dgrebb · dgrebb · Jan 13, 2024 · Jan 13, 2024 · Jan 13, 2024 · Jan 13, 2024
diff --git a/.github/workflows/test-lighthouse.yml b/.github/workflows/test-lighthouse.yml
@@ -78,8 +78,8 @@ jobs:
             undurl=$(echo "$u" | sed -E 's|https?://([^/]+)(/[^?#]*)?([?#]?.*)?|\2|;s|/+$||;s|/|_|g')
             automation_url="${u}?roboto"
             echo "Running Lighthouse on $u and writing report to ./$undurl"
-            pnpm lhgh $automation_url -- --output-path ./mobile_"$undurl"report.html --disable-extensions --force-prefers-reduced-motion
-            pnpm lhgh-d $automation_url -- --output-path ./desktop_"$undurl"report.html --disable-extensions --force-prefers-reduced-motion
+            pnpm lhgh $automation_url --output-path ./mobile_"$undurl"report.html --disable-extensions --force-prefers-reduced-motion
+            pnpm lhgh-d $automation_url --output-path ./desktop_"$undurl"report.html --disable-extensions --force-prefers-reduced-motion
           done <<<"$urls"
 
       - name: ⚓️ Drop Anchor

diff --git a/_ci/_utils/build.sh b/_ci/_utils/build.sh
@@ -2,6 +2,6 @@
 
 printf "\033[0;33mInstalling Node packages...\033[0m\n"
 cd front
-npm ci
+pnpm i
 printf "\033[0;32mBuilding...\033[0m\n"
-npm run build
+pnpm build
diff --git a/_ci/backstop/bd/bitmaps_reference/gh-stg/GithubSTG_CV_0_document_0_xs.png b/_ci/backstop/bd/bitmaps_reference/gh-stg/GithubSTG_CV_0_document_0_xs.png
diff --git a/_ci/backstop/bd/bitmaps_reference/gh-stg/GithubSTG_CV_0_document_1_sm.png b/_ci/backstop/bd/bitmaps_reference/gh-stg/GithubSTG_CV_0_document_1_sm.png
diff --git a/_ci/backstop/bd/bitmaps_reference/gh-stg/GithubSTG_CV_0_document_2_md.png b/_ci/backstop/bd/bitmaps_reference/gh-stg/GithubSTG_CV_0_document_2_md.png
diff --git a/_ci/backstop/bd/bitmaps_reference/gh-stg/GithubSTG_CV_0_document_3_lg.png b/_ci/backstop/bd/bitmaps_reference/gh-stg/GithubSTG_CV_0_document_3_lg.png
diff --git a/_ci/backstop/bd/bitmaps_reference/gh-stg/GithubSTG_CV_0_document_4_xl.png b/_ci/backstop/bd/bitmaps_reference/gh-stg/GithubSTG_CV_0_document_4_xl.png
diff --git a/_ci/backstop/bd/bitmaps_reference/gh-stg/GithubSTG_CV_0_document_5_2xl.png b/_ci/backstop/bd/bitmaps_reference/gh-stg/GithubSTG_CV_0_document_5_2xl.png
diff --git a/..._reference/gh-stg/GithubSTG_Cats_-_Active_Thoughts_Category_0_viewport_0_xs.png b/..._reference/gh-stg/GithubSTG_Cats_-_Active_Thoughts_Category_0_viewport_0_xs.png
diff --git a/..._reference/gh-stg/GithubSTG_Cats_-_Active_Thoughts_Category_0_viewport_1_sm.png b/..._reference/gh-stg/GithubSTG_Cats_-_Active_Thoughts_Category_0_viewport_1_sm.png
diff --git a/...erence/gh-stg/GithubSTG_Cats_-_Mobile_-_Select_All_Category_0_viewport_0_xs.png b/...erence/gh-stg/GithubSTG_Cats_-_Mobile_-_Select_All_Category_0_viewport_0_xs.png
diff --git a/...erence/gh-stg/GithubSTG_Cats_-_Mobile_-_Select_All_Category_0_viewport_1_sm.png b/...erence/gh-stg/GithubSTG_Cats_-_Mobile_-_Select_All_Category_0_viewport_1_sm.png
diff --git a/...ackstop/bd/bitmaps_reference/gh-stg/GithubSTG_Cats_-_Mobile_0_document_0_xs.png b/...ackstop/bd/bitmaps_reference/gh-stg/GithubSTG_Cats_-_Mobile_0_document_0_xs.png
diff --git a/...ackstop/bd/bitmaps_reference/gh-stg/GithubSTG_Cats_-_Mobile_0_document_1_sm.png b/...ackstop/bd/bitmaps_reference/gh-stg/GithubSTG_Cats_-_Mobile_0_document_1_sm.png
diff --git a/...itmaps_reference/gh-stg/GithubSTG_Cats_-_Navigate_from_Post_0_document_0_md.png b/...itmaps_reference/gh-stg/GithubSTG_Cats_-_Navigate_from_Post_0_document_0_md.png
diff --git a/...itmaps_reference/gh-stg/GithubSTG_Cats_-_Navigate_from_Post_0_document_1_lg.png b/...itmaps_reference/gh-stg/GithubSTG_Cats_-_Navigate_from_Post_0_document_1_lg.png
diff --git a/...itmaps_reference/gh-stg/GithubSTG_Cats_-_Navigate_from_Post_0_document_2_xl.png b/...itmaps_reference/gh-stg/GithubSTG_Cats_-_Navigate_from_Post_0_document_2_xl.png
diff --git a/...tmaps_reference/gh-stg/GithubSTG_Cats_-_Navigate_from_Post_0_document_3_2xl.png b/...tmaps_reference/gh-stg/GithubSTG_Cats_-_Navigate_from_Post_0_document_3_2xl.png
diff --git a/...tmaps_reference/gh-stg/GithubSTG_Cats_-_Select_All_Category_0_viewport_0_md.png b/...tmaps_reference/gh-stg/GithubSTG_Cats_-_Select_All_Category_0_viewport_0_md.png
diff --git a/...tmaps_reference/gh-stg/GithubSTG_Cats_-_Select_All_Category_0_viewport_1_lg.png b/...tmaps_reference/gh-stg/GithubSTG_Cats_-_Select_All_Category_0_viewport_1_lg.png
diff --git a/...tmaps_reference/gh-stg/GithubSTG_Cats_-_Select_All_Category_0_viewport_2_xl.png b/...tmaps_reference/gh-stg/GithubSTG_Cats_-_Select_All_Category_0_viewport_2_xl.png
diff --git a/...maps_reference/gh-stg/GithubSTG_Cats_-_Select_All_Category_0_viewport_3_2xl.png b/...maps_reference/gh-stg/GithubSTG_Cats_-_Select_All_Category_0_viewport_3_2xl.png
diff --git a/...itmaps_reference/gh-stg/GithubSTG_Post_-_Content_Components_0_document_4_xl.png b/...itmaps_reference/gh-stg/GithubSTG_Post_-_Content_Components_0_document_4_xl.png
diff --git a/...tmaps_reference/gh-stg/GithubSTG_Post_-_Content_Components_0_document_5_2xl.png b/...tmaps_reference/gh-stg/GithubSTG_Post_-_Content_Components_0_document_5_2xl.png
diff --git a/_tf/modules/cdn/cdn.tf b/_tf/modules/cdn/cdn.tf
@@ -37,6 +37,10 @@ resource "aws_cloudfront_distribution" "this" {
   is_ipv6_enabled     = true
   default_root_object = "index.html"
 
+  tags = {
+    "domain" = "dgrebb.com"
+  }
+
   custom_error_response {
     error_code         = 404
     response_code      = 404
@@ -103,6 +107,9 @@ resource "aws_cloudfront_distribution" "this" {
     min_ttl                = 0
     default_ttl            = 3600
     max_ttl                = 86400
+
+    # Apply/Remove Headers
+    response_headers_policy_id = var.www ? aws_cloudfront_response_headers_policy.this.id : null
   }
 
   restrictions {
@@ -114,6 +121,58 @@ resource "aws_cloudfront_distribution" "this" {
   viewer_certificate {
     acm_certificate_arn      = var.cert.arn
     ssl_support_method       = "sni-only"
-    minimum_protocol_version = "TLSv1"
+    minimum_protocol_version = "TLSv1.2_2018"
+  }
+}
+
+# Security Headers Policy and Server Removal
+resource "aws_cloudfront_response_headers_policy" "this" {
+  name = "${var.dashed_domain}-security-headers-policy"
+
+  custom_headers_config {
+    items {
+      override = true
+      header   = "permissions-policy"
+      value    = "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
+    }
+    items {
+      override = true
+      header   = "feature-policy"
+      value    = "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
+    }
+    items {
+      override = true
+      header   = "server"
+      value    = "_"
+    }
+  }
+
+  security_headers_config {
+    content_type_options {
+      override = true
+    }
+    frame_options {
+      frame_option = "DENY"
+      override     = true
+    }
+    referrer_policy {
+      referrer_policy = "same-origin"
+      override        = true
+    }
+    xss_protection {
+      mode_block = true
+      protection = true
+      override   = true
+    }
+    strict_transport_security {
+      access_control_max_age_sec = "63072000"
+      include_subdomains         = true
+      preload                    = true
+      override                   = true
+    }
+    content_security_policy {
+      content_security_policy = "img-src 'self' https://${var.cdndomain}; frame-ancestors 'self'; frame-src 'self'; media-src 'self' https://*.${var.domain} data:; object-src 'self'; worker-src 'self';"
+      override                = true
+    }
   }
 }
diff --git a/_tf/modules/cdn/inputs.tf b/_tf/modules/cdn/inputs.tf
@@ -1,7 +1,9 @@
 variable "domain" {}
+variable "cdndomain" {}
 variable "dashed_domain" {}
 variable "bucket" {}
 variable "log_enabled" {}
 variable "log_bucket" {}
 variable "cert" {}
 variable "redirect" {}
+variable "www" {}
diff --git a/_tf/modules/network/cdn-dns/cdn-dns.tf b/_tf/modules/network/cdn-dns/cdn-dns.tf
@@ -19,16 +19,34 @@ resource "aws_acm_certificate" "wildcard" {
   }
 }
 
-resource "aws_route53_record" "this" {
+resource "aws_route53_record" "this_a" {
   allow_overwrite = true
   name            = var.domain
   type            = "A"
   zone_id         = var.zone.zone_id
+
+  alias {
+    name                   = var.distribution.domain_name
+    zone_id                = var.distribution.hosted_zone_id
+    evaluate_target_health = false
+  }
+
+  depends_on = [var.distribution]
+}
+
+resource "aws_route53_record" "this_aaaa" {
+  allow_overwrite = true
+  name            = var.domain
+  type            = "AAAA"
+  zone_id         = var.zone.zone_id
+
   alias {
     name                   = var.distribution.domain_name
     zone_id                = var.distribution.hosted_zone_id
     evaluate_target_health = false
   }
+
+  depends_on = [var.distribution]
 }
 
 resource "aws_route53_record" "wildcard_validation" {

diff --git a/_tf/modules/network/network.tf b/_tf/modules/network/network.tf
@@ -30,16 +30,36 @@ resource "aws_db_subnet_group" "this" {
 # WWW Record
 # ------------------------------------------------------------------------------
 
-resource "aws_route53_record" "www" {
+# IPV4
+resource "aws_route53_record" "www_a" {
   zone_id         = data.aws_route53_zone.main.zone_id
   name            = "www.${var.domain}"
   type            = "A"
   allow_overwrite = var.www_record_overwrite
+
+  alias {
+    name                   = var.www_cdn.domain_name
+    zone_id                = var.www_cdn.hosted_zone_id
+    evaluate_target_health = false
+  }
+
+  depends_on = [var.www_cdn]
+}
+
+# IPV6
+resource "aws_route53_record" "www_aaaa" {
+  zone_id         = data.aws_route53_zone.main.zone_id
+  name            = "www.${var.domain}"
+  type            = "AAAA"
+  allow_overwrite = var.www_record_overwrite
+
   alias {
     name                   = var.www_cdn.domain_name
     zone_id                = var.www_cdn.hosted_zone_id
     evaluate_target_health = false
   }
+
+  depends_on = [var.www_cdn]
 }
 
 # ------------------------------------------------------------------------------

diff --git a/_tf/prd/.terraform.lock.hcl b/_tf/prd/.terraform.lock.hcl
diff --git a/_tf/prd/main.tf b/_tf/prd/main.tf
@@ -15,6 +15,8 @@ module "www_cdn" {
   log_bucket    = module.www_cdn_bucket.log_bucket
   cert          = module.network.wildcard_cert
   redirect      = true
+  www           = true
+  cdndomain     = var.cdndomain
 }
 
 module "uploads_cdn" {
@@ -26,6 +28,8 @@ module "uploads_cdn" {
   log_bucket    = module.uploads_cdn_bucket.log_bucket
   cert          = module.network.uploads_cert
   redirect      = false
+  www           = false
+  cdndomain     = var.cdndomain
 }
 
 module "containers" {
@@ -132,6 +136,8 @@ module "reports_cdn" {
   log_bucket    = false
   cert          = module.network.reports_cert
   redirect      = false
+  www           = false
+  cdndomain     = var.cdndomain
 }
 
 module "reports_bucket" {

diff --git a/_tf/stg/.terraform.lock.hcl b/_tf/stg/.terraform.lock.hcl
diff --git a/_tf/stg/main.tf b/_tf/stg/main.tf
@@ -21,6 +21,8 @@ module "www_cdn" {
   log_bucket    = module.www_cdn_bucket.log_bucket
   cert          = module.network.wildcard_cert
   redirect      = false
+  www           = true
+  cdndomain     = local.cdndomain
 }
 
 module "uploads_cdn" {
@@ -32,6 +34,8 @@ module "uploads_cdn" {
   log_bucket    = module.uploads_cdn_bucket.log_bucket
   cert          = module.network.uploads_cert
   redirect      = false
+  www           = false
+  cdndomain     = local.cdndomain
 }
 
 module "containers" {
@@ -139,6 +143,8 @@ module "reports_cdn" {
   log_bucket    = false
   cert          = module.network.reports_cert
   redirect      = false
+  www           = false
+  cdndomain     = local.cdndomain
 }
 
 module "reports_bucket" {