Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Allow the managed request policy to be specified. (GYR1-621) #16

Merged
merged 2 commits into from
Dec 4, 2024
Merged

feat: Allow the managed request policy to be specified. (GYR1-621) #16

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
649a201
feat: Allow the managed request policy to be specified.
jamesiarmes Dec 4, 2024
a45fc51
fix: Updated formatting.
jamesiarmes Dec 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 17 additions & 15 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,21 +50,22 @@ these rules are spaced out to allow for custom rules to be inserted between.
## Inputs


| Name | Description | Type | Default | Required |
|--------------------|-----------------------------------------------------------------------------------------------------|----------------|---------|----------|
| domain | Primary domain for the distribution. The hosted zone for this domain should be in the same account. | `string` | n/a | yes |
| log_bucket | Domain name of the S3 bucket to send logs to. | `string` | n/a | yes |
| log_group | CloudWatch log group to send WAF logs to. | `string` | n/a | yes |
| project | Project that these resources are supporting. | `string` | n/a | yes |
| [custom_headers] | Custom headers to send to the origin. | `map(string)` | `{}` | no |
| environment | The environment for the deployment. | `string` | `"dev"` | no |
| [ip_set_rules] | Custom IP Set rules for the WAF | `map(object)` | `{}` | no |
| [rate_limit_rules] | Rate limiting configuration for the WAF. | `map(object)` | `{}` | no |
| origin_domain | Fully qualified domain name for the origin. Defaults to `origin.${subdomain}.${domain}`. | `string` | n/a | no |
| passive | Enable passive mode for the WAF, counting all requests rather than blocking. | `bool` | `false` | no |
| subdomain | Subdomain for the distribution. Defaults to the environment. | `string` | n/a | no |
| tags | Optional tags to be applied to all resources. | `map(string)` | `{}` | no |
| [upload_paths] | Optional paths to allow uploads to. | `list(object)` | `[]` | no |
| Name | Description | Type | Default | Required |
|--------------------|---------------------------------------------------------------------------------------------------------------------------|----------------|---------------|----------|
| domain | Primary domain for the distribution. The hosted zone for this domain should be in the same account. | `string` | n/a | yes |
| log_bucket | Domain name of the S3 bucket to send logs to. | `string` | n/a | yes |
| log_group | CloudWatch log group to send WAF logs to. | `string` | n/a | yes |
| project | Project that these resources are supporting. | `string` | n/a | yes |
| [custom_headers] | Custom headers to send to the origin. | `map(string)` | `{}` | no |
| environment | The environment for the deployment. | `string` | `"dev"` | no |
| [ip_set_rules] | Custom IP Set rules for the WAF | `map(object)` | `{}` | no |
| [rate_limit_rules] | Rate limiting configuration for the WAF. | `map(object)` | `{}` | no |
| origin_domain | Fully qualified domain name for the origin. Defaults to `origin.${subdomain}.${domain}`. | `string` | n/a | no |
| passive | Enable passive mode for the WAF, counting all requests rather than blocking. | `bool` | `false` | no |
| request_policy | Managed request policy to associate with the distribution. See the [managed policies][managed-policies] for valid values. | `string` | `"AllViewer"` | no |
| subdomain | Subdomain for the distribution. Defaults to the environment. | `string` | n/a | no |
| tags | Optional tags to be applied to all resources. | `map(string)` | `{}` | no |
| [upload_paths] | Optional paths to allow uploads to. | `list(object)` | `[]` | no |

### custom_headers

Expand Down Expand Up @@ -236,6 +237,7 @@ module "cloudfront_waf" {
[ip-rules]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html
[ip_set_rules]: #ip_set_rules
[latest-release]: https://github.com/codeforamerica/tofu-modules-aws-cloudfront-waf/releases/latest
[managed-policies]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html
[rate_limit_rules]: #rate_limit_rules
[rules-common]: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-crs
[rules-inputs]: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs
Expand Down
2 changes: 1 addition & 1 deletion data.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
data "aws_cloudfront_origin_request_policy" "managed_cors" {
name = "Managed-CORS-CustomOrigin"
name = "Managed-${var.request_policy}"
}

data "aws_cloudfront_response_headers_policy" "managed_cors" {
Expand Down
41 changes: 30 additions & 11 deletions variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,17 @@ variable "environment" {
default = "dev"
}

variable "ip_set_rules" {
type = map(object({
name = optional(string, "")
action = optional(string, "allow")
priority = optional(number, null)
arn = string
}))
description = "Custom IP Set rules for the WAF."
default = {}
}

variable "log_bucket" {
type = string
description = "S3 Bucket to send logs to."
Expand Down Expand Up @@ -42,17 +53,6 @@ variable "project" {
description = "Project that these resources are supporting."
}

variable "ip_set_rules" {
type = map(object({
name = optional(string, "")
action = optional(string, "allow")
priority = optional(number, null)
arn = string
}))
description = "Custom IP Set rules for the WAF."
default = {}
}

variable "rate_limit_rules" {
type = map(object({
name = optional(string, "")
Expand All @@ -65,6 +65,25 @@ variable "rate_limit_rules" {
default = {}
}

variable "request_policy" {
type = string
description = "Managed request policy to associate with the distribution."
default = "AllViewer"

validation {
condition = contains([
"AllViewer",
"AllViewerAndCloudFrontHeaders-2022-06",
"AllViewerExceptHostHeader",
"CORS-CustomOrigin",
"CORS-S3Origin",
"Elemental-MediaTailor-PersonalizedManifests",
"UserAgentRefererHeaders"
], var.request_policy)
error_message = "Invalid request policy. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html"
}
}

variable "subdomain" {
type = string
description = "Subdomain for the distribution. Defaults to the environment."
Expand Down
Loading