Cloudfront CORS policy terraform (#1887)

* Add CORS Config for Cloudfront * Test uses dev APIs * Split header policies and use the non auth one for maps * Add capacitor * Add Android origin * https instead of http * Add localhost for old android
bcgov · May 9, 2024 · 8474745 · 8474745
1 parent fdb4f8f
commit 8474745
Showing 1 changed file with 109 additions and 1 deletion.
diff --git a/terraform/cloudfront.tf b/terraform/cloudfront.tf
@@ -915,7 +915,7 @@ resource "aws_cloudfront_distribution" "wfnews_openmaps_cache" {
       }
     }
 
-    response_headers_policy_id = aws_cloudfront_response_headers_policy.cache_control_response_headers.id
+    response_headers_policy_id = aws_cloudfront_response_headers_policy.cache_control_response_headers_no_auth_cors.id
 
     viewer_protocol_policy = "redirect-to-https"
     min_ttl                = 0
@@ -1021,6 +1021,114 @@ output "wfnews_cloudfront_nginx_url" {
 
 resource "aws_cloudfront_response_headers_policy" "cache_control_response_headers" {
   name = "cache-control-response-headers-${var.target_env}"
+  custom_headers_config {
+    items {
+      header   = "Cache-Control"
+      override = true
+      value    = "stale-while-revalidate=600"
+    }
+  }
+
+  remove_headers_config {
+    items {
+      header = "X-Forwarded-Server"
+    }
+
+    items {
+      header = "X-Forwarded-Host"
+    }
+
+    items {
+      header = "X-Host"
+    }
+  }
+}
+
+resource "aws_cloudfront_response_headers_policy" "cache_control_response_headers_no_auth_cors" {
+  name = "cache-control-response-headers-no-auth-cor-${var.target_env}"
+  cors_config {
+    access_control_allow_credentials = false
+
+    access_control_allow_headers {
+      items = ["*"]
+    }
+
+    access_control_allow_methods {
+      items = ["*"]
+    }
+
+    access_control_allow_origins {
+      items = ["*"]
+    }
+
+    access_control_max_age_sec = 300
+
+    origin_override = true
+  }
+
+  custom_headers_config {
+    items {
+      header   = "Cache-Control"
+      override = true
+      value    = "stale-while-revalidate=600"
+    }
+  }
+
+  remove_headers_config {
+    items {
+      header = "X-Forwarded-Server"
+    }
+
+    items {
+      header = "X-Forwarded-Host"
+    }
+
+    items {
+      header = "X-Host"
+    }
+  }
+}
+
+resource "aws_cloudfront_response_headers_policy" "cache_control_response_headers_auth_cors" {
+  name = "cache-control-response-headers-auth-cor-${var.target_env}"
+  cors_config {
+    access_control_allow_credentials = true
+
+    access_control_allow_headers {
+      items = [
+        "Accept",
+        "Accept-Encoding",
+        "Accept-Language",
+        "Cache-Control",
+        "Origin",
+        "Pragma",
+        "Priority",
+        "Referer",
+        "Apikey",
+        "Authorization",
+        "Content-Type"
+      ]
+    }
+
+    access_control_allow_methods {
+      items = ["GET", "POST", "PUT", "HEAD", "OPTIONS", "PATCH", "DELETE"]
+    }
+
+    access_control_allow_origins {
+      items = [
+        "capacitor://localhost",
+        "http://localhost",
+        "https://localhost",
+        "https://wfnews-client.dev.bcwildfireservices.com",
+        "https://wfnews-client.test.bcwildfireservices.com",
+        "https://wildfiresituation.nrs.gov.bc.ca"
+      ]
+    }
+
+    access_control_max_age_sec = 300
+
+    origin_override = true
+  }
 
   custom_headers_config {
     items {