
Add Cloudfront config using EKS load balancers as origin. #929

Merged: 4 commits merged into main from cloudfront, Sep 21, 2023

Conversation

rtrinque (Contributor) commented Aug 18, 2023

This upgrades our previous Cloudfront configuration that used S3 buckets as origins and could only serve static content. This new config will be able to serve dynamic content as well.

Trello: https://trello.com/c/XXhD9LfI/3257-apply-cloudfront-terraform-to-production

This upgrades our previous Cloudfront configuration that used S3
buckets as origins and could only serve static content.
This new config will be able to serve dynamic content as well.

It has been successfully tested in a failover test on 30th August.

Trello: https://trello.com/c/XXhD9LfI/3257-apply-cloudfront-terraform-to-production
robinjam (Contributor) commented:
Staging plan output looks good:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_cloudfront_distribution.assets_distribution[0] will be updated in-place
  ~ resource "aws_cloudfront_distribution" "assets_distribution" {
        id                             = "E2RBIQQ8CNPY8"
        tags                           = {
            "govuk_environment" = "staging"
        }
      + web_acl_id                     = "arn:aws:wafv2:us-east-1:696911096973:global/webacl/cdn_poc_govuk/8fcb1569-44ff-4dd8-b634-748ca3e2b255"
        # (20 unchanged attributes hidden)

      ~ default_cache_behavior {
          ~ default_ttl            = 0 -> 86400
          ~ max_ttl                = 0 -> 31536000
            # (10 unchanged attributes hidden)
        }

        # (4 unchanged blocks hidden)
    }

  # aws_cloudfront_distribution.www_distribution[0] will be updated in-place
  ~ resource "aws_cloudfront_distribution" "www_distribution" {
        id                             = "E1TA1GIAQMC2TZ"
        tags                           = {
            "govuk_environment" = "staging"
        }
        # (21 unchanged attributes hidden)

      ~ default_cache_behavior {
          ~ default_ttl              = 0 -> 86400
          ~ max_ttl                  = 0 -> 31536000
            # (11 unchanged attributes hidden)
        }

        # (9 unchanged blocks hidden)
    }

  # aws_wafv2_web_acl.cdn_poc_govuk will be imported
    resource "aws_wafv2_web_acl" "cdn_poc_govuk" {
        arn           = "arn:aws:wafv2:us-east-1:696911096973:global/webacl/cdn_poc_govuk/8fcb1569-44ff-4dd8-b634-748ca3e2b255"
        capacity      = 777
        id            = "8fcb1569-44ff-4dd8-b634-748ca3e2b255"
        lock_token    = "2e3c330c-6f5d-45dc-885e-698692c00572"
        name          = "cdn_poc_govuk"
        scope         = "CLOUDFRONT"
        tags          = {}
        tags_all      = {}
        token_domains = []

        default_action {
            block {
            }
        }

        rule {
            name     = "ALLOW_EC2_EKS"
            priority = 4

            action {
                allow {
                }
            }

            statement {
                ip_set_reference_statement {
                    arn = "arn:aws:wafv2:us-east-1:696911096973:global/ipset/EC2_EKS_NAT_Gateways/94286465-8456-489f-aa40-8e23f16d52ad"
                }
            }

            visibility_config {
                cloudwatch_metrics_enabled = true
                metric_name                = "ALLOW_EC2_EKS"
                sampled_requests_enabled   = true
            }
        }
        rule {
            name     = "ALLOW_GDS_IPS"
            priority = 3

            action {
                allow {
                }
            }

            statement {
                ip_set_reference_statement {
                    arn = "arn:aws:wafv2:us-east-1:696911096973:global/ipset/cloudfront_cdn_gds/d594f8ed-8e3f-4dd9-a0e1-bb643a07eed5"
                }
            }

            visibility_config {
                cloudwatch_metrics_enabled = true
                metric_name                = "ALLOW_GDS_IPS"
                sampled_requests_enabled   = true
            }
        }
        rule {
            name     = "AWS-AWSManagedRulesAmazonIpReputationList"
            priority = 1

            override_action {
                none {}
            }

            statement {
                managed_rule_group_statement {
                    name        = "AWSManagedRulesAmazonIpReputationList"
                    vendor_name = "AWS"
                }
            }

            visibility_config {
                cloudwatch_metrics_enabled = true
                metric_name                = "AWS-AWSManagedRulesAmazonIpReputationList"
                sampled_requests_enabled   = true
            }
        }
        rule {
            name     = "AWS-AWSManagedRulesAnonymousIpList"
            priority = 0

            override_action {
                none {}
            }

            statement {
                managed_rule_group_statement {
                    name        = "AWSManagedRulesAnonymousIpList"
                    vendor_name = "AWS"
                }
            }

            visibility_config {
                cloudwatch_metrics_enabled = true
                metric_name                = "AWS-AWSManagedRulesAnonymousIpList"
                sampled_requests_enabled   = true
            }
        }
        rule {
            name     = "AWS-AWSManagedRulesCommonRuleSet"
            priority = 2

            override_action {
                none {}
            }

            statement {
                managed_rule_group_statement {
                    name        = "AWSManagedRulesCommonRuleSet"
                    vendor_name = "AWS"
                }
            }

            visibility_config {
                cloudwatch_metrics_enabled = true
                metric_name                = "AWS-AWSManagedRulesCommonRuleSet"
                sampled_requests_enabled   = true
            }
        }

        visibility_config {
            cloudwatch_metrics_enabled = true
            metric_name                = "cdn_poc_govuk"
            sampled_requests_enabled   = true
        }
    }

Plan: 1 to import, 0 to add, 2 to change, 0 to destroy.

This ACL already exists in staging (presumably it was created from the AWS console). We need to recreate it in production, but default to "allow" instead of "block", and omit the access control rules.
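The two plans above show the same web ACL in two shapes: staging has `default_action { block {} }` plus two `ip_set_reference_statement` allow rules, while production is to be created with `default_action { allow {} }` and only the three AWS managed rule groups. The following Terraform is an added example, not the PR's own code, of one way to express that difference from a single resource definition. The variable names `restrict_access` and `allowed_ipset_arns`, the provider alias `aws.us_east_1` and the `local.managed_rule_groups` map are assumptions introduced here; the rule names, priorities and managed rule group names are taken from the plan output.

```hcl
# Added example (not the PR's own code). Assumes the variables and the
# provider alias below exist in the surrounding module.

variable "restrict_access" {
  description = "true: block by default and allow only the listed IP sets (staging). false: allow by default (production)."
  type        = bool
}

variable "allowed_ipset_arns" {
  description = "Rule name -> WAFv2 IP set ARN allowed through the default block. Ignored when restrict_access is false."
  type        = map(string)
  default     = {}
}

locals {
  # Managed rule groups attached in both environments; priorities match the plan output.
  managed_rule_groups = {
    "AWS-AWSManagedRulesAnonymousIpList"        = { name = "AWSManagedRulesAnonymousIpList", priority = 0 }
    "AWS-AWSManagedRulesAmazonIpReputationList" = { name = "AWSManagedRulesAmazonIpReputationList", priority = 1 }
    "AWS-AWSManagedRulesCommonRuleSet"          = { name = "AWSManagedRulesCommonRuleSet", priority = 2 }
  }
}

resource "aws_wafv2_web_acl" "cdn_poc_govuk" {
  provider = aws.us_east_1 # CLOUDFRONT-scoped web ACLs must be created in us-east-1
  name     = "cdn_poc_govuk"
  scope    = "CLOUDFRONT"

  # Exactly one of block/allow is emitted, chosen by the environment flag.
  default_action {
    dynamic "block" {
      for_each = var.restrict_access ? [1] : []
      content {}
    }
    dynamic "allow" {
      for_each = var.restrict_access ? [] : [1]
      content {}
    }
  }

  # Managed rule groups run first (lowest priority numbers). override_action none
  # keeps the group's own block verdicts in force.
  dynamic "rule" {
    for_each = local.managed_rule_groups
    content {
      name     = rule.key
      priority = rule.value.priority
      override_action {
        none {}
      }
      statement {
        managed_rule_group_statement {
          name        = rule.value.name
          vendor_name = "AWS"
        }
      }
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.key
        sampled_requests_enabled   = true
      }
    }
  }

  # Allow-list rules exist only when the default action is block. Their
  # priorities start after the managed groups, as in the staging plan (3, 4).
  dynamic "rule" {
    for_each = var.restrict_access ? var.allowed_ipset_arns : {}
    content {
      name     = rule.key
      priority = 3 + index(keys(var.allowed_ipset_arns), rule.key)
      action {
        allow {}
      }
      statement {
        ip_set_reference_statement {
          arn = rule.value
        }
      }
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.key
        sampled_requests_enabled   = true
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "cdn_poc_govuk"
    sampled_requests_enabled   = true
  }
}
```

Each distribution then attaches the ACL with `web_acl_id = aws_wafv2_web_acl.cdn_poc_govuk.arn`, which is what the `+ web_acl_id` lines in both plans show. Two things worth checking before applying a change like this: the managed groups sit at lower priority numbers than the allow-list rules, so a request from an allow-listed IP set is still evaluated by the reputation, anonymous-IP and common rule sets before the allow rule runs; and the plans also raise `default_ttl` and `max_ttl` from 0, which only affects objects whose origin response carries no `Cache-Control`/`Expires` header (or, for `max_ttl`, caps what the origin asked for), so dynamic endpoints served through this distribution need to send explicit cache headers.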
robinjam (Contributor) commented:
Production plan output also looks good:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # aws_cloudfront_distribution.assets_distribution[0] will be updated in-place
  ~ resource "aws_cloudfront_distribution" "assets_distribution" {
        id                             = "E1WZQ0VC06YFM2"
        tags                           = {
            "govuk_environment" = "production"
        }
      + web_acl_id                     = (known after apply)
        # (20 unchanged attributes hidden)

      ~ default_cache_behavior {
          ~ default_ttl            = 0 -> 86400
          ~ max_ttl                = 0 -> 31536000
            # (10 unchanged attributes hidden)
        }

        # (4 unchanged blocks hidden)
    }

  # aws_cloudfront_distribution.www_distribution[0] will be updated in-place
  ~ resource "aws_cloudfront_distribution" "www_distribution" {
        id                             = "E31ESY2JHMP4Q"
        tags                           = {
            "govuk_environment" = "production"
        }
      + web_acl_id                     = (known after apply)
        # (20 unchanged attributes hidden)

      ~ default_cache_behavior {
          ~ default_ttl              = 0 -> 86400
          ~ max_ttl                  = 0 -> 31536000
            # (11 unchanged attributes hidden)
        }

        # (9 unchanged blocks hidden)
    }

  # aws_wafv2_web_acl.cdn_poc_govuk will be created
  + resource "aws_wafv2_web_acl" "cdn_poc_govuk" {
      + arn        = (known after apply)
      + capacity   = (known after apply)
      + id         = (known after apply)
      + lock_token = (known after apply)
      + name       = "cdn_poc_govuk"
      + scope      = "CLOUDFRONT"
      + tags_all   = (known after apply)

      + default_action {
          + allow {
            }
        }

      + rule {
          + name     = "AWS-AWSManagedRulesAmazonIpReputationList"
          + priority = 1

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesAmazonIpReputationList"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWS-AWSManagedRulesAmazonIpReputationList"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWS-AWSManagedRulesAnonymousIpList"
          + priority = 0

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesAnonymousIpList"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWS-AWSManagedRulesAnonymousIpList"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWS-AWSManagedRulesCommonRuleSet"
          + priority = 2

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesCommonRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWS-AWSManagedRulesCommonRuleSet"
              + sampled_requests_enabled   = true
            }
        }

      + visibility_config {
          + cloudwatch_metrics_enabled = true
          + metric_name                = "cdn_poc_govuk"
          + sampled_requests_enabled   = true
        }
    }

Plan: 1 to add, 2 to change, 0 to destroy.

robinjam (Contributor) commented:
This has been applied in both staging and production now.

@robinjam robinjam merged commit 5bc321a into main Sep 21, 2023
@robinjam robinjam deleted the cloudfront branch September 21, 2023 10:49