Skip to content

Commit

Permalink
Manage cors headers in terraform (#4115)
Browse files Browse the repository at this point in the history
* Initial cors script test

* add depends_on

* Trying out the cors json via jsonencode

* add var

* testing

* give interpreter and working_dir

* add cf target command

* add aws

* trim space

* give proper path for aws

* force delete key

* set the actual domain

* trying decoded json

* more testing

* trying map

* Testing decoded_json local

* Testing moving the string json into module

* typo fix

* Undo the decode

* Make executable

* Test with json file

* change script_path

* add trigger

* Fix the jq

* Add env specific CORS files

* Add info statements for logs

* Add a small sleep for CF API

* Quiet unzip output

* rename resource

* Add an informational comment on why the trigger={} was added
  • Loading branch information
asteel-gsa authored Jul 26, 2024
1 parent 7f52c1a commit fc6eeda
Show file tree
Hide file tree
Showing 9 changed files with 136 additions and 1 deletion.
24 changes: 24 additions & 0 deletions terraform/shared/modules/cors/cors-script.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
#!/bin/sh

curl -L "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip -q awscliv2.zip && rm awscliv2.zip
./aws/install -i ~/usr -b ~/bin
/github/home/bin/aws --version

cf t -o "$1" -s "$2"
SERVICE_INSTANCE_NAME=fac-public-s3;
KEY_NAME=fac-public-s3-key;
cf create-service-key "${SERVICE_INSTANCE_NAME}" "${KEY_NAME}";
echo "Sleeping for CF API"
sleep 10
S3_CREDENTIALS=$(cf service-key "${SERVICE_INSTANCE_NAME}" "${KEY_NAME}" | tail -n +2);
export AWS_ACCESS_KEY_ID="$(echo "$S3_CREDENTIALS" | jq -r .credentials.access_key_id)";
export AWS_SECRET_ACCESS_KEY="$(echo "$S3_CREDENTIALS" | jq -r .credentials.secret_access_key)";
export BUCKET_NAME="$(echo "$S3_CREDENTIALS" | jq -r .credentials.bucket)";
export AWS_DEFAULT_REGION="$(echo "$S3_CREDENTIALS" | jq -r .credentials.region)";
echo "Bucket: $BUCKET_NAME";
echo "INFO: Putting CORS config in bucket..."
/github/home/bin/aws s3api put-bucket-cors --bucket "$BUCKET_NAME" --cors-configuration file://"$3";
echo "INFO: aws s3api get-bucket-cors output..."
/github/home/bin/aws s3api get-bucket-cors --bucket "$BUCKET_NAME";
cf delete-service-key -f "${SERVICE_INSTANCE_NAME}" "${KEY_NAME}";
17 changes: 17 additions & 0 deletions terraform/shared/modules/cors/cors.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
locals {
script_path = "${var.cf_space_name}-cors.json"
}
resource "null_resource" "cors_header" {
provisioner "local-exec" {
working_dir = path.module
interpreter = ["/bin/bash", "-c"]
command = "./cors-script.sh ${var.cf_org_name} ${var.cf_space_name} ${local.script_path}"
}
# https://github.com/hashicorp/terraform/issues/8266#issuecomment-454377049
# A clever way to get this to run every time, otherwise we would be relying on
# an md5 hash, which, once this goes into the system, will rarely (if ever)
# be updated
triggers = {
always_run = "${timestamp()}"
}
}
19 changes: 19 additions & 0 deletions terraform/shared/modules/cors/dev-cors.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"CORSRules": [
{
"AllowedHeaders": [
"Authorization"
],
"AllowedMethods": [
"HEAD",
"GET"
],
"AllowedOrigins": [
"https://fac-dev.app.cloud.gov"
],
"ExposeHeaders": [
"ETag"
]
}
]
}
19 changes: 19 additions & 0 deletions terraform/shared/modules/cors/preview-cors.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"CORSRules": [
{
"AllowedHeaders": [
"Authorization"
],
"AllowedMethods": [
"HEAD",
"GET"
],
"AllowedOrigins": [
"https://fac-preview.app.cloud.gov"
],
"ExposeHeaders": [
"ETag"
]
}
]
}
19 changes: 19 additions & 0 deletions terraform/shared/modules/cors/production-cors.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"CORSRules": [
{
"AllowedHeaders": [
"Authorization"
],
"AllowedMethods": [
"HEAD",
"GET"
],
"AllowedOrigins": [
"https://app.cloud.gov"
],
"ExposeHeaders": [
"ETag"
]
}
]
}
19 changes: 19 additions & 0 deletions terraform/shared/modules/cors/staging-cors.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{
"CORSRules": [
{
"AllowedHeaders": [
"Authorization"
],
"AllowedMethods": [
"HEAD",
"GET"
],
"AllowedOrigins": [
"https://fac-staging.app.cloud.gov"
],
"ExposeHeaders": [
"ETag"
]
}
]
}
12 changes: 12 additions & 0 deletions terraform/shared/modules/cors/variables.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
variable "cf_org_name" {
type = string
description = "name of the organization to configure"
default = "gsa-tts-oros-fac"
}

variable "cf_space_name" {
type = string
description = "name of the space to configure"
# No default... The calling module knows which env is for which space and we
# shouldn't assume it!
}
6 changes: 6 additions & 0 deletions terraform/shared/modules/env/cors.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
module "cors" {
source = "../cors"
cf_org_name = var.cf_org_name
cf_space_name = var.cf_space_name
depends_on = [module.s3-public]
}
2 changes: 1 addition & 1 deletion terraform/shared/modules/env/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -109,4 +109,4 @@ variable "new_relic_account_id" {
variable "new_relic_api_key" {
type = string
description = "New Relic API key"
}
}

0 comments on commit fc6eeda

Please sign in to comment.