Added support for blacklisting paths for caching

README.md

@@ -153,6 +153,7 @@ Available targets:
 | attributes | Additional attributes (e.g. `1`) | list(string) | `<list>` | no |
 | bucket_domain_format | Format of bucket domain name | string | `%s.s3.amazonaws.com` | no |
 | cached_methods | List of cached methods (e.g. GET, PUT, POST, DELETE, HEAD) | list(string) | `<list>` | no |
+| caching_blacklist | Paths of objects that should never be cached for any HTTP methods | set(string) | `<list>` | no |
 | comment | Comment for the origin access identity | string | `Managed by Terraform` | no |
 | compress | Compress content for web requests that include Accept-Encoding: gzip in the request header | bool | `false` | no |
 | cors_allowed_headers | List of allowed headers for S3 bucket | list(string) | `<list>` | no |

docs/terraform.md

@@ -9,6 +9,7 @@
 | attributes | Additional attributes (e.g. `1`) | list(string) | `<list>` | no |
 | bucket_domain_format | Format of bucket domain name | string | `%s.s3.amazonaws.com` | no |
 | cached_methods | List of cached methods (e.g. GET, PUT, POST, DELETE, HEAD) | list(string) | `<list>` | no |
+| caching_blacklist | Paths of objects that should never be cached for any HTTP methods | set(string) | `<list>` | no |
 | comment | Comment for the origin access identity | string | `Managed by Terraform` | no |
 | compress | Compress content for web requests that include Accept-Encoding: gzip in the request header | bool | `false` | no |
 | cors_allowed_headers | List of allowed headers for S3 bucket | list(string) | `<list>` | no |

main.tf

@@ -228,6 +228,32 @@ resource "aws_cloudfront_distribution" "default" {
     }
   }
 
+  dynamic "ordered_cache_behavior" {
+    for_each = var.caching_blacklist
+    content {
+      path_pattern     = ordered_cache_behavior.value
+      allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+      cached_methods   = ["GET", "HEAD", "OPTIONS"]
+      target_origin_id = module.distribution_label.id
+      compress         = var.compress
+      trusted_signers  = var.trusted_signers
+
+      forwarded_values {
+        query_string = var.forward_query_string
+        headers      = var.forward_header_values
+
+        cookies {
+          forward = var.forward_cookies
+        }
+      }
+
+      viewer_protocol_policy = var.viewer_protocol_policy
+      default_ttl            = 0
+      min_ttl                = 0
+      max_ttl                = 0
+    }
+  }
+
   restrictions {
     geo_restriction {
       restriction_type = var.geo_restriction_type

variables.tf

@@ -220,6 +220,12 @@ variable "viewer_protocol_policy" {
   default     = "redirect-to-https"
 }
 
+variable "caching_blacklist" {
+  type        = set(string)
+  default     = []
+  description = "Paths of objects that should never be cached for any HTTP methods"
+}
+
 variable "allowed_methods" {
   type        = list(string)
   default     = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]