-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
1 parent
28c2628
commit f8f776b
Showing
7 changed files
with
297 additions
and
25 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
# Doesn't work yet - TODO | ||
# data "aws_iam_principal_policy_simulation" "state_read" { | ||
# action_names = [ | ||
# "s3:GetObject" | ||
# ] | ||
# policy_source_arn = aws_iam_role.ro.arn | ||
# resource_arns = [ | ||
# "${var.state_bucket_arn}/${var.environment}/terraform.tfstate", | ||
# ] | ||
# #resource_policy_json = data.aws_iam_policy_document.ro.json | ||
# | ||
# depends_on = [aws_iam_policy.ro] | ||
# | ||
# lifecycle { | ||
# postcondition { | ||
# condition = self.all_allowed | ||
# error_message = "state_read check failed: ${jsonencode(self.results)}" | ||
# } | ||
# } | ||
# } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,148 @@ | ||
locals { | ||
ui = "${var.prefix}-ui" | ||
} | ||
|
||
resource "aws_s3_bucket" "ui" { | ||
# checkov:skip=CKV_AWS_18:Chosen not to enable access logging yet | ||
# checkov:skip=CKV2_AWS_62:No need for S3 events | ||
# checkov:skip=CKV_AWS_144:No need for cross-region replication | ||
# checkov:skip=CKV_AWS_145:AWS ley is sufficient | ||
bucket = lower(local.ui) | ||
|
||
tags = { | ||
Name = local.ui | ||
} | ||
} | ||
|
||
resource "aws_s3_bucket_policy" "ui" { | ||
bucket = aws_s3_bucket.ui.id | ||
policy = data.aws_iam_policy_document.ui.json | ||
} | ||
|
||
data "aws_iam_policy_document" "ui" { | ||
statement { | ||
sid = "CDNRead" | ||
effect = "Allow" | ||
actions = ["s3:GetObject"] | ||
resources = ["${aws_s3_bucket.ui.arn}/*"] | ||
principals { | ||
type = "Service" | ||
identifiers = ["cloudfront.${data.aws_partition.current.dns_suffix}"] | ||
} | ||
condition { | ||
test = "StringEquals" | ||
variable = "aws:SourceArn" | ||
values = [aws_cloudfront_distribution.cdn.arn] | ||
} | ||
} | ||
|
||
statement { | ||
sid = "CDNList" | ||
effect = "Allow" | ||
actions = ["s3:ListBucket"] | ||
resources = [aws_s3_bucket.ui.arn] | ||
principals { | ||
type = "Service" | ||
identifiers = ["cloudfront.${data.aws_partition.current.dns_suffix}"] | ||
} | ||
condition { | ||
test = "StringEquals" | ||
variable = "aws:SourceArn" | ||
values = [aws_cloudfront_distribution.cdn.arn] | ||
} | ||
} | ||
|
||
# Block all HTTP Access | ||
statement { | ||
sid = "BlockHTTP" | ||
effect = "Deny" | ||
actions = ["s3:*"] | ||
resources = [ | ||
aws_s3_bucket.ui.arn, | ||
"${aws_s3_bucket.ui.arn}/*", | ||
] | ||
principals { | ||
type = "AWS" | ||
identifiers = ["*"] | ||
} | ||
condition { | ||
test = "Bool" | ||
variable = "aws:SecureTransport" | ||
values = ["false"] | ||
} | ||
} | ||
} | ||
|
||
resource "aws_s3_bucket_public_access_block" "ui" { | ||
bucket = aws_s3_bucket.ui.id | ||
|
||
block_public_acls = true | ||
block_public_policy = true | ||
ignore_public_acls = true | ||
restrict_public_buckets = true | ||
} | ||
|
||
resource "aws_s3_bucket_ownership_controls" "ui" { | ||
bucket = aws_s3_bucket.ui.id | ||
|
||
rule { | ||
object_ownership = "BucketOwnerEnforced" | ||
} | ||
} | ||
|
||
resource "aws_s3_bucket_versioning" "ui" { | ||
bucket = aws_s3_bucket.ui.id | ||
|
||
versioning_configuration { | ||
status = "Enabled" | ||
} | ||
} | ||
|
||
resource "aws_s3_bucket_server_side_encryption_configuration" "ui" { | ||
bucket = aws_s3_bucket.ui.id | ||
|
||
rule { | ||
apply_server_side_encryption_by_default { | ||
sse_algorithm = "AES256" | ||
} | ||
} | ||
} | ||
|
||
# Use recommended CORS rules for bucket behind cloudfront | ||
resource "aws_s3_bucket_cors_configuration" "ui" { | ||
bucket = aws_s3_bucket.ui.id | ||
|
||
cors_rule { | ||
allowed_headers = ["*"] | ||
allowed_methods = ["GET", "HEAD"] | ||
allowed_origins = ["https://${aws_cloudfront_distribution.cdn.domain_name}"] | ||
expose_headers = ["ETag"] | ||
max_age_seconds = 3000 | ||
} | ||
} | ||
|
||
# Lifecycle to: | ||
# * Delete incomplete multipart uploads after 3 days | ||
# * Limit old versions to maximum of 5 or and age of 30 days | ||
# * Keep the current version forever | ||
resource "aws_s3_bucket_lifecycle_configuration" "ui" { | ||
bucket = aws_s3_bucket.ui.id | ||
|
||
rule { | ||
id = "expire-versions" | ||
status = "Enabled" | ||
|
||
abort_incomplete_multipart_upload { | ||
days_after_initiation = 3 | ||
} | ||
|
||
noncurrent_version_expiration { | ||
newer_noncurrent_versions = 5 | ||
noncurrent_days = 30 | ||
} | ||
|
||
expiration { | ||
expired_object_delete_marker = true | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
locals { | ||
cdn_name = "${var.prefix}-cdn" | ||
} | ||
|
||
resource "aws_cloudfront_origin_access_control" "cdn" { | ||
name = local.cdn_name | ||
description = "CDN for UI" | ||
origin_access_control_origin_type = "s3" | ||
signing_behavior = "always" | ||
signing_protocol = "sigv4" | ||
} | ||
|
||
data "aws_cloudfront_cache_policy" "cache_policy" { | ||
name = "Managed-CachingOptimized" | ||
} | ||
|
||
data "aws_cloudfront_origin_request_policy" "request_policy" { | ||
name = "Managed-CORS-S3Origin" | ||
} | ||
|
||
data "aws_cloudfront_response_headers_policy" "headers_policy" { | ||
name = "Managed-CORS-with-preflight-and-SecurityHeadersPolicy" | ||
} | ||
|
||
resource "aws_cloudfront_distribution" "cdn" { | ||
# checkov:skip=CKV2_AWS_42:Not set up custom domain yet | ||
# checkov:skip=CKV_AWS_86:Chosen not to enable access logging yet | ||
# checkov:skip=CKV2_AWS_47:Log4j is irrelvant for S3 origins | ||
# checkov:skip=CKV_AWS_310:Not enabling origin failover for S3 origin | ||
# checkov:skip=CKV_AWS_68:Not enabled WAF yet - $$$ | ||
origin { | ||
domain_name = aws_s3_bucket.ui.bucket_regional_domain_name | ||
origin_id = aws_s3_bucket.ui.id | ||
origin_access_control_id = aws_cloudfront_origin_access_control.cdn.id | ||
} | ||
|
||
enabled = true | ||
default_root_object = "index.html" | ||
#aliases - TODO Use our own DNS name | ||
|
||
default_cache_behavior { | ||
allowed_methods = ["GET", "HEAD", "OPTIONS"] | ||
cached_methods = ["GET", "HEAD"] | ||
target_origin_id = aws_s3_bucket.ui.id | ||
cache_policy_id = data.aws_cloudfront_cache_policy.cache_policy.id | ||
origin_request_policy_id = data.aws_cloudfront_origin_request_policy.request_policy.id | ||
viewer_protocol_policy = "redirect-to-https" | ||
response_headers_policy_id = data.aws_cloudfront_response_headers_policy.headers_policy.id | ||
} | ||
|
||
restrictions { | ||
geo_restriction { | ||
restriction_type = "none" | ||
} | ||
} | ||
|
||
viewer_certificate { | ||
cloudfront_default_certificate = true | ||
#minimum_protocol_version = "TLSv1.2_2021" # Not available on default certificate | ||
} | ||
|
||
#TODO - logging | ||
|
||
tags = { | ||
Name = local.cdn_name | ||
} | ||
} |