Merged in dev/maxime/MPC-6453_add-auth0-to-csp (pull request elastic#799

) Added Auth0 in content-src response header for csp * added var to enable auth0 when stack_env is dev || test * add string in content-src to allow auth0 * Removed comment with ticket number Approved-by: Gabi Davar
mindw · Jul 29, 2022 · 0bd5665 · 0bd5665
1 parent 5a10889
commit 0bd5665
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/aws/ams-cluster-v1-tf/cloudfront.tf b/aws/ams-cluster-v1-tf/cloudfront.tf
@@ -62,7 +62,7 @@ resource "aws_cloudfront_response_headers_policy" "security_headers_policy" {
          "style-src 'self' https: 'unsafe-inline';",
          "frame-src *;",
          "media-src 'self' https: blob:;",
-         "connect-src https://*.engageli.com:* https://*.ingest.sentry.io https://*.engageli-${var.stack_env}.com:* wss://*.engageli.com:* wss://*.engageli-${var.stack_env}.com:* https://noembed.com:* file://* https://*.amazonaws.com:* wss://*.amazonaws.com:* https://*.cloudfront.net:* https://*.miro.com:*;",
+         "connect-src https://*.engageli.com:* https://*.ingest.sentry.io https://*.engageli-${var.stack_env}.com:* wss://*.engageli.com:* wss://*.engageli-${var.stack_env}.com:* https://noembed.com:* file://* https://*.amazonaws.com:* wss://*.amazonaws.com:* https://*.cloudfront.net:* https://*.miro.com:*${var.cf_enable_auth0_csp_csrc ? " https://*.auth0.com/:*": ""};",
          "base-uri 'none';"
        ]
       )

diff --git a/aws/ams-cluster-v1-tf/variables.tf b/aws/ams-cluster-v1-tf/variables.tf
@@ -372,6 +372,12 @@ variable "cf_enabled" {
   default     = true
 }
 
+variable "cf_enable_auth0_csp_csrc" {
+  description = "Set auth0 in csp content-src response header"
+  type = bool
+  default = contains(["dev", "test"], var.stack_env)
+}
+
 variable "cf_price_class" {
   description = "Price Class determines what edge locations are included"
   type        = string