updating cloudfront template to new vesrion (#1622)

govuk-one-login · May 16, 2024 · 2e17795 · 2e17795
1 parent a5e483d
commit 2e17795
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 3 deletions.
diff --git a/ci/terraform/build.tfvars b/ci/terraform/build.tfvars
@@ -40,3 +40,4 @@ dynatrace_secret_arn = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:Dyn
 #cloudfront enabled flag 
 cloudfront_auth_frontend_enabled = true
 cloudfront_auth_dns_enabled      = true
+cloudfront_WafAcl_Logdestination = "csls_cw_logs_destination_prodpython"
diff --git a/ci/terraform/cloudfront.tf b/ci/terraform/cloudfront.tf
@@ -2,19 +2,20 @@ resource "aws_cloudformation_stack" "cloudfront" {
   count = var.cloudfront_auth_frontend_enabled ? 1 : 0
   name  = "${var.environment}-auth-fe-cloudfront"
   #using fixed version of cloudfron disturbution template for now 
-  template_url = "https://template-storage-templatebucket-1upzyw6v9cs42.s3.amazonaws.com/cloudfront-distribution/template.yaml?versionId=r_TJE_Uw3BHA0FFMX7WE84B39D9ucuG8"
+  template_url = "https://template-storage-templatebucket-1upzyw6v9cs42.s3.amazonaws.com/cloudfront-distribution/template.yaml?versionId=._qPLI5sbnZN3T3jHF7fezX8BT6fK3j3"
 
   capabilities = ["CAPABILITY_NAMED_IAM"]
 
   parameters = {
     AddWWWPrefix                 = var.Add_WWWPrefix
     CloudFrontCertArn            = aws_acm_certificate.cloudfront_frontend_certificate[0].arn
-    CloudfrontWafAcl             = aws_wafv2_web_acl.frontend_cloudfront_waf_web_acl[0].arn
+    CloudFrontWafACL             = aws_wafv2_web_acl.frontend_cloudfront_waf_web_acl[0].arn
     DistributionAlias            = local.frontend_fqdn
     FraudHeaderEnabled           = var.Fraud_Header_Enabled
     OriginCloakingHeader         = var.auth_origin_cloakingheader
     PreviousOriginCloakingHeader = var.previous_auth_origin_cloakingheader
     StandardLoggingEnabled       = true
+    LogDestination               = var.cloudfront_WafAcl_Logdestination
   }
   tags = local.default_tags
 

diff --git a/ci/terraform/staging.tfvars b/ci/terraform/staging.tfvars
@@ -5,6 +5,7 @@ redis_node_size     = "cache.m4.xlarge"
 #cloudfront enabled flag 
 cloudfront_auth_frontend_enabled = true
 cloudfront_auth_dns_enabled      = true
+cloudfront_WafAcl_Logdestination = "csls_cw_logs_destination_prodpython"
 
 frontend_auto_scaling_v2_enabled                    = true
 frontend_task_definition_cpu                        = 1024

diff --git a/ci/terraform/variables.tf b/ci/terraform/variables.tf
@@ -279,7 +279,7 @@ variable "rate_limited_endpoints_requests_per_period" {
   default     = 100000
 }
 
-#cloudfront varaible 
+#cloudfront variable 
 variable "cloudfront_auth_frontend_enabled" {
   type        = bool
   default     = false
@@ -304,6 +304,7 @@ variable "auth_origin_cloakingheader" {
   description = "This is header value for Cloufront to to verify requests are coming from the correct CloudFront distribution to ALB "
 }
 
+
 variable "previous_auth_origin_cloakingheader" {
   type        = string
   sensitive   = true
@@ -328,6 +329,13 @@ variable "Standard_Logging_Enabled" {
   description = "Enables Standard logging to push logs to S3 bucket"
 }
 
+variable "cloudfront_WafAcl_Logdestination" {
+  type        = string
+  default     = "none"
+  description = "CSLS logging destinatiin for logging Cloufront CloakingOriginWebACL WAf logs "
+}
+#end of cloudfront variable 
+
 variable "language_toggle_enabled" {
   type        = string
   default     = "0"