From 78711e80fe83e3b6778a4ac3b1a306ebda4470fd Mon Sep 17 00:00:00 2001
From: Thomas Judd-Cooper
Date: Tue, 4 Jul 2023 11:08:53 +0100
Subject: [PATCH] Fix S3 Bucket KMS Key
---
 main.tf | 6 +--
 modules/opennext-assets/kms.tf | 45 -----------------------
 modules/opennext-assets/s3.tf | 4 +-
 modules/opennext-assets/variables.tf | 10 -----
 modules/opennext-cloudfront/cloudfront.tf | 7 +---
 modules/opennext-cloudfront/main.tf | 5 +++
 6 files changed, 11 insertions(+), 66 deletions(-)
 delete mode 100644 modules/opennext-assets/kms.tf
diff --git a/main.tf b/main.tf
index 7dda9a9..bb27a09 100644
--- a/main.tf
+++ b/main.tf
@@ -27,7 +27,6 @@ data "aws_region" "current" {}
 module "assets" {
 source = "./modules/opennext-assets"
- aws_account_id = data.aws_caller_identity.current.account_id
 prefix = "${var.prefix}-assets"
 assets_path = "${local.opennext_abs_path}/assets"
 cache_path = "${local.opennext_abs_path}/cache"
@@ -415,10 +414,11 @@ module "cloudfront" {
 logging_bucket_domain_name = module.cloudfront_logs.logs_s3_bucket.bucket_regional_domain_name
 assets_origin_access_identity = module.assets.cloudfront_origin_access_identity.cloudfront_access_identity_path
+
 origins = {
 assets_bucket = module.assets.assets_bucket.bucket_regional_domain_name
- server_function = "${module.server_function.lambda_function_url.url_id}.lambda-url.eu-west-2.on.aws"
- image_optimization_function = "${module.image_optimization_function.lambda_function_url.url_id}.lambda-url.eu-west-2.on.aws"
+ server_function = "${module.server_function.lambda_function_url.url_id}.lambda-url.${data.aws_region.current.name}.on.aws"
+ image_optimization_function = "${module.image_optimization_function.lambda_function_url.url_id}.lambda-url.${data.aws_region.current.name}.on.aws"
 }
 aliases = local.cloudfront.aliases
diff --git a/modules/opennext-assets/kms.tf b/modules/opennext-assets/kms.tf
deleted file mode 100644
index 98136a8..0000000
--- a/modules/opennext-assets/kms.tf
+++ /dev/null
@@ -1,45 +0,0 @@
-data "aws_kms_key" "assets_key" {
- count = var.kms_key_arn != null ? 1 : 0
- key_id = var.kms_key_arn
-}
-
-resource "aws_kms_key" "assets_key" {
- count = var.kms_key_arn == null ? 1 : 0
-
- description = "${var.prefix} Assets S3 Bucket KMS Key"
- deletion_window_in_days = 10
-
- policy = data.aws_iam_policy_document.assets_key_policy[0].json
-}
-
-data "aws_iam_policy_document" "assets_key_policy" {
- count = var.kms_key_arn == null ? 1 : 0
-
- statement {
- effect = "Allow"
- actions = ["kms:*"]
- resources = ["*"]
-
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${var.aws_account_id}:root"]
- }
- }
-
- statement {
- effect = "Allow"
- actions = [
- "kms:Encrypt*",
- "kms:Decrypt*",
- "kms:ReEncrypt*",
- "kms:GenerateDataKey*",
- "kms:Describe*"
- ]
- resources = ["*"]
-
- principals {
- type = "Service"
- identifiers = ["lambda.amazonaws.com", "cloudfront.amazonaws.com"]
- }
- }
-}
diff --git a/modules/opennext-assets/s3.tf b/modules/opennext-assets/s3.tf
index 9d08fef..4055f5a 100644
--- a/modules/opennext-assets/s3.tf
+++ b/modules/opennext-assets/s3.tf
@@ -47,9 +47,9 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "assets" {
 bucket = aws_s3_bucket.assets.bucket
 rule {
+
 apply_server_side_encryption_by_default {
- kms_master_key_id = try(data.aws_kms_key.assets_key[0].arn, aws_kms_key.assets_key[0].arn)
- sse_algorithm = "aws:kms"
+ sse_algorithm = "AES256"
 }
 }
 }
diff --git a/modules/opennext-assets/variables.tf b/modules/opennext-assets/variables.tf
index bd84e20..90a6ce3 100644
--- a/modules/opennext-assets/variables.tf
+++ b/modules/opennext-assets/variables.tf
@@ -44,13 +44,3 @@ variable "replication_configuration" {
 }))
 })
 }
-
-variable "kms_key_arn" {
- description = "The KMS Key ARN for the encryption of the static assets S3 bucket"
- type = string
- default = null
-}
-
-variable "aws_account_id" {
- type = string
-}
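Review bot: The switch in `apply_server_side_encryption_by_default` from `aws:kms` with a customer-managed key to `sse_algorithm = "AES256"` is a change in encryption posture rather than only a fix, and neither the commit message nor the hunk gives the rationale. SSE-S3 still encrypts at rest, but the deployment loses the key policy, rotation control and CloudTrail key-usage trail that the deleted kms.tf provided; if the motivation is that the CloudFront origin access identity wired up in main.tf cannot read SSE-KMS objects, a comment above the rule would spare the next reader the archaeology, e.g. `# SSE-S3: the CloudFront OAI used for this origin cannot decrypt SSE-KMS objects; move to OAC if a customer-managed key is needed`. Changing the bucket default does not re-encrypt objects already stored under the old key, so assets uploaded before this change presumably stay unreadable through CloudFront until they are re-uploaded. Dropping `kms_key_arn` and `aws_account_id` in the variables.tf hunk also removes inputs from the module interface, which is a breaking change for any caller that sets them. The empty line added inside `rule {` looks like a stray formatting artifact.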
diff --git a/modules/opennext-cloudfront/cloudfront.tf b/modules/opennext-cloudfront/cloudfront.tf
index 2fd2acc..a63d635 100644
--- a/modules/opennext-cloudfront/cloudfront.tf
+++ b/modules/opennext-cloudfront/cloudfront.tf
@@ -20,7 +20,7 @@ EOF
 data "aws_cloudfront_origin_request_policy" "origin_request_policy" {
 count = var.origin_request_policy == null ? 1 : 0
- name = "Managed-AllViewer"
+ name = "Managed-AllViewerExceptHostHeader"
 }
 resource "aws_cloudfront_origin_request_policy" "origin_request_policy" {
@@ -142,11 +142,6 @@ resource "aws_cloudfront_response_headers_policy" "response_headers_policy" {
 }
 }
-provider "aws" {
- alias = "global"
- region = "us-east-1"
-}
-
 resource "aws_cloudfront_distribution" "distribution" {
 provider = aws.global
 price_class = "PriceClass_100"
diff --git a/modules/opennext-cloudfront/main.tf b/modules/opennext-cloudfront/main.tf
index fe30da3..11d541a 100644
--- a/modules/opennext-cloudfront/main.tf
+++ b/modules/opennext-cloudfront/main.tf
@@ -8,3 +8,8 @@ terraform {
 }
 }
 }
+
+provider "aws" {
+ alias = "global"
+ region = "us-east-1"
+}
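Review bot: The change of the fallback managed origin request policy to `Managed-AllViewerExceptHostHeader` carries no comment, and the policy name alone does not tell a reader why the Host header has to be dropped for this distribution. Lambda function URLs only accept requests whose Host header matches the function URL hostname, so forwarding the viewer's Host with `Managed-AllViewer` presumably broke the server and image-optimization origins declared in the root main.tf; a comment on the `name` line such as `# Function URLs validate Host: forwarding the viewer's Host header (Managed-AllViewer) makes the Lambda origins fail` would capture that. This policy still forwards every viewer cookie, query string and remaining header to the origin, so it suits the dynamic origins but would defeat caching on the S3 assets origin if it is attached there as well; where the policy is attached lies outside this hunk.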
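Review bot: Moving the aliased `provider "aws"` block into modules/opennext-cloudfront/main.tf keeps a provider configuration inside a child module, which Terraform documents as a legacy pattern: a module that configures its own provider cannot be called with `count`, `for_each` or `depends_on`, and removing the module from the configuration later leaves its resources with no provider configuration to destroy them. The `terraform { required_providers { ... } }` block this hunk appends to is the place to declare the alias instead, e.g. `configuration_aliases = [aws.global]` in the aws entry, with the root module passing it on the module call via `providers = { aws.global = aws.global }`. Pinning us-east-1 for the resources that use `aws.global`, such as the distribution in cloudfront.tf, is not the concern; only where the configuration lives needs to change. The companion hunk in cloudfront.tf only deletes the old block and needs nothing further.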