feat: Allow the managed request policy to be specified.

jamesiarmes · jamesiarmes · commit 649a201ffd3b · 2024-12-04T16:29:51.000-05:00
fix: Updated the default request policy to "AllViewer", as recommended for custom origins.
diff --git a/README.md b/README.md
@@ -50,21 +50,22 @@ these rules are spaced out to allow for custom rules to be inserted between.
 ## Inputs
 
 
-| Name               | Description                                                                                         | Type           | Default | Required |
-|--------------------|-----------------------------------------------------------------------------------------------------|----------------|---------|----------|
-| domain             | Primary domain for the distribution. The hosted zone for this domain should be in the same account. | `string`       | n/a     | yes      |
-| log_bucket         | Domain name of the S3 bucket to send logs to.                                                       | `string`       | n/a     | yes      |
-| log_group          | CloudWatch log group to send WAF logs to.                                                           | `string`       | n/a     | yes      |
-| project            | Project that these resources are supporting.                                                        | `string`       | n/a     | yes      |
-| [custom_headers]   | Custom headers to send to the origin.                                                               | `map(string)`  | `{}`    | no       |
-| environment        | The environment for the deployment.                                                                 | `string`       | `"dev"` | no       |
-| [ip_set_rules]     | Custom IP Set rules for the WAF                                                                     | `map(object)`  | `{}`    | no       |
-| [rate_limit_rules] | Rate limiting configuration for the WAF.                                                            | `map(object)`  | `{}`    | no       |
-| origin_domain      | Fully qualified domain name for the origin. Defaults to `origin.${subdomain}.${domain}`.            | `string`       | n/a     | no       |
-| passive            | Enable passive mode for the WAF, counting all requests rather than blocking.                        | `bool`         | `false` | no       |
-| subdomain          | Subdomain for the distribution. Defaults to the environment.                                        | `string`       | n/a     | no       |
-| tags               | Optional tags to be applied to all resources.                                                       | `map(string)`  | `{}`    | no       |
-| [upload_paths]     | Optional paths to allow uploads to.                                                                 | `list(object)` | `[]`    | no       |
+| Name               | Description                                                                                                               | Type           | Default       | Required |
+|--------------------|---------------------------------------------------------------------------------------------------------------------------|----------------|---------------|----------|
+| domain             | Primary domain for the distribution. The hosted zone for this domain should be in the same account.                       | `string`       | n/a           | yes      |
+| log_bucket         | Domain name of the S3 bucket to send logs to.                                                                             | `string`       | n/a           | yes      |
+| log_group          | CloudWatch log group to send WAF logs to.                                                                                 | `string`       | n/a           | yes      |
+| project            | Project that these resources are supporting.                                                                              | `string`       | n/a           | yes      |
+| [custom_headers]   | Custom headers to send to the origin.                                                                                     | `map(string)`  | `{}`          | no       |
+| environment        | The environment for the deployment.                                                                                       | `string`       | `"dev"`       | no       |
+| [ip_set_rules]     | Custom IP Set rules for the WAF                                                                                           | `map(object)`  | `{}`          | no       |
+| [rate_limit_rules] | Rate limiting configuration for the WAF.                                                                                  | `map(object)`  | `{}`          | no       |
+| origin_domain      | Fully qualified domain name for the origin. Defaults to `origin.${subdomain}.${domain}`.                                  | `string`       | n/a           | no       |
+| passive            | Enable passive mode for the WAF, counting all requests rather than blocking.                                              | `bool`         | `false`       | no       |
+| request_policy     | Managed request policy to associate with the distribution. See the [managed policies][managed-policies] for valid values. | `string`       | `"AllViewer"` | no       |
+| subdomain          | Subdomain for the distribution. Defaults to the environment.                                                              | `string`       | n/a           | no       |
+| tags               | Optional tags to be applied to all resources.                                                                             | `map(string)`  | `{}`          | no       |
+| [upload_paths]     | Optional paths to allow uploads to.                                                                                       | `list(object)` | `[]`          | no       |
 
 ### custom_headers
 
@@ -236,6 +237,7 @@ module "cloudfront_waf" {
 [ip-rules]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html
 [ip_set_rules]: #ip_set_rules
 [latest-release]: https://github.com/codeforamerica/tofu-modules-aws-cloudfront-waf/releases/latest
+[managed-policies]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html
 [rate_limit_rules]: #rate_limit_rules
 [rules-common]: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-crs
 [rules-inputs]: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs
diff --git a/data.tf b/data.tf
@@ -1,5 +1,5 @@
 data "aws_cloudfront_origin_request_policy" "managed_cors" {
-  name = "Managed-CORS-CustomOrigin"
+  name = "Managed-${var.request_policy}"
 }
 
 data "aws_cloudfront_response_headers_policy" "managed_cors" {
diff --git a/variables.tf b/variables.tf
@@ -15,6 +15,17 @@ variable "environment" {
   default     = "dev"
 }
 
+variable "ip_set_rules" {
+  type = map(object({
+    name     = optional(string, "")
+    action   = optional(string, "allow")
+    priority = optional(number, null)
+    arn      = string
+  }))
+  description = "Custom IP Set rules for the WAF."
+  default     = {}
+}
+
 variable "log_bucket" {
   type        = string
   description = "S3 Bucket to send logs to."
@@ -42,17 +53,6 @@ variable "project" {
   description = "Project that these resources are supporting."
 }
 
-variable "ip_set_rules" {
-  type = map(object({
-    name     = optional(string, "")
-    action   = optional(string, "allow")
-    priority = optional(number, null)
-    arn      = string
-  }))
-  description = "Custom IP Set rules for the WAF."
-  default     = {}
-}
-
 variable "rate_limit_rules" {
   type = map(object({
     name     = optional(string, "")
@@ -65,6 +65,25 @@ variable "rate_limit_rules" {
   default     = {}
 }
 
+variable "request_policy" {
+  type        = string
+  description = "Managed request policy to associate with the distribution."
+  default     = "AllViewer"
+
+  validation {
+    condition     = contains([
+        "AllViewer",
+        "AllViewerAndCloudFrontHeaders-2022-06",
+        "AllViewerExceptHostHeader",
+        "CORS-CustomOrigin",
+        "CORS-S3Origin",
+        "Elemental-MediaTailor-PersonalizedManifests",
+        "UserAgentRefererHeaders"
+      ], var.request_policy)
+    error_message = "Invalid request policy. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html"
+  }
+}
+
 variable "subdomain" {
   type        = string
   description = "Subdomain for the distribution. Defaults to the environment."

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`data "aws_cloudfront_origin_request_policy" "managed_cors" {`
`2`		`- name = "Managed-CORS-CustomOrigin"`
	`2`	`+ name = "Managed-${var.request_policy}"`
`3`	`3`	`}`
`4`	`4`
`5`	`5`	`data "aws_cloudfront_response_headers_policy" "managed_cors" {`