Add trusted_key_groups

README.md

@@ -450,6 +450,7 @@ Available targets:
 | <a name="input_s3_website_password_enabled"></a> [s3\_website\_password\_enabled](#input\_s3\_website\_password\_enabled) | If set to true, and `website_enabled` is also true, a password will be required in the `Referrer` field of the<br>HTTP request in order to access the website, and Cloudfront will be configured to pass this password in its requests.<br>This will make it much harder for people to bypass Cloudfront and access the S3 website directly via its website endpoint. | `bool` | `false` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
+| <a name="input_trusted_key_groups"></a> [trusted\_key\_groups](#input\_trusted\_key\_groups) | A list of key group IDs that CloudFront can use to validate signed URLs or signed cookies. | `list(string)` | `[]` | no |
 | <a name="input_trusted_signers"></a> [trusted\_signers](#input\_trusted\_signers) | The AWS accounts, if any, that you want to allow to create signed URLs for private content. 'self' is acceptable. | `list(string)` | `[]` | no |
 | <a name="input_versioning_enabled"></a> [versioning\_enabled](#input\_versioning\_enabled) | When set to 'true' the s3 origin bucket will have versioning enabled | `bool` | `true` | no |
 | <a name="input_viewer_protocol_policy"></a> [viewer\_protocol\_policy](#input\_viewer\_protocol\_policy) | Limit the protocol users can use to access content. One of `allow-all`, `https-only`, or `redirect-to-https` | `string` | `"redirect-to-https"` | no |

docs/terraform.md

@@ -130,6 +130,7 @@
 | <a name="input_s3_website_password_enabled"></a> [s3\_website\_password\_enabled](#input\_s3\_website\_password\_enabled) | If set to true, and `website_enabled` is also true, a password will be required in the `Referrer` field of the<br>HTTP request in order to access the website, and Cloudfront will be configured to pass this password in its requests.<br>This will make it much harder for people to bypass Cloudfront and access the S3 website directly via its website endpoint. | `bool` | `false` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
+| <a name="input_trusted_key_groups"></a> [trusted\_key\_groups](#input\_trusted\_key\_groups) | A list of key group IDs that CloudFront can use to validate signed URLs or signed cookies. | `list(string)` | `[]` | no |
 | <a name="input_trusted_signers"></a> [trusted\_signers](#input\_trusted\_signers) | The AWS accounts, if any, that you want to allow to create signed URLs for private content. 'self' is acceptable. | `list(string)` | `[]` | no |
 | <a name="input_versioning_enabled"></a> [versioning\_enabled](#input\_versioning\_enabled) | When set to 'true' the s3 origin bucket will have versioning enabled | `bool` | `true` | no |
 | <a name="input_viewer_protocol_policy"></a> [viewer\_protocol\_policy](#input\_viewer\_protocol\_policy) | Limit the protocol users can use to access content. One of `allow-all`, `https-only`, or `redirect-to-https` | `string` | `"redirect-to-https"` | no |

main.tf

@@ -390,12 +390,13 @@ resource "aws_cloudfront_distribution" "default" {
   }
 
   default_cache_behavior {
-    allowed_methods  = var.allowed_methods
-    cached_methods   = var.cached_methods
-    cache_policy_id  = var.cache_policy_id
-    target_origin_id = module.this.id
-    compress         = var.compress
-    trusted_signers  = var.trusted_signers
+    allowed_methods    = var.allowed_methods
+    cached_methods     = var.cached_methods
+    cache_policy_id    = var.cache_policy_id
+    target_origin_id   = module.this.id
+    compress           = var.compress
+    trusted_signers    = var.trusted_signers
+    trusted_key_groups = var.trusted_key_groups
 
     dynamic "forwarded_values" {
       # If a cache policy is specified, we cannot include a `forwarded_values` block at all in the API request
@@ -434,11 +435,12 @@ resource "aws_cloudfront_distribution" "default" {
     content {
       path_pattern = ordered_cache_behavior.value.path_pattern
 
-      allowed_methods  = ordered_cache_behavior.value.allowed_methods
-      cached_methods   = ordered_cache_behavior.value.cached_methods
-      target_origin_id = ordered_cache_behavior.value.target_origin_id == "" ? module.this.id : ordered_cache_behavior.value.target_origin_id
-      compress         = ordered_cache_behavior.value.compress
-      trusted_signers  = var.trusted_signers
+      allowed_methods    = ordered_cache_behavior.value.allowed_methods
+      cached_methods     = ordered_cache_behavior.value.cached_methods
+      target_origin_id   = ordered_cache_behavior.value.target_origin_id == "" ? module.this.id : ordered_cache_behavior.value.target_origin_id
+      compress           = ordered_cache_behavior.value.compress
+      trusted_signers    = var.trusted_signers
+      trusted_key_groups = var.trusted_key_groups
 
       forwarded_values {
         query_string = ordered_cache_behavior.value.forward_query_string

variables.tf

@@ -226,6 +226,12 @@ variable "trusted_signers" {
   description = "The AWS accounts, if any, that you want to allow to create signed URLs for private content. 'self' is acceptable."
 }
 
+variable "trusted_key_groups" {
+  type        = list(string)
+  default     = []
+  description = "A list of key group IDs that CloudFront can use to validate signed URLs or signed cookies."
+}
+
 variable "geo_restriction_type" {
   type = string