From 2e17795cc33e8fa5c0175733e47d5bc30a5b164c Mon Sep 17 00:00:00 2001
From: pawan kushwaha <144677445+pskushwaha1@users.noreply.github.com>
Date: Thu, 16 May 2024 12:30:05 +0100
Subject: [PATCH] updating cloudfront template to new vesrion (#1622)

---
 ci/terraform/build.tfvars | 1 +
 ci/terraform/cloudfront.tf | 5 +++--
 ci/terraform/staging.tfvars | 1 +
 ci/terraform/variables.tf | 10 +++++++++-
 4 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/ci/terraform/build.tfvars b/ci/terraform/build.tfvars
index 96ae6a3a2..1dd6539dd 100644
--- a/ci/terraform/build.tfvars
+++ b/ci/terraform/build.tfvars
@@ -40,3 +40,4 @@ dynatrace_secret_arn = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:Dyn
 #cloudfront enabled flag
 cloudfront_auth_frontend_enabled = true
 cloudfront_auth_dns_enabled = true
+cloudfront_WafAcl_Logdestination = "csls_cw_logs_destination_prodpython"
diff --git a/ci/terraform/cloudfront.tf b/ci/terraform/cloudfront.tf
index 35617f2ae..c11dd6904 100644
--- a/ci/terraform/cloudfront.tf
+++ b/ci/terraform/cloudfront.tf
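Review bot: The build environment here and the staging environment in the staging.tfvars hunk both set `cloudfront_WafAcl_Logdestination = "csls_cw_logs_destination_prodpython"`, so two non-production environments forward their CloudFront WAF logs to a single destination whose name suggests it belongs to production. If a shared CSLS destination is intended, a comment above the value saying so would stop the next reader from "fixing" it; if not, each environment should name its own destination so WAF log streams stay separated per environment. Either way I would add `# shared CSLS destination for CloudFront WAF logs; confirm ownership before changing` above the line in both tfvars files.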
@@ -2,19 +2,20 @@ resource "aws_cloudformation_stack" "cloudfront" {
 count = var.cloudfront_auth_frontend_enabled ? 1 : 0
 name = "${var.environment}-auth-fe-cloudfront"
 #using fixed version of cloudfron disturbution template for now
- template_url = "https://template-storage-templatebucket-1upzyw6v9cs42.s3.amazonaws.com/cloudfront-distribution/template.yaml?versionId=r_TJE_Uw3BHA0FFMX7WE84B39D9ucuG8"
+ template_url = "https://template-storage-templatebucket-1upzyw6v9cs42.s3.amazonaws.com/cloudfront-distribution/template.yaml?versionId=._qPLI5sbnZN3T3jHF7fezX8BT6fK3j3"
 capabilities = ["CAPABILITY_NAMED_IAM"]
 parameters = {
 AddWWWPrefix = var.Add_WWWPrefix
 CloudFrontCertArn = aws_acm_certificate.cloudfront_frontend_certificate[0].arn
- CloudfrontWafAcl = aws_wafv2_web_acl.frontend_cloudfront_waf_web_acl[0].arn
+ CloudFrontWafACL = aws_wafv2_web_acl.frontend_cloudfront_waf_web_acl[0].arn
 DistributionAlias = local.frontend_fqdn
 FraudHeaderEnabled = var.Fraud_Header_Enabled
 OriginCloakingHeader = var.auth_origin_cloakingheader
 PreviousOriginCloakingHeader = var.previous_auth_origin_cloakingheader
 StandardLoggingEnabled = true
+ LogDestination = var.cloudfront_WafAcl_Logdestination
 }
 tags = local.default_tags
diff --git a/ci/terraform/staging.tfvars b/ci/terraform/staging.tfvars
index 9ff63bb7a..31da6eb9d 100644
--- a/ci/terraform/staging.tfvars
+++ b/ci/terraform/staging.tfvars
@@ -5,6 +5,7 @@ redis_node_size = "cache.m4.xlarge"
 #cloudfront enabled flag
 cloudfront_auth_frontend_enabled = true
 cloudfront_auth_dns_enabled = true
+cloudfront_WafAcl_Logdestination = "csls_cw_logs_destination_prodpython"
 frontend_auto_scaling_v2_enabled = true
 frontend_task_definition_cpu = 1024
diff --git a/ci/terraform/variables.tf b/ci/terraform/variables.tf
index 3bafa3463..5fb77c9bd 100644
--- a/ci/terraform/variables.tf
+++ b/ci/terraform/variables.tf
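Review bot: The renamed parameter key `CloudFrontWafACL` and the new `LogDestination` key are only valid against the template revision pinned by the new `versionId`, yet the comment above `template_url` still reads `#using fixed version of cloudfron disturbution template for now` and records nothing about which revision the keys belong to; a key that drifts from the template fails at CloudFormation validation rather than at plan time. Suggest replacing that comment with `# pinned S3 object version of the cloudfront-distribution template; the parameter keys below (CloudFrontWafACL, LogDestination) must match this version` so the next bump updates both together. The pinned `versionId` is also the only control over which template content this stack deploys, so the comment is the right place to record where that version was published from. Separately, `LogDestination` receives `var.cloudfront_WafAcl_Logdestination`, whose declared default is `"none"` in the variables.tf hunk, so any environment that does not set it in its tfvars passes the literal string `none` to the template — presumably meaning "no log forwarding", but that should be confirmed against the template and stated next to the parameter. The resource block's opening line and closing brace lie outside this hunk.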
@@ -279,7 +279,7 @@ variable "rate_limited_endpoints_requests_per_period" {
 default = 100000
 }
-#cloudfront varaible
+#cloudfront variable
 variable "cloudfront_auth_frontend_enabled" {
 type = bool
 default = false
@@ -304,6 +304,7 @@ variable "auth_origin_cloakingheader" {
 description = "This is header value for Cloufront to to verify requests are coming from the correct CloudFront distribution to ALB "
 }
+
 variable "previous_auth_origin_cloakingheader" {
 type = string
 sensitive = true
@@ -328,6 +329,13 @@ variable "Standard_Logging_Enabled" {
 description = "Enables Standard logging to push logs to S3 bucket"
 }
+variable "cloudfront_WafAcl_Logdestination" {
+ type = string
+ default = "none"
+ description = "CSLS logging destinatiin for logging Cloufront CloakingOriginWebACL WAf logs "
+}
+#end of cloudfront variable
+
 variable "language_toggle_enabled" {
 type = string
 default = "0"
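Review bot: In the last hunk, the description of the new `cloudfront_WafAcl_Logdestination` variable has several typos and a trailing space (`destinatiin`, `Cloufront`, `WAf`) and does not explain the `"none"` default, which cloudfront.tf passes through unchanged to the template as `LogDestination`. Suggest `description = "Name of the CSLS log destination that receives the CloudFront CloakingOriginWebACL WAF logs; the default \"none\" is passed to the template as-is (confirm the template treats it as logging disabled)"`. The mixed-case name also departs from the snake_case of its neighbours (`cloudfront_auth_frontend_enabled`, `previous_auth_origin_cloakingheader`); because the tfvars in this same patch already reference it, a rename would be a separate change, but it is worth noting before more environments adopt it. The two earlier hunks in this file (comment typo fix, added blank line) are cosmetic.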