From aa8e8c4df8af1410a6077218cfed1a4557abf954 Mon Sep 17 00:00:00 2001
From: MarcoIeni <11428655+MarcoIeni@users.noreply.github.com>
Date: Thu, 13 Feb 2025 17:23:45 +0100
Subject: [PATCH] add policy
---
 terragrunt/modules/rustc-ci/artifacts.tf | 2 +-
 terragrunt/modules/rustc-ci/caches.tf | 2 +-
 terragrunt/modules/rustc-ci/headers_policy.tf | 27 +++++++++++++++++++
 3 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 terragrunt/modules/rustc-ci/headers_policy.tf
diff --git a/terragrunt/modules/rustc-ci/artifacts.tf b/terragrunt/modules/rustc-ci/artifacts.tf
index 083c08d5..a88d4433 100644
--- a/terragrunt/modules/rustc-ci/artifacts.tf
+++ b/terragrunt/modules/rustc-ci/artifacts.tf
@@ -124,7 +124,7 @@ module "artifacts_cdn" {
 domain_name = "ci-artifacts.rust-lang.org"
 origin_domain_name = aws_s3_bucket.artifacts.bucket_regional_domain_name
- response_policy_id = data.terraform_remote_state.shared.outputs.mdbook_response_policy
+ response_policy_id = aws_cloudfront_response_headers_policy.s3.id
 }
 data "aws_s3_bucket" "inventories" {
diff --git a/terragrunt/modules/rustc-ci/caches.tf b/terragrunt/modules/rustc-ci/caches.tf
index 253e207d..a8b9131c 100644
--- a/terragrunt/modules/rustc-ci/caches.tf
+++ b/terragrunt/modules/rustc-ci/caches.tf
@@ -108,5 +108,5 @@ module "caches_cdn" {
 domain_name = "ci-caches.rust-lang.org"
 origin_domain_name = aws_s3_bucket.caches.bucket_regional_domain_name
- response_policy_id = data.terraform_remote_state.shared.outputs.mdbook_response_policy
+ response_policy_id = aws_cloudfront_response_headers_policy.s3.id
 }
diff --git a/terragrunt/modules/rustc-ci/headers_policy.tf b/terragrunt/modules/rustc-ci/headers_policy.tf
new file mode 100644
index 00000000..8f1bb474
--- /dev/null
+++ b/terragrunt/modules/rustc-ci/headers_policy.tf
@@ -0,0 +1,27 @@
+resource "aws_cloudfront_response_headers_policy" "s3" {
+ name = "S3StaticFiles"
+ comment = "Policy for s3 files"
+
+ security_headers_config {
+ content_type_options {
+ override = true
+ }
+ frame_options {
+ frame_option = "DENY"
+ override = true
+ }
+ xss_protection {
+ protection = true
+ mode_block = true
+ override = true
+ }
+ referrer_policy {
+ referrer_policy = "no-referrer"
+ override = true
+ }
+ strict_transport_security {
+ access_control_max_age_sec = 63072000
+ override = true
+ }
+ }
+}
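Review bot: The `security_headers_config` block sets no `content_security_policy`, so any HTML or SVG object stored in the artifacts or caches buckets is rendered with scripts enabled on a `rust-lang.org` subdomain; `frame_options` and `content_type_options` do not cover that case. If the buckets are only meant to serve downloads, adding a `content_security_policy` block with `content_security_policy = "default-src 'none'; sandbox"` and `override = true` would close it, though the value needs loosening if browsable HTML is served on purpose. Whether the replaced `mdbook_response_policy` carried a CSP or other headers is not visible in this patch, so it is worth confirming that nothing the two distributions relied on is being dropped. Separately, `xss_protection` emits the legacy `X-XSS-Protection` header, which current browsers ignore; a short comment such as `# legacy header, kept only for old clients` would tell the next reader it is not the XSS control here.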