diff --git a/locals.tf b/locals.tf
index 0a6731e..9e66c17 100644
--- a/locals.tf
+++ b/locals.tf
@@ -28,6 +28,9 @@ locals {
       override = true
       preload = true
     }, var.cloudfront.hsts)
+    remove_headers_config = merge({
+      items : []
+    }, var.cloudfront.remove_headers_config)
     waf_logging_configuration = var.cloudfront.waf_logging_configuration
     cache_policy = {
       default_ttl = coalesce(try(var.cloudfront.cache_policy.default_ttl, null), 0)
diff --git a/main.tf b/main.tf
index d31053b..06e12d6 100644
--- a/main.tf
+++ b/main.tf
@@ -217,4 +217,5 @@ module "cloudfront" {
   hsts = local.cloudfront.hsts
   waf_logging_configuration = local.cloudfront.waf_logging_configuration
   cache_policy = local.cloudfront.cache_policy
+  remove_headers_config = local.cloudfront.remove_headers_config
 }
diff --git a/modules/cloudfront-logs/kms.tf b/modules/cloudfront-logs/kms.tf
index 25c59b0..0addc89 100644
--- a/modules/cloudfront-logs/kms.tf
+++ b/modules/cloudfront-logs/kms.tf
@@ -4,7 +4,7 @@ resource "aws_kms_key" "cloudwatch_logs_key" {
   description = "KMS Key for ${var.log_group_name} log group"
   deletion_window_in_days = 10
   policy = data.aws_iam_policy_document.cloudwatch_logs_key_policy[0].json
-  enable_key_rotation = true
+  enable_key_rotation = true
 }
 data "aws_iam_policy_document" "cloudwatch_logs_key_policy" {
diff --git a/modules/opennext-assets/s3.tf b/modules/opennext-assets/s3.tf
index 7c0668d..5146639 100644
--- a/modules/opennext-assets/s3.tf
+++ b/modules/opennext-assets/s3.tf
@@ -166,18 +166,18 @@ data "aws_iam_policy_document" "read_assets_bucket" {
     }
   }
   statement {
-    effect = "Deny"
-    actions = ["s3:*"]
+    effect = "Deny"
+    actions = ["s3:*"]
     resources = [aws_s3_bucket.assets.arn, "${aws_s3_bucket.assets.arn}/*"]
     condition {
-      test = "Bool"
-      values = ["false"]
+      test = "Bool"
+      values = ["false"]
       variable = "aws:SecureTransport"
     }
     principals {
-      type = "*"
+      type = "*"
       identifiers = ["*"]
     }
   }
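Review bot: The added default object in locals.tf writes its attribute as `items : []`, while the neighbouring defaults in the same `cloudfront` local (the `hsts` object just above, `cache_policy` just below) use `=`; Terraform accepts both separators, but `items = []` keeps the block consistent with the rest of the file. The default only takes effect when the caller omits the optional `remove_headers_config` attribute, which makes `var.cloudfront.remove_headers_config` null, so this line relies on `merge` skipping a null argument in the same way the `hsts` default above already does — worth a short comment, e.g. `# merge() ignores the null produced when the optional attribute is omitted`, since a reader might otherwise expect a type error. The enclosing `locals` block starts and ends outside the hunk.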
diff --git a/modules/opennext-cloudfront/cloudfront.tf b/modules/opennext-cloudfront/cloudfront.tf
index 36a1a6c..80feb01 100644
--- a/modules/opennext-cloudfront/cloudfront.tf
+++ b/modules/opennext-cloudfront/cloudfront.tf
@@ -146,6 +146,19 @@ resource "aws_cloudfront_response_headers_policy" "response_headers_policy" {
       }
     }
   }
+  dynamic "remove_headers_config" {
+    for_each = length(var.remove_headers_config.items) > 0 ? [true] : []
+
+    content {
+      dynamic "items" {
+        for_each = toset(var.remove_headers_config.items)
+
+        content {
+          header = items.value
+        }
+      }
+    }
+  }
 }
 resource "aws_cloudfront_distribution" "distribution" {
diff --git a/modules/opennext-cloudfront/variables.tf b/modules/opennext-cloudfront/variables.tf
index d3cea54..3a0a336 100644
--- a/modules/opennext-cloudfront/variables.tf
+++ b/modules/opennext-cloudfront/variables.tf
@@ -162,3 +162,11 @@ variable "geo_restriction" {
     locations = list(string)
   })
 }
+
+variable "remove_headers_config" {
+  description = "Response header removal configuration for the CloudFront distribution"
+  type = object({
+    items = list(string)
+  })
+}
+
diff --git a/modules/opennext-revalidation-queue/kms.tf b/modules/opennext-revalidation-queue/kms.tf
index 8d6e247..80ae450 100644
--- a/modules/opennext-revalidation-queue/kms.tf
+++ b/modules/opennext-revalidation-queue/kms.tf
@@ -9,7 +9,7 @@ resource "aws_kms_key" "revalidation_queue_key" {
   description = "${var.prefix} Revalidation SQS Queue KMS Key"
   deletion_window_in_days = 10
-  policy = data.aws_iam_policy_document.revalidation_queue_key_policy[0].json
+  policy = data.aws_iam_policy_document.revalidation_queue_key_policy[0].json
   enable_key_rotation = true
 }
diff --git a/variables.tf b/variables.tf
index 527a965..903a4f9 100644
--- a/variables.tf
+++ b/variables.tf
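Review bot: `toset(var.remove_headers_config.items)` in the inner `dynamic "items"` only collapses exact-case duplicates, so an input such as `["Server", "server"]` produces two `items` blocks for what CloudFront treats as a single header, since HTTP header names are case-insensitive; whether the API rejects that as a duplicate or accepts it silently is something to confirm, but normalising first, `for_each = toset([for h in var.remove_headers_config.items : lower(h)])`, makes the generated policy deterministic either way. A comment above the outer `dynamic` block should also note that a header listed here may conflict with one this same policy sets (for example `Strict-Transport-Security` from the `hsts` input), and that CloudFront refuses to remove certain content and hop-by-hop headers, so invalid names surface only at apply time unless the variable validates them. The enclosing `aws_cloudfront_response_headers_policy` resource starts outside the hunk.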
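Review bot: The new `variable "remove_headers_config"` in modules/opennext-cloudfront/variables.tf has no `default`, which turns it into a required input of the module; `main.tf` in this commit passes it, but any other consumer of the module now fails at plan time with a missing-variable error. Adding `default = { items = [] }` keeps the module backward compatible and mirrors the empty default that the root `locals.tf` already merges in, while the `length(...) > 0` guard in cloudfront.tf keeps the empty case out of the policy. The description could additionally say that `items` holds response header names to strip before the response reaches the viewer, since "removal configuration" alone does not tell a caller what the list contains.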
@@ -327,6 +327,9 @@ variable "cloudfront" {
       allow_origins = list(string)
       origin_override = bool
     }))
+    remove_headers_config = optional(object({
+      items = list(string)
+    }))
     hsts = optional(object({
       access_control_max_age_sec = number
       include_subdomains = bool