diff --git a/README.md b/README.md index daccecc1..88b8979b 100644 --- a/README.md +++ b/README.md @@ -473,7 +473,7 @@ Available targets: | [minimum\_protocol\_version](#input\_minimum\_protocol\_version) | Cloudfront TLS minimum protocol version.
If `var.acm_certificate_arn` is unset, only "TLSv1" can be specified. See: [AWS Cloudfront create-distribution documentation](https://docs.aws.amazon.com/cli/latest/reference/cloudfront/create-distribution.html)
and [Supported protocols and ciphers between viewers and CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers) for more information.
Defaults to "TLSv1.2\_2019" unless `var.acm_certificate_arn` is unset, in which case it defaults to `TLSv1` | `string` | `""` | no | | [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | | [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | -| [ordered\_cache](#input\_ordered\_cache) | An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.
List in order of precedence (first match wins). This is in addition to the default cache policy.
Set `target_origin_id` to `""` to specify the S3 bucket origin created by this module. |
list(object({
target_origin_id = string
path_pattern = string

allowed_methods = list(string)
cached_methods = list(string)
compress = bool

cache_policy_id = string
origin_request_policy_id = string

viewer_protocol_policy = string
min_ttl = number
default_ttl = number
max_ttl = number

forward_query_string = bool
forward_header_values = list(string)
forward_cookies = string

lambda_function_association = list(object({
event_type = string
include_body = bool
lambda_arn = string
}))

function_association = list(object({
event_type = string
function_arn = string
}))
}))
| `[]` | no | +| [ordered\_cache](#input\_ordered\_cache) | An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.
List in order of precedence (first match wins). This is in addition to the default cache policy.
Set `target_origin_id` to `""` to specify the S3 bucket origin created by this module. |
list(object({
target_origin_id = string
path_pattern = string

allowed_methods = list(string)
cached_methods = list(string)
compress = bool
trusted_signers = list(string)
trusted_key_groups = list(string)

cache_policy_id = string
origin_request_policy_id = string

viewer_protocol_policy = string
min_ttl = number
default_ttl = number
max_ttl = number

forward_query_string = bool
forward_header_values = list(string)
forward_cookies = string

lambda_function_association = list(object({
event_type = string
include_body = bool
lambda_arn = string
}))

function_association = list(object({
event_type = string
function_arn = string
}))
}))
| `[]` | no | | [origin\_bucket](#input\_origin\_bucket) | Name of an existing S3 bucket to use as the origin. If this is not provided, it will create a new s3 bucket using `var.name` and other context related inputs | `string` | `null` | no | | [origin\_force\_destroy](#input\_origin\_force\_destroy) | Delete all objects from the bucket so that the bucket can be destroyed without error (e.g. `true` or `false`) | `bool` | `false` | no | | [origin\_groups](#input\_origin\_groups) | List of [Origin Groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#origin-group-arguments) to create in the distribution.
The values of `primary_origin_id` and `failover_origin_id` must correspond to origin IDs existing in `var.s3_origins` or `var.custom_origins`.

If `primary_origin_id` is set to `null` or `""`, then the origin id of the origin created by this module will be used in its place.
This is to allow for the use case of making the origin created by this module the primary origin in an origin group. |
list(object({
primary_origin_id = string
failover_origin_id = string
failover_criteria = list(string)
}))
| `[]` | no | diff --git a/docs/terraform.md b/docs/terraform.md index e053e8d0..c7ec306d 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -112,7 +112,7 @@ | [minimum\_protocol\_version](#input\_minimum\_protocol\_version) | Cloudfront TLS minimum protocol version.
If `var.acm_certificate_arn` is unset, only "TLSv1" can be specified. See: [AWS Cloudfront create-distribution documentation](https://docs.aws.amazon.com/cli/latest/reference/cloudfront/create-distribution.html)
and [Supported protocols and ciphers between viewers and CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers) for more information.
Defaults to "TLSv1.2\_2019" unless `var.acm_certificate_arn` is unset, in which case it defaults to `TLSv1` | `string` | `""` | no | | [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | | [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | -| [ordered\_cache](#input\_ordered\_cache) | An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.
List in order of precedence (first match wins). This is in addition to the default cache policy.
Set `target_origin_id` to `""` to specify the S3 bucket origin created by this module. |
list(object({
target_origin_id = string
path_pattern = string

allowed_methods = list(string)
cached_methods = list(string)
compress = bool

cache_policy_id = string
origin_request_policy_id = string

viewer_protocol_policy = string
min_ttl = number
default_ttl = number
max_ttl = number

forward_query_string = bool
forward_header_values = list(string)
forward_cookies = string

lambda_function_association = list(object({
event_type = string
include_body = bool
lambda_arn = string
}))

function_association = list(object({
event_type = string
function_arn = string
}))
}))
| `[]` | no | +| [ordered\_cache](#input\_ordered\_cache) | An ordered list of [cache behaviors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#cache-behavior-arguments) resource for this distribution.
List in order of precedence (first match wins). This is in addition to the default cache policy.
Set `target_origin_id` to `""` to specify the S3 bucket origin created by this module. |
list(object({
target_origin_id = string
path_pattern = string

allowed_methods = list(string)
cached_methods = list(string)
compress = bool
trusted_signers = list(string)
trusted_key_groups = list(string)

cache_policy_id = string
origin_request_policy_id = string

viewer_protocol_policy = string
min_ttl = number
default_ttl = number
max_ttl = number

forward_query_string = bool
forward_header_values = list(string)
forward_cookies = string

lambda_function_association = list(object({
event_type = string
include_body = bool
lambda_arn = string
}))

function_association = list(object({
event_type = string
function_arn = string
}))
}))
| `[]` | no | | [origin\_bucket](#input\_origin\_bucket) | Name of an existing S3 bucket to use as the origin. If this is not provided, it will create a new s3 bucket using `var.name` and other context related inputs | `string` | `null` | no | | [origin\_force\_destroy](#input\_origin\_force\_destroy) | Delete all objects from the bucket so that the bucket can be destroyed without error (e.g. `true` or `false`) | `bool` | `false` | no | | [origin\_groups](#input\_origin\_groups) | List of [Origin Groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#origin-group-arguments) to create in the distribution.
The values of `primary_origin_id` and `failover_origin_id` must correspond to origin IDs existing in `var.s3_origins` or `var.custom_origins`.

If `primary_origin_id` is set to `null` or `""`, then the origin id of the origin created by this module will be used in its place.
This is to allow for the use case of making the origin created by this module the primary origin in an origin group. |
list(object({
primary_origin_id = string
failover_origin_id = string
failover_criteria = list(string)
}))
| `[]` | no | diff --git a/main.tf b/main.tf index fe6dbe99..7163ef43 100644 --- a/main.tf +++ b/main.tf @@ -494,8 +494,8 @@ resource "aws_cloudfront_distribution" "default" { cached_methods = ordered_cache_behavior.value.cached_methods target_origin_id = ordered_cache_behavior.value.target_origin_id == "" ? local.origin_id : ordered_cache_behavior.value.target_origin_id compress = ordered_cache_behavior.value.compress - trusted_signers = var.trusted_signers - trusted_key_groups = var.trusted_key_groups + trusted_signers = ordered_cache_behavior.value.trusted_signers + trusted_key_groups = ordered_cache_behavior.value.trusted_key_groups cache_policy_id = ordered_cache_behavior.value.cache_policy_id origin_request_policy_id = ordered_cache_behavior.value.origin_request_policy_id diff --git a/variables.tf b/variables.tf index 61e8739b..d6c7c06b 100644 --- a/variables.tf +++ b/variables.tf @@ -358,9 +358,11 @@ variable "ordered_cache" { target_origin_id = string path_pattern = string - allowed_methods = list(string) - cached_methods = list(string) - compress = bool + allowed_methods = list(string) + cached_methods = list(string) + compress = bool + trusted_signers = list(string) + trusted_key_groups = list(string) cache_policy_id = string origin_request_policy_id = string
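
Review bot: In the `ordered_cache` row of README.md and docs/terraform.md, the description text is unchanged while the type gains `trusted_signers` and `trusted_key_groups`, so a reader has nothing telling them what to put there. Add a sentence to the variable description (the generated docs will follow) saying what each list holds, that an empty list leaves that path pattern without signed URL or signed cookie enforcement, and how the per-behavior values relate to the module-level `var.trusted_signers` and `var.trusted_key_groups` that main.tf used before this change.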
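
Review bot: In main.tf, inside the `ordered_cache_behavior` block, `trusted_signers` and `trusted_key_groups` now come only from `ordered_cache_behavior.value`, so the module-level `var.trusted_signers` and `var.trusted_key_groups` stop applying to every ordered behavior. A caller who sets the module-level variables and passes `[]` per behavior ends up with those path patterns served without signer restrictions, which is a quiet loosening of access control on upgrade. Consider falling back to the module-level value when the per-behavior value is `null`, or call this out as a behavior change in the release notes so callers copy their signer configuration into each `ordered_cache` entry.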
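
Review bot: In variables.tf, `trusted_signers = list(string)` and `trusted_key_groups = list(string)` are added to the `ordered_cache` object type as plain attributes, so any existing `ordered_cache` entry that omits them will no longer satisfy the type constraint and the plan will fail after upgrading. Either mark the release as breaking and show the two new keys in the example usage, or, if the module's minimum Terraform version supports it, declare them with `optional(list(string))` so existing callers keep working.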