feat: custom waf and other fixes
leonchabbey authored and Tomdango committed Oct 20, 2023
1 parent aee2020 commit 2a28f92
Showing 6 changed files with 66 additions and 41 deletions.
12 changes: 8 additions & 4 deletions locals.tf
Expand Up @@ -9,6 +9,7 @@ locals {
cloudfront = {
aliases = var.cloudfront.aliases
acm_certificate_arn = var.cloudfront.acm_certificate_arn
comment = var.cloudfront.comment
assets_paths = coalesce(var.cloudfront.assets_paths, [])
custom_headers = coalesce(var.cloudfront.custom_headers, [])
geo_restriction = coalesce(try(var.cloudfront.geo_restriction, null), {
Expand All @@ -31,15 +32,15 @@ locals {
remove_headers_config = merge({
items : []
}, var.cloudfront.remove_headers_config)
waf_logging_configuration = var.cloudfront.waf_logging_configuration
cache_policy = {
default_ttl = coalesce(try(var.cloudfront.cache_policy.default_ttl, null), 0)
min_ttl = coalesce(try(var.cloudfront.cache_policy.min_ttl, null), 0)
max_ttl = coalesce(try(var.cloudfront.cache_policy.max_ttl, null), 31536000)
enable_accept_encoding_brotli = try(var.cloudfront.cache_policy.enable_accept_encoding_brotli, true)
enable_accept_encoding_gzip = try(var.cloudfront.cache_policy.enable_accept_encoding_gzip, true)
enable_accept_encoding_brotli = coalesce(try(var.cloudfront.cache_policy.enable_accept_encoding_brotli, null), true)
enable_accept_encoding_gzip = coalesce(try(var.cloudfront.cache_policy.enable_accept_encoding_gzip, null), true)
cookies_config = merge({
cookie_behavior = "all"
cookie_behavior = "all",
items = []
}, try(var.cloudfront.cache_policy.cookies_config, {}))
headers_config = merge({
header_behavior = "whitelist",
Expand All @@ -51,6 +52,9 @@ locals {
}, try(var.cloudfront.cache_policy.query_strings_config, {}))
}
origin_request_policy = try(var.cloudfront.origin_request_policy, null)

custom_waf = var.cloudfront.custom_waf
waf_logging_configuration = var.cloudfront.waf_logging_configuration
}

/**
21 changes: 12 additions & 9 deletions main.tf
Expand Up @@ -199,6 +199,7 @@ module "cloudfront" {
prefix = "${var.prefix}-cloudfront"
default_tags = var.default_tags

comment = local.cloudfront.comment
logging_bucket_domain_name = module.cloudfront_logs.logs_s3_bucket.bucket_regional_domain_name
assets_origin_access_identity = module.assets.cloudfront_origin_access_identity.cloudfront_access_identity_path

Expand All @@ -208,14 +209,16 @@ module "cloudfront" {
image_optimization_function = "${module.image_optimization_function.lambda_function_url.url_id}.lambda-url.${data.aws_region.current.name}.on.aws"
}

aliases = local.cloudfront.aliases
acm_certificate_arn = local.cloudfront.acm_certificate_arn
assets_paths = local.cloudfront.assets_paths
custom_headers = local.cloudfront.custom_headers
geo_restriction = local.cloudfront.geo_restriction
cors = local.cloudfront.cors
hsts = local.cloudfront.hsts
aliases = local.cloudfront.aliases
acm_certificate_arn = local.cloudfront.acm_certificate_arn
assets_paths = local.cloudfront.assets_paths
custom_headers = local.cloudfront.custom_headers
geo_restriction = local.cloudfront.geo_restriction
cors = local.cloudfront.cors
hsts = local.cloudfront.hsts
cache_policy = local.cloudfront.cache_policy
remove_headers_config = local.cloudfront.remove_headers_config

custom_waf = local.cloudfront.custom_waf
waf_logging_configuration = local.cloudfront.waf_logging_configuration
cache_policy = local.cloudfront.cache_policy
remove_headers_config = local.cloudfront.remove_headers_config
}
4 changes: 2 additions & 2 deletions modules/opennext-cloudfront/cloudfront.tf
Expand Up @@ -166,9 +166,9 @@ resource "aws_cloudfront_distribution" "distribution" {
price_class = "PriceClass_100"
enabled = true
is_ipv6_enabled = true
comment = "${var.prefix} - CloudFront Distribution for Next.js Application"
comment = coalesce(var.comment, "${var.prefix} - CloudFront Distribution for Next.js Application")
aliases = var.aliases
web_acl_id = aws_wafv2_web_acl.cloudfront_waf.arn
web_acl_id = try(var.custom_waf.arn, aws_wafv2_web_acl.cloudfront_waf[0].arn, null)

logging_config {
include_cookies = false
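Review bot: The trailing `null` in `web_acl_id = try(var.custom_waf.arn, aws_wafv2_web_acl.cloudfront_waf[0].arn, null)` turns a missing web ACL into a silently unprotected distribution instead of a plan-time error; since the `count` on `cloudfront_waf` guarantees exactly one of the two sources exists, that fallback can only fire on a misconfiguration, so `web_acl_id = try(var.custom_waf.arn, aws_wafv2_web_acl.cloudfront_waf[0].arn)` is the safer form. A comment on the line such as `# exactly one ACL is attached: the caller's custom_waf, or the module-managed one created when custom_waf is null` would make the invariant explicit for the next maintainer. CloudFront only accepts a CLOUDFRONT-scope (global) WAFv2 ACL, and nothing in this module checks the scope of a caller-supplied ARN; that is best enforced where `custom_waf` is declared rather than here. The `distribution` resource starts before and ends after this hunk.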
11 changes: 11 additions & 0 deletions modules/opennext-cloudfront/variables.tf
Expand Up @@ -9,6 +9,10 @@ variable "default_tags" {
default = {}
}

variable "comment" {
type = string
description = "Comment to add to the CloudFront distribution"
}

variable "acm_certificate_arn" {
type = string
Expand Down Expand Up @@ -85,6 +89,13 @@ variable "hsts" {
}
}

variable "custom_waf" {
description = "ARN value for an externally created AWS WAF"
type = object({
arn = string
})
}

variable "waf_logging_configuration" {
description = "Logging Configuration for the WAF attached to CloudFront"
type = object({
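Review bot: `variable "custom_waf"` and `variable "comment"` are declared without `default = null`, yet cloudfront.tf in this commit treats both as optional (`coalesce(var.comment, …)`, `var.custom_waf == null`), so every caller is forced to pass them explicitly and a direct user of the module who omits `custom_waf` gets a missing-variable error instead of the managed WAF. Add `default = null` to both. Because the ARN is handed straight to `web_acl_id` and CloudFront only accepts CLOUDFRONT-scope web ACLs (us-east-1, `global/webacl/` namespace), a `validation` block on `custom_waf` turns a wrong-scope or wrong-region ARN into a plan-time error rather than an apply-time failure; the description should also state that the module's own WAF and its logging configuration are not created when this is set. The rewritten `custom_waf` block follows; the `comment` block only needs the added default line.

```hcl
variable "custom_waf" {
  description = "ARN of an existing CLOUDFRONT-scope WAFv2 web ACL to attach instead of the module-managed one. When set, the module's own web ACL and its logging configuration are not created."
  type = object({
    arn = string
  })
  default = null

  validation {
    # CloudFront distributions can only reference global-scope web ACLs, which live in us-east-1.
    condition     = var.custom_waf == null || can(regex("^arn:aws[a-zA-Z-]*:wafv2:us-east-1:[0-9]{12}:global/webacl/", try(var.custom_waf.arn, "")))
    error_message = "custom_waf.arn must be a CLOUDFRONT-scope (global, us-east-1) WAFv2 web ACL ARN."
  }
}
```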
6 changes: 4 additions & 2 deletions modules/opennext-cloudfront/waf.tf
@@ -1,4 +1,6 @@
resource "aws_wafv2_web_acl" "cloudfront_waf" {
count = var.custom_waf == null ? 1 : 0

provider = aws.global
name = "${var.prefix}-waf"
scope = "CLOUDFRONT"
Expand Down Expand Up @@ -120,9 +122,9 @@ resource "aws_wafv2_web_acl" "cloudfront_waf" {
}

resource "aws_wafv2_web_acl_logging_configuration" "waf_logging" {
count = var.waf_logging_configuration == null ? 0 : 1
count = var.waf_logging_configuration == null || try(aws_wafv2_web_acl.cloudfront_waf[0], null) == null ? 0 : 1

resource_arn = aws_wafv2_web_acl.cloudfront_waf.arn
resource_arn = aws_wafv2_web_acl.cloudfront_waf[0].arn
log_destination_configs = var.waf_logging_configuration.log_destination_configs

dynamic "logging_filter" {
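Review bot: The new `count` expression on `waf_logging` silently discards `var.waf_logging_configuration` whenever `custom_waf` is set, so a caller that supplies both gets a distribution fronted by a WAF with no logging and no diagnostic, which is a detection gap rather than a configuration error. The existence test also goes through the resource instance (`try(aws_wafv2_web_acl.cloudfront_waf[0], null)`) when the same fact is already known from the variable; `count = var.waf_logging_configuration == null || var.custom_waf != null ? 0 : 1` expresses it without depending on resource evaluation. If the intent is that the external ACL owns its own logging, say so in the `waf_logging_configuration` description and add a `precondition` (or a root-level variable `validation`) that rejects both being set; otherwise gate the count on the logging variable alone and use `resource_arn = try(var.custom_waf.arn, aws_wafv2_web_acl.cloudfront_waf[0].arn)` so logging follows whichever ACL is actually attached. The `waf_logging` resource body continues past the end of the hunk.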
53 changes: 29 additions & 24 deletions variables.tf
Expand Up @@ -310,6 +310,7 @@ variable "cloudfront" {
type = object({
aliases = list(string)
acm_certificate_arn = string
comment = optional(string)
assets_paths = optional(list(string))
custom_headers = optional(list(object({
header = string
Expand All @@ -336,30 +337,6 @@ variable "cloudfront" {
override = bool
preload = bool
}))
waf_logging_configuration = optional(object({
log_destination_configs = list(string)
logging_filter = optional(object({
default_behavior = string
filter = list(object({
behavior = string
requirement = string
action_condition = optional(list(object({
action = string
})))
label_name_condition = optional(list(object({
label_name = string
})))
}))
}))
redacted_fields = optional(list(object({
method = optional(bool)
query_string = optional(bool)
single_header = optional(object({
name = string
}))
uri_path = optional(bool)
})))
}))
cache_policy = optional(object({
default_ttl = optional(number)
min_ttl = optional(number)
Expand All @@ -368,6 +345,7 @@ variable "cloudfront" {
enable_accept_encoding_brotli = optional(bool)
cookies_config = optional(object({
cookie_behavior = string
items = optional(list(string))
}))
headers_config = optional(object({
header_behavior = string
Expand All @@ -391,5 +369,32 @@ variable "cloudfront" {
items = optional(list(string))
})
}))
custom_waf = optional(object({
arn = string
}))
waf_logging_configuration = optional(object({
log_destination_configs = list(string)
logging_filter = optional(object({
default_behavior = string
filter = list(object({
behavior = string
requirement = string
action_condition = optional(list(object({
action = string
})))
label_name_condition = optional(list(object({
label_name = string
})))
}))
}))
redacted_fields = optional(list(object({
method = optional(bool)
query_string = optional(bool)
single_header = optional(object({
name = string
}))
uri_path = optional(bool)
})))
}))
})
}
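Review bot: The new `custom_waf` attribute changes the meaning of the neighbouring `waf_logging_configuration` (in this commit's waf.tf the logging resource is skipped whenever `custom_waf` is set), but nothing in the type schema or in the `cloudfront` variable's description, which sits above the hunk, tells the caller. Add a sentence to that description such as `custom_waf: ARN of an existing CLOUDFRONT-scope WAFv2 web ACL to attach instead of the module-managed one; when set, waf_logging_configuration is not applied.` A `validation` block on the `cloudfront` variable that checks `custom_waf.arn` is a global-scope web ACL ARN would catch wrong-scope ACLs at plan time; the enclosing `variable "cloudfront"` block starts before this hunk, so where that block lands cannot be judged from here.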
