The CloudFront distribution's ViewerProtocolPolicy allows plain HTTP between viewers and the edge, so requests and responses can be read or modified in transit. Set `viewer_protocol_policy` to `redirect-to-https` (or `https-only`, which rejects HTTP instead of redirecting) on the `default_cache_behavior` and on every `ordered_cache_behavior`, since the policy is evaluated per cache behavior. Note that this setting only covers the viewer-to-edge leg; edge-to-origin transport is governed separately by each origin's `origin_protocol_policy`.
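# CloudFront distribution fronting the static-site S3 buckets.
# Noncompliant example for the viewer-protocol rule: the default cache
# behavior still accepts plain HTTP from viewers (see `viewer_protocol_policy`).
resource "aws_cloudfront_distribution" "cf" {
  # Primary/failover pair: CloudFront retries against the second member when
  # the primary returns one of the listed status codes.
  origin_group {
    origin_id = "groupS3"

    failover_criteria {
      status_codes = [403, 404, 500, 502]
    }

    member {
      origin_id = "primaryS3"
    }

    member {
      # NOTE(review): no origin with origin_id "failoverS3" is declared in this
      # file unless local.s3_origin_id resolves to it — confirm, otherwise the
      # origin group will not validate.
      origin_id = "failoverS3"
    }
  }

  origin {
    domain_name = aws_s3_bucket.statics.bucket_regional_domain_name
    origin_id   = local.s3_origin_id
    # NOTE(review): this origin has no s3_origin_config / origin access
    # identity, so the bucket would have to allow public reads for CloudFront
    # to fetch from it. Consider the same OAI used on "primaryS3" below.
  }

  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"
  price_class         = "PriceClass_100"

  aliases = [data.aws_route53_zone.selected.name]

  # Only one default_cache_behavior block is allowed per distribution. The
  # original declared it twice (once for the protocol policy, once for the
  # response headers policy); both settings are merged here.
  default_cache_behavior {
    # Static content: read-only methods are sufficient and can all be cached.
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "groupS3"

    # Noncompliant: `viewer_protocol_policy` is set to `allow-all`, so viewers
    # may fetch content over plain HTTP and the TLS settings in
    # viewer_certificate below are never enforced for those requests.
    viewer_protocol_policy = "allow-all"

    response_headers_policy_id = data.aws_cloudfront_response_headers_policy.simple_cors.id

    # CloudFront requires either a cache policy or legacy forwarded_values;
    # forward nothing so static objects are cached uniformly.
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      # Must be "none", "whitelist" or "blacklist"; an empty string is rejected.
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # NOTE(review): this is a literal placeholder, not a certificate ARN — it
    # should reference an aws_acm_certificate (in us-east-1) matching the alias.
    acm_certificate_arn = "aws_acm_certificate_arn"
    # ssl_support_method is required whenever acm_certificate_arn is set;
    # "sni-only" avoids the dedicated-IP surcharge.
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2018"
  }

  # A WAFv2 web ACL is attached to CloudFront by ARN (the original passed the
  # whole resource object) and must be CLOUDFRONT-scoped.
  web_acl_id = aws_wafv2_web_acl.waf_cloudfront.arn

  logging_config {
    include_cookies = false
    bucket          = "mylogs.s3.amazonaws.com"
    prefix          = "myprefix"
  }

  origin {
    domain_name = aws_s3_bucket.primary.bucket_regional_domain_name
    origin_id   = "primaryS3"

    # Bucket stays private; only this identity may read it.
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
    }
  }
}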
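# Ships the web ACL's request logs to CloudWatch Logs.
resource "aws_wafv2_web_acl_logging_configuration" "pike" {
  resource_arn = aws_wafv2_web_acl.waf_cloudfront.arn
  # WAF only accepts CloudWatch log groups whose name starts with
  # "aws-waf-logs-"; the original "pike/" destination would be rejected at
  # apply time.
  # NOTE(review): account ID and region are hard-coded — prefer a reference to
  # an aws_cloudwatch_log_group resource. If the ACL is CLOUDFRONT-scoped, the
  # destination must also live in us-east-1 per the WAF logging docs; confirm.
  log_destination_configs = ["arn:aws:logs:eu-west-2:680235478471:log-group:aws-waf-logs-pike"]
}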
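# WAFv2 web ACL attached to the CloudFront distribution above.
# Runs two AWS managed rule groups; anything they do not block is allowed by
# default_action.
resource "aws_wafv2_web_acl" "waf_cloudfront" {
  name        = "managed-rule-example"
  description = "Example of a managed rule."
  # A web ACL referenced from aws_cloudfront_distribution.web_acl_id must be
  # CLOUDFRONT-scoped (and therefore created in us-east-1); a REGIONAL ACL
  # cannot be associated with a distribution.
  scope = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "rule-1"
    priority = 1

    # none {} keeps the managed group's own block/count actions.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"

        # The original excluded a rule named "rule-1" — this rule's own name,
        # not a rule inside the managed group — so the exclusion had no
        # effect and is dropped.

        # NOTE(review): the scope-down statement means this rule group is
        # evaluated ONLY for requests geolocated to US or NL; traffic from any
        # other country skips it and falls through to default_action (allow).
        # Confirm that is the intent rather than the inverse.
        scope_down_statement {
          geo_match_statement {
            country_codes = ["US", "NL"]
          }
        }
      }
    }

    # Metrics and sampled requests are what CloudWatch alarms and the WAF
    # console use for detection; each rule gets a distinct metric name so the
    # two rules can be told apart (the original reused one name for both).
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "anonymous-ip-list"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "rule-2"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"

        # NOTE(review): SizeRestrictions_QUERYSTRING is a rule of
        # AWSManagedRulesCommonRuleSet, not KnownBadInputsRuleSet, so this
        # exclusion most likely does nothing here — verify against the current
        # rule-group listing. (Newer provider versions supersede excluded_rule
        # with rule_action_override.)
        excluded_rule {
          name = "SizeRestrictions_QUERYSTRING"
        }

        # Same geo scope-down caveat as rule-1: non-US/NL traffic bypasses it.
        scope_down_statement {
          geo_match_statement {
            country_codes = ["US", "NL"]
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "known-bad-inputs"
      sampled_requests_enabled   = true
    }
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }

  # Web-ACL-level metrics (all rules combined).
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "managed-rule-example"
    sampled_requests_enabled   = true
  }
}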
# Looks up the AWS-managed "SimpleCORS" response headers policy by name; its id
# is attached to the distribution's default cache behavior.
data "aws_cloudfront_response_headers_policy" "simple_cors" {
  name = "SimpleCORS"
}
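# CloudFront distribution fronting the static-site S3 buckets.
# Compliant example for the viewer-protocol rule: plain-HTTP viewers are
# redirected to HTTPS (see `viewer_protocol_policy`).
resource "aws_cloudfront_distribution" "cf" {
  # Primary/failover pair: CloudFront retries against the second member when
  # the primary returns one of the listed status codes.
  origin_group {
    origin_id = "groupS3"

    failover_criteria {
      status_codes = [403, 404, 500, 502]
    }

    member {
      origin_id = "primaryS3"
    }

    member {
      # NOTE(review): no origin with origin_id "failoverS3" is declared in this
      # file unless local.s3_origin_id resolves to it — confirm, otherwise the
      # origin group will not validate.
      origin_id = "failoverS3"
    }
  }

  origin {
    domain_name = aws_s3_bucket.statics.bucket_regional_domain_name
    origin_id   = local.s3_origin_id
    # NOTE(review): this origin has no s3_origin_config / origin access
    # identity, so the bucket would have to allow public reads for CloudFront
    # to fetch from it. Consider the same OAI used on "primaryS3" below.
  }

  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"
  price_class         = "PriceClass_100"

  aliases = [data.aws_route53_zone.selected.name]

  # Only one default_cache_behavior block is allowed per distribution. The
  # original declared it twice (once for the protocol policy, once for the
  # response headers policy); both settings are merged here.
  default_cache_behavior {
    # Static content: read-only methods are sufficient and can all be cached.
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "groupS3"

    # Compliant: `viewer_protocol_policy` is set to `redirect-to-https`, so
    # HTTP viewers get a 301 to HTTPS and TLS is enforced for content.
    # `https-only` is stricter (HTTP is refused instead of redirected) if
    # clients are known to support it. Every ordered_cache_behavior needs the
    # same setting; none are declared here.
    viewer_protocol_policy = "redirect-to-https"

    response_headers_policy_id = data.aws_cloudfront_response_headers_policy.simple_cors.id

    # CloudFront requires either a cache policy or legacy forwarded_values;
    # forward nothing so static objects are cached uniformly.
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      # Must be "none", "whitelist" or "blacklist"; an empty string is rejected.
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # NOTE(review): this is a literal placeholder, not a certificate ARN — it
    # should reference an aws_acm_certificate (in us-east-1) matching the alias.
    acm_certificate_arn = "aws_acm_certificate_arn"
    # ssl_support_method is required whenever acm_certificate_arn is set;
    # "sni-only" avoids the dedicated-IP surcharge.
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2018"
  }

  # A WAFv2 web ACL is attached to CloudFront by ARN (the original passed the
  # whole resource object) and must be CLOUDFRONT-scoped.
  web_acl_id = aws_wafv2_web_acl.waf_cloudfront.arn

  logging_config {
    include_cookies = false
    bucket          = "mylogs.s3.amazonaws.com"
    prefix          = "myprefix"
  }

  origin {
    domain_name = aws_s3_bucket.primary.bucket_regional_domain_name
    origin_id   = "primaryS3"

    # Bucket stays private; only this identity may read it.
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
    }
  }
}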
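# Ships the web ACL's request logs to CloudWatch Logs.
resource "aws_wafv2_web_acl_logging_configuration" "pike" {
  resource_arn = aws_wafv2_web_acl.waf_cloudfront.arn
  # WAF only accepts CloudWatch log groups whose name starts with
  # "aws-waf-logs-"; the original "pike/" destination would be rejected at
  # apply time.
  # NOTE(review): account ID and region are hard-coded — prefer a reference to
  # an aws_cloudwatch_log_group resource. If the ACL is CLOUDFRONT-scoped, the
  # destination must also live in us-east-1 per the WAF logging docs; confirm.
  log_destination_configs = ["arn:aws:logs:eu-west-2:680235478471:log-group:aws-waf-logs-pike"]
}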
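# WAFv2 web ACL attached to the CloudFront distribution above.
# Runs two AWS managed rule groups; anything they do not block is allowed by
# default_action.
resource "aws_wafv2_web_acl" "waf_cloudfront" {
  name        = "managed-rule-example"
  description = "Example of a managed rule."
  # A web ACL referenced from aws_cloudfront_distribution.web_acl_id must be
  # CLOUDFRONT-scoped (and therefore created in us-east-1); a REGIONAL ACL
  # cannot be associated with a distribution.
  scope = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "rule-1"
    priority = 1

    # none {} keeps the managed group's own block/count actions.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"

        # The original excluded a rule named "rule-1" — this rule's own name,
        # not a rule inside the managed group — so the exclusion had no
        # effect and is dropped.

        # NOTE(review): the scope-down statement means this rule group is
        # evaluated ONLY for requests geolocated to US or NL; traffic from any
        # other country skips it and falls through to default_action (allow).
        # Confirm that is the intent rather than the inverse.
        scope_down_statement {
          geo_match_statement {
            country_codes = ["US", "NL"]
          }
        }
      }
    }

    # Metrics and sampled requests are what CloudWatch alarms and the WAF
    # console use for detection; each rule gets a distinct metric name so the
    # two rules can be told apart (the original reused one name for both).
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "anonymous-ip-list"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "rule-2"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"

        # NOTE(review): SizeRestrictions_QUERYSTRING is a rule of
        # AWSManagedRulesCommonRuleSet, not KnownBadInputsRuleSet, so this
        # exclusion most likely does nothing here — verify against the current
        # rule-group listing. (Newer provider versions supersede excluded_rule
        # with rule_action_override.)
        excluded_rule {
          name = "SizeRestrictions_QUERYSTRING"
        }

        # Same geo scope-down caveat as rule-1: non-US/NL traffic bypasses it.
        scope_down_statement {
          geo_match_statement {
            country_codes = ["US", "NL"]
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "known-bad-inputs"
      sampled_requests_enabled   = true
    }
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }

  # Web-ACL-level metrics (all rules combined).
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "managed-rule-example"
    sampled_requests_enabled   = true
  }
}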
# Looks up the AWS-managed "SimpleCORS" response headers policy by name; its id
# is attached to the distribution's default cache behavior.
data "aws_cloudfront_response_headers_policy" "simple_cors" {
  name = "SimpleCORS"
}