PRMP 1036 - Fix PDF Intermittence

infrastructure/README.md

@@ -8,7 +8,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.66.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.62.0 |
 
 ## Modules
 

infrastructure/cloudfront.tf

@@ -1,6 +1,6 @@
 module "cloudfront-distribution-lg" {
   source             = "./modules/cloudfront/"
-  bucket_domain_name = "${terraform.workspace}-${var.lloyd_george_bucket_name}.s3.amazonaws.com"
+  bucket_domain_name = "${terraform.workspace}-${var.lloyd_george_bucket_name}.s3.eu-west-2.amazonaws.com"
   bucket_id          = module.ndr-lloyd-george-store.bucket_id
   qualifed_arn       = module.edge-presign-lambda.qualified_arn
   depends_on         = [module.edge-presign-lambda.qualified_arn, module.ndr-lloyd-george-store.bucket_id, module.ndr-lloyd-george-store.bucket_domain_name]

infrastructure/modules/cloudfront/README.md

@@ -19,14 +19,14 @@ No modules.
 | [aws_cloudfront_cache_policy.nocache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_cache_policy) | resource |
 | [aws_cloudfront_distribution.distribution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
 | [aws_cloudfront_origin_access_control.cloudfront_s3_oac](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
+| [aws_cloudfront_origin_request_policy.viewer_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_request_policy) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_bucket_domain_name"></a> [bucket\_domain\_name](#input\_bucket\_domain\_name) | Domain name to assign CloudFront distribution to | `string` | n/a | yes |
 | <a name="input_bucket_id"></a> [bucket\_id](#input\_bucket\_id) | Bucket ID to assign CloudFront distribution to | `string` | n/a | yes |
-| <a name="input_forwarding_policy"></a> [forwarding\_policy](#input\_forwarding\_policy) | Manged or custom policy for CloudFront distribution caching and forwarding | `string` | `"88a5eaf4-2fd4-4709-b370-b4c650ea3fcf"` | no |
 | <a name="input_qualifed_arn"></a> [qualifed\_arn](#input\_qualifed\_arn) | Lambda@Edge function association | `string` | n/a | yes |
 
 ## Outputs

infrastructure/modules/cloudfront/main.tf

@@ -2,7 +2,7 @@ resource "aws_cloudfront_origin_access_control" "cloudfront_s3_oac" {
   name                              = "${terraform.workspace}_cloudfront_s3_oac_policy"
   description                       = "Cloud Front S3 OAC"
   origin_access_control_origin_type = "s3"
-  signing_behavior                  = "always"
+  signing_behavior                  = "never"
   signing_protocol                  = "sigv4"
 }
 
@@ -20,10 +20,10 @@ resource "aws_cloudfront_distribution" "distribution" {
     target_origin_id         = var.bucket_id
     viewer_protocol_policy   = "redirect-to-https"
     cache_policy_id          = aws_cloudfront_cache_policy.nocache.id
-    origin_request_policy_id = var.forwarding_policy
+    origin_request_policy_id = aws_cloudfront_origin_request_policy.viewer_policy.id
 
     lambda_function_association {
-      event_type = "viewer-request"
+      event_type = "origin-request"
       lambda_arn = var.qualifed_arn
     }
   }
@@ -32,12 +32,47 @@ resource "aws_cloudfront_distribution" "distribution" {
   }
   restrictions {
     geo_restriction {
-      restriction_type = "whitelist" # Restrict access to only the listed countries
-      locations        = ["GB"]      # ISO code for the United Kingdom
+      restriction_type = "whitelist"
+      locations        = ["GB"]
     }
   }
 }
 
+resource "aws_cloudfront_origin_request_policy" "viewer_policy" {
+  name = "${terraform.workspace}_BlockQueriesAndAllowViewer"
+
+  query_strings_config {
+    query_string_behavior = "whitelist"
+    query_strings {
+      items = [
+        "X-Amz-Algorithm",
+        "X-Amz-Credential",
+        "X-Amz-Date",
+        "X-Amz-Expires",
+        "X-Amz-SignedHeaders",
+        "X-Amz-Signature",
+        "X-Amz-Security-Token"
+      ]
+    }
+  }
+
+
+  headers_config {
+    header_behavior = "whitelist"
+    headers {
+      items = [
+        "Host",
+        "CloudFront-Viewer-Country",
+        "X-Forwarded-For"
+      ]
+    }
+  }
+
+  cookies_config {
+    cookie_behavior = "none"
+  }
+}
+
 resource "aws_cloudfront_cache_policy" "nocache" {
   name        = "${terraform.workspace}_nocache_policy"
   default_ttl = 0

infrastructure/modules/cloudfront/variable.tf

@@ -11,12 +11,4 @@ variable "bucket_id" {
 variable "qualifed_arn" {
   type        = string
   description = "Lambda@Edge function association"
-}
-
-# Managed-AllViewer Policy
-# https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html
-variable "forwarding_policy" {
-  type        = string
-  default     = "88a5eaf4-2fd4-4709-b370-b4c650ea3fcf"
-  description = "Manged or custom policy for CloudFront distribution caching and forwarding"
-}
+}

infrastructure/modules/s3/main.tf

@@ -78,7 +78,7 @@ data "aws_iam_policy_document" "s3_cloudfront_policy" {
 
     condition {
       test     = "StringEquals"
-      variable = "AWS:SourceArn"
+      variable = "aws:SourceArn"
       values   = [var.cloudfront_arn]
     }
   }

virusscanner/terraform/README.md

@@ -8,7 +8,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.43.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.46.0 |
 
 ## Modules