diff --git a/README.md b/README.md index 6066615..c34a1c3 100644 --- a/README.md +++ b/README.md @@ -233,6 +233,7 @@ Available targets: | [origin\_protocol\_policy](#input\_origin\_protocol\_policy) | The origin protocol policy to apply to your origin. One of http-only, https-only, or match-viewer | `string` | `"match-viewer"` | no | | [origin\_read\_timeout](#input\_origin\_read\_timeout) | The Custom Read timeout, in seconds. By default, AWS enforces a limit of 60. But you can request an increase. | `number` | `60` | no | | [origin\_request\_policy\_id](#input\_origin\_request\_policy\_id) | ID of the origin request policy attached to the cache behavior | `string` | `null` | no | +| [origin\_shield](#input\_origin\_shield) | The CloudFront Origin Shield settings |
object({| `null` | no | | [origin\_ssl\_protocols](#input\_origin\_ssl\_protocols) | The SSL/TLS protocols that you want CloudFront to use when communicating with your origin over HTTPS | `list(string)` |
enabled = bool
region = string
})
[| no | | [parent\_zone\_id](#input\_parent\_zone\_id) | ID of the hosted zone to contain this record (or specify `parent_zone_name`) | `string` | `""` | no | | [parent\_zone\_name](#input\_parent\_zone\_name) | Name of the hosted zone to contain this record (or specify `parent_zone_id`) | `string` | `""` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 0519e47..86222a3 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -89,6 +89,7 @@ | [origin\_protocol\_policy](#input\_origin\_protocol\_policy) | The origin protocol policy to apply to your origin. One of http-only, https-only, or match-viewer | `string` | `"match-viewer"` | no | | [origin\_read\_timeout](#input\_origin\_read\_timeout) | The Custom Read timeout, in seconds. By default, AWS enforces a limit of 60. But you can request an increase. | `number` | `60` | no | | [origin\_request\_policy\_id](#input\_origin\_request\_policy\_id) | ID of the origin request policy attached to the cache behavior | `string` | `null` | no | +| [origin\_shield](#input\_origin\_shield) | The CloudFront Origin Shield settings |
"TLSv1",
"TLSv1.1",
"TLSv1.2"
]
object({| `null` | no | | [origin\_ssl\_protocols](#input\_origin\_ssl\_protocols) | The SSL/TLS protocols that you want CloudFront to use when communicating with your origin over HTTPS | `list(string)` |
enabled = bool
region = string
})
[| no | | [parent\_zone\_id](#input\_parent\_zone\_id) | ID of the hosted zone to contain this record (or specify `parent_zone_name`) | `string` | `""` | no | | [parent\_zone\_name](#input\_parent\_zone\_name) | Name of the hosted zone to contain this record (or specify `parent_zone_id`) | `string` | `""` | no |
diff --git a/main.tf b/main.tf
index 58517c9..2fb944a 100644
--- a/main.tf
+++ b/main.tf
@@ -29,6 +29,7 @@ module "logs" {
}
resource "aws_cloudfront_distribution" "default" {
+ #bridgecrew:skip=BC_AWS_GENERAL_27:Skipping `Ensure CloudFront distribution has WAF enabled` because AWS WAF is indeed configurable and is managed via `var.web_acl_id`.
count = module.this.enabled ? 1 : 0
enabled = var.distribution_enabled
@@ -72,6 +73,14 @@ resource "aws_cloudfront_distribution" "default" {
origin_read_timeout = var.origin_read_timeout
}
+ dynamic "origin_shield" {
+ for_each = var.origin_shield != null ? ["true"] : []
+ content {
+ enabled = var.origin_shield.enabled
+ origin_shield_region = var.origin_shield.region
+ }
+ }
+
dynamic "custom_header" {
for_each = var.custom_header
content {
diff --git a/variables.tf b/variables.tf
index e38f24a..5361aa7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -83,6 +83,15 @@ variable "origin_protocol_policy" {
default = "match-viewer"
}
+variable "origin_shield" {
+ type = object({
+ enabled = bool
+ region = string
+ })
+ description = "The CloudFront Origin Shield settings"
+ default = null
+}
+
variable "origin_ssl_protocols" {
description = "The SSL/TLS protocols that you want CloudFront to use when communicating with your origin over HTTPS"
type = list(string)
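Review bot: The `["true"]` sentinel in `for_each = var.origin_shield != null ? ["true"] : []` of the new `dynamic "origin_shield"` block reads as if Origin Shield's enabled flag were being tested, when it only checks that the variable is non-null. Iterating over the object itself, `for_each = var.origin_shield == null ? [] : [var.origin_shield]`, and then reading `origin_shield.value.enabled` and `origin_shield.value.region` inside `content`, makes the intent explicit and stops the block from reaching back to `var.origin_shield` on every attribute. A `null` `region` inside a non-null object is passed straight through to `origin_shield_region`; whether the provider rejects that before apply is not visible from this hunk, so a guard at the variable boundary would be the safer place. The enclosing block (presumably `origin`) starts and ends outside the hunk.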
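Review bot: The new `origin_shield` variable accepts `region = null` and any string for `region`, so a missing or misspelled region surfaces only when the provider evaluates `origin_shield_region` at plan or apply time rather than at the module boundary. A `validation` block that requires a non-empty `region` whenever `enabled` is true fails fast with a message naming the offending input; `try(..., true)` keeps the default `null` object valid without depending on short-circuit evaluation of the attribute access. The exact region-name format is not checked here because the accepted set of Origin Shield regions is not visible on the page.
```hcl
variable "origin_shield" {
  # … unchanged: type, description, default …

  validation {
    condition     = try(!var.origin_shield.enabled || (var.origin_shield.region != null && var.origin_shield.region != ""), true)
    error_message = "origin_shield.region must be a non-empty AWS region name when origin_shield.enabled is true."
  }
}
```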
"TLSv1",
"TLSv1.1",
"TLSv1.2"
]