Revert "Secureheaders"

2018-01-04 16:36:55 +00:00 · 2018-01-04 16:36:55 +00:00 · deecd00910
--- a/README.md
+++ b/README.md
@ -19,27 +19,6 @@ module "example" {
  acm_certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/00e371ce-a96e-435b-9e76-687ad6sa8231"
 }

-```
-
-An example that enables some headers:
-```
-
-module "example" {
-  source              = "git://github.com/mozilla/partinfra-terraform-cloudfrontssl.git"
-
-  origin_domain_name  = "discourse.mozilla-community.org"
-  origin_id           = "discoursecdn"
-  alias               = "cdn.discourse.mozilla-community.org"
-  acm_certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/00e371ce-a96e-435b-9e76-687ad6sa8231"
-
-  headers {
-        enabled = true
-        hsts-enabled = true
-        x-content-type-enabled = true
-        x-frame-options-enabled = true
-        x-xss-protection-enabled = true
-    }
-}
 ```
 ## Reference

@ -56,18 +35,6 @@ module "example" {
 | `comment`           | A comment to add to the distribution.  | no           |    |
 | `default_root_object`           | The object to return when a user requests the root URL.  | no           |  `index.html`  |
 | `compression` | Enable CloudFront to compress some files with gzip (and forward the `Accept-Encoding` header to the origin) | no | `false`
-| `headers` | A map of headers to enable (see below) | no | | |
-
-### Headers
-Add secure headers to every response, using Lambda@Edge (very basic, to be changed to allow any headers with any value to be added in the future)
-
-| Variable              | Description                                                                                | Required     | Default  |
-| -------------          |-------------                                                                               |----------    | ----- |
-| `enabled`     | Deploy a Lambda@Edge function to add headers to all responses                                                 | no          | `false` |
-| `hsts_enabled`     |`Strict-Transport-Security: max-age=63072000`                                                | no          | `false` |
-| `x-content-type-enabled`              | `X-Content-Type-Options: nosniff`                                                        | no          | `false` |
-| `x-frame-options-enabled`              | `X-Frame-Options: DENY`                                                        | no          | `false` |
-| `x-xss-protection-enabled`              | `X-XSS-Protection: 1; mode=block`                                                        | no          | `false` | |
 ## Issues

 For issue tracking we use bugzilla.mozilla.org. [Create a bug][1] on bugzilla.mozilla.org under ``Participation Infrastructure > Community Ops`` component.
--- a/headers_function.js
+++ b/headers_function.js
@ -1,13 +0,0 @@
-'use strict';
-
-exports.handler = (event, context, callback) => {
-    const response = event.Records[0].cf.response;
-    const headers = response.headers;
-
-    // See https://wiki.mozilla.org/Security/Guidelines/Web_Security
-    ${hsts ? "headers['Strict-Transport-Security'] = [{'key': 'Strict-Transport-Security', 'value': 'max-age=63072000'}];" : ""}
-    ${x-content-type ? "headers['X-Content-Type-Options'] = [{'key': 'X-Content-Type-Options', 'value': 'nosniff'}];" : ""}
-    ${x-frame-options ? "headers['X-Frame-Options'] = [{'key': 'X-Frame-Options', 'value': 'DENY'}];" : ""}
-    ${x-xss-protection ? "headers['X-XSS-Protection'] = [{'key': 'X-XSS-Protection', 'value': '1; mode=block'}];" : ""}
-    callback(null, response);
-};
--- a/lambda.tf
+++ b/lambda.tf
@ -1,70 +0,0 @@
-variable "headers" {
-    default = {
-        enabled = false
-        hsts-enabled = false
-        x-content-type-enabled = false
-        x-frame-options-enabled = false
-        x-xss-protection-enabled = false
-    }
-}
-
-data "template_file" "function" {
-  count = "${var.headers["enabled"] ? 1 : 0}"
-  template = "${file("${path.module}/headers_function.js")}"
-
-  vars {
-    hsts = "${var.headers["hsts-enabled"]}"
-    x-content-type = "${var.headers["x-content-type-enabled"]}"
-    x-frame-options = "${var.headers["x-frame-options-enabled"]}"
-    x-xss-protection = "${var.headers["x-xss-protection-enabled"]}"
-  }
-}
-
-data "archive_file" "headers-function" {
-  count = "${var.headers["enabled"] ? 1 : 0}"
-  type = "zip"
-  output_path = "${path.module}/.zip/headers_function.zip"
-  source {
-    filename = "index.js"
-    content = "${data.template_file.function.rendered}"
-  }
-}
-
-data "aws_iam_policy_document" "lambda-role-policy" {
-  count = "${var.headers["enabled"] ? 1 : 0}"
-  statement {
-    actions = ["sts:AssumeRole"]
-    principals {
-      type = "Service"
-      identifiers = [
-        "lambda.amazonaws.com",
-        "edgelambda.amazonaws.com"
-      ]
-    }
-  }
-}
-
-resource "aws_iam_role" "headers-function" {
-  count = "${var.headers["enabled"] ? 1 : 0}"
-  name = "${var.alias}-lambda"
-  assume_role_policy = "${data.aws_iam_policy_document.lambda-role-policy.json}"
-}
-
-resource "aws_iam_role_policy_attachment" "headers-function-role-policy" {
-  count = "${var.headers["enabled"] ? 1 : 0}"
-  role = "${aws_iam_role.headers-function.name}"
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-}
-
-resource "aws_lambda_function" "headers" {
-  count = "${var.headers["enabled"] ? 1 : 0}"
-  function_name = "${var.alias}-headers"
-  filename = "${data.archive_file.headers-function.output_path}"
-  source_code_hash = "${data.archive_file.headers-function.output_base64sha256}"
-  role = "${aws_iam_role.headers-function.arn}"
-  runtime = "nodejs6.10"
-  handler = "index.handler"
-  memory_size = 128
-  timeout = 3
-  publish = false
-}
--- a/main.tf
+++ b/main.tf
@ -24,6 +24,7 @@ variable "compression" {
  default     = false
 }

+
 resource "aws_cloudfront_distribution" "ssl_distribution" {
  origin {
    domain_name = "${var.origin_domain_name}"
@ -64,35 +65,6 @@ resource "aws_cloudfront_distribution" "ssl_distribution" {
    max_ttl                = 3600
  }

-
-  cache_behavior {
-      allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
-      cached_methods   = ["GET", "HEAD"]
-      target_origin_id = "${var.origin_id}"
-      compress         = "${var.compression}"
-      path_pattern     = "/"
-      forwarded_values {
-        query_string = false
-
-        cookies {
-          forward = "none"
-        }
-      }
-
-      viewer_protocol_policy = "redirect-to-https"
-      min_ttl                = 0
-      default_ttl            = 360
-      max_ttl                = 3600
-
-      lambda_function_association {
-          event_type = "${var.headers["enabled"] ? "viewer-response" : ""}"
-          // this currently does not work in Terraform
-          //lambda_arn = "${var.headers["enabled"] ? aws_lambda_function.headers.arn : ""}"
-          lambda_arn = "${aws_lambda_function.headers.arn}"
-
-        }
-  }
-
  restrictions {
    geo_restriction {
        restriction_type = "none"