add policy

rust-lang · Feb 13, 2025 · aa8e8c4 · aa8e8c4
1 parent 4d9e8e6
commit aa8e8c4
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 2 deletions.
diff --git a/terragrunt/modules/rustc-ci/artifacts.tf b/terragrunt/modules/rustc-ci/artifacts.tf
@@ -124,7 +124,7 @@ module "artifacts_cdn" {
 
   domain_name        = "ci-artifacts.rust-lang.org"
   origin_domain_name = aws_s3_bucket.artifacts.bucket_regional_domain_name
-  response_policy_id = data.terraform_remote_state.shared.outputs.mdbook_response_policy
+  response_policy_id = aws_cloudfront_response_headers_policy.s3.id
 }
 
 data "aws_s3_bucket" "inventories" {

diff --git a/terragrunt/modules/rustc-ci/caches.tf b/terragrunt/modules/rustc-ci/caches.tf
@@ -108,5 +108,5 @@ module "caches_cdn" {
 
   domain_name        = "ci-caches.rust-lang.org"
   origin_domain_name = aws_s3_bucket.caches.bucket_regional_domain_name
-  response_policy_id = data.terraform_remote_state.shared.outputs.mdbook_response_policy
+  response_policy_id = aws_cloudfront_response_headers_policy.s3.id
 }
diff --git a/terragrunt/modules/rustc-ci/headers_policy.tf b/terragrunt/modules/rustc-ci/headers_policy.tf
@@ -0,0 +1,27 @@
+resource "aws_cloudfront_response_headers_policy" "s3" {
+  name    = "S3StaticFiles"
+  comment = "Policy for s3 files"
+
+  security_headers_config {
+    content_type_options {
+      override = true
+    }
+    frame_options {
+      frame_option = "DENY"
+      override     = true
+    }
+    xss_protection {
+      protection = true
+      mode_block = true
+      override   = true
+    }
+    referrer_policy {
+      referrer_policy = "no-referrer"
+      override        = true
+    }
+    strict_transport_security {
+      access_control_max_age_sec = 63072000
+      override                   = true
+    }
+  }
+}