cloudfront.tf
module "runtask_cloudfront" {
depends_on = [time_sleep.wait_1800_seconds]
#checkov:skip=CKV2_AWS_42:custom domain name is optional
count = local.waf_deployment
source = "terraform-aws-modules/cloudfront/aws"
version = "3.4.0"
comment = "CloudFront for RunTask integration: ${var.name_prefix}"
enabled = true
price_class = "PriceClass_100"
retain_on_delete = false
wait_for_deployment = true
web_acl_id = aws_wafv2_web_acl.runtask_waf[count.index].arn
create_origin_access_control = true
origin_access_control = {
lambda_oac_access_analyzer = {
description = "CloudFront OAC to Lambda AWS-IA Access Analyzer"
origin_type = "lambda"
signing_behavior = "always"
signing_protocol = "sigv4"
}
}
origin = {
runtask_eventbridge = {
domain_name = split("/", aws_lambda_function_url.runtask_eventbridge.function_url)[2]
custom_origin_config = {
http_port = 80
https_port = 443
origin_protocol_policy = "https-only"
origin_ssl_protocols = ["TLSv1"]
}
origin_access_control = "lambda_oac_access_analyzer"
custom_header = var.deploy_waf ? [local.cloudfront_custom_header] : null
}
}
default_cache_behavior = {
target_origin_id = "runtask_eventbridge"
viewer_protocol_policy = "https-only"
#SecurityHeadersPolicy: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-response-headers-policies.html#managed-response-headers-policies-security
response_headers_policy_id = "67f7725c-6f97-4210-82d7-5512b31e9d03"
# caching disabled: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html#managed-cache-policy-caching-disabled
cache_policy_id = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"
origin_request_policy_id = aws_cloudfront_origin_request_policy.runtask_cloudfront[count.index].id
use_forwarded_values = false
allowed_methods = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
lambda_function_association = {
# This function will append header x-amz-content-sha256 to allow OAC to authenticate with Lambda Function URL
viewer-request = {
lambda_arn = aws_lambda_function.runtask_edge.qualified_arn
include_body = true
}
}
}
viewer_certificate = {
cloudfront_default_certificate = true
minimum_protocol_version = "TLSv1"
}
tags = local.combined_tags
}
resource "aws_cloudfront_origin_request_policy" "runtask_cloudfront" {
count = local.waf_deployment
name = "${var.name_prefix}-runtask_cloudfront_origin_request_policy"
comment = "Forward all request headers except host"
cookies_config {
cookie_behavior = "all"
}
headers_config {
header_behavior = "whitelist"
headers {
items = [
"x-tfc-task-signature",
"content-type",
"user-agent",
"x-amzn-trace-id"
]
}
}
query_strings_config {
query_string_behavior = "all"
}
}
resource "time_sleep" "wait_1800_seconds" {
# wait for CloudFront Lambda@Edge removal that can take up to 30 mins / 1800s
# before deleting the Lambda function
depends_on = [aws_lambda_function.runtask_edge]
destroy_duration = "1800s"
}