62 changes: 54 additions & 8 deletions aws-cf-reverse-proxy/main.tf
Expand Up @@ -6,7 +6,19 @@ resource "random_string" "id" {
}

locals {

origin_domain = try(regex("^https?://([^/]+)", var.origin_url)[0], null)
origin_path = try(regex("^https?://[^/]+(/.*)", var.origin_url)[0], null)

random_id = var.random_identifier == "" ? random_string.id[0].result : var.random_identifier

app_route53_zone_name = var.app_route53_zone_name != "" ? var.app_route53_zone_name : var.app_naked_domain

target_record_name = (
var.app_target_domain == local.app_route53_zone_name
? ""
: replace(var.app_target_domain, ".${local.app_route53_zone_name}", "")
)
}

module "luthername_site" {
Expand All @@ -22,7 +34,7 @@ module "luthername_site" {
}

data "aws_route53_zone" "site" {
name = "${var.app_naked_domain}."
name = "${local.app_route53_zone_name}."
private_zone = false
}

Expand Down Expand Up @@ -59,14 +71,14 @@ resource "aws_acm_certificate_validation" "site" {

resource "aws_route53_record" "site" {
zone_id = data.aws_route53_zone.site.zone_id
name = var.app_target_domain
type = "CNAME"
ttl = "300"
records = [aws_cloudfront_distribution.site.domain_name]
}
name = local.target_record_name
type = "A"

locals {
origin_domain = replace(var.origin_url, "/(https?://)|(/)/", "")
alias {
name = aws_cloudfront_distribution.site.domain_name
zone_id = aws_cloudfront_distribution.site.hosted_zone_id
evaluate_target_health = false
}
}

resource "aws_cloudfront_distribution" "site" {
Expand All @@ -78,6 +90,8 @@ resource "aws_cloudfront_distribution" "site" {
origin_id = "origin-site"
domain_name = local.origin_domain

origin_path = local.origin_path

custom_origin_config {
origin_protocol_policy = "https-only"
http_port = "80"
Expand Down Expand Up @@ -111,6 +125,8 @@ resource "aws_cloudfront_distribution" "site" {
viewer_protocol_policy = "redirect-to-https"
compress = true

response_headers_policy_id = length(var.cors_allowed_origins) > 0 ? aws_cloudfront_response_headers_policy.allow_specified_origins[0].id : null

dynamic "lambda_function_association" {
for_each = var.use_302 ? [1] : []

Expand Down Expand Up @@ -139,3 +155,33 @@ resource "aws_cloudfront_distribution" "site" {

tags = module.luthername_site.tags
}

resource "aws_cloudfront_response_headers_policy" "allow_specified_origins" {
count = length(var.cors_allowed_origins) > 0 ? 1 : 0

name = "allow-specified-cors-origins"

cors_config {
access_control_allow_credentials = false

access_control_allow_headers {
items = ["*"]
}

access_control_allow_methods {
items = ["GET", "HEAD", "OPTIONS"]
}

access_control_allow_origins {
items = var.cors_allowed_origins
}

origin_override = true
}

security_headers_config {
content_type_options {
override = true
}
}
}
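Review bot: The new `origin_domain`/`origin_path` regexes in the `locals` block require a scheme, so a bare host such as the `origin_url = "origin.example.com"` the module's own test still passes yields `origin_domain = null` and a CloudFront origin with no `domain_name`, whereas the replaced `replace(...)` expression accepted scheme-less values. Making the scheme optional keeps old inputs working: `origin_domain = try(regex("^(?:https?://)?([^/]+)", var.origin_url)[0], null)`. The path capture `(/.*)` also keeps a trailing slash (and any query string), which CloudFront rejects in `origin_path`, so wrap it as `origin_path = try(trimsuffix(regex("^(?:https?://)?[^/]+(/.*)", var.origin_url)[0], "/"), null)` (an empty result then means no path prefix). Separately, `aws_cloudfront_response_headers_policy.allow_specified_origins` uses the fixed name `"allow-specified-cors-origins"`; as far as I know response-headers-policy names are unique per account, so a second instance of this module with CORS enabled would fail to create — `name = "allow-specified-cors-origins-${local.random_id}"` avoids the collision.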
18 changes: 11 additions & 7 deletions aws-cf-reverse-proxy/tests/test1/test.tf
Expand Up @@ -14,13 +14,17 @@ provider "aws" {
}

module "test" {
source = "../../"
luther_env = "env"
luther_project = "project"
app_naked_domain = "example.com"
app_target_domain = "target.example.com"
origin_url = "origin.example.com"
use_302 = true
source = "../../"
luther_env = "env"
luther_project = "project"

app_target_domain = "target.example.com"
app_route53_zone_name = "app.luthersystems.com"

origin_url = "origin.example.com"
use_302 = true

cors_allowed_origins = ["https://app.luthersystems.com"]

providers = {
aws = aws
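Review bot: The fixture sets `app_route53_zone_name = "app.luthersystems.com"` but keeps `app_target_domain = "target.example.com"`, which is not inside that zone; `local.target_record_name` in main.tf only strips `.app.luthersystems.com` when present, so the alias record name stays `target.example.com` relative to the zone and would resolve as `target.example.com.app.luthersystems.com`. A target inside the zone, e.g. `app_target_domain = "target.app.luthersystems.com"`, exercises the intended path. `origin_url = "origin.example.com"` also still has no scheme, which the new `origin_domain` regex in main.tf requires; `origin_url = "https://origin.example.com"` matches the new parsing. The `module "test"` block continues past the end of this hunk.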
22 changes: 18 additions & 4 deletions aws-cf-reverse-proxy/vars.tf
Expand Up @@ -12,10 +12,6 @@ variable "luther_env" {
type = string
}

variable "app_naked_domain" {
type = string
}

variable "app_target_domain" {
type = string
}
Expand All @@ -38,3 +34,21 @@ variable "random_identifier" {
type = string
default = ""
}

variable "cors_allowed_origins" {
type = list(string)
description = "List of allowed origins for CORS"
default = []
}

variable "app_route53_zone_name" {
type = string
description = "The exact Route53 zone name (e.g., app.luthersystems.com) to use for DNS validation and record creation"
default = ""
}

variable "app_naked_domain" {
type = string
description = "Renamed to `app_route53_zone`"
default = ""
}
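Review bot: The description on `app_naked_domain` in the trailing hunk names a variable that does not exist: it says `Renamed to \`app_route53_zone\`` while the new variable is `app_route53_zone_name`. Since main.tf still reads `app_naked_domain` as the fallback when `app_route53_zone_name` is empty, a more accurate text is `description = "Deprecated: use app_route53_zone_name. Still used as the Route53 zone name when app_route53_zone_name is empty."`. `cors_allowed_origins` is echoed into `Access-Control-Allow-Origin` by the response headers policy with `origin_override = true`, so an entry such as a bare `"*"` or a hostname without scheme silently widens or breaks the policy; a `validation` block requiring full `scheme://host[:port]` origins catches this at plan time.
```hcl
variable "cors_allowed_origins" {
  type        = list(string)
  description = "List of allowed origins for CORS"
  default     = []

  validation {
    condition     = alltrue([for o in var.cors_allowed_origins : can(regex("^https?://[^/]+$", o))])
    error_message = "Each entry in cors_allowed_origins must be a full origin (scheme://host[:port]) with no path; a bare \"*\" is not accepted."
  }
}
```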