terraform-aws-modules · bryantbiggs · Nov 29, 2025 · Nov 27, 2025 · Nov 27, 2025 · Nov 27, 2025
diff --git a/README.md b/README.md
diff --git a/docs/UPGRADE-6.0.md b/docs/UPGRADE-6.0.md
@@ -0,0 +1,196 @@
+# Upgrade from v5.x to v6.x
+
+If you have any questions regarding this upgrade process, please consult the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-cloudfront/tree/master/examples) directory:
+If you find a bug, please open an issue with supporting configuration to reproduce.
+
+## List of backwards incompatible changes
+
+- AWS provider `v6.20` is now minimum supported version
+- Support for `aws_cloudfront_origin_access_identity` has been removed in favor of `aws_cloudfront_origin_access_control`
+
+## Additional changes
+
+### Added
+
+- None
+
+### Modified
+
+- Variable definitions now contain detailed `object` types in place of the previously used any type
+- `is_ipv6_enabled` now defaults to `true` if not specified
+- `default_cache_behavior.compress` and `ordered_cache_behavior.compress` now default to `true`
+- `origin.origin_ssl_protocols` now defaults to `["TLSv1.2"]`
+- `vpc_origin.origin_ssl_protocols.items` now defaults to `["TLSv1.2"]`
+- `vpc_origin_timeouts` is now embedded under `vpc_origin`
+- `viewer_certificate.minimum_protocol_version` now defaults to `"TLSv1.2_2025"`
+- See the the `Before vs After` examples below for more details on variable type definition changes
+
+### Variable and output changes
+
+1. Removed variables:
+
+    - `create_origin_access_identity`
+    - `origin_access_identities`
+    - `create_origin_access_control`
+    - `create_vpc_origin`
+    - `vpc_origin_timeouts` - use `timeouts` block within `vpc_origin` variable instead
+    - `create_response_headers_policy`
+    - `create_cloudfront_function`
+
+2. Renamed variables:
+
+    - `create_distribution` -> `create`
+
+3. Added variables:
+
+    - `anycast_ip_list_id`
+
+4. Removed outputs:
+
+    - `cloudfront_vpc_origin_ids`
+    - `cloudfront_origin_access_controls_ids`
+    - `cloudfront_origin_access_identities`
+    - `cloudfront_origin_access_identity_ids`
+    - `cloudfront_origin_access_identity_iam_arns`
+    - `cloudfront_distribution_tags`
+
+5. Renamed outputs:
+
+    - None
+
+6. Added outputs:
+
+    - `cloudfront_vpc_origins`
+
+## Upgrade Migrations
+
+### Before 5.x Example
+
+```hcl
+module "cloudfront" {
+  source  = "terraform-aws-modules/cloudfront/aws/"
+  version = "~> 5.0"
+
+  # Truncated for brevity ...
+
+  create_vpc_origin = true
+  vpc_origin = {
+    ec2 = {
+      arn                    = module.ec2.arn
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "http-only"
+      origin_ssl_protocols = {
+        items    = ["TLSv1.2"]
+        quantity = 1
+      }
+    }
+  }
+
+  vpc_origin_timeouts = {
+    create = "20m"
+    update = "20m"
+    delete = "20m"
+  }
+
+  origin = {
+    s3 = {
+      domain_name = module.s3.bucket_regional_domain_name
+      s3_origin_config = {
+        origin_access_identity = "s3_bucket_one"
+      }
+
+      custom_header = [
+        {
+          name  = "X-Forwarded-Scheme"
+          value = "https"
+        },
+        {
+          name  = "X-Frame-Options"
+          value = "SAMEORIGIN"
+        }
+      ]
+    }
+  }
+
+  origin_group = {
+    group_one = {
+      failover_status_codes      = [403, 404, 500, 502]
+      primary_member_origin_id   = "appsync" # Not shown
+      secondary_member_origin_id = "s3"
+    }
+  }
+
+  geo_restriction = {
+    restriction_type = "whitelist"
+    locations        = ["NO", "UA", "US", "GB"]
+  }
+}
+```
+
+### After 6.x Example
+
+```hcl
+module "cloudfront" {
+  source  = "terraform-aws-modules/cloudfront/aws/"
+  version = "~> 6.0"
+
+  # Truncated for brevity ...
+
+  vpc_origin = {
+    ec2 = {
+      arn                    = module.ec2.arn
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "http-only"
+      origin_ssl_protocols = {
+        items    = ["TLSv1.2"]
+        quantity = 1
+      }
+
+      timeouts = {
+        create = "20m"
+        update = "20m"
+        delete = "20m"
+      }
+    }
+  }
+
+  origin = {
+    s3 = {
+      domain_name = module.s3.bucket_regional_domain_name
+      s3_origin_config = {
+        origin_access_control_key = "s3_bucket_one"
+      }
+
+      custom_header = {
+        "X-Forwarded-Scheme" = "https"
+        "X-Frame-Options"    = "SAMEORIGIN"
+      }
+    }
+  }
+
+  origin_group = {
+    group-one = {
+      failover_criteria = {
+        status_codes = [403, 404, 500, 502]
+      }
+      member = [
+        { origin_id = "appsync" }, # Not shown
+        { origin_id = "s3" }
+      ]
+    }
+  }
+
+  restrictions = {
+    geo_restriction = {
+      restriction_type = "whitelist"
+      locations        = ["NO", "UA", "US", "GB"]
+    }
+  }
+}
+```
+
+### State Changes
+
+None
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -1,18 +1,6 @@
 # Complete CloudFront Distribution
 
-Configuration in this directory creates CloudFront distribution which demos such capabilities:
-
-- access logging
-- origins and origin groups
-- caching behaviours
-- Origin Access Identities (with S3 bucket policy)
-- Origin Access Control (recommended over OAI)
-- Lambda@Edge
-- CloudFront Functions
-- Response Headers Policies
-- ACM certificate
-- Route53 record
-- VPC Origins
+Configuration in this directory creates CloudFront distribution which demonstrates nearly all features supported by this module.
 
 ## Usage
 
@@ -32,17 +20,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.100 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.20 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.100 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.20 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 2.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 
 ## Modules
 
@@ -54,16 +40,16 @@ Note that this example may create resources which cost money. Run `terraform des
 | <a name="module_lambda_function"></a> [lambda\_function](#module\_lambda\_function) | terraform-aws-modules/lambda/aws | ~> 8.0 |
 | <a name="module_log_bucket"></a> [log\_bucket](#module\_log\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
 | <a name="module_records"></a> [records](#module\_records) | terraform-aws-modules/route53/aws//modules/records | ~> 5.0 |
-| <a name="module_s3_one"></a> [s3\_one](#module\_s3\_one) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
+| <a name="module_s3"></a> [s3](#module\_s3) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_cloudfront_function.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_function) | resource |
-| [aws_s3_bucket_policy.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [null_resource.download_package](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_canonical_user_id.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/canonical_user_id) | data source |
 | [aws_cloudfront_log_delivery_canonical_user_id.cloudfront](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_log_delivery_canonical_user_id) | data source |
 | [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -87,8 +73,9 @@ No inputs.
 | <a name="output_cloudfront_distribution_last_modified_time"></a> [cloudfront\_distribution\_last\_modified\_time](#output\_cloudfront\_distribution\_last\_modified\_time) | The date and time the distribution was last modified. |
 | <a name="output_cloudfront_distribution_status"></a> [cloudfront\_distribution\_status](#output\_cloudfront\_distribution\_status) | The current status of the distribution. Deployed if the distribution's information is fully propagated throughout the Amazon CloudFront system. |
 | <a name="output_cloudfront_distribution_trusted_signers"></a> [cloudfront\_distribution\_trusted\_signers](#output\_cloudfront\_distribution\_trusted\_signers) | List of nested attributes for active trusted signers, if the distribution is set up to serve private content with signed URLs |
-| <a name="output_cloudfront_origin_access_identities"></a> [cloudfront\_origin\_access\_identities](#output\_cloudfront\_origin\_access\_identities) | The origin access identities created |
-| <a name="output_cloudfront_origin_access_identity_iam_arns"></a> [cloudfront\_origin\_access\_identity\_iam\_arns](#output\_cloudfront\_origin\_access\_identity\_iam\_arns) | The IAM arns of the origin access identities created |
-| <a name="output_cloudfront_origin_access_identity_ids"></a> [cloudfront\_origin\_access\_identity\_ids](#output\_cloudfront\_origin\_access\_identity\_ids) | The IDS of the origin access identities created |
-| <a name="output_cloudfront_vpc_origin_ids"></a> [cloudfront\_vpc\_origin\_ids](#output\_cloudfront\_vpc\_origin\_ids) | The IDS of the VPC origin created |
+| <a name="output_cloudfront_functions"></a> [cloudfront\_functions](#output\_cloudfront\_functions) | The CloudFront Functions created |
+| <a name="output_cloudfront_monitoring_subscription_id"></a> [cloudfront\_monitoring\_subscription\_id](#output\_cloudfront\_monitoring\_subscription\_id) | The ID of the CloudFront monitoring subscription, which corresponds to the `distribution_id`. |
+| <a name="output_cloudfront_origin_access_controls"></a> [cloudfront\_origin\_access\_controls](#output\_cloudfront\_origin\_access\_controls) | The origin access controls created |
+| <a name="output_cloudfront_response_headers_policies"></a> [cloudfront\_response\_headers\_policies](#output\_cloudfront\_response\_headers\_policies) | The response headers policies created |
+| <a name="output_cloudfront_vpc_origins"></a> [cloudfront\_vpc\_origins](#output\_cloudfront\_vpc\_origins) | The IDS of the VPC origin created |
 <!-- END_TF_DOCS -->