

skip: Merge pull request #189 from epam/upd_295
upd: update policy 295
anna-shcherbak authored Nov 8, 2024
2 parents 5dd1fa9 + 71e9e9e commit c58c6bb
Showing 15 changed files with 263 additions and 54 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -9,18 +9,9 @@ policies:
- name: ecc-aws-295-use_secure_ssl_protocols_between_cloudfront_origin
comment: '010023022001'
description: |
Cloudfront origin uses not latest SSL certificate
Cloudfront origin uses deprecated version of SSL certificate
resource: aws.distribution
filters:
- and:
- type: value
key: Origins.Items[].CustomOriginConfig.OriginProtocolPolicy
value_type: swap
value: https-only
op: in
- not:
- type: value
key: Origins.Items[].CustomOriginConfig.OriginSslProtocols.Items[]
value_type: swap
value: TLSv1.2
op: in
- type: value
key: Origins.Items[?CustomOriginConfig && CustomOriginConfig.OriginProtocolPolicy!='http-only' && contains(CustomOriginConfig.OriginSslProtocols.Items, 'SSLv3')]
value: not-null
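Review bot: The replacement filter on the last three lines of the hunk only matches origins whose OriginSslProtocols contain SSLv3, whereas the removed `not … TLSv1.2` filter also caught origins restricted to TLSv1 or TLSv1.1; the green EC2 fixture in this same commit now sets `origin_ssl_protocols = ["TLSv1.2", "TLSv1.1"]`, so an origin that still negotiates TLSv1.1 is reported as compliant. If narrowing the rule to SSLv3 is intended, the description should say so rather than "deprecated version of SSL certificate" (the setting is a protocol list, not a certificate), e.g. `Cloudfront origin allows SSLv3 for connections to the origin`; otherwise extend the JMESPath with `|| contains(CustomOriginConfig.OriginSslProtocols.Items, 'TLSv1') || contains(CustomOriginConfig.OriginSslProtocols.Items, 'TLSv1.1')`. Note also that `value: not-null` on a filter-projection result depends on an empty `[]` being treated as "null" by the value filter — presumably the case, but worth confirming against both red and green fixtures.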
Original file line number Diff line number Diff line change
@@ -1,6 +1,11 @@
resource "aws_instance" "this" {
ami = data.aws_ami.this.id
instance_type = "t2.micro"

tags = {
CustodianRule = "ecc-aws-295-use_secure_ssl_protocols_between_cloudfront_origin"
ComplianceStatus = "Green"
}
}

data "aws_ami" "this" {
Expand All @@ -25,7 +30,7 @@ resource "aws_cloudfront_distribution" "this" {
origin_protocol_policy = "https-only"
http_port = "80"
https_port = "443"
origin_ssl_protocols = ["TLSv1.2"]
origin_ssl_protocols = ["TLSv1.2", "TLSv1.1"]
}
}

Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
resource "aws_s3_bucket" "this" {
bucket = "bucket-295-red"
}

locals {
s3_origin_id = "myRedS3"
}

resource "random_integer" "this" {
min = 1
max = 10000000
}

resource "aws_cloudfront_distribution" "this" {
origin {
domain_name = aws_s3_bucket.this.bucket_regional_domain_name
origin_id = local.s3_origin_id
}

enabled = true
default_root_object = "index.html"

default_cache_behavior {
allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD"]
target_origin_id = local.s3_origin_id

forwarded_values {
query_string = false

cookies {
forward = "none"
}
}

viewer_protocol_policy = "allow-all"
}

restrictions {
geo_restriction {
restriction_type = "none"
}
}

viewer_certificate {
cloudfront_default_certificate = true
}
}
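Review bot: `random_integer.this` is declared but never referenced, while the bucket keeps the static name `bucket-295-red`; S3 bucket names are global, so this fixture fails to apply whenever that name is already taken, and the `-red` / `myRedS3` naming contradicts the Green2 compliance tag in the provider file that accompanies it. Suggest `bucket = "bucket-295-green2-${random_integer.this.result}"` and `s3_origin_id = "myGreen2S3"`. A one-line comment on the `origin` block noting that the fixture deliberately omits `custom_origin_config` so that the policy's `?CustomOriginConfig && …` guard is exercised would also help the next reader; the `allow-all` viewer policy and write methods are outside what rule 295 checks.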
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5"
}
}
}

provider "aws"{
profile = var.profile
region = var.default-region

default_tags {
tags = {
CustodianRule = "ecc-aws-295-use_secure_ssl_protocols_between_cloudfront_origin"
ComplianceStatus = "Green2"
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
profile = "c7n"
default-region = "us-east-1"
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
variable "default-region" {
type = string
description = "Default region for resources will be created"
}

variable "profile" {
type = string
description = "Profile name configured before running apply"
}
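Review bot: The description on `default-region` reads `Default region for resources will be created`; `Default region in which resources will be created` is the clearer wording. The same text appears in the second variables file added by this commit.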
Original file line number Diff line number Diff line change
@@ -1,6 +1,11 @@
resource "aws_instance" "this" {
ami = data.aws_ami.this.id
instance_type = "t2.micro"

tags = {
CustodianRule = "ecc-aws-295-use_secure_ssl_protocols_between_cloudfront_origin"
ComplianceStatus = "Red"
}
}

data "aws_ami" "this" {
Expand All @@ -25,7 +30,7 @@ resource "aws_cloudfront_distribution" "this" {
origin_protocol_policy = "https-only"
http_port = "80"
https_port = "443"
origin_ssl_protocols = ["TLSv1.1"]
origin_ssl_protocols = ["SSLv3"]
}
}

Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
resource "aws_instance" "this" {
ami = data.aws_ami.this.id
instance_type = "t2.micro"
}

data "aws_ami" "this" {
most_recent = true
owners = ["amazon"]

filter {
name = "name"
values = ["amzn2-ami-hvm*"]
}
}

locals {
ec2_origin_id = "myEC2Origin"
}

resource "aws_cloudfront_distribution" "this" {
origin {
domain_name = aws_instance.this.public_dns
origin_id = local.ec2_origin_id
custom_origin_config {
http_port = "80"
https_port = "443"
origin_protocol_policy = "match-viewer"
origin_ssl_protocols = ["TLSv1.2", "SSLv3"]
}
}

enabled = true

default_cache_behavior {
allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD"]
target_origin_id = local.ec2_origin_id

forwarded_values {
query_string = false

cookies {
forward = "none"
}
}

viewer_protocol_policy = "allow-all"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}


restrictions {
geo_restriction {
restriction_type = "whitelist"
locations = ["US", "CA", "GB", "DE"]
}
}

viewer_certificate {
cloudfront_default_certificate = true
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
<!DOCTYPE html>
<html lang="en">

<head>
<title>Basic Web Page</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>

<style>
body {
height: 100vh;
width: 100vw;
background-color: aquamarine;
display: flex;
align-items: center;
justify-content: center;
font-weight: bold;
font-size: 42px;
font-family: mono;
}
</style>

<body>
Hello World!

<script>
console.log('Hello world!');
</script>
</body>

</html>
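Review bot: The `<style>` element is placed between `</head>` and `<body>`, which is not a valid position for it; move it inside `<head>` after the `<meta>` elements. Presumably this is the `index.html` default root object for the S3 origin fixture — a one-line HTML comment such as `<!-- default root object for the CloudFront test distribution -->` would make its role clear.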
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5"
}
}
}

provider "aws"{
profile = var.profile
region = var.default-region

default_tags {
tags = {
CustodianRule = "ecc-aws-295-use_secure_ssl_protocols_between_cloudfront_origin"
ComplianceStatus = "Red"
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
profile = "c7n"
default-region = "us-east-1"
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
variable "default-region" {
type = string
description = "Default region for resources will be created"
}

variable "profile" {
type = string
description = "Profile name configured before running apply"
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,23 +6,23 @@
"Marker": "",
"MaxItems": 100,
"IsTruncated": false,
"Quantity": 4,
"Quantity": 1,
"Items": [
{
"Id": "E32QEHSIE8V7TF",
"ARN": "arn:aws:cloudfront::111111111111:distribution/E32QEHSIE8V7TF",
"Id": "E3153VPXBPXF29",
"ARN": "arn:aws:cloudfront::644160558196:distribution/E3153VPXBPXF29",
"Status": "Deployed",
"LastModifiedTime": {
"__class__": "datetime",
"year": 2022,
"month": 5,
"day": 20,
"hour": 13,
"minute": 32,
"second": 12,
"microsecond": 356000
"year": 2024,
"month": 11,
"day": 7,
"hour": 20,
"minute": 33,
"second": 52,
"microsecond": 982000
},
"DomainName": "d2ohku0rzi86fg.cloudfront.net",
"DomainName": "d13h6bfmht7o6q.cloudfront.net",
"Aliases": {
"Quantity": 0
},
Expand All @@ -31,7 +31,7 @@
"Items": [
{
"Id": "myEC2Origin",
"DomainName": "ec2-3-84-182-11.compute-1.amazonaws.com",
"DomainName": "ec2-54-160-178-196.compute-1.amazonaws.com",
"OriginPath": "",
"CustomHeaders": {
"Quantity": 0
Expand All @@ -43,7 +43,7 @@
"OriginSslProtocols": {
"Quantity": 1,
"Items": [
"TLSv1.1"
"SSLv3"
]
},
"OriginReadTimeout": 30,
Expand All @@ -53,7 +53,8 @@
"ConnectionTimeout": 10,
"OriginShield": {
"Enabled": false
}
},
"OriginAccessControlId": ""
}
]
},
Expand Down Expand Up @@ -135,16 +136,17 @@
"RestrictionType": "whitelist",
"Quantity": 4,
"Items": [
"US",
"CA",
"DE",
"GB",
"DE"
"US"
]
}
},
"WebACLId": "",
"HttpVersion": "HTTP2",
"IsIPV6Enabled": false
"IsIPV6Enabled": false,
"Staging": false
}
]
}
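Review bot: The regenerated fixture replaces the placeholder account id `111111111111` in the distribution ARN with what appears to be a real account id, and records a concrete EC2 public DNS name and distribution id; recorded test data should keep the placeholder account and a synthetic hostname so that live infrastructure identifiers are not committed, e.g. `"ARN": "arn:aws:cloudfront::111111111111:distribution/E3153VPXBPXF29"` and a constructed `ec2-placeholder.compute-1.amazonaws.com`. The policy under test only reads `Origins.Items[].CustomOriginConfig`, so anonymising these fields does not change the test outcome.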
