diff --git a/terraform/shared/modules/cors/cors-script.sh b/terraform/shared/modules/cors/cors-script.sh
new file mode 100755
index 0000000000..792db9f91a
--- /dev/null
+++ b/terraform/shared/modules/cors/cors-script.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+curl -L "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip -q awscliv2.zip && rm awscliv2.zip
+./aws/install -i ~/usr -b ~/bin
+/github/home/bin/aws --version
+
+cf t -o "$1" -s "$2"
+SERVICE_INSTANCE_NAME=fac-public-s3;
+KEY_NAME=fac-public-s3-key;
+cf create-service-key "${SERVICE_INSTANCE_NAME}" "${KEY_NAME}";
+echo "Sleeping for CF API"
+sleep 10
+S3_CREDENTIALS=$(cf service-key "${SERVICE_INSTANCE_NAME}" "${KEY_NAME}" | tail -n +2);
+export AWS_ACCESS_KEY_ID="$(echo "$S3_CREDENTIALS" | jq -r .credentials.access_key_id)";
+export AWS_SECRET_ACCESS_KEY="$(echo "$S3_CREDENTIALS" | jq -r .credentials.secret_access_key)";
+export BUCKET_NAME="$(echo "$S3_CREDENTIALS" | jq -r .credentials.bucket)";
+export AWS_DEFAULT_REGION="$(echo "$S3_CREDENTIALS" | jq -r .credentials.region)";
+echo "Bucket: $BUCKET_NAME";
+echo "INFO: Putting CORS config in bucket..."
+/github/home/bin/aws s3api put-bucket-cors --bucket "$BUCKET_NAME" --cors-configuration file://"$3";
+echo "INFO: aws s3api get-bucket-cors output..."
+/github/home/bin/aws s3api get-bucket-cors --bucket "$BUCKET_NAME";
+cf delete-service-key -f "${SERVICE_INSTANCE_NAME}" "${KEY_NAME}";
diff --git a/terraform/shared/modules/cors/cors.tf b/terraform/shared/modules/cors/cors.tf
new file mode 100644
index 0000000000..0b6a165b29
--- /dev/null
+++ b/terraform/shared/modules/cors/cors.tf
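Review bot: Nothing in cors-script.sh stops on failure, so when `cf create-service-key`, the `cf service-key` fetch or `put-bucket-cors` fails, the later commands run with empty variables and the script still exits 0, which the local-exec provisioner reports as success; at the same time the only `cf delete-service-key` is the last line, so a run that is aborted earlier leaves the temporary key with live S3 credentials in place. Add `set -eu` after the shebang and revoke the key from an EXIT trap armed just before `cf create-service-key`, as sketched below, and drop the trailing delete line. The AWS CLI archive is fetched with `curl -L` and installed without a digest or signature check, and it is installed to `~/bin` while every call uses `/github/home/bin/aws`; pinning and verifying the archive and using one path for both would make the step reproducible outside that runner.
```sh
#!/bin/sh
set -eu

# … unchanged: AWS CLI download/install, cf target …

SERVICE_INSTANCE_NAME=fac-public-s3
KEY_NAME=fac-public-s3-key
# Revoke the temporary key on every exit path, including a failed put-bucket-cors.
cleanup() { cf delete-service-key -f "${SERVICE_INSTANCE_NAME}" "${KEY_NAME}"; }
trap cleanup EXIT
cf create-service-key "${SERVICE_INSTANCE_NAME}" "${KEY_NAME}"
# … unchanged: sleep, service-key fetch, exports, put/get-bucket-cors (final delete-service-key line removed) …
```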
@@ -0,0 +1,17 @@
+locals {
+ script_path = "${var.cf_space_name}-cors.json"
+}
+resource "null_resource" "cors_header" {
+ provisioner "local-exec" {
+ working_dir = path.module
+ interpreter = ["/bin/bash", "-c"]
+ command = "./cors-script.sh ${var.cf_org_name} ${var.cf_space_name} ${local.script_path}"
+ }
+ # https://github.com/hashicorp/terraform/issues/8266#issuecomment-454377049
+ # A clever way to get this to run every time, otherwise we would be relying on
+ # an md5 hash, which, once this goes into the system, will rarely (if ever)
+ # be updated
+ triggers = {
+ always_run = "${timestamp()}"
+ }
+}
diff --git a/terraform/shared/modules/cors/dev-cors.json b/terraform/shared/modules/cors/dev-cors.json
new file mode 100644
index 0000000000..c09962d061
--- /dev/null
+++ b/terraform/shared/modules/cors/dev-cors.json
@@ -0,0 +1,19 @@
+{
+ "CORSRules": [
+ {
+ "AllowedHeaders": [
+ "Authorization"
+ ],
+ "AllowedMethods": [
+ "HEAD",
+ "GET"
+ ],
+ "AllowedOrigins": [
+ "https://fac-dev.app.cloud.gov"
+ ],
+ "ExposeHeaders": [
+ "ETag"
+ ]
+ }
+ ]
+ }
diff --git a/terraform/shared/modules/cors/preview-cors.json b/terraform/shared/modules/cors/preview-cors.json
new file mode 100644
index 0000000000..90aa60fa37
--- /dev/null
+++ b/terraform/shared/modules/cors/preview-cors.json
@@ -0,0 +1,19 @@
+{
+ "CORSRules": [
+ {
+ "AllowedHeaders": [
+ "Authorization"
+ ],
+ "AllowedMethods": [
+ "HEAD",
+ "GET"
+ ],
+ "AllowedOrigins": [
+ "https://fac-preview.app.cloud.gov"
+ ],
+ "ExposeHeaders": [
+ "ETag"
+ ]
+ }
+ ]
+ }
diff --git a/terraform/shared/modules/cors/production-cors.json b/terraform/shared/modules/cors/production-cors.json
new file mode 100644
index 0000000000..d8ce983bde
--- /dev/null
+++ b/terraform/shared/modules/cors/production-cors.json
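Review bot: On the `command` line the three values are interpolated unquoted into a `bash -c` string, so a space or shell metacharacter in `cf_org_name` or `cf_space_name` would be word-split or interpreted by the shell instead of reaching the script as three arguments. Pass them through the provisioner's `environment` block and quote them in the command, as below; the script keeps reading `$1`–`$3` unchanged. `interpreter = ["/bin/bash", "-c"]` only wraps the invocation, while the script itself is executed under its own `#!/bin/sh` shebang, so the two should agree on the shell dialect. `always_run = "${timestamp()}"` can be written `always_run = timestamp()`; the surrounding quotes are legacy interpolation syntax that newer Terraform warns about.
```hcl
  provisioner "local-exec" {
    working_dir = path.module
    interpreter = ["/bin/bash", "-c"]
    environment = {
      CF_ORG_NAME   = var.cf_org_name
      CF_SPACE_NAME = var.cf_space_name
      CORS_FILE     = local.script_path
    }
    command = "./cors-script.sh \"$CF_ORG_NAME\" \"$CF_SPACE_NAME\" \"$CORS_FILE\""
  }
  # … unchanged: triggers …
```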
@@ -0,0 +1,19 @@
+{
+ "CORSRules": [
+ {
+ "AllowedHeaders": [
+ "Authorization"
+ ],
+ "AllowedMethods": [
+ "HEAD",
+ "GET"
+ ],
+ "AllowedOrigins": [
+ "https://app.cloud.gov"
+ ],
+ "ExposeHeaders": [
+ "ETag"
+ ]
+ }
+ ]
+ }
diff --git a/terraform/shared/modules/cors/staging-cors.json b/terraform/shared/modules/cors/staging-cors.json
new file mode 100644
index 0000000000..4c572e5600
--- /dev/null
+++ b/terraform/shared/modules/cors/staging-cors.json
@@ -0,0 +1,19 @@
+{
+ "CORSRules": [
+ {
+ "AllowedHeaders": [
+ "Authorization"
+ ],
+ "AllowedMethods": [
+ "HEAD",
+ "GET"
+ ],
+ "AllowedOrigins": [
+ "https://fac-staging.app.cloud.gov"
+ ],
+ "ExposeHeaders": [
+ "ETag"
+ ]
+ }
+ ]
+ }
diff --git a/terraform/shared/modules/cors/variables.tf b/terraform/shared/modules/cors/variables.tf
new file mode 100644
index 0000000000..ead47fc3ce
--- /dev/null
+++ b/terraform/shared/modules/cors/variables.tf
@@ -0,0 +1,12 @@
+variable "cf_org_name" {
+ type = string
+ description = "name of the organization to configure"
+ default = "gsa-tts-oros-fac"
+}
+
+variable "cf_space_name" {
+ type = string
+ description = "name of the space to configure"
+ # No default... The calling module knows which env is for which space and we
+ # shouldn't assume it!
+}
diff --git a/terraform/shared/modules/env/cors.tf b/terraform/shared/modules/env/cors.tf
new file mode 100644
index 0000000000..652cafadfd
--- /dev/null
+++ b/terraform/shared/modules/env/cors.tf
@@ -0,0 +1,6 @@
+module "cors" {
+ source = "../cors"
+ cf_org_name = var.cf_org_name
+ cf_space_name = var.cf_space_name
+ depends_on = [module.s3-public]
+}
diff --git a/terraform/shared/modules/env/variables.tf b/terraform/shared/modules/env/variables.tf
index dfb532a147..ce7c4d29eb 100644
--- a/terraform/shared/modules/env/variables.tf
+++ b/terraform/shared/modules/env/variables.tf
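Review bot: `AllowedOrigins` in production-cors.json is `https://app.cloud.gov`, which breaks the `https://fac-<env>.app.cloud.gov` pattern the dev, preview and staging files in this commit follow; it reads like a dropped `fac` prefix, and a wrong origin here would make browsers reject every cross-origin read from the real production site while `put-bucket-cors` itself succeeds. Please confirm it against the hostname the production app is actually served from. JSON cannot carry a comment, so the intended origin per environment is best recorded in the cors module's `variables.tf` description or a module README.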
@@ -109,4 +109,4 @@ variable "new_relic_account_id" {
 variable "new_relic_api_key" {
 type = string
 description = "New Relic API key"
-}
\ No newline at end of file
+}