Merge branch 'do-not-index' into wasm-content-type

byerlyb20 · byerlyb20 · commit 4bf2bdb50d2d · 2025-02-11T16:26:54.000-07:00
# Conflicts:
#	s3.tf
diff --git a/domain.tf b/domain.tf
@@ -1,10 +1,40 @@
-
 variable "domain_name_zone" {
 }
 variable "domain_name" {
 }
+variable "content_security_policy" {
+  type = map(list(string))
+  default = {
+    default-src : [
+      "*",
+      "'unsafe-eval'",
+      "'wasm-unsafe-eval'",
+      "'unsafe-inline'",
+      "data:",
+      "mediastream:",
+      "blob:",
+      "filesystem:",
+      "about:",
+      "ws:",
+      "wss:",
+    ]
+    frame-src : [
+      "*",
+      "data:",
+      "blob:",
+    ]
+    form-action : [
+      "*"
+    ]
+    frame-ancestors : [
+      "*",
+      "data:",
+      "blob:",
+    ]
+  }
+}
 variable "geo_restrictions_mode" {
-  type = string
+  type    = string
   default = "none"
   validation {
     condition = contains([
@@ -20,7 +50,7 @@ variable "geo_restrictions_list" {
   default = []
 }
 variable "react_mode" {
-  type = bool
+  type    = bool
   default = false
 }
 
@@ -29,7 +59,7 @@ data "aws_route53_zone" "main" {
 }
 
 resource "aws_acm_certificate" "web" {
-  provider = aws.acm
+  provider          = aws.acm
   domain_name       = var.domain_name
   validation_method = "DNS"
 }
@@ -41,8 +71,8 @@ resource "aws_route53_record" "web" {
   ttl     = "300"
 }
 resource "aws_acm_certificate_validation" "web" {
-  provider = aws.acm
-  certificate_arn         = aws_acm_certificate.web.arn
+  provider        = aws.acm
+  certificate_arn = aws_acm_certificate.web.arn
   validation_record_fqdns = [aws_route53_record.web.fqdn]
 }
 resource "aws_route53_record" "web_cloudfront" {
@@ -64,7 +94,7 @@ resource "aws_cloudfront_origin_access_identity" "oai" {
 resource "aws_cloudfront_distribution" "main" {
   depends_on = [aws_s3_bucket.files]
   enabled             = true
-  aliases             = [var.domain_name]
+  aliases = [var.domain_name]
   default_root_object = "index.html"
 
   origin {
@@ -78,13 +108,14 @@ resource "aws_cloudfront_distribution" "main" {
     }
   }
   default_cache_behavior {
-    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
-    cached_methods         = ["GET", "HEAD", "OPTIONS"]
-    target_origin_id       = "origin-${var.domain_name}"
+    allowed_methods = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
+    cached_methods = ["GET", "HEAD", "OPTIONS"]
+    target_origin_id           = "origin-${var.domain_name}"
     viewer_protocol_policy = "redirect-to-https" # other options - https only, http
+    response_headers_policy_id = aws_cloudfront_response_headers_policy.webapp_security_headers.id
 
     forwarded_values {
-      headers      = []
+      headers = []
       query_string = true
 
       cookies {
@@ -107,7 +138,7 @@ resource "aws_cloudfront_distribution" "main" {
   restrictions {
     geo_restriction {
       restriction_type = var.geo_restrictions_mode
-      locations = var.geo_restrictions_list
+      locations        = var.geo_restrictions_list
     }
   }
 
@@ -116,4 +147,39 @@ resource "aws_cloudfront_distribution" "main" {
     ssl_support_method       = "sni-only"
     minimum_protocol_version = "TLSv1.2_2018"
   }
+}
+
+resource "aws_cloudfront_response_headers_policy" "webapp_security_headers" {
+  name = "webapp-security-headers-${replace(var.domain_name, "/[^a-zA-Z0-9\\-]/", "-")}"
+  security_headers_config {
+    content_type_options {
+      override = true
+    }
+    frame_options {
+      frame_option = "DENY"
+      override     = true
+    }
+    referrer_policy {
+      referrer_policy = "same-origin"
+      override        = true
+    }
+    xss_protection {
+      mode_block = true
+      protection = true
+      override   = true
+    }
+    strict_transport_security {
+      access_control_max_age_sec = "63072000"
+      include_subdomains         = true
+      preload                    = true
+      override                   = true
+    }
+    content_security_policy {
+      content_security_policy = join("; ", [
+        for key, value in var.content_security_policy : "${key} ${join(" ", value)}"
+      ])
+      #       content_security_policy = "frame-ancestors 'self'; default-src 'self'; img-src ${var.external_media_sources}; media-src ${var.external_media_sources}; script-src 'self' ${var.external_script_sources}; style-src 'self' 'unsafe-inline'; object-src 'none'; connect-src ${var.external_connections}"
+      override = true
+    }
+  }
 }
diff --git a/s3.tf b/s3.tf
@@ -55,42 +55,53 @@ resource "aws_s3_bucket_cors_configuration" "files" {
   }
 }
 
+variable "create_robots_txt" {
+  type    = bool
+  default = true
+}
+
+resource "local_file" "robots-txt" {
+  count = var.create_robots_txt ? 1 : 0
+  content  = "User-agent: *\nDisallow: "
+  filename = "${var.dist_folder}/robots.txt"
+}
+
 locals {
   content_type_overrides = {
     "apple-app-site-association" = "application/json"
   }
   # Taken from https://github.com/hashicorp/terraform-template-dir/blob/17b81de441645a94f4db1449fc8269cd32f26fde/variables.tf
   # with some additions for file types we need to support
   known_mime_types = {
-    ".3g2"    : "video/3gpp2", 
-    ".3gp"    : "video/3gpp", 
-    ".atom"   : "application/atom+xml", 
-    ".css"    : "text/css; charset=utf-8", 
-    ".eot"    : "application/vnd.ms-fontobject", 
-    ".gif"    : "image/gif", 
-    ".htm"    : "text/html; charset=utf-8", 
-    ".html"   : "text/html; charset=utf-8", 
-    ".ico"    : "image/vnd.microsoft.icon", 
-    ".jar"    : "application/java-archive", 
-    ".jpeg"   : "image/jpeg", 
-    ".jpg"    : "image/jpeg", 
-    ".js"     : "application/javascript", 
-    ".json"   : "application/json", 
-    ".jsonld" : "application/ld+json", 
-    ".otf"    : "font/otf", 
-    ".pdf"    : "application/pdf", 
-    ".png"    : "image/png", 
-    ".rss"    : "application/rss+xml", 
-    ".svg"    : "image/svg+xml", 
-    ".swf"    : "application/x-shockwave-flash", 
-    ".ttf"    : "font/ttf", 
-    ".txt"    : "text/plain; charset=utf-8", 
-    ".weba"   : "audio/webm", 
-    ".webm"   : "video/webm", 
-    ".webp"   : "image/webp", 
-    ".woff"   : "font/woff", 
-    ".woff2"  : "font/woff2", 
-    ".xhtml"  : "application/xhtml+xml", 
+    ".3g2"    : "video/3gpp2",
+    ".3gp"    : "video/3gpp",
+    ".atom"   : "application/atom+xml",
+    ".css"    : "text/css; charset=utf-8",
+    ".eot"    : "application/vnd.ms-fontobject",
+    ".gif"    : "image/gif",
+    ".htm"    : "text/html; charset=utf-8",
+    ".html"   : "text/html; charset=utf-8",
+    ".ico"    : "image/vnd.microsoft.icon",
+    ".jar"    : "application/java-archive",
+    ".jpeg"   : "image/jpeg",
+    ".jpg"    : "image/jpeg",
+    ".js"     : "application/javascript",
+    ".json"   : "application/json",
+    ".jsonld" : "application/ld+json",
+    ".otf"    : "font/otf",
+    ".pdf"    : "application/pdf",
+    ".png"    : "image/png",
+    ".rss"    : "application/rss+xml",
+    ".svg"    : "image/svg+xml",
+    ".swf"    : "application/x-shockwave-flash",
+    ".ttf"    : "font/ttf",
+    ".txt"    : "text/plain; charset=utf-8",
+    ".weba"   : "audio/webm",
+    ".webm"   : "video/webm",
+    ".webp"   : "image/webp",
+    ".woff"   : "font/woff",
+    ".woff2"  : "font/woff2",
+    ".xhtml"  : "application/xhtml+xml",
     ".xml"    : "application/xml",
     ".wasm"   : "application/wasm"
   }
@@ -100,6 +111,7 @@ module "template_files" {
 
   base_dir   = var.dist_folder
   file_types = local.known_mime_types
+  depends_on = ["local_file.robots-txt"]
 }
 resource "aws_s3_object" "app_storage" {
   for_each     = module.template_files.files
