Migrated to Cloudfront Function

Lupus-Metallum · Oct 22, 2021 · 59bcc1c · 59bcc1c
1 parent 4ba4e52
commit 59bcc1c
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 106 deletions.
diff --git a/README.md b/README.md
@@ -1,2 +1,20 @@
 # terraform-aws-cloudfront-security-headers
 Terraform module to create a Lambda@Edge function to add best practice security headers and support HSTS preload requirements.
+
+## Example
+``` terraform
+module "security_headers" {
+  source                             = "Lupus-Metallum/cloudfront-security-headers/aws"
+  version                            = "3.0.0"
+  name                               = "AddSecurityHeaders"
+  access_control_allow_methods       = "POST, GET, OPTIONS"
+  access_control_allow_origin        = "https://example.com"
+  content_security_policy            = "default-src 'self:'; img-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; object-src 'none'"
+  referrer_policy                    = "same-origin"
+  strict_transport_security          = "max-age=63072000; includeSubdomains; preload"
+  x_content_type_options             = "nosniff"
+  x_frame_options                    = "DENY"
+  x_xss_protection                   = "1; mode=block"
+  feature_policy                     = ""
+}
+```
diff --git a/main.tf b/main.tf
@@ -1,63 +1,11 @@
 data "aws_partition" "current" {}
 
-
-resource "aws_iam_role" "execution_role" {
-  name               = "${var.name}-execution-role"
-  assume_role_policy = <<-EOF
-  {
-    "Version": "2012-10-17",
-    "Statement": [
-      {
-        "Action": "sts:AssumeRole",
-        "Principal": {
-          "Service": [
-            "lambda.amazonaws.com",
-            "edgelambda.amazonaws.com"
-          ]
-        },
-        "Effect": "Allow",
-        "Sid": ""
-      }
-    ]
-  }
-  EOF
-  tags               = var.tags
-}
-
-data "aws_iam_policy_document" "execution_role" {
-  statement {
-    sid = "AllowCloudWatchLogs"
-    actions = [
-      "logs:CreateLogGroup",
-      "logs:CreateLogStream",
-      "logs:PutLogEvents"
-    ]
-    effect = "Allow"
-    resources = [
-      format(
-        "arn:%s:logs:*::log-group:/aws/lambda/*:*:*",
-        data.aws_partition.current.partition
-      )
-    ]
-  }
-}
-
-resource "aws_iam_policy" "execution_role" {
-  name   = "${var.name}-policy"
-  path   = "/"
-  policy = data.aws_iam_policy_document.execution_role.json
-}
-
-resource "aws_iam_role_policy_attachment" "execution_role" {
-  role       = aws_iam_role.execution_role.name
-  policy_arn = aws_iam_policy.execution_role.arn
-}
-
-data "archive_file" "this" {
-  type        = "zip"
-  output_path = "${path.module}/deploy.zip"
-  source {
-    content = templatefile("${path.module}/src/index.js.tpl", {
+resource "aws_cloudfront_function" "this" {
+  name    = var.name
+  runtime = "cloudfront-js-1.0"
+  comment = var.description
+  publish = true
+  code    = templatefile("${path.module}/src/index.js.tpl", {
       add_access_control_allow_origin    = length(var.access_control_allow_origin) > 0 ? true : false,
       access_control_allow_origin_value  = var.access_control_allow_origin,
       add_access_control_allow_methods   = length(var.access_control_allow_methods) > 0 ? true : false,
@@ -77,23 +25,4 @@ data "archive_file" "this" {
       add_feature_policy                = length(var.feature_policy) > 0 ? true : false,
       feature_policy_value              = var.feature_policy,
     })
-    filename = "index.js"
-  }
 }
-
-resource "aws_lambda_function" "this" {
-  function_name    = var.name
-  description      = var.description
-  filename         = data.archive_file.this.output_path
-  source_code_hash = data.archive_file.this.output_base64sha256
-  handler          = "index.handler"
-  runtime          = "nodejs12.x"
-  role             = aws_iam_role.execution_role.arn
-  timeout          = var.timeout
-  memory_size      = var.memory_size
-  publish          = true
-  tags             = var.tags
-  depends_on = [
-    data.archive_file.this
-  ]
-}
diff --git a/outputs.tf b/outputs.tf
@@ -1,3 +1,3 @@
-output "lambda_arn" {
-  value = aws_lambda_function.this.qualified_arn
+output "arn" {
+  value = aws_cloudfront_function.this.arn
 }
diff --git a/src/index.js.tpl b/src/index.js.tpl
@@ -1,10 +1,9 @@
-'use strict';
-exports.handler = (event, context, callback) => {
-    
-    //Get contents of response
-    const response = event.Records[0].cf.response;
-    const headers = response.headers;
+function handler(event) {
+    var response = event.response;
+    var headers = response.headers;
 
+    // Set HTTP security headers
+    // Since JavaScript doesnt allow for hyphens in variable names, we use the dict["key"] notation 
     //Set new headers 
     const addAccessControlAllowOrigin = ${add_access_control_allow_origin}
     if ( ${add_access_control_allow_origin} == true ) {
@@ -43,6 +42,6 @@ exports.handler = (event, context, callback) => {
         headers['feature-policy'] = [{key: 'Feature-Policy', value: '${feature_policy_value}'}]; 
     }
 
-    //Return modified response
-    callback(null, response);
-};
+    // Return the response to viewers 
+    return response;
+}
diff --git a/variables.tf b/variables.tf
@@ -1,9 +1,3 @@
-variable "tags" {
-  default     = {}
-  type        = map(string)
-  description = "Tags to add to resouces created by this module"
-}
-
 variable "name" {
   type        = string
   description = "Name to use for resource names created by this module"
@@ -15,18 +9,6 @@ variable "description" {
   default     = "Adds security headers for Cloudfront"
 }
 
-variable "timeout" {
-  type        = number
-  default     = 1
-  description = "Timeout to use for Lambda, defaults to 1ms"
-}
-
-variable "memory_size" {
-  type        = number
-  default     = 128
-  description = "Memory to use for Lambda, defaults to 128mb"
-}
-
 variable "access_control_allow_origin" {
   type        = string
   default     = ""