diff --git a/README.md b/README.md
index 0a7e4b52..e9b6566a 100644
--- a/README.md
+++ b/README.md
@@ -451,6 +451,7 @@ Available targets:
| [s3\_website\_password\_enabled](#input\_s3\_website\_password\_enabled) | If set to true, and `website_enabled` is also true, a password will be required in the `Referrer` field of the
HTTP request in order to access the website, and Cloudfront will be configured to pass this password in its requests.
This will make it much harder for people to bypass Cloudfront and access the S3 website directly via its website endpoint. | `bool` | `false` | no |
| [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
| [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
+| [trusted\_key\_groups](#input\_trusted\_key\_groups) | A list of key group IDs that CloudFront can use to validate signed URLs or signed cookies. | `list(string)` | `[]` | no |
| [trusted\_signers](#input\_trusted\_signers) | The AWS accounts, if any, that you want to allow to create signed URLs for private content. 'self' is acceptable. | `list(string)` | `[]` | no |
| [versioning\_enabled](#input\_versioning\_enabled) | When set to 'true' the s3 origin bucket will have versioning enabled | `bool` | `true` | no |
| [viewer\_protocol\_policy](#input\_viewer\_protocol\_policy) | Limit the protocol users can use to access content. One of `allow-all`, `https-only`, or `redirect-to-https` | `string` | `"redirect-to-https"` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 1c2b1970..e1901dc6 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -131,6 +131,7 @@
| [s3\_website\_password\_enabled](#input\_s3\_website\_password\_enabled) | If set to true, and `website_enabled` is also true, a password will be required in the `Referrer` field of the
HTTP request in order to access the website, and Cloudfront will be configured to pass this password in its requests.
This will make it much harder for people to bypass Cloudfront and access the S3 website directly via its website endpoint. | `bool` | `false` | no |
| [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
| [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
+| [trusted\_key\_groups](#input\_trusted\_key\_groups) | A list of key group IDs that CloudFront can use to validate signed URLs or signed cookies. | `list(string)` | `[]` | no |
| [trusted\_signers](#input\_trusted\_signers) | The AWS accounts, if any, that you want to allow to create signed URLs for private content. 'self' is acceptable. | `list(string)` | `[]` | no |
| [versioning\_enabled](#input\_versioning\_enabled) | When set to 'true' the s3 origin bucket will have versioning enabled | `bool` | `true` | no |
| [viewer\_protocol\_policy](#input\_viewer\_protocol\_policy) | Limit the protocol users can use to access content. One of `allow-all`, `https-only`, or `redirect-to-https` | `string` | `"redirect-to-https"` | no |
diff --git a/main.tf b/main.tf
index 78ffb300..a0dfe8e5 100644
--- a/main.tf
+++ b/main.tf
@@ -390,12 +390,13 @@ resource "aws_cloudfront_distribution" "default" {
}
default_cache_behavior {
- allowed_methods = var.allowed_methods
- cached_methods = var.cached_methods
- cache_policy_id = var.cache_policy_id
- target_origin_id = module.this.id
- compress = var.compress
- trusted_signers = var.trusted_signers
+ allowed_methods = var.allowed_methods
+ cached_methods = var.cached_methods
+ cache_policy_id = var.cache_policy_id
+ target_origin_id = module.this.id
+ compress = var.compress
+ trusted_signers = var.trusted_signers
+ trusted_key_groups = var.trusted_key_groups
dynamic "forwarded_values" {
# If a cache policy is specified, we cannot include a `forwarded_values` block at all in the API request
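Review bot: The new `trusted_key_groups = var.trusted_key_groups` line at the end of `default_cache_behavior` carries no comment, and neither this hunk nor the variable's description says that a non-empty list makes the behavior private content — CloudFront then serves it only to viewers presenting a signed URL or signed cookie from one of those key groups — while the empty default leaves the behavior public. A one-line comment at the point of use would make that visible, e.g. `# Non-empty: CloudFront requires a signed URL or cookie from one of these key groups; empty (default) leaves this behavior public.` The same point applies to the `ordered_cache_behavior` hunk below, which, like `trusted_signers`, reuses the distribution-wide variable instead of a per-behavior value, so every path pattern shares the same access restriction and cannot be left public individually — worth stating in that comment as well. The enclosing `default_cache_behavior` block and the `aws_cloudfront_distribution` resource both begin and end outside this hunk.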
@@ -442,11 +443,12 @@ resource "aws_cloudfront_distribution" "default" {
content {
path_pattern = ordered_cache_behavior.value.path_pattern
- allowed_methods = ordered_cache_behavior.value.allowed_methods
- cached_methods = ordered_cache_behavior.value.cached_methods
- target_origin_id = ordered_cache_behavior.value.target_origin_id == "" ? module.this.id : ordered_cache_behavior.value.target_origin_id
- compress = ordered_cache_behavior.value.compress
- trusted_signers = var.trusted_signers
+ allowed_methods = ordered_cache_behavior.value.allowed_methods
+ cached_methods = ordered_cache_behavior.value.cached_methods
+ target_origin_id = ordered_cache_behavior.value.target_origin_id == "" ? module.this.id : ordered_cache_behavior.value.target_origin_id
+ compress = ordered_cache_behavior.value.compress
+ trusted_signers = var.trusted_signers
+ trusted_key_groups = var.trusted_key_groups
cache_policy_id = ordered_cache_behavior.value.cache_policy_id
origin_request_policy_id = ordered_cache_behavior.value.origin_request_policy_id
diff --git a/variables.tf b/variables.tf
index 1bd935cf..e74faef1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -226,6 +226,12 @@ variable "trusted_signers" {
description = "The AWS accounts, if any, that you want to allow to create signed URLs for private content. 'self' is acceptable."
}
+variable "trusted_key_groups" {
+ type = list(string)
+ default = []
+ description = "A list of key group IDs that CloudFront can use to validate signed URLs or signed cookies."
+}
+
variable "geo_restriction_type" {
type = string