feat(origins): added optional origin_shield section for additional origins

[atimofeev]

what

Added origin_shield configuration block to s3_origins and custom_origins.

why

We should be able to enable origin_shield for selected additional origins.

references

closes #341

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

The changes introduce support for configuring the CloudFront Origin Shield feature for both custom and S3 origins within the aws_cloudfront_distribution resource. This is achieved by adding an optional origin_shield configuration to the respective origin variables and dynamically including the corresponding block in the resource if specified.

Changes

Files Changed	Change Summary
main.tf	Adds a dynamic origin_shield block to custom and S3 origins within the CloudFront distribution resource.
variables.tf	Extends custom_origins and s3_origins variables to include optional origin_shield configuration object.

Assessment against linked issues

Objective	Addressed	Explanation
Allow origin_shield configuration for custom_origins and s3_origins (Issue #341)	✅

Assessment against linked issues: Out-of-scope changes

No out-of-scope changes were found.

✨ Finishing Touches

🧪 Generate Unit Tests

• Create PR with Unit Tests
• Commit Unit Tests in branch custom-origin-shield
• Post Copyable Unit Tests in Comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai auto-generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[atimofeev]

How do I properly regenerate README.md? I can't figure this out from inline comments, which mention cloudposse/build-harness

[coderabbitai]

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9a65f7e and 5de57d3.

📒 Files selected for processing (2)

• main.tf (2 hunks)
• variables.tf (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Summary

🔇 Additional comments (1)

variables.tf (1)

467-471: Ensure Terraform version supports optional type syntax.
The use of optional(object({...}), null) requires Terraform ≥1.5.0. Please confirm that your module’s required_version constraint (e.g., in versions.tf) is updated to include Terraform 1.5.0 or newer to avoid breaking users on earlier versions.

[coderabbitai]

🛠️ Refactor suggestion

Add fallback for unset origin_shield.region.
If origin_shield.enabled = true but region remains null, downstream will configure origin_shield_region = null, which is invalid. Consider defaulting region to the computed local.origin_shield_region when it’s not provided.

🤖 Prompt for AI Agents

In variables.tf around lines 489 to 493, the origin_shield.region can be null
even when origin_shield.enabled is true, causing invalid downstream
configuration. Modify the code to provide a fallback so that if
origin_shield.region is null and origin_shield.enabled is true,
origin_shield.region defaults to local.origin_shield_region. This ensures a
valid region value is always set when origin_shield is enabled.

[coderabbitai]

🛠️ Refactor suggestion

Apply region fallback and filter disabled shields for custom origins.
Only include the block when enabled is true and coalesce a null region to local.origin_shield_region:

-for_each = origin.value.origin_shield != null ? [origin.value.origin_shield] : []
+for_each = origin.value.origin_shield.enabled ? [origin.value.origin_shield] : []

 content {
   enabled = origin_shield.value.enabled
-  origin_shield_region = origin_shield.value.region
+  origin_shield_region = coalesce(origin_shield.value.region, local.origin_shield_region)
 }

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In main.tf around lines 574 to 580, the dynamic block for origin_shield should
only be included if the shield is enabled. Update the for_each expression to
filter out any origin_shield where enabled is false, and use a coalesce function
to set origin_shield_region to local.origin_shield_region if the region is null.
This ensures the block is conditionally included and applies the correct region
fallback.

[coderabbitai]

🛠️ Refactor suggestion

Apply region fallback and filter disabled shields for S3 origins.
Mirror the custom‐origin logic: only render when enabled is true and fallback null region:

-for_each = origin.value.origin_shield != null ? [origin.value.origin_shield] : []
+for_each = origin.value.origin_shield.enabled ? [origin.value.origin_shield] : []

 content {
   enabled = origin_shield.value.enabled
-  origin_shield_region = origin_shield.value.region
+  origin_shield_region = coalesce(origin_shield.value.region, local.origin_shield_region)
 }

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In main.tf around lines 601 to 607, the origin_shield block should only be
rendered if origin_shield is enabled and the region should fallback to null if
not set. Update the for_each condition to filter out disabled origin_shield
entries and modify the origin_shield_region assignment to use a fallback to null
when the region is not specified, matching the custom-origin logic.

[atimofeev]

While improvements provided by AI are reasonable, I believe that this also should be implemented in upstream module cloudposse/terraform-aws-cloudfront-cdn, as I replicated code from that repo.