Ability to specify source directory for Lambda@Edge submodule #260
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
zdmytriv
requested review from
jamengual and
joe-niland
and removed request for
a team
zdmytriv
force-pushed
the
source_dir-support
branch
from
31dd959 to
bf69589
Compare
|
/test all |
|
/test all |
|
/test all |
![bridgecrew[bot]](https://avatars.githubusercontent.com/in/52968?s=60&v=4){kind=small}
| @@ -418,7 +418,7 @@ resource "aws_cloudfront_distribution" "default" { | |||
| origin_path = var.origin_path | |||
|
|
|||
| dynamic "s3_origin_config" { | |||
| for_each = ! var.website_enabled ? [1] : [] | |||
| for_each = !var.website_enabled ? [1] : [] | |||
There was a problem hiding this comment.
Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
Resource: aws_cloudfront_distribution.default | Bridgecrew ID: BC_AWS_GENERAL_186 | Checkov ID: CKV2_AWS_47
How to Fix
resource "aws_cloudfront_distribution" "pass" {
origin {
domain_name = aws_s3_bucket.b.bucket_regional_domain_name
origin_access_control_id = aws_cloudfront_origin_access_control.default.id
origin_id = local.s3_origin_id
}
enabled = true
is_ipv6_enabled = true
comment = "Some comment"
default_root_object = "index.html"
aliases = ["mysite.example.com", "yoursite.example.com"]
default_cache_behavior {
allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD"]
target_origin_id = local.s3_origin_id
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
viewer_protocol_policy = "allow-all"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}
# Cache behavior with precedence 0
ordered_cache_behavior {
path_pattern = "/content/immutable/*"
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
target_origin_id = local.s3_origin_id
forwarded_values {
query_string = false
headers = ["Origin"]
cookies {
forward = "none"
}
}
min_ttl = 0
default_ttl = 86400
max_ttl = 31536000
compress = true
viewer_protocol_policy = "redirect-to-https"
}
price_class = "PriceClass_200"
restrictions {
geo_restriction {
restriction_type = "whitelist"
locations = ["US", "CA", "GB", "DE"]
}
}
tags = {
Environment = "production"
}
viewer_certificate {
cloudfront_default_certificate = true
}
web_acl_id = aws_wafv2_web_acl.pass_acl.arn
}
resource "aws_wafv2_web_acl" "pass_acl" {
name = "managed-rule-example"
description = "Example of a managed rule."
scope = "REGIONAL"
default_action {
allow {}
}
rule {
name = "rule-1"
priority = 1
override_action {
count {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesAnonymousIpList"
vendor_name = "AWS"
excluded_rule {
name = "SizeRestrictions_QUERYSTRING"
}
scope_down_statement {
geo_match_statement {
country_codes = ["US", "NL"]
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-rule-metric-name"
sampled_requests_enabled = false
}
}
rule {
name = "rule-2"
priority = 2
override_action {
count {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesKnownBadInputsRuleSet"
vendor_name = "AWS"
excluded_rule {
name = "SizeRestrictions_QUERYSTRING"
}
scope_down_statement {
geo_match_statement {
country_codes = ["US", "NL"]
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-rule-metric-name"
sampled_requests_enabled = false
}
}
tags = {
Tag1 = "Value1"
Tag2 = "Value2"
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-metric-name"
sampled_requests_enabled = false
}
}
Description
This policy identifies AWS CloudFront attached with WAFv2 WebACL which is not configured with AWS Managed Rules (AMR) for Log4j Vulnerability. As per the guidelines given by AWS, CloudFront attached with WAFv2 WebACL should be configured with AWS Managed Rules (AMR) AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from Log4j Vulnerability (CVE-2021-44228).\n\nFor more information please refer below URL,\nhttps://aws.amazon.com/security/security-bulletins/AWS-2021-006/
|
/test all |
| @@ -418,7 +418,7 @@ resource "aws_cloudfront_distribution" "default" { | |||
| origin_path = var.origin_path | |||
|
|
|||
| dynamic "s3_origin_config" { | |||
| for_each = ! var.website_enabled ? [1] : [] | |||
| for_each = !var.website_enabled ? [1] : [] | |||
There was a problem hiding this comment.
Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
Resource: module.cloudfront_s3_cdn.aws_cloudfront_distribution.default | Bridgecrew ID: BC_AWS_GENERAL_186 | Checkov ID: CKV2_AWS_47
How to Fix
resource "aws_cloudfront_distribution" "pass" {
origin {
domain_name = aws_s3_bucket.b.bucket_regional_domain_name
origin_access_control_id = aws_cloudfront_origin_access_control.default.id
origin_id = local.s3_origin_id
}
enabled = true
is_ipv6_enabled = true
comment = "Some comment"
default_root_object = "index.html"
aliases = ["mysite.example.com", "yoursite.example.com"]
default_cache_behavior {
allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD"]
target_origin_id = local.s3_origin_id
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
viewer_protocol_policy = "allow-all"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}
# Cache behavior with precedence 0
ordered_cache_behavior {
path_pattern = "/content/immutable/*"
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
target_origin_id = local.s3_origin_id
forwarded_values {
query_string = false
headers = ["Origin"]
cookies {
forward = "none"
}
}
min_ttl = 0
default_ttl = 86400
max_ttl = 31536000
compress = true
viewer_protocol_policy = "redirect-to-https"
}
price_class = "PriceClass_200"
restrictions {
geo_restriction {
restriction_type = "whitelist"
locations = ["US", "CA", "GB", "DE"]
}
}
tags = {
Environment = "production"
}
viewer_certificate {
cloudfront_default_certificate = true
}
web_acl_id = aws_wafv2_web_acl.pass_acl.arn
}
resource "aws_wafv2_web_acl" "pass_acl" {
name = "managed-rule-example"
description = "Example of a managed rule."
scope = "REGIONAL"
default_action {
allow {}
}
rule {
name = "rule-1"
priority = 1
override_action {
count {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesAnonymousIpList"
vendor_name = "AWS"
excluded_rule {
name = "SizeRestrictions_QUERYSTRING"
}
scope_down_statement {
geo_match_statement {
country_codes = ["US", "NL"]
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-rule-metric-name"
sampled_requests_enabled = false
}
}
rule {
name = "rule-2"
priority = 2
override_action {
count {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesKnownBadInputsRuleSet"
vendor_name = "AWS"
excluded_rule {
name = "SizeRestrictions_QUERYSTRING"
}
scope_down_statement {
geo_match_statement {
country_codes = ["US", "NL"]
}
}
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-rule-metric-name"
sampled_requests_enabled = false
}
}
tags = {
Tag1 = "Value1"
Tag2 = "Value2"
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "friendly-metric-name"
sampled_requests_enabled = false
}
}
Description
This policy identifies AWS CloudFront attached with WAFv2 WebACL which is not configured with AWS Managed Rules (AMR) for Log4j Vulnerability. As per the guidelines given by AWS, CloudFront attached with WAFv2 WebACL should be configured with AWS Managed Rules (AMR) AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from Log4j Vulnerability (CVE-2021-44228).\n\nFor more information please refer below URL,\nhttps://aws.amazon.com/security/security-bulletins/AWS-2021-006/ 🎉 Fixed by commit 814dc66 - update
|
/test all |
|
/test all |
|
/test all |
zdmytriv
commented
Mar 10, 2023
| @@ -2,14 +2,15 @@ data "archive_file" "lambda_zip" { | |||
| for_each = local.functions | |||
|
|
|||
| dynamic "source" { | |||
| for_each = each.value.source | |||
| for_each = coalesce(each.value.source, []) | |||
There was a problem hiding this comment.
source might be empty list now because we source_dir as well
| filename = string | ||
| content = string | ||
| })) | ||
| }))) | ||
| source_dir = optional(string) |
There was a problem hiding this comment.
both source and source_dir are optional
| @@ -1,5 +1,5 @@ | |||
| terraform { | |||
| required_version = ">= 0.13.0" | |||
| required_version = ">= 1.3" | |||
There was a problem hiding this comment.
bumped version in order to support optional() function
| @@ -1,5 +1,5 @@ | |||
| terraform { | |||
| required_version = ">= 0.13.0" | |||
| required_version = ">= 1.3" | |||
There was a problem hiding this comment.
bumped version in order to support optional() function
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Exporting role arn so policy attachment can be added to lambda.
| @@ -52,7 +52,7 @@ locals { | |||
|
|
|||
| override_origin_bucket_policy = local.enabled && var.override_origin_bucket_policy | |||
|
|
|||
| lookup_cf_log_bucket = local.cloudfront_access_logging_enabled && ! local.cloudfront_access_log_create_bucket | |||
| lookup_cf_log_bucket = local.cloudfront_access_logging_enabled && !local.cloudfront_access_log_create_bucket | |||
There was a problem hiding this comment.
bridgecrew insisted
| @@ -4,7 +4,7 @@ locals { | |||
| # Encapsulate logic here so that it is not lost/scattered among the configuration | |||
| website_enabled = local.enabled && var.website_enabled | |||
| website_password_enabled = local.website_enabled && var.s3_website_password_enabled | |||
| s3_origin_enabled = local.enabled && ! var.website_enabled | |||
| s3_origin_enabled = local.enabled && !var.website_enabled | |||
There was a problem hiding this comment.
bridgecrew insisted
| @@ -1,5 +1,5 @@ | |||
| terraform { | |||
| required_version = ">= 0.13.0" | |||
| required_version = ">= 1.3" | |||
There was a problem hiding this comment.
bumped version in order to support optional() function
| headers['x-custom-header'] = [{ key: 'X-Custom-Header', value: 'My custom value' }]; | ||
|
|
||
| callback(null, response); | ||
| }; |
There was a problem hiding this comment.
sample index.js for the example/complete test
| handler = "index.handler" | ||
| event_type = "viewer-response" | ||
| include_body = false | ||
| }, |
There was a problem hiding this comment.
One more type of lambda@edge cloudfront function. Needed to test source_dir
max-lobur
approved these changes
Mar 10, 2023
osterman
approved these changes
Mar 12, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
what
why
Example
For example, we have the following file structure for lambda@edge submodule:
And we want the whole directory
libto be packaged.With this enhancement path to
libmight be specified like thisRelated
Closes #205