diff --git a/README.md b/README.md
index b644ea3..53c40dc 100644
--- a/README.md
+++ b/README.md
@@ -145,15 +145,15 @@ No modules.
 | <a name="input_create_origin_access_identity"></a> [create\_origin\_access\_identity](#input\_create\_origin\_access\_identity) | Controls if CloudFront origin access identity should be created | `bool` | `false` | no |
 | <a name="input_create_vpc_origin"></a> [create\_vpc\_origin](#input\_create\_vpc\_origin) | If enabled, the resource for VPC origin will be created. | `bool` | `false` | no |
 | <a name="input_custom_error_response"></a> [custom\_error\_response](#input\_custom\_error\_response) | One or more custom error response elements | `any` | `{}` | no |
-| <a name="input_default_cache_behavior"></a> [default\_cache\_behavior](#input\_default\_cache\_behavior) | The default cache behavior for this distribution | `any` | `null` | no |
+| <a name="input_default_cache_behavior"></a> [default\_cache\_behavior](#input\_default\_cache\_behavior) | The default cache behavior for this distribution | <pre>object({<br/>    allowed_methods           = list(string)<br/>    cached_methods            = list(string)<br/>    cache_policy_id           = optional(string)<br/>    cache_policy_name         = optional(string) # convenience variable to lookup<br/>    compress                  = optional(bool)<br/>    default_ttl               = optional(number)<br/>    field_level_encryption_id = optional(string)<br/>    forwarded_values = optional(object({<br/>      cookies = object({<br/>        forward           = string<br/>        whitelisted_names = optional(list(string))<br/>      })<br/>      headers                 = optional(list(string))<br/>      query_string            = bool<br/>      query_string_cache_keys = optional(list(string))<br/>    }))<br/>    lambda_function_association = optional(map(object({<br/>      # event_type = map key<br/>      lambda_arn   = string<br/>      include_body = optional(bool)<br/>    })), {})<br/>    function_association = optional(map(object({<br/>      # event_type = map key<br/>      function_arn = string<br/>    })), {})<br/>    max_ttl                      = optional(number)<br/>    min_ttl                      = optional(number)<br/>    origin_request_policy_id     = optional(string)<br/>    origin_request_policy_name   = optional(string) # convenience variable to lookup<br/>    realtime_log_config_arn      = optional(string)<br/>    response_headers_policy_id   = optional(string)<br/>    response_headers_policy_name = optional(string) # convenience variable to lookup<br/>    smooth_streaming             = optional(bool)<br/>    target_origin_id             = string<br/>    trusted_key_groups           = optional(list(string))<br/>    trusted_signers              = optional(list(string))<br/>    viewer_protocol_policy       = string<br/>    grpc_config = optional(object({<br/>      enabled = bool<br/>    }))<br/>  })</pre> | n/a | yes |
 | <a name="input_default_root_object"></a> [default\_root\_object](#input\_default\_root\_object) | The object that you want CloudFront to return (for example, index.html) when an end user requests the root URL. | `string` | `null` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Whether the distribution is enabled to accept end user requests for content. | `bool` | `true` | no |
 | <a name="input_geo_restriction"></a> [geo\_restriction](#input\_geo\_restriction) | The restriction configuration for this distribution (geo\_restrictions) | `any` | `{}` | no |
 | <a name="input_http_version"></a> [http\_version](#input\_http\_version) | The maximum HTTP version to support on the distribution. Allowed values are http1.1, http2, http2and3, and http3. The default is http2. | `string` | `"http2"` | no |
 | <a name="input_is_ipv6_enabled"></a> [is\_ipv6\_enabled](#input\_is\_ipv6\_enabled) | Whether the IPv6 is enabled for the distribution. | `bool` | `null` | no |
 | <a name="input_logging_config"></a> [logging\_config](#input\_logging\_config) | The logging configuration that controls how logs are written to your distribution (maximum one). | `any` | `{}` | no |
-| <a name="input_ordered_cache_behavior"></a> [ordered\_cache\_behavior](#input\_ordered\_cache\_behavior) | An ordered list of cache behaviors resource for this distribution. List from top to bottom in order of precedence. The topmost cache behavior will have precedence 0. | `any` | `[]` | no |
-| <a name="input_origin"></a> [origin](#input\_origin) | One or more origins for this distribution (multiples allowed). | `any` | `null` | no |
+| <a name="input_ordered_cache_behavior"></a> [ordered\_cache\_behavior](#input\_ordered\_cache\_behavior) | An ordered list of cache behaviors resource for this distribution. List from top to bottom in order of precedence. The topmost cache behavior will have precedence 0. | <pre>list(object({<br/>    allowed_methods           = list(string)<br/>    cached_methods            = list(string)<br/>    cache_policy_id           = optional(string)<br/>    cache_policy_name         = optional(string) # convenience variable to lookup<br/>    compress                  = optional(bool)<br/>    default_ttl               = optional(number)<br/>    field_level_encryption_id = optional(string)<br/>    forwarded_values = optional(object({<br/>      cookies = object({<br/>        forward           = string<br/>        whitelisted_names = optional(list(string))<br/>      })<br/>      headers                 = optional(list(string))<br/>      query_string            = bool<br/>      query_string_cache_keys = optional(list(string))<br/>    }))<br/>    lambda_function_association = optional(map(object({<br/>      # event_type = map key<br/>      lambda_arn   = string<br/>      include_body = optional(bool)<br/>    })), {})<br/>    function_association = optional(map(object({<br/>      # event_type = map key<br/>      function_arn = string<br/>    })), {})<br/>    max_ttl                      = optional(number)<br/>    min_ttl                      = optional(number)<br/>    origin_request_policy_id     = optional(string)<br/>    origin_request_policy_name   = optional(string) # convenience variable to lookup<br/>    path_pattern                 = string<br/>    realtime_log_config_arn      = optional(string)<br/>    response_headers_policy_id   = optional(string)<br/>    response_headers_policy_name = optional(string) # convenience variable to lookup<br/>    smooth_streaming             = optional(bool)<br/>    target_origin_id             = string<br/>    trusted_key_groups           = optional(list(string))<br/>    trusted_signers              = optional(list(string))<br/>    viewer_protocol_policy       = string<br/>    grpc_config = optional(object({<br/>      enabled = bool<br/>    }))<br/>  }))</pre> | `[]` | no |
+| <a name="input_origin"></a> [origin](#input\_origin) | One or more origins for this distribution (multiples allowed). | <pre>map(object({<br/>    connection_attempts = optional(number)<br/>    connection_timeout  = optional(number)<br/>    custom_origin_config = optional(object({<br/>      http_port                = number<br/>      https_port               = number<br/>      origin_protocol_policy   = string<br/>      origin_ssl_protocols     = list(string)<br/>      origin_keepalive_timeout = optional(number)<br/>      origin_read_timeout      = optional(number)<br/>    }))<br/>    domain_name = string<br/>    custom_header = optional(list(object({<br/>      name  = string<br/>      value = string<br/>    })), [])<br/>    origin_access_control_id = optional(string)<br/>    origin_id                = optional(string) # If not provided, map key is used.<br/>    origin_path              = optional(string)<br/>    origin_shield = optional(object({<br/>      enabled              = bool<br/>      origin_shield_region = optional(string)<br/>    }))<br/>    s3_origin_config = optional(object({<br/>      origin_access_identity = string<br/>    }))<br/>    vpc_origin_config = optional(object({<br/>      origin_keepalive_timeout = optional(number)<br/>      origin_read_timeout      = optional(number)<br/>      vpc_origin_id            = optional(string) # If not provided, uses aws_cloudfront_vpc_origin.this[this.vpc_origin].id<br/>      vpc_origin               = optional(string) # Custom parameter to lookup against aws_cloudfront_vpc_origin.this<br/>    }))<br/>  }))</pre> | `{}` | no |
 | <a name="input_origin_access_control"></a> [origin\_access\_control](#input\_origin\_access\_control) | Map of CloudFront origin access control | <pre>map(object({<br/>    name             = optional(string)<br/>    description      = string<br/>    origin_type      = string<br/>    signing_behavior = string<br/>    signing_protocol = string<br/>  }))</pre> | <pre>{<br/>  "s3": {<br/>    "description": "",<br/>    "origin_type": "s3",<br/>    "signing_behavior": "always",<br/>    "signing_protocol": "sigv4"<br/>  }<br/>}</pre> | no |
 | <a name="input_origin_access_identities"></a> [origin\_access\_identities](#input\_origin\_access\_identities) | Map of CloudFront origin access identities (value as a comment) | `map(string)` | `{}` | no |
 | <a name="input_origin_group"></a> [origin\_group](#input\_origin\_group) | One or more origin\_group for this distribution (multiples allowed). | `any` | `{}` | no |
diff --git a/main.tf b/main.tf
index f773d7e..03654b6 100644
--- a/main.tf
+++ b/main.tf
@@ -81,36 +81,26 @@ resource "aws_cloudfront_distribution" "this" {
     for_each = var.origin
 
     content {
-      domain_name              = origin.value.domain_name
-      origin_id                = lookup(origin.value, "origin_id", origin.key)
-      origin_path              = lookup(origin.value, "origin_path", "")
-      connection_attempts      = lookup(origin.value, "connection_attempts", null)
-      connection_timeout       = lookup(origin.value, "connection_timeout", null)
-      origin_access_control_id = lookup(origin.value, "origin_access_control_id", lookup(lookup(aws_cloudfront_origin_access_control.this, lookup(origin.value, "origin_access_control", ""), {}), "id", null))
-
-      dynamic "s3_origin_config" {
-        for_each = length(keys(lookup(origin.value, "s3_origin_config", {}))) == 0 ? [] : [lookup(origin.value, "s3_origin_config", {})]
-
-        content {
-          origin_access_identity = lookup(s3_origin_config.value, "cloudfront_access_identity_path", lookup(lookup(aws_cloudfront_origin_access_identity.this, lookup(s3_origin_config.value, "origin_access_identity", ""), {}), "cloudfront_access_identity_path", null))
-        }
-      }
+      connection_attempts = origin.value.connection_attempts
+      connection_timeout  = origin.value.connection_timeout
 
       dynamic "custom_origin_config" {
-        for_each = length(lookup(origin.value, "custom_origin_config", "")) == 0 ? [] : [lookup(origin.value, "custom_origin_config", "")]
+        for_each = origin.value.custom_origin_config != null ? [origin.value.custom_origin_config] : []
 
         content {
           http_port                = custom_origin_config.value.http_port
           https_port               = custom_origin_config.value.https_port
           origin_protocol_policy   = custom_origin_config.value.origin_protocol_policy
           origin_ssl_protocols     = custom_origin_config.value.origin_ssl_protocols
-          origin_keepalive_timeout = lookup(custom_origin_config.value, "origin_keepalive_timeout", null)
-          origin_read_timeout      = lookup(custom_origin_config.value, "origin_read_timeout", null)
+          origin_keepalive_timeout = custom_origin_config.value.origin_keepalive_timeout
+          origin_read_timeout      = custom_origin_config.value.origin_read_timeout
         }
       }
 
+      domain_name = origin.value.domain_name
+
       dynamic "custom_header" {
-        for_each = lookup(origin.value, "custom_header", [])
+        for_each = origin.value.custom_header
 
         content {
           name  = custom_header.value.name
@@ -118,8 +108,12 @@ resource "aws_cloudfront_distribution" "this" {
         }
       }
 
+      origin_access_control_id = origin.value.origin_access_control_id
+      origin_id                = coalesce(origin.value.origin_id, origin.key)
+      origin_path              = origin.value.origin_path
+
       dynamic "origin_shield" {
-        for_each = length(keys(lookup(origin.value, "origin_shield", {}))) == 0 ? [] : [lookup(origin.value, "origin_shield", {})]
+        for_each = origin.value.origin_shield != null ? [origin.value.origin_shield] : []
 
         content {
           enabled              = origin_shield.value.enabled
@@ -127,13 +121,22 @@ resource "aws_cloudfront_distribution" "this" {
         }
       }
 
+      dynamic "s3_origin_config" {
+        for_each = origin.value.s3_origin_config != null ? [origin.value.s3_origin_config] : []
+
+        content {
+          origin_access_identity = s3_origin_config.value.origin_access_identity
+        }
+      }
+
       dynamic "vpc_origin_config" {
-        for_each = length(keys(lookup(origin.value, "vpc_origin_config", {}))) == 0 ? [] : [lookup(origin.value, "vpc_origin_config", {})]
+        for_each = origin.value.vpc_origin_config != null ? [origin.value.vpc_origin_config] : []
 
         content {
-          vpc_origin_id            = lookup(vpc_origin_config.value, "vpc_origin_id", lookup(lookup(aws_cloudfront_vpc_origin.this, lookup(vpc_origin_config.value, "vpc_origin", ""), {}), "id", null))
-          origin_keepalive_timeout = lookup(vpc_origin_config.value, "origin_keepalive_timeout", null)
-          origin_read_timeout      = lookup(vpc_origin_config.value, "origin_read_timeout", null)
+          vpc_origin_id = coalesce(vpc_origin_config.value.vpc_origin_id,
+          aws_cloudfront_vpc_origin.this[vpc_origin_config.value.vpc_origin].id)
+          origin_keepalive_timeout = vpc_origin_config.value.origin_keepalive_timeout
+          origin_read_timeout      = vpc_origin_config.value.origin_read_timeout
         }
       }
     }
@@ -159,132 +162,119 @@ resource "aws_cloudfront_distribution" "this" {
     }
   }
 
-  dynamic "default_cache_behavior" {
-    for_each = [var.default_cache_behavior]
-    iterator = i
+  default_cache_behavior {
+    allowed_methods = var.default_cache_behavior.allowed_methods
+    cached_methods  = var.default_cache_behavior.cached_methods
+    cache_policy_id = try(
+      data.aws_cloudfront_cache_policy.this[var.default_cache_behavior.cache_policy_name].id,
+      var.default_cache_behavior.cache_policy_id
+    )
+    compress                  = var.default_cache_behavior.compress
+    default_ttl               = var.default_cache_behavior.default_ttl
+    field_level_encryption_id = var.default_cache_behavior.field_level_encryption_id
 
-    content {
-      target_origin_id       = i.value["target_origin_id"]
-      viewer_protocol_policy = i.value["viewer_protocol_policy"]
-
-      allowed_methods           = lookup(i.value, "allowed_methods", ["GET", "HEAD", "OPTIONS"])
-      cached_methods            = lookup(i.value, "cached_methods", ["GET", "HEAD"])
-      compress                  = lookup(i.value, "compress", null)
-      field_level_encryption_id = lookup(i.value, "field_level_encryption_id", null)
-      smooth_streaming          = lookup(i.value, "smooth_streaming", null)
-      trusted_signers           = lookup(i.value, "trusted_signers", null)
-      trusted_key_groups        = lookup(i.value, "trusted_key_groups", null)
-
-      cache_policy_id            = try(i.value.cache_policy_id, data.aws_cloudfront_cache_policy.this[i.value.cache_policy_name].id, null)
-      origin_request_policy_id   = try(i.value.origin_request_policy_id, data.aws_cloudfront_origin_request_policy.this[i.value.origin_request_policy_name].id, null)
-      response_headers_policy_id = try(i.value.response_headers_policy_id, data.aws_cloudfront_response_headers_policy.this[i.value.response_headers_policy_name].id, null)
-
-      realtime_log_config_arn = lookup(i.value, "realtime_log_config_arn", null)
-
-      min_ttl     = lookup(i.value, "min_ttl", null)
-      default_ttl = lookup(i.value, "default_ttl", null)
-      max_ttl     = lookup(i.value, "max_ttl", null)
-
-      dynamic "forwarded_values" {
-        for_each = lookup(i.value, "use_forwarded_values", true) ? [true] : []
+    dynamic "forwarded_values" {
+      for_each = var.default_cache_behavior.forwarded_values != null ? [var.default_cache_behavior.forwarded_values] : []
 
-        content {
-          query_string            = lookup(i.value, "query_string", false)
-          query_string_cache_keys = lookup(i.value, "query_string_cache_keys", [])
-          headers                 = lookup(i.value, "headers", [])
-
-          cookies {
-            forward           = lookup(i.value, "cookies_forward", "none")
-            whitelisted_names = lookup(i.value, "cookies_whitelisted_names", null)
-          }
+      content {
+        cookies {
+          forward           = forwarded_values.value.cookies.forward
+          whitelisted_names = forwarded_values.value.cookies.whitelisted_names
         }
+        headers                 = forwarded_values.value.headers
+        query_string            = forwarded_values.value.query_string
+        query_string_cache_keys = forwarded_values.value.query_string_cache_keys
       }
+    }
 
-      dynamic "lambda_function_association" {
-        for_each = lookup(i.value, "lambda_function_association", [])
-        iterator = l
+    dynamic "lambda_function_association" {
+      for_each = var.default_cache_behavior.lambda_function_association
 
-        content {
-          event_type   = l.key
-          lambda_arn   = l.value.lambda_arn
-          include_body = lookup(l.value, "include_body", null)
-        }
+      content {
+        event_type   = lambda_function_association.key
+        lambda_arn   = lambda_function_association.value.lambda_arn
+        include_body = lambda_function_association.value.include_body
       }
+    }
 
-      dynamic "function_association" {
-        for_each = lookup(i.value, "function_association", [])
-        iterator = f
+    dynamic "function_association" {
+      for_each = var.default_cache_behavior.function_association
 
-        content {
-          event_type   = f.key
-          function_arn = f.value.function_arn
-        }
+      content {
+        event_type   = function_association.key
+        function_arn = function_association.value.function_arn
       }
+    }
 
-      dynamic "grpc_config" {
-        for_each = try([i.value.grpc_config], [])
-        content {
-          enabled = grpc_config.value.enabled
-        }
+    max_ttl = var.default_cache_behavior.max_ttl
+    min_ttl = var.default_cache_behavior.min_ttl
+    origin_request_policy_id = try(
+      data.aws_cloudfront_origin_request_policy.this[var.default_cache_behavior.origin_request_policy_name].id,
+      var.default_cache_behavior.origin_request_policy_id
+    )
+    realtime_log_config_arn = var.default_cache_behavior.realtime_log_config_arn
+    response_headers_policy_id = try(
+      data.aws_cloudfront_response_headers_policy.this[var.default_cache_behavior.response_headers_policy_name].id,
+      var.default_cache_behavior.response_headers_policy_id
+    )
+    smooth_streaming       = var.default_cache_behavior.smooth_streaming
+    target_origin_id       = var.default_cache_behavior.target_origin_id
+    trusted_key_groups     = var.default_cache_behavior.trusted_key_groups
+    trusted_signers        = var.default_cache_behavior.trusted_signers
+    viewer_protocol_policy = var.default_cache_behavior.viewer_protocol_policy
+
+    dynamic "grpc_config" {
+      for_each = var.default_cache_behavior.grpc_config != null ? [var.default_cache_behavior.grpc_config] : []
+
+      content {
+        enabled = grpc_config.value.enabled
       }
     }
   }
 
+
   dynamic "ordered_cache_behavior" {
     for_each = var.ordered_cache_behavior
     iterator = i
 
     content {
-      path_pattern           = i.value["path_pattern"]
-      target_origin_id       = i.value["target_origin_id"]
-      viewer_protocol_policy = i.value["viewer_protocol_policy"]
-
-      allowed_methods           = lookup(i.value, "allowed_methods", ["GET", "HEAD", "OPTIONS"])
-      cached_methods            = lookup(i.value, "cached_methods", ["GET", "HEAD"])
-      compress                  = lookup(i.value, "compress", null)
-      field_level_encryption_id = lookup(i.value, "field_level_encryption_id", null)
-      smooth_streaming          = lookup(i.value, "smooth_streaming", null)
-      trusted_signers           = lookup(i.value, "trusted_signers", null)
-      trusted_key_groups        = lookup(i.value, "trusted_key_groups", null)
-
-      cache_policy_id            = try(i.value.cache_policy_id, data.aws_cloudfront_cache_policy.this[i.value.cache_policy_name].id, null)
-      origin_request_policy_id   = try(i.value.origin_request_policy_id, data.aws_cloudfront_origin_request_policy.this[i.value.origin_request_policy_name].id, null)
-      response_headers_policy_id = try(i.value.response_headers_policy_id, data.aws_cloudfront_response_headers_policy.this[i.value.response_headers_policy_name].id, null)
-
-      realtime_log_config_arn = lookup(i.value, "realtime_log_config_arn", null)
-
-      min_ttl     = lookup(i.value, "min_ttl", null)
-      default_ttl = lookup(i.value, "default_ttl", null)
-      max_ttl     = lookup(i.value, "max_ttl", null)
+      allowed_methods = i.value.allowed_methods
+      cached_methods  = i.value.cached_methods
+      cache_policy_id = try(
+        data.aws_cloudfront_cache_policy.this[i.value.cache_policy_name].id,
+        i.value.cache_policy_id
+      )
+      compress                  = i.value.compress
+      default_ttl               = i.value.default_ttl
+      field_level_encryption_id = i.value.field_level_encryption_id
 
       dynamic "forwarded_values" {
-        for_each = lookup(i.value, "use_forwarded_values", true) ? [true] : []
+        for_each = i.value.forwarded_values != null ? [i.value.forwarded_values] : []
 
         content {
-          query_string            = lookup(i.value, "query_string", false)
-          query_string_cache_keys = lookup(i.value, "query_string_cache_keys", [])
-          headers                 = lookup(i.value, "headers", [])
-
           cookies {
-            forward           = lookup(i.value, "cookies_forward", "none")
-            whitelisted_names = lookup(i.value, "cookies_whitelisted_names", null)
+            forward           = i.value.cookies_forward
+            whitelisted_names = i.value.cookies_whitelisted_names
           }
+          headers                 = i.value.headers
+          query_string            = i.value.query_string
+          query_string_cache_keys = i.value.query_string_cache_keys
         }
       }
 
       dynamic "lambda_function_association" {
-        for_each = lookup(i.value, "lambda_function_association", [])
+        for_each = i.value.lambda_function_association
         iterator = l
 
         content {
           event_type   = l.key
           lambda_arn   = l.value.lambda_arn
-          include_body = lookup(l.value, "include_body", null)
+          include_body = l.value.include_body
         }
       }
 
       dynamic "function_association" {
-        for_each = lookup(i.value, "function_association", [])
+        for_each = i.value.function_association
         iterator = f
 
         content {
@@ -293,8 +283,27 @@ resource "aws_cloudfront_distribution" "this" {
         }
       }
 
+      max_ttl = i.value.max_ttl
+      min_ttl = i.value.min_ttl
+      origin_request_policy_id = try(
+        data.aws_cloudfront_origin_request_policy.this[i.value.origin_request_policy_name].id,
+        i.value.origin_request_policy_id
+      )
+      path_pattern            = i.value.path_pattern
+      realtime_log_config_arn = i.value.realtime_log_config_arn
+      response_headers_policy_id = try(
+        data.aws_cloudfront_response_headers_policy.this[i.value.response_headers_policy_name].id,
+        i.value.response_headers_policy_id
+      )
+      smooth_streaming       = i.value.smooth_streaming
+      target_origin_id       = i.value.target_origin_id
+      trusted_key_groups     = i.value.trusted_key_groups
+      trusted_signers        = i.value.trusted_signers
+      viewer_protocol_policy = i.value.viewer_protocol_policy
+
       dynamic "grpc_config" {
-        for_each = try([i.value.grpc_config], [])
+        for_each = i.value.grpc_config != null ? [i.value.grpc_config] : []
+
         content {
           enabled = grpc_config.value.enabled
         }
@@ -312,7 +321,9 @@ resource "aws_cloudfront_distribution" "this" {
   }
 
   dynamic "custom_error_response" {
-    for_each = length(flatten([var.custom_error_response])[0]) > 0 ? flatten([var.custom_error_response]) : []
+    for_each = length(
+      flatten([var.custom_error_response])[0]) > 0 ? flatten([var.custom_error_response]
+    ) : []
 
     content {
       error_code = custom_error_response.value["error_code"]
@@ -348,19 +359,28 @@ resource "aws_cloudfront_monitoring_subscription" "this" {
 }
 
 data "aws_cloudfront_cache_policy" "this" {
-  for_each = toset([for v in concat([var.default_cache_behavior], var.ordered_cache_behavior) : v.cache_policy_name if can(v.cache_policy_name)])
+  for_each = toset([
+    for v in concat([var.default_cache_behavior], var.ordered_cache_behavior) :
+    v.cache_policy_name if can(v.cache_policy_name) && v.cache_policy_name != null
+  ])
 
   name = each.key
 }
 
 data "aws_cloudfront_origin_request_policy" "this" {
-  for_each = toset([for v in concat([var.default_cache_behavior], var.ordered_cache_behavior) : v.origin_request_policy_name if can(v.origin_request_policy_name)])
+  for_each = toset([
+    for v in concat([var.default_cache_behavior], var.ordered_cache_behavior) :
+    v.origin_request_policy_name if can(v.origin_request_policy_name) && v.origin_request_policy_name != null
+  ])
 
   name = each.key
 }
 
 data "aws_cloudfront_response_headers_policy" "this" {
-  for_each = toset([for v in concat([var.default_cache_behavior], var.ordered_cache_behavior) : v.response_headers_policy_name if can(v.response_headers_policy_name)])
+  for_each = toset([
+    for v in concat([var.default_cache_behavior], var.ordered_cache_behavior) :
+    v.response_headers_policy_name if can(v.response_headers_policy_name) && v.response_headers_policy_name != null
+  ])
 
   name = each.key
 }
diff --git a/variables.tf b/variables.tf
index afeec33..f0d25af 100644
--- a/variables.tf
+++ b/variables.tf
@@ -122,8 +122,40 @@ variable "tags" {
 
 variable "origin" {
   description = "One or more origins for this distribution (multiples allowed)."
-  type        = any
-  default     = null
+  type = map(object({
+    connection_attempts = optional(number)
+    connection_timeout  = optional(number)
+    custom_origin_config = optional(object({
+      http_port                = number
+      https_port               = number
+      origin_protocol_policy   = string
+      origin_ssl_protocols     = list(string)
+      origin_keepalive_timeout = optional(number)
+      origin_read_timeout      = optional(number)
+    }))
+    domain_name = string
+    custom_header = optional(list(object({
+      name  = string
+      value = string
+    })), [])
+    origin_access_control_id = optional(string)
+    origin_id                = optional(string) # If not provided, map key is used.
+    origin_path              = optional(string)
+    origin_shield = optional(object({
+      enabled              = bool
+      origin_shield_region = optional(string)
+    }))
+    s3_origin_config = optional(object({
+      origin_access_identity = string
+    }))
+    vpc_origin_config = optional(object({
+      origin_keepalive_timeout = optional(number)
+      origin_read_timeout      = optional(number)
+      vpc_origin_id            = optional(string) # If not provided, uses aws_cloudfront_vpc_origin.this[this.vpc_origin].id
+      vpc_origin               = optional(string) # Custom parameter to lookup against aws_cloudfront_vpc_origin.this
+    }))
+  }))
+  default = {}
 }
 
 variable "origin_group" {
@@ -161,14 +193,96 @@ variable "custom_error_response" {
 
 variable "default_cache_behavior" {
   description = "The default cache behavior for this distribution"
-  type        = any
-  default     = null
+  type = object({
+    allowed_methods           = list(string)
+    cached_methods            = list(string)
+    cache_policy_id           = optional(string)
+    cache_policy_name         = optional(string) # convenience variable to lookup
+    compress                  = optional(bool)
+    default_ttl               = optional(number)
+    field_level_encryption_id = optional(string)
+    forwarded_values = optional(object({
+      cookies = object({
+        forward           = string
+        whitelisted_names = optional(list(string))
+      })
+      headers                 = optional(list(string))
+      query_string            = bool
+      query_string_cache_keys = optional(list(string))
+    }))
+    lambda_function_association = optional(map(object({
+      # event_type = map key
+      lambda_arn   = string
+      include_body = optional(bool)
+    })), {})
+    function_association = optional(map(object({
+      # event_type = map key
+      function_arn = string
+    })), {})
+    max_ttl                      = optional(number)
+    min_ttl                      = optional(number)
+    origin_request_policy_id     = optional(string)
+    origin_request_policy_name   = optional(string) # convenience variable to lookup
+    realtime_log_config_arn      = optional(string)
+    response_headers_policy_id   = optional(string)
+    response_headers_policy_name = optional(string) # convenience variable to lookup
+    smooth_streaming             = optional(bool)
+    target_origin_id             = string
+    trusted_key_groups           = optional(list(string))
+    trusted_signers              = optional(list(string))
+    viewer_protocol_policy       = string
+    grpc_config = optional(object({
+      enabled = bool
+    }))
+  })
 }
 
 variable "ordered_cache_behavior" {
   description = "An ordered list of cache behaviors resource for this distribution. List from top to bottom in order of precedence. The topmost cache behavior will have precedence 0."
-  type        = any
-  default     = []
+  type = list(object({
+    allowed_methods           = list(string)
+    cached_methods            = list(string)
+    cache_policy_id           = optional(string)
+    cache_policy_name         = optional(string) # convenience variable to lookup
+    compress                  = optional(bool)
+    default_ttl               = optional(number)
+    field_level_encryption_id = optional(string)
+    forwarded_values = optional(object({
+      cookies = object({
+        forward           = string
+        whitelisted_names = optional(list(string))
+      })
+      headers                 = optional(list(string))
+      query_string            = bool
+      query_string_cache_keys = optional(list(string))
+    }))
+    lambda_function_association = optional(map(object({
+      # event_type = map key
+      lambda_arn   = string
+      include_body = optional(bool)
+    })), {})
+    function_association = optional(map(object({
+      # event_type = map key
+      function_arn = string
+    })), {})
+    max_ttl                      = optional(number)
+    min_ttl                      = optional(number)
+    origin_request_policy_id     = optional(string)
+    origin_request_policy_name   = optional(string) # convenience variable to lookup
+    path_pattern                 = string
+    realtime_log_config_arn      = optional(string)
+    response_headers_policy_id   = optional(string)
+    response_headers_policy_name = optional(string) # convenience variable to lookup
+    smooth_streaming             = optional(bool)
+    target_origin_id             = string
+    trusted_key_groups           = optional(list(string))
+    trusted_signers              = optional(list(string))
+    viewer_protocol_policy       = string
+    grpc_config = optional(object({
+      enabled = bool
+    }))
+  }))
+  default = []
 }
 
 variable "create_monitoring_subscription" {
diff --git a/wrappers/main.tf b/wrappers/main.tf
index 750d27e..e75731f 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
@@ -12,7 +12,7 @@ module "wrapper" {
   create_origin_access_identity   = try(each.value.create_origin_access_identity, var.defaults.create_origin_access_identity, false)
   create_vpc_origin               = try(each.value.create_vpc_origin, var.defaults.create_vpc_origin, false)
   custom_error_response           = try(each.value.custom_error_response, var.defaults.custom_error_response, {})
-  default_cache_behavior          = try(each.value.default_cache_behavior, var.defaults.default_cache_behavior, null)
+  default_cache_behavior          = try(each.value.default_cache_behavior, var.defaults.default_cache_behavior)
   default_root_object             = try(each.value.default_root_object, var.defaults.default_root_object, null)
   enabled                         = try(each.value.enabled, var.defaults.enabled, true)
   geo_restriction                 = try(each.value.geo_restriction, var.defaults.geo_restriction, {})
@@ -20,7 +20,7 @@ module "wrapper" {
   is_ipv6_enabled                 = try(each.value.is_ipv6_enabled, var.defaults.is_ipv6_enabled, null)
   logging_config                  = try(each.value.logging_config, var.defaults.logging_config, {})
   ordered_cache_behavior          = try(each.value.ordered_cache_behavior, var.defaults.ordered_cache_behavior, [])
-  origin                          = try(each.value.origin, var.defaults.origin, null)
+  origin                          = try(each.value.origin, var.defaults.origin, {})
   origin_access_control = try(each.value.origin_access_control, var.defaults.origin_access_control, {
     s3 = {
       description      = "",