Manage S3 CORS headers in Terraform and add them for production #1352

Closed
1 of 2 tasks
tadhg-ohiggins opened this issue Jun 27, 2023 · 7 comments · Fixed by #4115
@tadhg-ohiggins

tadhg-ohiggins commented Jun 27, 2023

Background

We manually added the required CORS headers to the S3 buckets for fac-dev.app.cloud.gov and fac-staging.app.cloud.gov but should manage this with Terraform.

WE DID NOT DO THIS FOR THE PRODUCTION ENVIRONMENT. So that still needs to be set up, preferably by the Terraform process that will cover all of the environments.

We used this command to set the CORS headers:

aws s3api put-bucket-cors --bucket [BUCKET_NAME] --cors-configuration file://cors.json

where [BUCKET_NAME] is the name of the bucket for that environment. The contents of cors.json were:

{
   "CORSRules": [
      {
         "AllowedHeaders": [
            "Authorization"
         ],
         "AllowedMethods": [
            "HEAD",
            "GET"
         ],
         "AllowedOrigins": [
            "https://[ENV_DOMAIN]"
         ],
         "ExposeHeaders": [
            "ETag"
         ]
      }
   ]
}

where [ENV_DOMAIN] was fac-dev.app.cloud.gov for dev and fac-staging.app.cloud.gov for staging.

For reference, the commands for this are included below:

SERVICE_INSTANCE_NAME=fac-public-s3;
KEY_NAME=fac-public-s3-key;
cf create-service-key "${SERVICE_INSTANCE_NAME}" "${KEY_NAME}";
S3_CREDENTIALS=`cf service-key "${SERVICE_INSTANCE_NAME}" "${KEY_NAME}" | tail -n +2`;
export AWS_ACCESS_KEY_ID=`echo "${S3_CREDENTIALS}" | jq -r .access_key_id`;
export AWS_SECRET_ACCESS_KEY=`echo "${S3_CREDENTIALS}" | jq -r .secret_access_key`;
export BUCKET_NAME=`echo "${S3_CREDENTIALS}" | jq -r .bucket`;
export AWS_DEFAULT_REGION=`echo "${S3_CREDENTIALS}" | jq -r '.region'`;
echo $BUCKET_NAME;
aws s3api put-bucket-cors --bucket $BUCKET_NAME --cors-configuration file://cors.json;
aws s3api get-bucket-cors --bucket $BUCKET_NAME;
cf delete-service-key "${SERVICE_INSTANCE_NAME}" "${KEY_NAME}";

Acceptance Criteria (We'll know we're done when...)

  • Setting the CORS headers for the S3 buckets for each environment is handled by Terraform.
  • The CORS headers have been set for the S3 bucket for the production environment.
@tadhg-ohiggins

Also, we had to manually run cf bind-service for the private S3 bucket for both dev and staging, that should also probably be handled by terraform? Do we need a separate ticket for that?

@mogul

mogul commented Jun 29, 2023

> Also, we had to manually run cf bind-service for the private S3 bucket for both dev and staging, that should also probably be handled by terraform? Do we need a separate ticket for that?

We should specify that in the application manifest, as we do for the public bucket.

@tadhg-ohiggins

tadhg-ohiggins commented Jun 30, 2023

> > Also, we had to manually run cf bind-service for the private S3 bucket for both dev and staging, that should also probably be handled by terraform? Do we need a separate ticket for that?
>
> We should specify that in the application manifest, as we do for the public bucket.

@mogul I added that here: #1374

@jadudm jadudm added this to the Preview testing milestone Jul 20, 2023
@mogul

mogul commented Jul 27, 2023

Noting for later: We would do this by having a null_resource with a local-exec provisioner call a local script that basically performs the commands Tadhg listed. The null_resource will need a depends_on for the module that creates the S3 bucket.
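
Added example, not part of the thread or the project's code: one form the local script called by such a provisioner could take, reusing the commands and CORS rule from the issue description. The `render_cors` and `apply_cors` names, the `--apply` switch and the `-f` flag on `cf delete-service-key` are assumptions of this example; the trap removes the temporary service key even when a step fails, and the subshell keeps the exported credentials out of the caller's environment.

```shell
#!/bin/sh
# Added example, not the project's script. apply_cors needs cf, aws and jq;
# render_cors is pure shell and runs offline.
SERVICE_INSTANCE_NAME=fac-public-s3
KEY_NAME=fac-public-s3-key

# Print the CORS document for one environment domain. Only a bare hostname
# is accepted, so "*" or a scheme-prefixed value never reaches AllowedOrigins.
render_cors() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*) echo "invalid domain: $1" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "CORSRules": [
    {
      "AllowedHeaders": ["Authorization"],
      "AllowedMethods": ["HEAD", "GET"],
      "AllowedOrigins": ["https://$1"],
      "ExposeHeaders": ["ETag"]
    }
  ]
}
EOF
}

# Same steps as the commands in the issue, run in a subshell so the exported
# credentials and the EXIT trap are scoped to this one call.
apply_cors() (
  set -eu
  workdir=$(mktemp -d)
  # Delete the service key and temp files on any exit, success or failure.
  trap 'cf delete-service-key -f "$SERVICE_INSTANCE_NAME" "$KEY_NAME"; rm -rf "$workdir"' EXIT
  render_cors "$1" > "$workdir/cors.json"
  cf create-service-key "$SERVICE_INSTANCE_NAME" "$KEY_NAME"
  creds=$(cf service-key "$SERVICE_INSTANCE_NAME" "$KEY_NAME" | tail -n +2)
  AWS_ACCESS_KEY_ID=$(printf '%s' "$creds" | jq -r .access_key_id)
  AWS_SECRET_ACCESS_KEY=$(printf '%s' "$creds" | jq -r .secret_access_key)
  AWS_DEFAULT_REGION=$(printf '%s' "$creds" | jq -r .region)
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION
  bucket=$(printf '%s' "$creds" | jq -r .bucket)
  aws s3api put-bucket-cors --bucket "$bucket" --cors-configuration "file://$workdir/cors.json"
  aws s3api get-bucket-cors --bucket "$bucket"
)

# Runs only when asked, e.g.: sh set-cors.sh --apply fac-dev.app.cloud.gov
if [ "${1:-}" = "--apply" ]; then
  apply_cors "${2:-}"
fi
```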

@mogul mogul added the SHOULD label Jul 29, 2023
@jadudm jadudm added this to FAC Sep 13, 2023
@jadudm jadudm moved this to Backlog in FAC Sep 13, 2023
@jadudm jadudm removed this from the Preview testing milestone Sep 13, 2023
@jadudm

jadudm commented Nov 7, 2023

@tadhg-ohiggins , is this... debt? Something we should flag as revisit and come back to?

@tadhg-ohiggins

@jadudm No, this is something that appears to still be causing problems in production, or at least there are images failing to load that report CORS errors in the browser console, so I strongly suspect those are due to this not having been done.

@jadudm

jadudm commented Nov 30, 2023 via email

@danswick danswick moved this from Backlog to Available in FAC May 3, 2024
@asteel-gsa asteel-gsa self-assigned this Jul 25, 2024
@asteel-gsa asteel-gsa moved this from Backlog to In Progress in FAC Jul 25, 2024
@asteel-gsa asteel-gsa linked a pull request Jul 25, 2024 that will close this issue
14 tasks
@github-project-automation github-project-automation bot moved this from In Progress to Done in FAC Jul 26, 2024