From aee2020695278a4ddbb42765005ea6b55ac3cd9b Mon Sep 17 00:00:00 2001
From: Eesa Mahmood <73350153+eesa456@users.noreply.github.com>
Date: Tue, 29 Aug 2023 16:48:19 +0100
Subject: [PATCH] update response header policy (#8)
## Description
Remove server and opennext header from cloudfront response
## Context
NDOP Pen test
## Type of changes
- [x] Refactoring (non-breaking change)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would change existing functionality)
- [ ] Bug fix (non-breaking change which fixes an issue)
## Checklist
- [x] I am familiar with the [contributing guidelines](../docs/CONTRIBUTING.md)
- [x] I have followed the code style of the project
- [x] I have added tests to cover my changes
- [x] I have updated the documentation accordingly
- [x] This PR is a result of pair or mob programming
---
## Sensitive Information Declaration
To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including [PII (Personal Identifiable Information) / PID (Personal Identifiable Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.
- [x] I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.
---
locals.tf | 3 +++
main.tf | 1 +
modules/cloudfront-logs/kms.tf | 2 +-
modules/opennext-assets/s3.tf | 10 +++++-----
modules/opennext-cloudfront/cloudfront.tf | 13 +++++++++++++
modules/opennext-cloudfront/variables.tf | 8 ++++++++
modules/opennext-revalidation-queue/kms.tf | 2 +-
variables.tf | 3 +++
8 files changed, 35 insertions(+), 7 deletions(-)
diff --git a/locals.tf b/locals.tf
index 0a6731e..9e66c17 100644
--- a/locals.tf
+++ b/locals.tf
@@ -28,6 +28,9 @@ locals {
 override = true
 preload = true
 }, var.cloudfront.hsts)
+ remove_headers_config = merge({
+ items : []
+ }, var.cloudfront.remove_headers_config)
 waf_logging_configuration = var.cloudfront.waf_logging_configuration
 cache_policy = {
 default_ttl = coalesce(try(var.cloudfront.cache_policy.default_ttl, null), 0)
diff --git a/main.tf b/main.tf
index d31053b..06e12d6 100644
--- a/main.tf
+++ b/main.tf
@@ -217,4 +217,5 @@ module "cloudfront" {
 hsts = local.cloudfront.hsts
 waf_logging_configuration = local.cloudfront.waf_logging_configuration
 cache_policy = local.cloudfront.cache_policy
+ remove_headers_config = local.cloudfront.remove_headers_config
 }
diff --git a/modules/cloudfront-logs/kms.tf b/modules/cloudfront-logs/kms.tf
index 25c59b0..0addc89 100644
--- a/modules/cloudfront-logs/kms.tf
+++ b/modules/cloudfront-logs/kms.tf
@@ -4,7 +4,7 @@ resource "aws_kms_key" "cloudwatch_logs_key" {
 description = "KMS Key for ${var.log_group_name} log group"
 deletion_window_in_days = 10
 policy = data.aws_iam_policy_document.cloudwatch_logs_key_policy[0].json
- enable_key_rotation = true
+ enable_key_rotation = true
 }
 data "aws_iam_policy_document" "cloudwatch_logs_key_policy" {
diff --git a/modules/opennext-assets/s3.tf b/modules/opennext-assets/s3.tf
index 7c0668d..5146639 100644
--- a/modules/opennext-assets/s3.tf
+++ b/modules/opennext-assets/s3.tf
@@ -166,18 +166,18 @@ data "aws_iam_policy_document" "read_assets_bucket" {
 }
 }
 statement {
- effect = "Deny"
- actions = ["s3:*"]
+ effect = "Deny"
+ actions = ["s3:*"]
 resources = [aws_s3_bucket.assets.arn, "${aws_s3_bucket.assets.arn}/*"]
 condition {
- test = "Bool"
- values = ["false"]
+ test = "Bool"
+ values = ["false"]
 variable = "aws:SecureTransport"
 }
 principals {
- type = "*"
+ type = "*"
 identifiers = ["*"]
 }
 }
diff --git a/modules/opennext-cloudfront/cloudfront.tf b/modules/opennext-cloudfront/cloudfront.tf
index 36a1a6c..80feb01 100644
--- a/modules/opennext-cloudfront/cloudfront.tf
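Review bot: The `items : []` default in the new `remove_headers_config` merge means the response headers policy strips nothing unless the caller sets `var.cloudfront.remove_headers_config`, so the Server/OpenNext header removal this PR exists for is opt-in rather than something every distribution built from this module gets. If the goal is for the module itself to close the pen-test finding, consider defaulting `items` to the headers that were flagged (the description names `server`; I have not verified the exact OpenNext header name), or at least add `# Default strips nothing: callers must list header names (e.g. ["server"]) for CloudFront to remove them` above the merge so the opt-in nature is explicit. Relying on `merge()` to tolerate a null second argument when the root attribute is unset matches the existing `hsts` merge just above, so that part is consistent with the file. The `locals` block starts and ends outside the hunk.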
+++ b/modules/opennext-cloudfront/cloudfront.tf
@@ -146,6 +146,19 @@ resource "aws_cloudfront_response_headers_policy" "response_headers_policy" {
 }
 }
 }
+ dynamic "remove_headers_config" {
+ for_each = length(var.remove_headers_config.items) > 0 ? [true] : []
+
+ content {
+ dynamic "items" {
+ for_each = toset(var.remove_headers_config.items)
+
+ content {
+ header = items.value
+ }
+ }
+ }
+ }
 }
 resource "aws_cloudfront_distribution" "distribution" {
diff --git a/modules/opennext-cloudfront/variables.tf b/modules/opennext-cloudfront/variables.tf
index d3cea54..3a0a336 100644
--- a/modules/opennext-cloudfront/variables.tf
+++ b/modules/opennext-cloudfront/variables.tf
@@ -162,3 +162,11 @@ variable "geo_restriction" {
 locations = list(string)
 })
 }
+
+variable "remove_headers_config" {
+ description = "Response header removal configuration for the CloudFront distribution"
+ type = object({
+ items = list(string)
+ })
+}
+
diff --git a/modules/opennext-revalidation-queue/kms.tf b/modules/opennext-revalidation-queue/kms.tf
index 8d6e247..80ae450 100644
--- a/modules/opennext-revalidation-queue/kms.tf
+++ b/modules/opennext-revalidation-queue/kms.tf
@@ -9,7 +9,7 @@ resource "aws_kms_key" "revalidation_queue_key" {
 description = "${var.prefix} Revalidation SQS Queue KMS Key"
 deletion_window_in_days = 10
- policy = data.aws_iam_policy_document.revalidation_queue_key_policy[0].json
+ policy = data.aws_iam_policy_document.revalidation_queue_key_policy[0].json
 enable_key_rotation = true
 }
diff --git a/variables.tf b/variables.tf
index 527a965..903a4f9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -327,6 +327,9 @@ variable "cloudfront" {
 allow_origins = list(string)
 origin_override = bool
 }))
+ remove_headers_config = optional(object({
+ items = list(string)
+ }))
 hsts = optional(object({
 access_control_max_age_sec = number
 include_subdomains = bool
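Review bot: `for_each = toset(var.remove_headers_config.items)` deduplicates only byte-identical strings, while HTTP header names are case-insensitive, so a list such as `["Server", "server"]` yields two `items` blocks naming the same header, which the CloudFront API will most likely reject as a duplicate at apply time. Normalising before building the set avoids that: `for_each = toset([for h in var.remove_headers_config.items : lower(h)])`. The outer `for_each = length(...) > 0 ? [true] : []` guard is a reasonable way to omit an empty `remove_headers_config` block entirely. The enclosing `aws_cloudfront_response_headers_policy` resource begins before the hunk.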
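Review bot: `variable "remove_headers_config"` is declared without a `default`, so every consumer of this module must now pass it; the root module does so via `local.cloudfront.remove_headers_config`, but anyone calling the module directly gets a hard error for what is an optional feature. Adding `default = { items = [] }` keeps the root wiring unchanged and makes the attribute opt-in at both levels. The description could also say what `items` holds and its limits, e.g. `description = "Names of response headers CloudFront should strip (case-insensitive); CloudFront refuses to remove certain hop-by-hop and X-Amz-* headers, so apply fails for those"` — I am citing the documented CloudFront restriction from memory, so confirm the exact list before wording it.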
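Review bot: `remove_headers_config = optional(object({ items = list(string) }))` carries no default, so an unset attribute reaches `locals.tf` as null and the module depends on `merge()` skipping null arguments to supply `items : []`. Declaring the default where the type lives, `remove_headers_config = optional(object({ items = list(string) }), { items = [] })`, states the contract once and removes that dependency. The sibling `hsts` attribute below uses the same null-then-merge pattern, so this is a consistency choice rather than a defect; the `variable "cloudfront"` block starts and ends outside the hunk.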