# Origin Access Control (OAC) that CloudFront uses to authenticate its requests
# to the S3 origin with SigV4.
#
# NOTE(review): the OAC does not restrict the bucket by itself. The bucket policy
# (not visible in this file) must allow s3:GetObject only for the
# cloudfront.amazonaws.com service principal, conditioned on AWS:SourceArn equal
# to this distribution's ARN, and the bucket should keep S3 Block Public Access
# enabled. Otherwise objects may stay reachable directly from S3. Confirm both.
resource "aws_cloudfront_origin_access_control" "s3_oac" {
  # Random suffix keeps the OAC name unique per deployment.
  name                              = "s3_oac_${random_string.bucket_random.result}"
  description                       = "S3 OAC Policy"
  origin_access_control_origin_type = "s3"
  # "always": CloudFront signs every origin request, replacing any Authorization
  # header supplied by the viewer.
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

# Origin identifiers shared between the `origin` blocks and the cache behaviors
# that target them.
locals {
  seoul_s3_origin_id = "seoul_S3Origin"
  # NOTE(review): not referenced anywhere in this file. No ALB origin is defined
  # on the distribution below, so confirm it is used elsewhere in the module.
  alb_origin_id = "alb-origin"
}

# Looks up the source bucket through the aws.seoul provider alias so that the
# distribution can use its regional domain name as the origin endpoint.
data "aws_s3_bucket" "seoul_bucket" {
  bucket = aws_s3_bucket.source.bucket
  provider = aws.seoul
}

# CloudFront distribution fronting the Seoul S3 bucket. It has a single S3
# origin accessed through the OAC, and one default cache behavior that serves
# GET/HEAD over HTTPS only.
#
# NOTE(review), hardening gaps visible in this block:
#   - no logging_config, so there are no standard access logs for detection or
#     incident response;
#   - no web_acl_id, so no AWS WAF web ACL is attached;
#   - no response_headers_policy_id on the default behavior, so CloudFront adds
#     no security response headers (HSTS, X-Content-Type-Options, ...).
# Confirm whether these are handled elsewhere or intentionally omitted.
resource "aws_cloudfront_distribution" "cf_dist" {
  origin {
    # Regional S3 endpoint of the bucket, with origin requests signed via the OAC.
    domain_name              = data.aws_s3_bucket.seoul_bucket.bucket_regional_domain_name
    origin_access_control_id = aws_cloudfront_origin_access_control.s3_oac.id
    origin_id                = local.seoul_s3_origin_id
  }

  enabled             = true
  is_ipv6_enabled     = false
  # NOTE(review): the comment mentions an ALB, but only the S3 origin is defined here.
  comment             = "CloudFront For S3, ALB"
  # Returned only for requests to the distribution root ("/"), not for
  # sub-directory paths.
  default_root_object = "static/index.html"

  default_cache_behavior {
    # Hard-coded policy ID; this appears to be the AWS managed "CachingOptimized"
    # cache policy. TODO confirm; a data "aws_cloudfront_cache_policy" lookup by
    # name would make the intent explicit.
    cache_policy_id  = "658327ea-f89d-4fab-a63d-7e88639e58f6"
    target_origin_id = local.seoul_s3_origin_id

    # Read-only methods: write methods are not forwarded to the origin.
    allowed_methods = ["GET", "HEAD"]
    cached_methods  = ["GET", "HEAD"]

    compress = true
    # Plain-HTTP viewer requests are rejected rather than redirected to HTTPS.
    viewer_protocol_policy = "https-only"
  }

  price_class = "PriceClass_All"

  restrictions {
    geo_restriction {
      # No geographic allow/deny list: viewers from any country are served.
      restriction_type = "none"
      locations        = []
    }
  }

  tags = {
    Name = "hrdkorea-cdn"
  }

  viewer_certificate {
    # Default *.cloudfront.net certificate. With this setting the minimum viewer
    # TLS version stays at TLSv1 and cannot be raised. Enforcing a newer security
    # policy requires a custom certificate (acm_certificate_arn) together with
    # minimum_protocol_version.
    cloudfront_default_certificate = true
  }
}
# Exposes the distribution ARN to callers of this module.
# NOTE(review): presumably consumed by the S3 bucket policy's AWS:SourceArn
# condition so that only this distribution can read the bucket. Verify against
# the caller.
output "cloudfront_arn" {
  value = aws_cloudfront_distribution.cf_dist.arn
}