Merge pull request #20 from DNXLabs/feature/dynamic_custom_error_resp…

…onse 🔧 Setup dynamic_custom_error_response
DNXLabs · Jul 3, 2023 · c014550 · c014550
2 parents bfb5090 + 57e5bea
commit c014550
Show file tree

Hide file tree

Showing 6 changed files with 85 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -63,6 +63,7 @@ If you have specified cloudfront_default_certificate, TLSv1 must be specified.
 | cloudfront\_origin\_read\_timeout | The amount of time, in seconds, that CloudFront waits for a response from a custom origin. The value applies both to the time that CloudFront waits for an initial response and the time that CloudFront waits for each subsequent packet. Valid values are from 4 to 60 seconds. | `number` | `30` | no |
 | cloudfront\_web\_acl\_id | Optional web acl (WAF) to attach to CloudFront | `string` | `""` | no |
 | cluster\_name | Name of existing ECS Cluster to deploy this app to | `any` | n/a | yes |
+| dynamic\_custom\_error\_response | One or more custom error response elements (multiples allowed) | <pre>list(object({<br>    error_code         = optional(number)<br>    response_code      = optional(number)<br>    response_page_path = optional(string)<br>  }))</pre> | `[]` | no |
 | dynamic\_custom\_origin\_config | Configuration for the custom origin config to be used in dynamic block | `any` | `[]` | no |
 | dynamic\_ordered\_cache\_behavior | Ordered Cache Behaviors to be used in dynamic block | `any` | `[]` | no |
 | hosted\_zone | Existing Hosted Zone domain to add hostnames as DNS records | `any` | n/a | yes |
@@ -83,6 +84,7 @@ If you have specified cloudfront_default_certificate, TLSv1 must be specified.
 
 | Name | Description |
 |------|-------------|
+| aws\_cloudfront\_origin\_access\_identity | Define cloudfront origin access identity |
 | cloudfront\_distribution\_hostname | The hostname of the CloudFront Distribution (use for DNS CNAME). |
 | cloudfront\_distribution\_id | The ID of the CloudFront Distribution. |
 | cloudfront\_zone\_id | The Zone ID of the CloudFront Distribution (use for DNS Alias). |

diff --git a/_data.tf b/_data.tf
@@ -1,3 +1,8 @@
 data "aws_iam_account_alias" "current" {
   count = var.alarm_prefix == "" ? 1 : 0
 }
+
+data "aws_s3_bucket" "selected" {
+  for_each = { for i in var.dynamic_custom_origin_config : i.origin_id => i if i.s3 }
+  bucket   = each.value.origin_id
+}
diff --git a/_outputs.tf b/_outputs.tf
@@ -12,3 +12,8 @@ output "cloudfront_zone_id" {
   description = "The Zone ID of the CloudFront Distribution (use for DNS Alias)."
   value       = aws_cloudfront_distribution.default.hosted_zone_id
 }
+
+output "aws_cloudfront_origin_access_identity" {
+  description = "Define cloudfront origin access identity"
+  value       = aws_cloudfront_origin_access_identity.default.*
+}
diff --git a/_variables.tf b/_variables.tf
@@ -10,6 +10,16 @@ variable "hostnames" {
   description = "Hostnames to create DNS record for this app that the cloudfront distribution will accept"
 }
 
+variable "dynamic_custom_error_response" {
+  description = "One or more custom error response elements (multiples allowed)"
+  type = list(object({
+    error_code         = optional(number)
+    response_code      = optional(number)
+    response_page_path = optional(string)
+  }))
+  default = []
+}
+
 variable "hostname_create" {
   description = "Create hostnames in the hosted zone passed?"
   default     = true

diff --git a/cloudfront.tf b/cloudfront.tf
@@ -1,3 +1,8 @@
+resource "aws_cloudfront_origin_access_identity" "default" {
+  for_each = { for i in var.dynamic_custom_origin_config : i.origin_id => i if i.s3 }
+  comment  = "${each.value.origin_id}-s3"
+}
+
 resource "aws_cloudfront_distribution" "default" {
   enabled             = true
   is_ipv6_enabled     = true
@@ -42,7 +47,6 @@ resource "aws_cloudfront_distribution" "default" {
       origin_keepalive_timeout = i.origin_keepalive_timeout
       origin_ssl_protocols     = lookup(i, "origin_ssl_protocols", ["SSLv3", "TLSv1.1", "TLSv1.2", "TLSv1"])
       custom_header            = lookup(i, "custom_header", null)
-      origin_access_identity   = lookup(i, "origin_access_identity", "")
     }]
 
     content {
@@ -66,10 +70,11 @@ resource "aws_cloudfront_distribution" "default" {
         value = var.alb_cloudfront_key
       }
 
+
       dynamic "s3_origin_config" {
         for_each = origin.value.s3 == true ? [1] : []
         content {
-          origin_access_identity = origin.value.origin_access_identity
+          origin_access_identity = aws_cloudfront_origin_access_identity.default[origin.value.origin_id].cloudfront_access_identity_path
         }
       }
 
@@ -163,6 +168,16 @@ resource "aws_cloudfront_distribution" "default" {
     minimum_protocol_version       = var.certificate_arn == null && var.iam_certificate_id == null ? "TLSv1.2_2018" : var.minimum_protocol_version
   }
 
+  dynamic "custom_error_response" {
+    for_each = var.dynamic_custom_error_response
+    iterator = error_response
+    content {
+      error_code         = error_response.value.error_code
+      response_code      = error_response.value.response_code
+      response_page_path = error_response.value.response_page_path
+    }
+  }
+
   restrictions {
     geo_restriction {
       restriction_type = var.restriction_type

diff --git a/s3-policy.tf b/s3-policy.tf
@@ -0,0 +1,46 @@
+data "aws_iam_policy_document" "s3_policy" {
+  for_each = { for i in var.dynamic_custom_origin_config : i.origin_id => i if i.s3 }
+
+  statement {
+    actions   = ["s3:GetObject"]
+    resources = ["${data.aws_s3_bucket.selected[each.value.origin_id].arn}/*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_cloudfront_origin_access_identity.default[each.value.origin_id].iam_arn]
+    }
+  }
+
+  statement {
+    actions   = ["s3:ListBucket"]
+    resources = [data.aws_s3_bucket.selected[each.value.origin_id].arn]
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_cloudfront_origin_access_identity.default[each.value.origin_id].iam_arn]
+    }
+  }
+
+  statement {
+    sid     = "ForceSSLOnlyAccess"
+    effect  = "Deny"
+    actions = ["s3:*"]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    resources = [data.aws_s3_bucket.selected[each.value.origin_id].arn, "${data.aws_s3_bucket.selected[each.value.origin_id].arn}/*"]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = [false]
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "s3" {
+  for_each = { for i in var.dynamic_custom_origin_config : i.origin_id => i if i.s3 }
+
+  bucket = each.value.origin_id
+  policy = data.aws_iam_policy_document.s3_policy[each.value.origin_id].json
+}