-
Notifications
You must be signed in to change notification settings - Fork 4
/
cloudfront.tf
208 lines (173 loc) · 6.29 KB
/
cloudfront.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
#####################################################################################
# CLOUDFRONT
#####################################################################################
module "runtask_cloudfront" {
depends_on = [time_sleep.wait_1800_seconds]
#checkov:skip=CKV2_AWS_42:custom domain name is optional
count = local.waf_deployment
source = "terraform-aws-modules/cloudfront/aws"
version = "3.4.0"
comment = "CloudFront for run task integration: ${local.solution_prefix}"
enabled = true
price_class = "PriceClass_100"
retain_on_delete = false
wait_for_deployment = true
web_acl_id = aws_wafv2_web_acl.runtask_waf[count.index].arn
create_origin_access_control = true
origin_access_control = {
lambda_oac = {
description = "CloudFront OAC to Lambda"
origin_type = "lambda"
signing_behavior = "always"
signing_protocol = "sigv4"
}
}
origin = {
runtask_eventbridge = {
domain_name = split("/", aws_lambda_function_url.runtask_eventbridge.function_url)[2]
custom_origin_config = {
http_port = 80
https_port = 443
origin_protocol_policy = "https-only"
origin_ssl_protocols = ["TLSv1.2"]
}
origin_access_control = "lambda_oac"
custom_header = var.deploy_waf ? [local.cloudfront_custom_header] : null
}
}
default_cache_behavior = {
target_origin_id = "runtask_eventbridge"
viewer_protocol_policy = "https-only"
#SecurityHeadersPolicy: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-response-headers-policies.html#managed-response-headers-policies-security
response_headers_policy_id = "67f7725c-6f97-4210-82d7-5512b31e9d03"
# caching disabled: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html#managed-cache-policy-caching-disabled
cache_policy_id = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"
origin_request_policy_id = aws_cloudfront_origin_request_policy.runtask_cloudfront[count.index].id
use_forwarded_values = false
allowed_methods = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
lambda_function_association = {
# This function will append header x-amz-content-sha256 to allow OAC to authenticate with Lambda Function URL
viewer-request = {
lambda_arn = aws_lambda_function.runtask_edge.qualified_arn
include_body = true
}
}
}
viewer_certificate = {
cloudfront_default_certificate = true
minimum_protocol_version = "TLSv1" # change it to TLSv1.2_2021
}
tags = local.combined_tags
}
resource "aws_cloudfront_origin_request_policy" "runtask_cloudfront" {
count = local.waf_deployment
name = "${local.solution_prefix}-runtask_cloudfront_origin_request_policy"
comment = "Forward all request headers except host"
cookies_config {
cookie_behavior = "all"
}
headers_config {
header_behavior = "whitelist"
headers {
items = [
"x-tfc-task-signature",
"content-type",
"user-agent",
"x-amzn-trace-id"
]
}
}
query_strings_config {
query_string_behavior = "all"
}
}
resource "time_sleep" "wait_1800_seconds" {
# wait for CloudFront Lambda@Edge removal that can take up to 30 mins / 1800s
# before deleting the Lambda function
depends_on = [aws_lambda_function.runtask_edge]
destroy_duration = "1800s"
}
#####################################################################################
# WAF (OPTIONAL BUT RECOMMENDED)
#####################################################################################
resource "aws_wafv2_web_acl" "runtask_waf" {
count = local.waf_deployment
provider = aws.cloudfront_waf
name = "${local.solution_prefix}-runtask_waf_acl"
description = "Run task WAF with simple rate base rules"
scope = "CLOUDFRONT"
default_action {
allow {}
}
rule {
name = "rate-base-limit"
priority = 1
action {
block {}
}
statement {
rate_based_statement {
limit = local.waf_rate_limit
aggregate_key_type = "IP"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "${local.solution_prefix}-runtask_request_rate"
sampled_requests_enabled = true
}
}
dynamic "rule" {
for_each = var.waf_managed_rule_set
content {
name = rule.value.name
priority = rule.value.priority
override_action {
none {}
}
statement {
managed_rule_group_statement {
name = rule.value.name
vendor_name = rule.value.vendor_name
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "${local.solution_prefix}-runtask_request_${rule.value.metric_suffix}"
sampled_requests_enabled = true
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "${local.solution_prefix}-runtask_waf_acl"
sampled_requests_enabled = true
}
tags = local.combined_tags
}
resource "aws_cloudwatch_log_group" "runtask_waf" {
count = local.waf_deployment
provider = aws.cloudfront_waf
name = "aws-waf-logs-${local.solution_prefix}-runtask_waf_acl"
retention_in_days = var.cloudwatch_log_group_retention
kms_key_id = aws_kms_key.runtask_waf[count.index].arn
tags = local.combined_tags
}
resource "aws_cloudwatch_log_resource_policy" "runtask_waf" {
count = local.waf_deployment
provider = aws.cloudfront_waf
policy_document = data.aws_iam_policy_document.runtask_waf_log[count.index].json
policy_name = "aws-waf-logs-${local.solution_prefix}-runtask_waf_acl"
}
resource "aws_wafv2_web_acl_logging_configuration" "runtask_waf" {
count = local.waf_deployment
provider = aws.cloudfront_waf
log_destination_configs = [aws_cloudwatch_log_group.runtask_waf[count.index].arn]
resource_arn = aws_wafv2_web_acl.runtask_waf[count.index].arn
redacted_fields {
single_header {
name = "x-tfc-task-signature"
}
}
}