From ee7a33cd20938175d0e85b95918f244ce569cb85 Mon Sep 17 00:00:00 2001
From: eesa456
Date: Thu, 24 Aug 2023 10:05:52 +0100
Subject: [PATCH] toggle removal based on variable value and default to false
---
 locals.tf | 4 ++++
 main.tf | 19 ++++++++++---------
 modules/opennext-cloudfront/cloudfront.tf | 4 ++--
 modules/opennext-cloudfront/variables.tf | 13 +++++++++++++
 variables.tf | 4 ++++
 5 files changed, 33 insertions(+), 11 deletions(-)
diff --git a/locals.tf b/locals.tf
index 0a6731e..b184db7 100644
--- a/locals.tf
+++ b/locals.tf
@@ -28,6 +28,10 @@ locals {
 override = true
 preload = true
 }, var.cloudfront.hsts)
+ response_headers_to_remove = merge({
+ server = false,
+ opennext = true
+ }, var.cloudfront.response_headers_to_remove)
 waf_logging_configuration = var.cloudfront.waf_logging_configuration
 cache_policy = {
 default_ttl = coalesce(try(var.cloudfront.cache_policy.default_ttl, null), 0)
diff --git a/main.tf b/main.tf
index d31053b..47e0fd1 100644
--- a/main.tf
+++ b/main.tf
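Review bot: The defaults merged in the locals.tf hunk (`server = false`, `opennext = true`) disagree with the module variable's defaults (both `false`) and with the commit subject, and they change the earlier behaviour in which `Server` and `X-Opennext` were both always stripped. With `server = false` the origin's `Server` banner reaches clients unless every caller opts in, which is a quiet loss of a hardening default. If stripping was meant to stay on, keep `server = true` here; otherwise add a comment such as `# true = strip this header from CloudFront responses` and mention the default change in the release notes.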
@@ -208,13 +208,14 @@ module "cloudfront" { image_optimization_function = "${module.image_optimization_function.lambda_function_url.url_id}.lambda-url.${data.aws_region.current.name}.on.aws" } - aliases = local.cloudfront.aliases - acm_certificate_arn = local.cloudfront.acm_certificate_arn - assets_paths = local.cloudfront.assets_paths - custom_headers = local.cloudfront.custom_headers - geo_restriction = local.cloudfront.geo_restriction - cors = local.cloudfront.cors - hsts = local.cloudfront.hsts - waf_logging_configuration = local.cloudfront.waf_logging_configuration - cache_policy = local.cloudfront.cache_policy + aliases = local.cloudfront.aliases + acm_certificate_arn = local.cloudfront.acm_certificate_arn + assets_paths = local.cloudfront.assets_paths + custom_headers = local.cloudfront.custom_headers + geo_restriction = local.cloudfront.geo_restriction + cors = local.cloudfront.cors + hsts = local.cloudfront.hsts + waf_logging_configuration = local.cloudfront.waf_logging_configuration + cache_policy = local.cloudfront.cache_policy + response_headers_to_remove = local.cloudfront.response_headers_to_remove } diff --git a/modules/opennext-cloudfront/cloudfront.tf b/modules/opennext-cloudfront/cloudfront.tf index bf36ad8..dd80a3b 100644 --- a/modules/opennext-cloudfront/cloudfront.tf +++ b/modules/opennext-cloudfront/cloudfront.tf @@ -148,11 +148,11 @@ resource "aws_cloudfront_response_headers_policy" "response_headers_policy" { } remove_headers_config{ items{ - header = "Server" + header = var.response_headers_to_remove.server } items{ - header = "X-Opennext" + header = var.response_headers_to_remove.opennext } } } diff --git a/modules/opennext-cloudfront/variables.tf b/modules/opennext-cloudfront/variables.tf index d3cea54..fcf7cd3 100644 --- a/modules/opennext-cloudfront/variables.tf +++ b/modules/opennext-cloudfront/variables.tf 
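Review bot: In the cloudfront.tf hunk `header` is assigned a bool (`var.response_headers_to_remove.server` and `.opennext`), but the `items` block expects a header name, so Terraform will convert the flag to the string "true" or "false" and the policy no longer strips `Server` or `X-Opennext` at all; with the module defaults both items would also name the same header. The flag should decide whether an `items` block exists, with the header names kept as literals, for example through a `dynamic "items"` block filtered on the flags as sketched below. Whether an empty `remove_headers_config` is accepted when both flags are false is not visible here, so confirm it with a plan or make that block dynamic as well. The resource body starts and ends outside the hunk.

```hcl
remove_headers_config {
  # One items block per header whose flag is true; header names stay literal.
  dynamic "items" {
    for_each = toset([
      for name, enabled in {
        "Server"     = var.response_headers_to_remove.server
        "X-Opennext" = var.response_headers_to_remove.opennext
      } : name if enabled
    ])
    content {
      header = items.value
    }
  }
}
```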
@@ -162,3 +162,16 @@ variable "geo_restriction" {
 locations = list(string)
 })
 }
+
+variable "response_headers_to_remove" {
+ description = "Response header removal configuration for the CloudFront distribution"
+ type = object({
+ server = bool,
+ opennext = bool
+ })
+ default = {
+ server = false,
+ opennext = false
+ }
+}
+
diff --git a/variables.tf b/variables.tf
index 527a965..f1ce6d4 100644
--- a/variables.tf
+++ b/variables.tf
@@ -327,6 +327,10 @@ variable "cloudfront" {
 allow_origins = list(string)
 origin_override = bool
 }))
+ response_header_to_remove = optional(object({
+ server = bool,
+ opennext = bool
+ }))
 hsts = optional(object({
 access_control_max_age_sec = number
 include_subdomains = bool
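Review bot: The description of `response_headers_to_remove` in modules/opennext-cloudfront/variables.tf does not say which header each flag controls or which value strips it. I would write it as `description = "Which response headers CloudFront strips: server = Server, opennext = X-Opennext; true removes the header"`. The `false` default for both flags also differs from the `opennext = true` default merged in locals.tf, so the two should be aligned.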
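Review bot: The attribute added to the `cloudfront` object type in the root variables.tf is spelled `response_header_to_remove`, while locals.tf reads `var.cloudfront.response_headers_to_remove`. Because the object type does not declare the plural name, that reference should fail validation as an unsupported attribute, and a value a caller supplies under the plural name would be dropped by the type conversion. Rename the attribute to match: `response_headers_to_remove = optional(object({`. The `variable "cloudfront"` block starts and ends outside the hunk.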