Merge pull request #16 from cookielab/cors

feat(cors): Introduce S3 CORS and CF response headers

Author: joli-sys

README.md

@@ -109,6 +109,7 @@ module "static-site" {
 | [aws_cloudfront_distribution.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
 | [aws_cloudfront_origin_access_control.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
 | [aws_cloudfront_origin_access_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource |
+| [aws_cloudfront_response_headers_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_response_headers_policy) | resource |
 | [aws_iam_access_key.deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
 | [aws_iam_user.deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [aws_iam_user_policy.deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
@@ -148,8 +149,11 @@ module "static-site" {
 | <a name="input_override_status_code_403"></a> [override\_status\_code\_403](#input\_override\_status\_code\_403) | Override status code for 403 error | `number` | `403` | no |
 | <a name="input_override_status_code_404"></a> [override\_status\_code\_404](#input\_override\_status\_code\_404) | Override status code for 404 error | `number` | `200` | no |
 | <a name="input_proxy_paths"></a> [proxy\_paths](#input\_proxy\_paths) | n/a | <pre>list(object({<br>    origin_domain = string<br>    path_prefix   = string<br>  }))</pre> | `[]` | no |
+| <a name="input_response_header_access_control_allow_credentials"></a> [response\_header\_access\_control\_allow\_credentials](#input\_response\_header\_access\_control\_allow\_credentials) | n/a | `bool` | `false` | no |
+| <a name="input_response_header_origin_override"></a> [response\_header\_origin\_override](#input\_response\_header\_origin\_override) | n/a | `bool` | `false` | no |
 | <a name="input_s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | n/a | `string` | n/a | yes |
 | <a name="input_s3_bucket_policy"></a> [s3\_bucket\_policy](#input\_s3\_bucket\_policy) | Additional S3 bucket policy | `string` | `"{}"` | no |
+| <a name="input_s3_cors_rule"></a> [s3\_cors\_rule](#input\_s3\_cors\_rule) | List of maps containing rules for Cross-Origin Resource Sharing. | <pre>list(object({<br>    allowed_headers = optional(list(string))<br>    allowed_methods = optional(list(string))<br>    allowed_origins = optional(list(string))<br>    expose_headers  = optional(list(string))<br>    max_age_seconds = optional(number)<br>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | n/a | `map(string)` | `{}` | no |
 
 ## Outputs

main.tf

@@ -190,6 +190,8 @@ module "s3_bucket" {
     }
   }
 
+  cors_rule = var.s3_cors_rule
+
   tags = local.tags
 }
 
@@ -248,9 +250,10 @@ resource "aws_cloudfront_distribution" "this" {
   }
 
   default_cache_behavior {
-    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
-    cached_methods   = ["GET", "HEAD"]
-    target_origin_id = var.s3_bucket_name
+    allowed_methods            = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cached_methods             = ["GET", "HEAD"]
+    target_origin_id           = var.s3_bucket_name
+    response_headers_policy_id = length(var.s3_cors_rule) > 0 ? aws_cloudfront_response_headers_policy.this[0].id : null
 
     forwarded_values {
       query_string = false
@@ -346,6 +349,30 @@ resource "aws_route53_record" "this" {
   }
 }
 
+resource "aws_cloudfront_response_headers_policy" "this" {
+  count   = length(var.s3_cors_rule) > 0 ? 1 : 0
+  name    = "${var.s3_bucket_name} - response headers"
+  comment = "CloudFront response headers policy using S3 CORS rules"
+
+  cors_config {
+    access_control_allow_credentials = var.response_header_access_control_allow_credentials
+
+    access_control_allow_headers {
+      items = var.s3_cors_rule[0].allowed_headers
+    }
+
+    access_control_allow_methods {
+      items = var.s3_cors_rule[0].allowed_methods
+    }
+
+    access_control_allow_origins {
+      items = var.s3_cors_rule[0].allowed_origins
+    }
+
+    origin_override = var.response_header_origin_override
+  }
+}
+
 moved {
   from = aws_kms_key.this
   to   = aws_kms_key.this[0]

variables.tf

@@ -137,3 +137,25 @@ variable "aws_env_vars_suffix" {
   type        = string
   default     = ""
 }
+
+variable "s3_cors_rule" {
+  description = "List of maps containing rules for Cross-Origin Resource Sharing."
+  type = list(object({
+    allowed_headers = optional(list(string))
+    allowed_methods = optional(list(string))
+    allowed_origins = optional(list(string))
+    expose_headers  = optional(list(string))
+    max_age_seconds = optional(number)
+  }))
+  default = []
+}
+
+variable "response_header_origin_override" {
+  type    = bool
+  default = false
+}
+
+variable "response_header_access_control_allow_credentials" {
+  type    = bool
+  default = false
+}