Add CORS support (#45)

* Add CORS support

* Replace naked domain logic

* Fix security header

* Make change backwards compatible

* Make new argument optional

* Use A record with alias for CF

* Fix default logic

* Fix target record name

* Add back missing fix

* Add path option to reverse proxy

* Attempt to fix path

* Use regex extraction instead

Author: sam-at-luther

aws-cf-reverse-proxy/main.tf

@@ -6,7 +6,19 @@ resource "random_string" "id" {
 }
 
 locals {
+
+  origin_domain = try(regex("^https?://([^/]+)", var.origin_url)[0], null)
+  origin_path   = try(regex("^https?://[^/]+(/.*)", var.origin_url)[0], null)
+
   random_id = var.random_identifier == "" ? random_string.id[0].result : var.random_identifier
+
+  app_route53_zone_name = var.app_route53_zone_name != "" ? var.app_route53_zone_name : var.app_naked_domain
+
+  target_record_name = (
+    var.app_target_domain == local.app_route53_zone_name
+    ? ""
+    : replace(var.app_target_domain, ".${local.app_route53_zone_name}", "")
+  )
 }
 
 module "luthername_site" {
@@ -22,7 +34,7 @@ module "luthername_site" {
 }
 
 data "aws_route53_zone" "site" {
-  name         = "${var.app_naked_domain}."
+  name         = "${local.app_route53_zone_name}."
   private_zone = false
 }
 
@@ -59,14 +71,14 @@ resource "aws_acm_certificate_validation" "site" {
 
 resource "aws_route53_record" "site" {
   zone_id = data.aws_route53_zone.site.zone_id
-  name    = var.app_target_domain
-  type    = "CNAME"
-  ttl     = "300"
-  records = [aws_cloudfront_distribution.site.domain_name]
-}
+  name    = local.target_record_name
+  type    = "A"
 
-locals {
-  origin_domain = replace(var.origin_url, "/(https?://)|(/)/", "")
+  alias {
+    name                   = aws_cloudfront_distribution.site.domain_name
+    zone_id                = aws_cloudfront_distribution.site.hosted_zone_id
+    evaluate_target_health = false
+  }
 }
 
 resource "aws_cloudfront_distribution" "site" {
@@ -78,6 +90,8 @@ resource "aws_cloudfront_distribution" "site" {
     origin_id   = "origin-site"
     domain_name = local.origin_domain
 
+    origin_path = local.origin_path
+
     custom_origin_config {
       origin_protocol_policy = "https-only"
       http_port              = "80"
@@ -111,6 +125,8 @@ resource "aws_cloudfront_distribution" "site" {
     viewer_protocol_policy = "redirect-to-https"
     compress               = true
 
+    response_headers_policy_id = length(var.cors_allowed_origins) > 0 ? aws_cloudfront_response_headers_policy.allow_specified_origins[0].id : null
+
     dynamic "lambda_function_association" {
       for_each = var.use_302 ? [1] : []
 
@@ -139,3 +155,33 @@ resource "aws_cloudfront_distribution" "site" {
 
   tags = module.luthername_site.tags
 }
+
+resource "aws_cloudfront_response_headers_policy" "allow_specified_origins" {
+  count = length(var.cors_allowed_origins) > 0 ? 1 : 0
+
+  name = "allow-specified-cors-origins"
+
+  cors_config {
+    access_control_allow_credentials = false
+
+    access_control_allow_headers {
+      items = ["*"]
+    }
+
+    access_control_allow_methods {
+      items = ["GET", "HEAD", "OPTIONS"]
+    }
+
+    access_control_allow_origins {
+      items = var.cors_allowed_origins
+    }
+
+    origin_override = true
+  }
+
+  security_headers_config {
+    content_type_options {
+      override = true
+    }
+  }
+}

aws-cf-reverse-proxy/tests/test1/test.tf

@@ -14,13 +14,17 @@ provider "aws" {
 }
 
 module "test" {
-  source            = "../../"
-  luther_env        = "env"
-  luther_project    = "project"
-  app_naked_domain  = "example.com"
-  app_target_domain = "target.example.com"
-  origin_url        = "origin.example.com"
-  use_302           = true
+  source         = "../../"
+  luther_env     = "env"
+  luther_project = "project"
+
+  app_target_domain     = "target.example.com"
+  app_route53_zone_name = "app.luthersystems.com"
+
+  origin_url = "origin.example.com"
+  use_302    = true
+
+  cors_allowed_origins = ["https://app.luthersystems.com"]
 
   providers = {
     aws           = aws

aws-cf-reverse-proxy/vars.tf

@@ -12,10 +12,6 @@ variable "luther_env" {
   type = string
 }
 
-variable "app_naked_domain" {
-  type = string
-}
-
 variable "app_target_domain" {
   type = string
 }
@@ -38,3 +34,21 @@ variable "random_identifier" {
   type    = string
   default = ""
 }
+
+variable "cors_allowed_origins" {
+  type        = list(string)
+  description = "List of allowed origins for CORS"
+  default     = []
+}
+
+variable "app_route53_zone_name" {
+  type        = string
+  description = "The exact Route53 zone name (e.g., app.luthersystems.com) to use for DNS validation and record creation"
+  default     = ""
+}
+
+variable "app_naked_domain" {
+  type        = string
+  description = "Renamed to `app_route53_zone`"
+  default     = ""
+}