update response header policy (#8)

## Description Remove server and opennext header from cloudfront response  ## Context  NDOP Pen test ## Type of changes  - [x] Refactoring (non-breaking change) - [x] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would change existing functionality) - [ ] Bug fix (non-breaking change which fixes an issue) ## Checklist  - [x] I am familiar with the [contributing guidelines](../docs/CONTRIBUTING.md) - [x] I have followed the code style of the project - [x] I have added tests to cover my changes - [x] I have updated the documentation accordingly - [x] This PR is a result of pair or mob programming --- ## Sensitive Information Declaration To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including [PII (Personal Identifiable Information) / PID (Personal Identifiable Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter. - [x] I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.
nhs-england-tools · Aug 29, 2023 · aee2020 · aee2020
1 parent db95da3
commit aee2020
Show file tree

Hide file tree

Showing 8 changed files with 35 additions and 7 deletions.
diff --git a/locals.tf b/locals.tf
@@ -28,6 +28,9 @@ locals {
       override                   = true
       preload                    = true
     }, var.cloudfront.hsts)
+    remove_headers_config = merge({
+      items : []
+    }, var.cloudfront.remove_headers_config)
     waf_logging_configuration = var.cloudfront.waf_logging_configuration
     cache_policy = {
       default_ttl                   = coalesce(try(var.cloudfront.cache_policy.default_ttl, null), 0)

diff --git a/main.tf b/main.tf
@@ -217,4 +217,5 @@ module "cloudfront" {
   hsts                      = local.cloudfront.hsts
   waf_logging_configuration = local.cloudfront.waf_logging_configuration
   cache_policy              = local.cloudfront.cache_policy
+  remove_headers_config     = local.cloudfront.remove_headers_config
 }
diff --git a/modules/cloudfront-logs/kms.tf b/modules/cloudfront-logs/kms.tf
@@ -4,7 +4,7 @@ resource "aws_kms_key" "cloudwatch_logs_key" {
   description             = "KMS Key for ${var.log_group_name} log group"
   deletion_window_in_days = 10
   policy                  = data.aws_iam_policy_document.cloudwatch_logs_key_policy[0].json
-  enable_key_rotation = true
+  enable_key_rotation     = true
 }
 
 data "aws_iam_policy_document" "cloudwatch_logs_key_policy" {

diff --git a/modules/opennext-assets/s3.tf b/modules/opennext-assets/s3.tf
@@ -166,18 +166,18 @@ data "aws_iam_policy_document" "read_assets_bucket" {
     }
   }
   statement {
-    effect = "Deny"
-    actions = ["s3:*"]
+    effect    = "Deny"
+    actions   = ["s3:*"]
     resources = [aws_s3_bucket.assets.arn, "${aws_s3_bucket.assets.arn}/*"]
 
     condition {
-      test = "Bool"
-      values = ["false"]
+      test     = "Bool"
+      values   = ["false"]
       variable = "aws:SecureTransport"
     }
 
     principals {
-      type = "*"
+      type        = "*"
       identifiers = ["*"]
     }
   }

diff --git a/modules/opennext-cloudfront/cloudfront.tf b/modules/opennext-cloudfront/cloudfront.tf
@@ -146,6 +146,19 @@ resource "aws_cloudfront_response_headers_policy" "response_headers_policy" {
       }
     }
   }
+  dynamic "remove_headers_config" {
+    for_each = length(var.remove_headers_config.items) > 0 ? [true] : []
+
+    content {
+      dynamic "items" {
+        for_each = toset(var.remove_headers_config.items)
+
+        content {
+          header = items.value
+        }
+      }
+    }
+  }
 }
 
 resource "aws_cloudfront_distribution" "distribution" {

diff --git a/modules/opennext-cloudfront/variables.tf b/modules/opennext-cloudfront/variables.tf
@@ -162,3 +162,11 @@ variable "geo_restriction" {
     locations        = list(string)
   })
 }
+
+variable "remove_headers_config" {
+  description = "Response header removal configuration for the CloudFront distribution"
+  type = object({
+    items = list(string)
+  })
+}
+
diff --git a/modules/opennext-revalidation-queue/kms.tf b/modules/opennext-revalidation-queue/kms.tf
@@ -9,7 +9,7 @@ resource "aws_kms_key" "revalidation_queue_key" {
   description             = "${var.prefix} Revalidation SQS Queue KMS Key"
   deletion_window_in_days = 10
 
-  policy = data.aws_iam_policy_document.revalidation_queue_key_policy[0].json
+  policy              = data.aws_iam_policy_document.revalidation_queue_key_policy[0].json
   enable_key_rotation = true
 }
 

diff --git a/variables.tf b/variables.tf
@@ -327,6 +327,9 @@ variable "cloudfront" {
       allow_origins     = list(string)
       origin_override   = bool
     }))
+    remove_headers_config = optional(object({
+      items = list(string)
+    }))
     hsts = optional(object({
       access_control_max_age_sec = number
       include_subdomains         = bool