riboseinc / terraform-aws-s3-cloudfront-website

Terraform module for creating a static S3 website with CloudFront with an SSL certificate (e.g., from ACM)
Apache License 2.0

Basic HTTP auth pw prompted but access granted #16

Closed mmeloni closed 5 years ago

mmeloni commented 5 years ago

I am seeing strange behaviour: the Basic-auth password prompt appears, but I can still access my files even when I enter a wrong password.

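terraform {
  backend "s3" {
    bucket = "***"
    key    = "terraform/terraform.tfstate"
    region = "eu-west-1"

    # Server-side encrypt the state object at rest. The state will hold the
    # resource attributes the module derives from inputs such as refer_secret
    # (wherever it wires that value into CloudFront/S3), so treat the state
    # file as sensitive rather than leaving it in the bucket in the clear.
    encrypt = true

    # NOTE(review): consider adding `dynamodb_table = "<your-lock-table>"` for
    # state locking; the table name depends on your environment.
  }
}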

# AWS Region for S3 and other resources
provider "aws" {
  # Primary region: the S3 bucket and Route 53 lookups are created here.
  alias  = "main"
  region = "eu-west-1"
}

# AWS Region for CloudFront-related resources. CloudFront only accepts ACM certificates
# issued in us-east-1 (ACM itself works in other regions, but not for CloudFront), and
# Lambda@Edge functions must also be created in us-east-1.
provider "aws" {
  # us-east-1 provider used for the ACM certificate consumed by CloudFront.
  alias  = "cloudfront"
  region = "us-east-1"
}

# Variables
variable "fqdn" {
  # Host name the site is served under; also used as the ACM certificate CN.
  default     = "*****"
  description = "The fully-qualified domain name of the resulting S3 website."
}

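variable "domain" {
  # Name of the public Route 53 hosted zone that fqdn lives in; it is only
  # used for the data.aws_route53_zone lookup below.
  description = "The Route 53 hosted zone name (apex domain) that contains fqdn."
  default     = "***"
}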

# Allowed IPs that can directly access the S3 bucket
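variable "allowed_ips" {
  description = "CIDR blocks allowed to reach the S3 bucket directly, bypassing CloudFront (and therefore the Lambda@Edge auth). Keep this list minimal."
  type        = "list"

  # Placeholder single-host CIDR; replace with the real operator/CI addresses.
  default = ["10.0.0.0/32"]
}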

# Using this module
module "main" {
  source = "github.com/riboseinc/terraform-aws-s3-cloudfront-website"

  providers {
    "aws.main"       = "aws.main"
    "aws.cloudfront" = "aws.cloudfront"
  }

  # Site identity and TLS: the certificate ARN comes from the validation
  # resource so the distribution is not created before the cert is issued.
  fqdn                = "${var.fqdn}"
  ssl_certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}"

  # Direct-to-S3 access bypasses CloudFront (and the Lambda@Edge auth below),
  # so keep allowed_ips tight.
  allowed_ips = "${var.allowed_ips}"

  index_document = "index.html"
  error_document = "404.html"

  # NOTE(review): this value is derived from a constant committed to this file
  # plus the public fqdn, so anyone with read access to the repo can recompute
  # it and, if the module uses it as a Referer-style origin check, reach the
  # bucket endpoint without going through CloudFront. Prefer a value injected
  # via a variable or generated by a random_* resource.
  refer_secret = "${base64sha512("REFER-SECRET-19265125-${var.fqdn}-52865926")}"

  # Lets `terraform destroy` delete the bucket even if it still contains
  # objects. Fine for a regenerable static site; dangerous for anything else.
  force_destroy = "true"

  # Optional WAF Web ACL ID, defaults to none.
  #web_acl_id = "${data.terraform_remote_state.site.waf-web-acl-id}"

  # Basic-auth via the "lambda" module below. Lambda@Edge needs a fully
  # versioned function ARN, hence the "<arn>:<version>" form.
  lambda_edge_enabled     = "true"
  lambda_edge_arn_version = "${module.lambda.arn}:${module.lambda.version}"
}

### Integrate with module terraform-aws-s3-cloudfront-website to support Basic auth.
### Remember that a Lambda@Edge function must live in us-east-1, the same region as the
### "aws.cloudfront" provider above (not us-west-1).
module "lambda" {
  source = "git::https://github.com/riboseinc/terraform-aws-lambda-edge-authentication"

  # The function reads its auth configuration (user list / blacklist /
  # whitelist) from config.json in this bucket; see the module README:
  # https://github.com/riboseinc/terraform-aws-lambda-edge-authentication/blob/master/README.adoc
  # NOTE(review): that object presumably holds credentials, so the bucket should
  # be private with access restricted to the function's execution role.
  bucketKey  = "config.json"
  bucketName = "****.htaccess"

  # Domain the auth cookie is scoped to.
  cookieDomain = "*****"
}

# ACM Certificate generation
resource "aws_acm_certificate" "cert" {
  # Must be requested in us-east-1 for CloudFront to use it.
  provider = "aws.cloudfront"

  # DNS validation so renewal needs no manual e-mail step.
  validation_method = "DNS"
  domain_name       = "${var.fqdn}"
}

resource "aws_route53_record" "cert_validation" {
  # Route 53 is a global service, so the us-east-1 provider works here even
  # though the zone itself is looked up through "aws.main".
  provider = "aws.cloudfront"
  zone_id  = "${data.aws_route53_zone.main.id}"

  # Validation CNAME handed out by ACM for the first (only) domain on the cert.
  type    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
  name    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
  records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]

  # Short TTL so a re-issued validation record propagates quickly.
  ttl = 60
}

resource "aws_acm_certificate_validation" "cert" {
  # Blocks until ACM has seen the DNS record above; downstream consumers use
  # certificate_arn from this resource so they wait for issuance.
  provider = "aws.cloudfront"

  validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
  certificate_arn         = "${aws_acm_certificate.cert.arn}"
}

# Route 53 record for the static site

data "aws_route53_zone" "main" {
  # Public hosted zone for var.domain; the site and validation records go here.
  provider     = "aws.main"
  private_zone = false
  name         = "${var.domain}"
}

resource "aws_route53_record" "web" {
  provider = "aws.main"

  # A-record ALIAS pointing the site name at the CloudFront distribution.
  type    = "A"
  name    = "${var.fqdn}"
  zone_id = "${data.aws_route53_zone.main.zone_id}"

  alias {
    # Health evaluation is irrelevant for a single CloudFront target.
    evaluate_target_health = false
    zone_id                = "${module.main.cf_hosted_zone_id}"
    name                   = "${module.main.cf_domain_name}"
  }
}

# Outputs

# --- S3 ---
output "s3_bucket_id" {
  value = "${module.main.s3_bucket_id}"
}

output "s3_domain" {
  # Website endpoint of the bucket; reachable directly only from allowed_ips.
  value = "${module.main.s3_website_endpoint}"
}

output "s3_hosted_zone_id" {
  value = "${module.main.s3_hosted_zone_id}"
}

# --- CloudFront ---
output "cloudfront_distribution_id" {
  value = "${module.main.cf_distribution_id}"
}

output "cloudfront_domain" {
  value = "${module.main.cf_domain_name}"
}

output "cloudfront_hosted_zone_id" {
  value = "${module.main.cf_hosted_zone_id}"
}

# --- DNS and TLS ---
output "route53_fqdn" {
  value = "${aws_route53_record.web.fqdn}"
}

output "acm_certificate_arn" {
  # ARN from the validation resource, i.e. the issued certificate.
  value = "${aws_acm_certificate_validation.cert.certificate_arn}"
}
ronaldtse commented 5 years ago

@mmeloni thank you for the report!

@phuonghuynh could you help verify this problem? Thanks!

phuonghuynh commented 5 years ago

@mmeloni @ronaldtse fixed in ab0f2e8 master branch.