Assignt cors policy to the cloudfront distribution for video streaming (#1784)

uolter · web-flow · commit 2536043c9b55 · 2025-10-29T11:38:07.000+01:00
diff --git a/.changeset/evil-jars-brush.md b/.changeset/evil-jars-brush.md
@@ -0,0 +1,5 @@
+---
+"infrastructure": patch
+---
+
+Assignt cors policy to the cloudfront distribution for video streaming
diff --git a/apps/infrastructure/src/modules/video_streaming/README.md b/apps/infrastructure/src/modules/video_streaming/README.md
@@ -24,6 +24,7 @@ No modules.
 | [aws_acm_certificate_validation.cdn_cert_validation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource |
 | [aws_cloudfront_distribution.s3_distribution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
 | [aws_cloudfront_origin_access_control.video_oac](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
+| [aws_cloudfront_response_headers_policy.cors_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_response_headers_policy) | resource |
 | [aws_iam_policy.ivs_recording_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.ivs_recording_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.ivs_recording_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -37,6 +38,7 @@ No modules.
 | [aws_s3_bucket_public_access_block.ivs_recordings_pac](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [random_id.suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [aws_ivs_stream_key.channels](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ivs_stream_key) | data source |
+| [aws_route53_zone.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 
 ## Inputs
 
diff --git a/apps/infrastructure/src/modules/video_streaming/main.tf b/apps/infrastructure/src/modules/video_streaming/main.tf
@@ -132,6 +132,8 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
     min_ttl                = 0
     default_ttl            = 3600  # Cache objects for 1 hour by default
     max_ttl                = 86400 # Cache objects for up to 24 hours
+
+    response_headers_policy_id = aws_cloudfront_response_headers_policy.cors_policy.id
   }
 
   # Standard restrictions
@@ -157,6 +159,36 @@ resource "aws_cloudfront_distribution" "s3_distribution" {
   }
 }
 
+data "aws_route53_zone" "selected" {
+  zone_id = var.route53_zone_id
+}
+
+
+resource "aws_cloudfront_response_headers_policy" "cors_policy" {
+  name    = "cors-policy-video-streaming"
+  comment = "Cors policy for video streaming."
+
+  cors_config {
+    access_control_allow_credentials = false
+
+    access_control_allow_headers {
+      items = ["*"]
+    }
+
+
+    access_control_allow_methods {
+      items = ["GET", "HEAD"]
+    }
+
+
+    access_control_allow_origins {
+      items = ["https://${data.aws_route53_zone.selected.name}"]
+    }
+
+    origin_override = true
+  }
+}
+
 # Policy that allows CloudFront (via OAC) to read from the bucket
 resource "aws_s3_bucket_policy" "allow_cloudfront_oac" {
   bucket = aws_s3_bucket.ivs_recordings.id

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"infrastructure": patch
 +---
++
 +Assignt cors policy to the cloudfront distribution for video streaming