From 2fedaa3b6778a85b36a2eb761a0fefdf1645ff92 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 15 May 2024 01:26:33 +0200 Subject: [PATCH] terraform: configure authn for fastly<->releases This happens in preparation for enabling requester pays on the S3 bucket. --- terraform/cache.tf | 6 +++--- terraform/locals.tf | 4 +++- terraform/releases.tf | 14 ++++++++++++++ terraform/{cache => }/s3-authn.vcl | 0 4 files changed, 20 insertions(+), 4 deletions(-) rename terraform/{cache => }/s3-authn.vcl (100%) diff --git a/terraform/cache.tf b/terraform/cache.tf index 26ee1d5f..088853d5 100644 --- a/terraform/cache.tf +++ b/terraform/cache.tf @@ -220,11 +220,11 @@ resource "fastly_service_vcl" "cache" { name = "Authenticate S3 requests" type = "miss" priority = 100 - content = templatefile("${path.module}/cache/s3-authn.vcl", { + content = templatefile("${path.module}/s3-authn.vcl", { aws_region = aws_s3_bucket.cache.region backend_domain = aws_s3_bucket.cache.bucket_domain_name - access_key = local.cache-iam.key - secret_key = local.cache-iam.secret + access_key = local.fastly-iam.key + secret_key = local.fastly-iam.secret }) } diff --git a/terraform/locals.tf b/terraform/locals.tf index d8ba43a4..90ac5d2e 100644 --- a/terraform/locals.tf +++ b/terraform/locals.tf @@ -4,7 +4,9 @@ locals { # TLS v1.2, protocols HTTP/1.1 and HTTP/2 fastly_tls12_sni_configuration_id = "5PXBTa6c01Xoh54ylNwmVA" - cache-iam = data.terraform_remote_state.terraform-iam.outputs.cache + # Used for authenticating fastly against S3 buckets + fastly-iam = data.terraform_remote_state.terraform-iam.outputs.cache + fastlylogs = data.terraform_remote_state.terraform-iam.outputs.fastlylogs # fastlylogs = { diff --git a/terraform/releases.tf b/terraform/releases.tf index fa780251..f11d5bf4 100644 --- a/terraform/releases.tf +++ b/terraform/releases.tf @@ -181,6 +181,20 @@ resource "fastly_service_vcl" "releases" { status = 404 } + # Authenticate Fastly<->S3 requests. See Fastly documentation: + # https://docs.fastly.com/en/guides/amazon-s3#using-an-amazon-s3-private-bucket + snippet { + name = "Authenticate S3 requests" + type = "miss" + priority = 100 + content = templatefile("${path.module}/s3-authn.vcl", { + aws_region = aws_s3_bucket.releases.region + backend_domain = aws_s3_bucket.releases.bucket_domain_name + access_key = local.fastly-iam.key + secret_key = local.fastly-iam.secret + }) + } + snippet { content = "set req.url = querystring.remove(req.url);" name = "Remove all query strings" diff --git a/terraform/cache/s3-authn.vcl b/terraform/s3-authn.vcl similarity index 100% rename from terraform/cache/s3-authn.vcl rename to terraform/s3-authn.vcl