Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

terraform: configure authn for fastly<->releases #424

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

mweinelt
Copy link
Member

This happens in preparation for enabling requester pays on the S3 bucket.

  # fastly_service_vcl.releases will be updated in-place
  ~ resource "fastly_service_vcl" "releases" {
      ~ active_version     = 55 -> (known after apply)
      ~ cloned_version     = 55 -> (known after apply)
        id                 = "745rWITBeKgJklfVqQ2Sjb"
        name               = "releases.nixos.org"
        # (8 unchanged attributes hidden)

      + snippet {
          + content  = <<-EOT
                # VCL snippet to authenticate Fastly<->S3 requests.
                #
                # https://docs.fastly.com/en/guides/amazon-s3#using-an-amazon-s3-private-bucket
                
                declare local var.canonicalHeaders STRING;
                declare local var.signedHeaders STRING;
                declare local var.canonicalRequest STRING;
                declare local var.canonicalQuery STRING;
                declare local var.stringToSign STRING;
                declare local var.dateStamp STRING;
                declare local var.signature STRING;
                declare local var.scope STRING;
                
                if (req.method == "GET" && !req.backend.is_shield) {
                  set bereq.http.x-amz-content-sha256 = digest.hash_sha256("");
                  set bereq.http.x-amz-date = strftime({"%Y%m%dT%H%M%SZ"}, now);
                  set bereq.http.x-amz-request-payer = "requester";
                  set bereq.http.host = "nix-releases.s3.amazonaws.com";
                  set bereq.url = querystring.remove(bereq.url);
                  set bereq.url = regsuball(urlencode(urldecode(bereq.url.path)), {"%2F"}, "/");
                  set var.dateStamp = strftime({"%Y%m%d"}, now);
                  set var.canonicalHeaders = ""
                    "host:" bereq.http.host LF
                    "x-amz-content-sha256:" bereq.http.x-amz-content-sha256 LF
                    "x-amz-date:" bereq.http.x-amz-date LF
                    "x-amz-request-payer:" bereq.http.x-amz-request-payer LF
                  ;
                  set var.canonicalQuery = "";
                  set var.signedHeaders = "host;x-amz-content-sha256;x-amz-date;x-amz-request-payer";
                  set var.canonicalRequest = ""
                    "GET" LF
                    bereq.url.path LF
                    var.canonicalQuery LF
                    var.canonicalHeaders LF
                    var.signedHeaders LF
                    digest.hash_sha256("")
                  ;
                
                  set var.scope = var.dateStamp "/eu-west-1/s3/aws4_request";
                
                  set var.stringToSign = ""
                    "AWS4-HMAC-SHA256" LF
                    bereq.http.x-amz-date LF
                    var.scope LF
                    regsub(digest.hash_sha256(var.canonicalRequest),"^0x", "")
                  ;
                
                  set var.signature = digest.awsv4_hmac(
                    "...",
                    var.dateStamp,
                    "eu-west-1",
                    "s3",
                    var.stringToSign
                  );
                
                  set bereq.http.Authorization = "AWS4-HMAC-SHA256 "
                    "Credential=.../" var.scope ", "
                    "SignedHeaders=" var.signedHeaders ", "
                    "Signature=" + regsub(var.signature,"^0x", "")
                  ;
                  unset bereq.http.Accept;
                  unset bereq.http.Accept-Language;
                  unset bereq.http.User-Agent;
                  unset bereq.http.Fastly-Client-IP;
                }
            EOT
          + name     = "Authenticate S3 requests"
          + priority = 100
          + type     = "miss"
        }

        # (15 unchanged blocks hidden)
    }

@mweinelt mweinelt requested a review from a team as a code owner May 15, 2024 00:01
@mweinelt mweinelt force-pushed the terraform-fastly-releases-authn branch from 5667811 to 497ee05 Compare May 15, 2024 00:22
Copy link
Member

@zimbatm zimbatm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds good. nit would be to rename the cache-iam local to fastly-iam since it's shared now

@mweinelt mweinelt force-pushed the terraform-fastly-releases-authn branch from 497ee05 to 177159b Compare May 15, 2024 07:38
This happens in preparation for enabling requester pays on the S3 bucket.
@mweinelt mweinelt force-pushed the terraform-fastly-releases-authn branch from 177159b to 2fedaa3 Compare May 15, 2024 07:38
@mweinelt
Copy link
Member Author

Okay, updated.

@mweinelt
Copy link
Member Author

Currently this configuration leads to a 404 from fastly, which is likely a 403 from the S3 bucket.

More context on Matrix

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants