Add parameterised geo-restriction, fix open-next.zip path

nhs-england-tools · Jul 14, 2023 · 6848adc · 6848adc
1 parent 7beb660
commit 6848adc
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 5 deletions.
diff --git a/.github/workflows/cicd-pipeline.yaml b/.github/workflows/cicd-pipeline.yaml
@@ -175,7 +175,7 @@ jobs:
           name: example-app-opennext-build
 
       - name: Unzip Build Artifacts to .open-next folder
-        run: unzip -q -d example/.open-next example-app-opennext-build/open-next.zip
+        run: unzip -q -d example/.open-next open-next.zip
 
       - name: Run Terraform Init
         run: terraform -chdir=example/terraform init

diff --git a/locals.tf b/locals.tf
@@ -11,6 +11,7 @@ locals {
     acm_certificate_arn = var.cloudfront.acm_certificate_arn
     assets_paths        = coalesce(var.cloudfront.assets_paths, [])
     custom_headers      = coalesce(var.cloudfront.custom_headers, [])
+    geo_restriction     = try(var.cloudfront.geo_restriction, null)
     cors = merge({
       allow_credentials = false,
       allow_headers     = ["*"],

diff --git a/main.tf b/main.tf
@@ -212,6 +212,7 @@ module "cloudfront" {
   acm_certificate_arn       = local.cloudfront.acm_certificate_arn
   assets_paths              = local.cloudfront.assets_paths
   custom_headers            = local.cloudfront.custom_headers
+  geo_restriction           = local.cloudfront.geo_restriction
   cors                      = local.cloudfront.cors
   hsts                      = local.cloudfront.hsts
   waf_logging_configuration = local.cloudfront.waf_logging_configuration

diff --git a/modules/opennext-cloudfront/cloudfront.tf b/modules/opennext-cloudfront/cloudfront.tf
@@ -169,10 +169,13 @@ resource "aws_cloudfront_distribution" "distribution" {
   }
 
   restrictions {
-    geo_restriction {
-      restriction_type = "whitelist"
-      # TODO: Remove US location after implementing GitHub Self-Hosted runners
-      locations = ["GB", "US"]
+    dynamic "geo_restriction" {
+      for_each = var.geo_restriction != null ? [true] : []
+
+      content {
+        restriction_type = var.geo_restriction.restriction_type
+        locations        = var.geo_restriction.whitelist
+      }
     }
   }
 

diff --git a/modules/opennext-cloudfront/variables.tf b/modules/opennext-cloudfront/variables.tf
@@ -152,3 +152,12 @@ variable "cache_policy" {
     })
   })
 }
+
+variable "geo_restriction" {
+  description = "The georestriction configuration for the CloudFront distribution"
+  type = object({
+    restriction_type = string
+    locations        = list(string)
+  })
+  default = null
+}
diff --git a/variables.tf b/variables.tf
@@ -316,6 +316,10 @@ variable "cloudfront" {
       override = bool
       value    = string
     })))
+    geo_restriction = optional(object({
+      restriction_type = string
+      locations        = list(string)
+    }))
     cors = optional(object({
       allow_credentials = bool,
       allow_headers     = list(string)