Provide initial functionality

.github/dependabot.yml

@@ -35,12 +35,4 @@ updates:
     package-ecosystem: terraform
     schedule:
       interval: weekly
-
-  - directory: /examples/basic_usage
-    ignore:
-      # Managed by cisagov/skeleton-tf-module
-      - dependency-name: hashicorp/aws
-    package-ecosystem: terraform
-    schedule:
-      interval: weekly
 version: 2

.gitignore

@@ -2,6 +2,10 @@
 # Files already tracked by Git are not affected.
 # See: https://git-scm.com/docs/gitignore
 
+## Project Specific ##
+add_security_headers.zip
+lambda_build.zip
+
 ## Python ##
 __pycache__
 .mypy_cache

add_security_headers/index.js

@@ -0,0 +1,47 @@
+exports.handler = (event, context, callback) => {
+  /* Get contents of response */
+  const response = event.Records[0].cf.response;
+  const headers = response.headers;
+
+  /* Add security headers */
+  headers["strict-transport-security"] = [
+    {
+      key: "Strict-Transport-Security",
+      value: "max-age=31536000; includeSubdomains; preload",
+    },
+  ];
+  headers["content-security-policy"] = [
+    {
+      key: "Content-Security-Policy",
+      value:
+        "default-src 'none'; img-src 'none'; script-src 'none'; style-src 'none'; object-src 'none'",
+    },
+  ];
+  headers["x-content-type-options"] = [
+    {
+      key: "X-Content-Type-Options",
+      value: "nosniff",
+    },
+  ];
+  headers["x-frame-options"] = [
+    {
+      key: "X-Frame-Options",
+      value: "DENY",
+    },
+  ];
+  headers["x-xss-protection"] = [
+    {
+      key: "X-XSS-Protection",
+      value: "1; mode=block",
+    },
+  ];
+  headers["referrer-policy"] = [
+    {
+      key: "Referrer-Policy",
+      value: "same-origin",
+    },
+  ];
+
+  /* Return the modified response */
+  callback(null, response);
+};

backend.tf

@@ -0,0 +1,10 @@
+terraform {
+  backend "s3" {
+    encrypt        = true
+    bucket         = "cisa-cool-terraform-state"
+    dynamodb_table = "terraform-state-lock"
+    profile        = "cool-terraform-backend"
+    region         = "us-east-1"
+    key            = "publish-egress-ip-terraform/terraform.tfstate"
+  }
+}

cloudfront.tf

@@ -0,0 +1,145 @@
+# ------------------------------------------------------------------------------
+# The CloudFront distribution and related S3/Lambda resources that allow us to
+# use an HTTPS endpoint, which S3 websites do not support natively.
+# ------------------------------------------------------------------------------
+
+locals {
+  # bucket origin id
+  s3_origin_id = "S3-${aws_s3_bucket.egress_info.id}"
+}
+
+data "aws_acm_certificate" "rules_cert" {
+  # This certificate must exist prior to applying this Terraform.
+  # For an example, see cisagov/cool-dns-cyber.dhs.gov/acm_rules_vm.tf
+  provider = aws.deploy
+
+  domain      = var.domain
+  most_recent = true
+  statuses    = ["ISSUED"]
+  types       = ["AMAZON_ISSUED"]
+}
+
+# An S3 bucket where artifacts for the Lambda@Edge can be stored
+resource "aws_s3_bucket" "lambda_at_edge" {
+  provider = aws.deploy
+
+  bucket_prefix = "publish-egress-ip-lambda-at-edge-"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "lambda_at_edge" {
+  provider = aws.deploy
+
+  bucket = aws_s3_bucket.lambda_at_edge.id
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+resource "aws_s3_bucket_versioning" "lambda_at_edge" {
+  provider = aws.deploy
+
+  bucket = aws_s3_bucket.lambda_at_edge.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+# This blocks ANY public access to the bucket or the objects it
+# contains, even if misconfigured to allow public access.
+resource "aws_s3_bucket_public_access_block" "lambda_artifact_bucket" {
+  provider = aws.deploy
+
+  block_public_acls       = true
+  block_public_policy     = true
+  bucket                  = aws_s3_bucket.lambda_at_edge.id
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+# A Lambda@Edge for injecting security headers
+module "security_header_lambda" {
+  providers = {
+    aws = aws.deploy
+  }
+
+  source  = "transcend-io/lambda-at-edge/aws"
+  version = "0.5.0"
+
+  description            = "Adds HSTS and other security headers to the response."
+  lambda_code_source_dir = "${path.root}/add_security_headers"
+  name                   = "add_security_headers"
+  # nodejs18.x appears to be the latest supported runtime until we move beyond
+  # version 4.9 of the Terraform AWS provider.
+  runtime            = "nodejs18.x"
+  s3_artifact_bucket = aws_s3_bucket.lambda_at_edge.id
+}
+
+resource "aws_cloudfront_distribution" "rules_s3_distribution" {
+  provider = aws.deploy
+
+  aliases             = [var.domain]
+  comment             = "Created by cisagov/publish-egress-ip-terraform."
+  default_root_object = var.root_object
+  enabled             = true
+  is_ipv6_enabled     = true
+  price_class         = "PriceClass_100"
+
+  custom_error_response {
+    error_caching_min_ttl = 30
+    error_code            = 403
+    response_code         = 200
+    response_page_path    = "/${var.root_object}"
+  }
+
+  custom_error_response {
+    error_caching_min_ttl = 30
+    error_code            = 404
+    response_code         = 200
+    response_page_path    = "/${var.root_object}"
+  }
+
+  default_cache_behavior {
+    allowed_methods        = ["GET", "HEAD"]
+    cached_methods         = ["GET", "HEAD"]
+    compress               = true
+    default_ttl            = 30
+    max_ttl                = 30
+    min_ttl                = 0
+    target_origin_id       = local.s3_origin_id
+    viewer_protocol_policy = "redirect-to-https"
+
+    forwarded_values {
+      query_string = false
+      cookies {
+        forward = "none"
+      }
+    }
+
+    lambda_function_association {
+      # Inject security headers via Lambda@Edge
+      event_type   = "origin-response"
+      include_body = false
+      lambda_arn   = module.security_header_lambda.arn
+    }
+  }
+
+  origin {
+    domain_name = aws_s3_bucket.egress_info.bucket_regional_domain_name
+    origin_id   = local.s3_origin_id
+  }
+
+  restrictions {
+    geo_restriction {
+      locations        = ["AS", "GU", "MP", "PR", "US", "VI"]
+      restriction_type = "whitelist"
+    }
+  }
+
+  viewer_certificate {
+    acm_certificate_arn      = data.aws_acm_certificate.rules_cert.arn
+    minimum_protocol_version = "TLSv1.1_2016"
+    ssl_support_method       = "sni-only"
+  }
+}