feat(static-site): cors config

Script47 · Script47 · commit 3c535efad886 · 2026-03-18T23:29:51.000Z
diff --git a/static-site/README.md b/static-site/README.md
@@ -16,21 +16,29 @@ See `variables.tf` for the full argument reference.
 
 ```hcl
 module "static_site" {
-  source      = "github.com/script47/aws-tf-modules/static-site"
+  source = "github.com/script47/aws-tf-modules/static-site"
 
   bucket_name = "example.org"
   hosted_zone = "my-hosted-zone"
-  domains     = ["example.org"]
+  domains = ["example.org"]
 
   geo_restriction = {
-    type      = "none"
+    type = "none"
     locations = []
   }
 
   viewer_certificate = {
     minimum_protocol_version = "TLSv1.2_2025"
   }
 
+  cors_config = {
+    access_control_allow_credentials = false
+    access_control_allow_headers     = ["*"]
+    access_control_allow_methods     = ["GET", "HEAD", "OPTIONS"]
+    access_control_allow_origins     = ["*"]
+    origin_override                  = true
+  }
+
   tags = {
     Project     = "my-project"
     Service     = "my-service"
diff --git a/static-site/cloudfront.tf b/static-site/cloudfront.tf
@@ -79,6 +79,24 @@ resource "aws_cloudfront_response_headers_policy" "cloudfront" {
   name    = "cf-resp-hdrs-${local.primary_domain_normalised}"
   comment = "Response headers policy for ${local.primary_domain}"
 
+  cors_config {
+    access_control_allow_credentials = var.cors_config.access_control_allow_credentials
+
+    access_control_allow_headers {
+      items = var.cors_config.access_control_allow_headers
+    }
+
+    access_control_allow_methods {
+      items = var.cors_config.access_control_allow_methods
+    }
+
+    access_control_allow_origins {
+      items = var.cors_config.access_control_allow_origins
+    }
+
+    origin_override = var.cors_config.origin_override
+  }
+
   security_headers_config {
     content_type_options {
       override = true
@@ -102,4 +120,4 @@ resource "aws_cloudfront_response_headers_policy" "cloudfront" {
   }
 
   provider = aws.default
-}
+}
diff --git a/static-site/variables.tf b/static-site/variables.tf
@@ -42,6 +42,18 @@ variable "viewer_certificate" {
   description = "Viewer certificate configuration for the CloudFront distribution"
 }
 
+variable "cors_config" {
+  description = "Optional CORS configuration for CloudFront response headers policy"
+  type = object({
+    access_control_allow_credentials = optional(bool, false)
+    access_control_allow_headers     = optional(list(string), ["*"])
+    access_control_allow_methods     = optional(list(string), ["GET", "HEAD", "OPTIONS"])
+    access_control_allow_origins     = optional(list(string), ["*"])
+    origin_override                  = optional(bool, true)
+  })
+  default = {}
+}
+
 variable "tags" {
   type        = map(string)
   description = "The tags to apply to all resources created"
