How to implement Cache Distribution pattern using Terraform

Cache Distribution pattern using Terraform

The Cache Distribution pattern places cached copies of the content served by the content distribution source (the origin) at locations around the world. Content is then served from a location geographically closer to the user, which works around geographical and physical constraints: the distance between the user and the content is shortened, so the response time the user sees improves.


Using AWS CloudFront, you can use cache servers (edge servers) located around the world.

  • Decide which origin server will serve as the content delivery source, and place the content on it.
  • Set up a CloudFront distribution that uses that origin server. When it is created, a DNS name of the form xxxx.cloudfront.net is issued (the xxxx part is generated randomly).
  • You can use this automatically issued DNS name as-is, but you can also use your own domain name. In that case, register your domain as an alternate domain name (CNAME) on the distribution and point a CNAME record for your domain at the issued CloudFront DNS name. The CNAME record lives in your own domain's DNS zone, not on the origin server.


Issues to be solved

With the spread of computers and mobile devices, more people access content on the Internet from more regions. In addition, image and video data are of higher quality, and the amount of data is very large.

From the user-experience point of view, data should be delivered to users quickly and stably, but with current technology, accessing a server on the east coast of the United States from Japan, for example, incurs a communication delay of at least 200 milliseconds. For this reason, if there is only one source of content, the user experience gets worse.


  • A better user experience can be provided for geographically dispersed users.
  • Since file download processing is spread across the edge locations, there is also a load-distribution effect.
  • By using an existing server (a server other than EC2, such as an on-premises or hosted server) as the origin server, the pattern can be applied while still taking advantage of existing servers.
  • S3 can also be used directly as the origin.
  • When you want to deliver only to a limited area, you can restrict delivery to the target countries with CloudFront's geo restriction feature.

Implementation of Cache Distribution pattern using Terraform

Let's put the origin's static content on S3 and distribute its cache through CloudFront.



Code explanation

  1. aws_cloudfront_origin_access_identity

In this case we do not want the S3 endpoint to be accessed directly, so we create an origin access identity (OAI). Our company's separate entry on restricting access to an S3 bucket with an origin access identity covers this in detail. Note that an OAI only works when the origin is the bucket's REST endpoint (the bucket domain name); if the S3 static website endpoint is used as the origin, CloudFront treats it as a custom origin and the OAI cannot be used.

  2. template_file

The bucket policy is generated from a template. Terraform variables can be expanded by embedding them in the template in the form ${variable} and rendering it.

  3. aws_s3_bucket

Create the S3 bucket. Static website hosting is enabled, the ACL is public-read, and the bucket policy allows s3:GetObject only to the origin access identity: to let the content be reached only through CloudFront, specify the origin access identity (its IAM ARN or canonical user ID) as the Principal of the policy statement. The public-read ACL contributes nothing to this setup, since CloudFront reads through the OAI, and a public-read bucket ACL lets anyone list the bucket's keys through the REST endpoint; a private ACL together with S3 Block Public Access is the safer choice.

  4. aws_s3_bucket_object

Upload index.html to the bucket just created.

  5. aws_cloudfront_distribution

Finally, create the CloudFront distribution. The arguments are described in detail in the provider documentation; the table below maps each Terraform setting to the corresponding setting when a distribution is created in the management console.

Terraform setting | Terraform value | Management console setting | Management console value
----------------- | --------------- | -------------------------- | ------------------------
enabled | true | Distribution State | Enabled
comment | us-west-2-cloudfront-resource-demo | Comment | us-west-2-cloudfront-resource-demo
default_root_object | index.html | Default Root Object | index.html
price_class | PriceClass_200 | Price Class | Use Only US, Europe and Asia
retain_on_delete | true | N/A (Terraform-specific setting) | N/A
origin.domain_name | | Origin Domain Name |
origin.origin_id | us-west-2-cloudfront-resource-demo | Origin ID | us-west-2-cloudfront-resource-demo
origin.s3_origin_config.origin_access_identity | origin-access-identity/cloudfront/ABC123 | Origin Access Identity | origin-access-identity/cloudfront/ABC123
default_cache_behavior.allowed_methods | ["GET", "HEAD"] | Allowed HTTP Methods | GET, HEAD
default_cache_behavior.cached_methods | ["GET", "HEAD"] | Cached HTTP Methods | GET, HEAD (Cached by default)
default_cache_behavior.target_origin_id | us-west-2-cloudfront-resource-demo | Origin | us-west-2-cloudfront-resource-demo
default_cache_behavior.forwarded_values.query_string | false | Query String Forwarding and Caching | None (Improves Caching)
default_cache_behavior.forwarded_values.cookies.forward | none | Forward Cookies | None (Improves Caching)
default_cache_behavior.viewer_protocol_policy | allow-all | Viewer Protocol Policy | HTTP and HTTPS
default_cache_behavior.min_ttl | 0 | Minimum TTL | 0
default_cache_behavior.default_ttl | 3600 | Default TTL | 3600
default_cache_behavior.max_ttl | 86400 | Maximum TTL | 86400
restrictions.geo_restriction.restriction_type | whitelist | Restriction Type | Whitelist
restrictions.geo_restriction.locations | ["US", "CA", "IN", "GB", "DE", "JP"] | Countries | US, CA, IN, GB, DE, JP
viewer_certificate.cloudfront_default_certificate | true | SSL Certificate | Default CloudFront Certificate (*.cloudfront.net)
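A complete configuration covering the five items of the code explanation with the values from the table, written here as an added example rather than the article's own Terraform code (which is not reproduced on this page). It assumes Terraform 0.12 or later with AWS provider 3.x, the region us-west-2, and the bucket name us-west-2-cloudfront-resource-demo from the table; the template_file data source is kept because the explanation describes it, although the built-in templatefile() function is the usual replacement today. Two things are deliberately different from the article: the bucket ACL is private with S3 Block Public Access enabled instead of public-read, since CloudFront reads through the OAI and nothing needs to be public, and credentials are taken from the environment or a named profile, so plan and apply are run without the -var access_key / secret_key arguments.

```hcl
# Credentials come from AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY or a named profile.
provider "aws" {
  region = "us-west-2" # assumed
}

locals {
  name = "us-west-2-cloudfront-resource-demo" # assumed; S3 bucket names are global
}

# 1. Origin access identity: the principal CloudFront uses to read the bucket.
resource "aws_cloudfront_origin_access_identity" "demo" {
  comment = local.name
}

# 2. Bucket policy rendered from an inline template. $${...} is a literal ${...} for
#    the template engine (Terraform's own interpolation is escaped); only the OAI may GetObject.
data "template_file" "bucket_policy" {
  template = <<-EOT
    {"Version": "2012-10-17",
     "Statement": [{"Sid": "AllowGetObjectFromCloudFrontOAIOnly", "Effect": "Allow",
                    "Principal": {"AWS": "$${oai_iam_arn}"},
                    "Action": "s3:GetObject", "Resource": "$${bucket_arn}/*"}]}
  EOT
  vars = {
    oai_iam_arn = aws_cloudfront_origin_access_identity.demo.iam_arn
    bucket_arn  = aws_s3_bucket.demo.arn
  }
}

# 3. Bucket: private ACL plus Block Public Access instead of the article's public-read.
resource "aws_s3_bucket" "demo" {
  bucket = local.name
  acl    = "private"
  website { index_document = "index.html" }
}

resource "aws_s3_bucket_public_access_block" "demo" {
  bucket                  = aws_s3_bucket.demo.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_policy" "demo" {
  bucket = aws_s3_bucket.demo.id
  policy = data.template_file.bucket_policy.rendered
}

# 4. The origin content (index.html sits next to this file).
resource "aws_s3_bucket_object" "index" {
  bucket       = aws_s3_bucket.demo.id
  key          = "index.html"
  source       = "${path.module}/index.html"
  content_type = "text/html"
  etag         = filemd5("${path.module}/index.html")
}

# 5. The distribution. The origin is the bucket's REST endpoint, not the website
#    endpoint: an OAI cannot authenticate to the website endpoint.
resource "aws_cloudfront_distribution" "demo" {
  enabled             = true
  comment             = local.name
  default_root_object = "index.html"
  price_class         = "PriceClass_200"
  retain_on_delete    = true
  origin {
    domain_name = aws_s3_bucket.demo.bucket_regional_domain_name
    origin_id   = local.name
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.demo.cloudfront_access_identity_path
    }
  }
  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = local.name
    viewer_protocol_policy = "allow-all" # reproduces the article's HTTP+HTTPS test; use "redirect-to-https" beyond a test
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
  }
  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA", "IN", "GB", "DE", "JP"]
    }
  }
  viewer_certificate { cloudfront_default_certificate = true }
}

output "cloudfront_domain_name" { value = aws_cloudfront_distribution.demo.domain_name }
output "s3_website_endpoint" { value = aws_s3_bucket.demo.website_endpoint }
```

After apply, terraform output cloudfront_domain_name and terraform output s3_website_endpoint give the two endpoints used in the curl checks of the next section. The policy grants s3:GetObject to the OAI's IAM ARN only; with Block Public Access on, a later attempt to add a public statement or ACL to the bucket is rejected rather than silently widening access.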

Let’s Run,

First, set up the origin content. Since this is only a test, a simple HTML file is enough.

# echo 'Hello, World!' > index.html

Run Terraform with your AWS access key and secret key. Passing keys as -var arguments leaves them in your shell history and visible in process listings; for anything beyond a throwaway test, supply them through the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables or a named profile instead of on the command line.

# terraform plan -var access_key=<access_key> -var secret_key=<secret_key> 
# terraform apply -var access_key=<access_key> -var secret_key=<secret_key>

It takes about 15 to 20 minutes for the distribution's State to become Deployed. Once it is deployed, access the CloudFront domain (replace <cloudfront-domain-name> with the domain name of your own distribution). The setup is successful if the content is returned over both HTTP and HTTPS, as follows. Both work because viewer_protocol_policy is allow-all; for a production distribution, redirect-to-https or https-only is the usual choice.

# curl http://<cloudfront-domain-name>
Hello, World!

# curl https://<cloudfront-domain-name>
Hello, World!

Conversely, if you access the S3 endpoint directly and get a 403 as below, you have confirmed that the bucket policy is working as intended: the content can be reached only through CloudFront.

# curl <s3-website-endpoint>
<head><title>403 Forbidden</title></head>
<h1>403 Forbidden</h1>
<li>Code: AccessDenied</li>
<li>Message: Access Denied</li>
<li>RequestId: ABC123</li>
<li>HostId: ABC123</li>