({
 function_code = optional(object({
 handler = optional(string, "index.handler")
 zip = optional(object({
 path = string
 hash = string
 }))
 s3 = optional(object({
 bucket = string
 key = string
 object_version = optional(string)
 }))
 }))
 enable_streaming = optional(bool)
 runtime = optional(string, "nodejs20.x")
 backend_deployment_type = optional(string, "REGIONAL_LAMBDA")
 timeout = optional(number, 10)
 memory_size = optional(number, 1024)
 function_architecture = optional(string)
 layers = optional(list(string))
 additional_environment_variables = optional(map(string), {})
 additional_iam_policies = optional(list(object({
 name = string,
 arn = optional(string)
 policy = optional(string)
 })), [])
 vpc = optional(object({
 security_group_ids = list(string),
 subnet_ids = list(string)
 }))
 iam = optional(object({
 path = optional(string)
 permissions_boundary = optional(string)
 }))
 logging_config = optional(object({
 log_format = optional(string)
 application_log_level = optional(string)
 system_log_level = optional(string)
 }))
 cloudwatch_log = optional(object({
 deployment = optional(string)
 retention_in_days = optional(number)
 name = optional(string)
 log_group_class = optional(string)
 skip_destroy = optional(bool)
 }))
 origin_timeouts = optional(object({
 keepalive_timeout = optional(number)
 read_timeout = optional(number)
 connection_attempts = optional(number)
 connection_timeout = optional(number)
 }))
 timeouts = optional(object({
 create = optional(string)
 update = optional(string)
 delete = optional(string)
 }), {})
 })
 {} no
suffix A suffix which will be attached to the resource name to ensure resources are random string null no
tag_mapping_db Configuration for the ISR tag mapping database

By default, the module uploads the items in the dynamodb-cache JSON file stored locally. The cache alias is appended to each item in the DB.

Possible values for deployment:
- NONE
- CREATE

The read and write capacity for the Global Secondary Index (GSI) can be overridden; however, the table's read and write capacity will be used by default.		 
object({
 deployment = optional(string, "CREATE")
 billing_mode = optional(string, "PAY_PER_REQUEST")
 read_capacity = optional(number)
 write_capacity = optional(number)
 revalidate_gsi = optional(object({
 read_capacity = optional(number)
 write_capacity = optional(number)
 }), {})
 })
 {} no
vpc The default VPC configuration for the lambda resources. This can be overridden for each function. 
object({
 security_group_ids = list(string),
 subnet_ids = list(string)
 })
 null no
waf Configuration for the CloudFront distribution WAF.

Possible values for the WAF deployment are:
- NONE
- USE_EXISTING
- CREATE
- DETACH

The web_acl_id is mandatory when deployment is set to USE_EXISTING.

When configuring basic authentication, the encoded username and password are marked as sensitive. This can be turned off by setting mark_as_sensitive to false; however, a bug in Terraform v1.6.0 prevented this from working. If this occurs, please upgrade to at least v1.6.1.

Possible values for the WAF default action are:
- ALLOW
- BLOCK

The module provides the ability to configure recommended WAF rules to guard against SQL Injection (sqli), account takeover protection and account creation fraud prevention.

Multiple rate limits can be configured with each limit applied across all geographic regions or limited to a specific region. The possible values for the action are:
- COUNT
- BLOCK

The possible values for the action of each additional rule are:
- COUNT
- BLOCK

When IP address restrictions are used as part of additional rules or enforcing basic auth, the possible values for the action are:
- BYPASS
- BLOCK

Examples of maintenance pages, basic auth, and more can be found at https://github.com/RJPearson94/terraform-aws-open-next-examples.		 
object({
 deployment = optional(string, "NONE")
 web_acl_id = optional(string)
 aws_managed_rules = optional(list(object({
 priority = optional(number)
 name = string
 aws_managed_rule_name = string
 })), [{
 name = "amazon-ip-reputation-list"
 aws_managed_rule_name = "AWSManagedRulesAmazonIpReputationList"
 }, {
 name = "common-rule-set"
 aws_managed_rule_name = "AWSManagedRulesCommonRuleSet"
 }, {
 name = "known-bad-inputs"
 aws_managed_rule_name = "AWSManagedRulesKnownBadInputsRuleSet"
 }])
 rate_limiting = optional(object({
 enabled = optional(bool, false)
 limits = optional(list(object({
 priority = optional(number)
 rule_name_suffix = optional(string)
 limit = optional(number, 1000)
 action = optional(string, "BLOCK")
 geo_match_scope = optional(list(string))
 })), [])
 }), {})
 sqli = optional(object({
 enabled = optional(bool, false)
 priority = optional(number)
 }), {})
 account_takeover_protection = optional(object({
 enabled = optional(bool, false)
 priority = optional(number)
 login_path = string
 enable_regex_in_path = optional(bool)
 request_inspection = optional(object({
 username_field_identifier = string
 password_field_identifier = string
 payload_type = string
 }))
 response_inspection = optional(object({
 failure_codes = list(string)
 success_codes = list(string)
 }))
 }))
 account_creation_fraud_prevention = optional(object({
 enabled = optional(bool, false)
 priority = optional(number)
 creation_path = string
 registration_page_path = string
 enable_regex_in_path = optional(bool)
 request_inspection = optional(object({
 email_field_identifier = string
 username_field_identifier = string
 password_field_identifier = string
 payload_type = string
 }))
 response_inspection = optional(object({
 failure_codes = list(string)
 success_codes = list(string)
 }))
 }))
 enforce_basic_auth = optional(object({
 enabled = optional(bool, false)
 priority = optional(number)
 response_code = optional(number, 401)
 response_header = optional(object({
 name = optional(string, "WWW-Authenticate")
 value = optional(string, "Basic realm="Requires basic auth"")
 }), {})
 header_name = optional(string, "authorization")
 credentials = optional(object({
 username = string
 password = string
 mark_as_sensitive = optional(bool, true)
 }))
 ip_address_restrictions = optional(list(object({
 action = optional(string, "BYPASS")
 arn = optional(string)
 name = optional(string)
 })))
 }))
 additional_rules = optional(list(object({
 enabled = optional(bool, false)
 priority = optional(number)
 name = string
 action = optional(string, "COUNT")
 block_action = optional(object({
 response_code = number
 response_header = optional(object({
 name = string
 value = string
 }))
 custom_response_body_key = optional(string)
 }))
 ip_address_restrictions = list(object({
 action = optional(string, "BYPASS")
 arn = optional(string)
 name = optional(string)
 }))
 })))
 default_action = optional(object({
 action = optional(string, "ALLOW")
 block_action = optional(object({
 response_code = number
 response_header = optional(object({
 name = string
 value = string
 }))
 custom_response_body_key = optional(string)
 }))
 }))
 ip_addresses = optional(map(object({
 description = optional(string)
 ip_address_version = string
 addresses = list(string)
 })))
 custom_response_bodies = optional(list(object({
 key = string
 content = string
 content_type = string
 })))
 })
 {} no
warmer_function Configuration for the warmer function.

By default, the module will create a new zip from the warmer function code on disk. However, you can override this by supplying a zip file containing the lambda code with either a local reference or a reference to the zip in an S3 bucket.

If the warmer function is enabled, you can conditionally choose to warm the staging distribution. Enabling this will provision another lambda function. By default, the warmer for the staging distribution will use the same concurrency value as the production distribution. However, you can override this value by specifying a concurrency value for the warm_staging object.

This function is deployed to the region specified on the default AWS Terraform provider.		 
object({
 enabled = optional(bool, false)
 warm_staging = optional(object({
 enabled = optional(bool, false)
 concurrency = optional(number)
 }))
 function_code = optional(object({
 handler = optional(string, "index.handler")
 zip = optional(object({
 path = string
 hash = string
 }))
 s3 = optional(object({
 bucket = string
 key = string
 object_version = optional(string)
 }))
 }))
 runtime = optional(string, "nodejs20.x")
 concurrency = optional(number, 20)
 timeout = optional(number, 15 * 60) // 15 minutes
 memory_size = optional(number, 1024)
 function_architecture = optional(string)
 schedule = optional(string, "rate(5 minutes)")
 additional_environment_variables = optional(map(string), {})
 additional_iam_policies = optional(list(object({
 name = string,
 arn = optional(string)
 policy = optional(string)
 })), [])
 vpc = optional(object({
 security_group_ids = list(string),
 subnet_ids = list(string)
 }))
 iam = optional(object({
 path = optional(string)
 permissions_boundary = optional(string)
 }))
 logging_config = optional(object({
 log_format = optional(string)
 application_log_level = optional(string)
 system_log_level = optional(string)
 }))
 cloudwatch_log = optional(object({
 deployment = optional(string)
 retention_in_days = optional(number)
 name = optional(string)
 log_group_class = optional(string)
 skip_destroy = optional(bool)
 }))
 timeouts = optional(object({
 create = optional(string)
 update = optional(string)
 delete = optional(string)
 }), {})
 })
 {} no
website_bucket Configuration for the website S3 bucket

By default, the module will upload the assets and cache folders that are stored locally.

Possible values for deployment:
- NONE
- CREATE

This bucket is deployed to the region specified on the default AWS Terraform provider.

If deployment is set to NONE, then arn, region, name & domain_name are required fields.

WARNING: The bucket is fundamental to the architecture, and the module is optional to facilitate sharing a bucket for multi-zone deployments and to support edge cases not supported by the module. With that said, it is not recommended to supply a bucket.		 
object({
 deployment = optional(string, "CREATE")
 create_bucket_policy = optional(bool, true)
 force_destroy = optional(bool, false)
 arn = optional(string)
 region = optional(string)
 name = optional(string)
 domain_name = optional(string)
 })
 {} no
zone_suffix An optional zone suffix to add to the assets and cache folder to allow files to be loaded correctly string null no

Outputs

Name Description
alias_details The alias config
alternate_domain_names Extra CNAMEs (alternate domain names) associated with the cloudfront distribution
behaviours The behaviours for the zone
bucket_arn The ARN of the s3 bucket
bucket_name The name of the s3 bucket
cloudfront_distribution_id The ID for the cloudfront distribution
cloudfront_staging_distribution_id The ID for the cloudfront staging distribution
cloudfront_url The URL for the cloudfront distribution
custom_error_responses The custom error responses for the zone
response_headers_policy_id n/a
zone_config The zone config