toggle removal based on variable value and default to false

nhs-england-tools · Aug 24, 2023 · ee7a33c · ee7a33c
1 parent cd9f713
commit ee7a33c
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 11 deletions.
diff --git a/locals.tf b/locals.tf
@@ -28,6 +28,10 @@ locals {
       override                   = true
       preload                    = true
     }, var.cloudfront.hsts)
+    response_headers_to_remove = merge({
+      server   = false,
+      opennext = true
+    }, var.cloudfront.response_headers_to_remove)
     waf_logging_configuration = var.cloudfront.waf_logging_configuration
     cache_policy = {
       default_ttl                   = coalesce(try(var.cloudfront.cache_policy.default_ttl, null), 0)

diff --git a/main.tf b/main.tf
@@ -208,13 +208,14 @@ module "cloudfront" {
     image_optimization_function = "${module.image_optimization_function.lambda_function_url.url_id}.lambda-url.${data.aws_region.current.name}.on.aws"
   }
 
-  aliases                   = local.cloudfront.aliases
-  acm_certificate_arn       = local.cloudfront.acm_certificate_arn
-  assets_paths              = local.cloudfront.assets_paths
-  custom_headers            = local.cloudfront.custom_headers
-  geo_restriction           = local.cloudfront.geo_restriction
-  cors                      = local.cloudfront.cors
-  hsts                      = local.cloudfront.hsts
-  waf_logging_configuration = local.cloudfront.waf_logging_configuration
-  cache_policy              = local.cloudfront.cache_policy
+  aliases                    = local.cloudfront.aliases
+  acm_certificate_arn        = local.cloudfront.acm_certificate_arn
+  assets_paths               = local.cloudfront.assets_paths
+  custom_headers             = local.cloudfront.custom_headers
+  geo_restriction            = local.cloudfront.geo_restriction
+  cors                       = local.cloudfront.cors
+  hsts                       = local.cloudfront.hsts
+  waf_logging_configuration  = local.cloudfront.waf_logging_configuration
+  cache_policy               = local.cloudfront.cache_policy
+  response_headers_to_remove = local.cloudfront.response_headers_to_remove
 }
diff --git a/modules/opennext-cloudfront/cloudfront.tf b/modules/opennext-cloudfront/cloudfront.tf
@@ -148,11 +148,11 @@ resource "aws_cloudfront_response_headers_policy" "response_headers_policy" {
   }
   remove_headers_config{
     items{
-      header = "Server"
+      header = var.response_headers_to_remove.server
       }
 
     items{
-      header = "X-Opennext"
+      header = var.response_headers_to_remove.opennext
     }
   }
 }

diff --git a/modules/opennext-cloudfront/variables.tf b/modules/opennext-cloudfront/variables.tf
@@ -162,3 +162,16 @@ variable "geo_restriction" {
     locations        = list(string)
   })
 }
+
+variable "response_headers_to_remove" {
+  description = "Response header removal configuration for the CloudFront distribution"
+  type = object({
+    server    = bool,
+    opennext = bool
+  })
+  default = {
+    server    = false,
+    opennext = false
+  }
+}
+
diff --git a/variables.tf b/variables.tf
@@ -327,6 +327,10 @@ variable "cloudfront" {
       allow_origins     = list(string)
       origin_override   = bool
     }))
+    response_header_to_remove = optional(object({
+      server   = bool,
+      opennext = bool
+    }))
     hsts = optional(object({
       access_control_max_age_sec = number
       include_subdomains         = bool