Skip to content

Commit

Permalink
update response header policy (#8)
Browse files Browse the repository at this point in the history
<!-- markdownlint-disable-next-line first-line-heading -->
## Description
Remove server and opennext header from cloudfront response
<!-- Describe your changes in detail. -->

## Context

<!-- Why is this change required? What problem does it solve? -->
NDOP Pen test
## Type of changes

<!-- What types of changes does your code introduce? Put an `x` in all
the boxes that apply. -->

- [x] Refactoring (non-breaking change)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would change existing
functionality)
- [ ] Bug fix (non-breaking change which fixes an issue)

## Checklist

<!-- Go over all the following points, and put an `x` in all the boxes
that apply. -->

- [x] I am familiar with the [contributing
guidelines](../docs/CONTRIBUTING.md)
- [x] I have followed the code style of the project
- [x] I have added tests to cover my changes
- [x] I have updated the documentation accordingly
- [x] This PR is a result of pair or mob programming

---

## Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others
privacy, we kindly ask you to NOT including [PII (Personal Identifiable
Information) / PID (Personal Identifiable
Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public)
or any other sensitive data in this PR (Pull Request) and the codebase
changes. We will remove any PR that do contain any sensitive
information. We really appreciate your cooperation in this matter.

- [x] I confirm that neither PII/PID nor sensitive data are included in
this PR and the codebase changes.
  • Loading branch information
eesa456 authored Aug 29, 2023
1 parent db95da3 commit aee2020
Show file tree
Hide file tree
Showing 8 changed files with 35 additions and 7 deletions.
3 changes: 3 additions & 0 deletions locals.tf
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,9 @@ locals {
override = true
preload = true
}, var.cloudfront.hsts)
remove_headers_config = merge({
items : []
}, var.cloudfront.remove_headers_config)
waf_logging_configuration = var.cloudfront.waf_logging_configuration
cache_policy = {
default_ttl = coalesce(try(var.cloudfront.cache_policy.default_ttl, null), 0)
Expand Down
1 change: 1 addition & 0 deletions main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -217,4 +217,5 @@ module "cloudfront" {
hsts = local.cloudfront.hsts
waf_logging_configuration = local.cloudfront.waf_logging_configuration
cache_policy = local.cloudfront.cache_policy
remove_headers_config = local.cloudfront.remove_headers_config
}
2 changes: 1 addition & 1 deletion modules/cloudfront-logs/kms.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ resource "aws_kms_key" "cloudwatch_logs_key" {
description = "KMS Key for ${var.log_group_name} log group"
deletion_window_in_days = 10
policy = data.aws_iam_policy_document.cloudwatch_logs_key_policy[0].json
enable_key_rotation = true
enable_key_rotation = true
}

data "aws_iam_policy_document" "cloudwatch_logs_key_policy" {
Expand Down
10 changes: 5 additions & 5 deletions modules/opennext-assets/s3.tf
Original file line number Diff line number Diff line change
Expand Up @@ -166,18 +166,18 @@ data "aws_iam_policy_document" "read_assets_bucket" {
}
}
statement {
effect = "Deny"
actions = ["s3:*"]
effect = "Deny"
actions = ["s3:*"]
resources = [aws_s3_bucket.assets.arn, "${aws_s3_bucket.assets.arn}/*"]

condition {
test = "Bool"
values = ["false"]
test = "Bool"
values = ["false"]
variable = "aws:SecureTransport"
}

principals {
type = "*"
type = "*"
identifiers = ["*"]
}
}
Expand Down
13 changes: 13 additions & 0 deletions modules/opennext-cloudfront/cloudfront.tf
Original file line number Diff line number Diff line change
Expand Up @@ -146,6 +146,19 @@ resource "aws_cloudfront_response_headers_policy" "response_headers_policy" {
}
}
}
dynamic "remove_headers_config" {
for_each = length(var.remove_headers_config.items) > 0 ? [true] : []

content {
dynamic "items" {
for_each = toset(var.remove_headers_config.items)

content {
header = items.value
}
}
}
}
}

resource "aws_cloudfront_distribution" "distribution" {
Expand Down
8 changes: 8 additions & 0 deletions modules/opennext-cloudfront/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -162,3 +162,11 @@ variable "geo_restriction" {
locations = list(string)
})
}

variable "remove_headers_config" {
description = "Response header removal configuration for the CloudFront distribution"
type = object({
items = list(string)
})
}

2 changes: 1 addition & 1 deletion modules/opennext-revalidation-queue/kms.tf
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ resource "aws_kms_key" "revalidation_queue_key" {
description = "${var.prefix} Revalidation SQS Queue KMS Key"
deletion_window_in_days = 10

policy = data.aws_iam_policy_document.revalidation_queue_key_policy[0].json
policy = data.aws_iam_policy_document.revalidation_queue_key_policy[0].json
enable_key_rotation = true
}

Expand Down
3 changes: 3 additions & 0 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -327,6 +327,9 @@ variable "cloudfront" {
allow_origins = list(string)
origin_override = bool
}))
remove_headers_config = optional(object({
items = list(string)
}))
hsts = optional(object({
access_control_max_age_sec = number
include_subdomains = bool
Expand Down

0 comments on commit aee2020

Please sign in to comment.