diff --git a/README.md b/README.md
index 9e961405..1414cb0a 100644
--- a/README.md
+++ b/README.md
@@ -448,6 +448,7 @@ Available targets:
 | [encryption\_enabled](#input\_encryption\_enabled) | When set to 'true' the resource will have aes256 encryption enabled by default | `bool` | `true` | no |
 | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
 | [error\_document](#input\_error\_document) | An absolute path to the document to return in case of a 4XX error | `string` | `""` | no |
+| [external\_aliases](#input\_external\_aliases) | List of FQDN's - Used to set the Alternate Domain Names (CNAMEs) setting on Cloudfront. No new route53 records will be created for these | `list(string)` | `[]` | no |
 | [extra\_logs\_attributes](#input\_extra\_logs\_attributes) | Additional attributes to add to the end of the generated Cloudfront Access Log S3 Bucket name.
Only effective if `cloudfront_access_log_create_bucket` is `true`. | `list(string)` |
[
"logs"
]
| no |
 | [extra\_origin\_attributes](#input\_extra\_origin\_attributes) | Additional attributes to put onto the origin label | `list(string)` |
[
"origin"
]
| no |
 | [forward\_cookies](#input\_forward\_cookies) | Specifies whether you want CloudFront to forward all or no cookies to the origin. Can be 'all' or 'none' | `string` | `"none"` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 333c8eb4..851c1f15 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -87,6 +87,7 @@
 | [encryption\_enabled](#input\_encryption\_enabled) | When set to 'true' the resource will have aes256 encryption enabled by default | `bool` | `true` | no |
 | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
 | [error\_document](#input\_error\_document) | An absolute path to the document to return in case of a 4XX error | `string` | `""` | no |
+| [external\_aliases](#input\_external\_aliases) | List of FQDN's - Used to set the Alternate Domain Names (CNAMEs) setting on Cloudfront. No new route53 records will be created for these | `list(string)` | `[]` | no |
 | [extra\_logs\_attributes](#input\_extra\_logs\_attributes) | Additional attributes to add to the end of the generated Cloudfront Access Log S3 Bucket name.
Only effective if `cloudfront_access_log_create_bucket` is `true`. | `list(string)` |
[
"logs"
]
| no |
 | [extra\_origin\_attributes](#input\_extra\_origin\_attributes) | Additional attributes to put onto the origin label | `list(string)` |
[
"origin"
]
| no |
 | [forward\_cookies](#input\_forward\_cookies) | Specifies whether you want CloudFront to forward all or no cookies to the origin. Can be 'all' or 'none' | `string` | `"none"` | no |
diff --git a/main.tf b/main.tf
index 91cd7685..97c91c61 100644
--- a/main.tf
+++ b/main.tf
@@ -232,6 +232,9 @@ resource "aws_s3_bucket_policy" "default" {
 resource "aws_s3_bucket" "origin" {
 #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` because we cannot enable it by default because we do not have a default destination for it.
 #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).
+ #bridgecrew:skip=BC_AWS_NETWORKING_52:Skipping `Ensure S3 Bucket has public access blocks` because we have an `aws_s3_bucket_public_access_block` resource rather than inline `block_public_*` attributes.
+ #bridgecrew:skip=BC_AWS_GENERAL_72:Skipping `Ensure S3 bucket has cross-region replication enabled` because this is out of scope of this module's use case.
+ #bridgecrew:skip=BC_AWS_GENERAL_56:Skipping `Ensure S3 buckets are encrypted with KMS by default` because this module has configurable encryption via `var.encryption_enabled`.
 count = local.create_s3_origin_bucket ? 1 : 0
 bucket = module.origin_label.id
@@ -274,7 +277,7 @@ resource "aws_s3_bucket" "origin" {
 }
 dynamic "cors_rule" {
- for_each = distinct(compact(concat(var.cors_allowed_origins, var.aliases)))
+ for_each = distinct(compact(concat(var.cors_allowed_origins, var.aliases, var.external_aliases)))
 content {
 allowed_headers = var.cors_allowed_headers
 allowed_methods = var.cors_allowed_methods 
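Review bot: The justification on the third added `#bridgecrew:skip` line (BC_AWS_GENERAL_56) does not match what `var.encryption_enabled` does: the README row in this same diff describes that variable as enabling aes256 (SSE-S3) encryption, so the KMS finding is being suppressed, not made configurable. Reword the comment to record the actual decision, e.g. `#bridgecrew:skip=BC_AWS_GENERAL_56:Skipping `Ensure S3 buckets are encrypted with KMS by default` because this module uses SSE-S3 (AES256) controlled by var.encryption_enabled and does not offer an SSE-KMS option.` The BC_AWS_NETWORKING_52 line refers to an `aws_s3_bucket_public_access_block` resource that is not in this hunk; it is worth confirming it exists for the origin bucket under the same `local.create_s3_origin_bucket` guard, otherwise the skip hides a real gap rather than documenting a covered one. The `aws_s3_bucket "origin"` body continues outside the hunk.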
@@ -323,6 +326,7 @@ data "aws_s3_bucket" "cf_logs" {
 }
 resource "aws_cloudfront_distribution" "default" {
+ #bridgecrew:skip=BC_AWS_GENERAL_27:Skipping `Ensure CloudFront distribution has WAF enabled` because AWS WAF is indeed configurable and is managed via `var.web_acl_id`.
 count = local.enabled ? 1 : 0
 enabled = var.distribution_enabled
@@ -342,7 +346,7 @@ resource "aws_cloudfront_distribution" "default" {
 }
 }
- aliases = var.acm_certificate_arn != "" ? var.aliases : []
+ aliases = var.acm_certificate_arn != "" ? concat(var.aliases, var.external_aliases) : []
 dynamic "origin_group" {
 for_each = var.origin_groups
diff --git a/variables.tf b/variables.tf
index 4f75899b..43017bde 100644
--- a/variables.tf
+++ b/variables.tf
@@ -27,6 +27,12 @@ variable "aliases" {
 default = []
 }
+variable "external_aliases" {
+ type = list(string)
+ description = "List of FQDN's - Used to set the Alternate Domain Names (CNAMEs) setting on Cloudfront. No new route53 records will be created for these"
+ default = []
+}
+
 variable "additional_bucket_policy" {
 type = string
 default = "{}"
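Review bot: The new `aliases` expression passes `concat(var.aliases, var.external_aliases)` to CloudFront without any normalisation, so an FQDN present in both lists, or an empty string in `external_aliases`, reaches the provider as-is, while the CORS `for_each` in main.tf already wraps the same concat in `distinct(compact(...))`. Apply the same treatment here so both consumers see one canonical list and an empty entry cannot turn into an apply-time rejection: `aliases = var.acm_certificate_arn != "" ? distinct(compact(concat(var.aliases, var.external_aliases))) : []`. A short comment above the line would also help operators, since the failure mode is only visible at apply: `# every alias, including external_aliases, must be covered by the certificate in var.acm_certificate_arn; no DNS records are created for external_aliases`. The `aws_cloudfront_distribution "default"` resource body continues outside the hunk.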
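Review bot: The added `external_aliases` variable accepts any string, so a value carrying a scheme, a path, whitespace or a trailing dot is only caught (or silently mishandled) when it reaches CloudFront and the S3 CORS rule, both far from the input. If the module's required Terraform version allows `validation` blocks, a bare-hostname check at the variable gives an immediate, readable error; the pattern below is illustrative and should be tightened to whatever hostname forms the module intends to allow (it admits a leading `*` label for wildcard aliases). The description's `FQDN's` should read `FQDNs`, and it is worth stating there that each entry must be covered by the certificate referenced in `var.acm_certificate_arn`, since the variable text already says no DNS records are created for them.
```hcl
variable "external_aliases" {
  # … unchanged: type, description, default …

  validation {
    condition     = alltrue([for a in var.external_aliases : can(regex("^([A-Za-z0-9*-]+\\.)+[A-Za-z0-9-]+$", a))])
    error_message = "external_aliases must contain bare FQDNs (no scheme, path, whitespace or trailing dot)."
  }
}
```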