Restrict allowed origin in CORS rules for static and media S3 buckets (…

…#3130)
refinery-platform · Dec 5, 2018 · 42634ad · 42634ad
1 parent 179a796
commit 42634ad
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 3 deletions.
diff --git a/deployment/terraform/live/main.tf b/deployment/terraform/live/main.tf
@@ -52,6 +52,8 @@ locals {
 module "object_storage" {
   source           = "../modules/s3"
   bucket_name_base = "${local.s3_bucket_name_base}"
+  origin_protocol  = "${var.ssl_certificate_id == "" ? "http" : "https"}"
+  origin_domain    = "${var.site_domain}"
   tags             = "${local.tags}"
 }
 

diff --git a/deployment/terraform/modules/s3/main.tf b/deployment/terraform/modules/s3/main.tf
@@ -24,22 +24,21 @@ PUBLIC_ACCESS
   cors_rule {
     allowed_headers = ["Authorization"]
     allowed_methods = ["GET"]
-    allowed_origins = ["*"]
+    allowed_origins = ["${var.origin_protocol}://${var.origin_domain}"]
     expose_headers  = ["ETag"]
     max_age_seconds = 3000
   }
 }
 
 resource "aws_s3_bucket" "uploaded_files" {
-  acl           = "private"
   bucket        = "${var.bucket_name_base}-upload"
   force_destroy = true
   tags          = "${var.tags}"
 
   cors_rule {
     allowed_headers = ["*"]
     allowed_methods = ["PUT", "POST", "DELETE"]
-    allowed_origins = ["*"]
+    allowed_origins = ["${var.origin_protocol}://${var.origin_domain}"]
     expose_headers  = ["ETag"]
     max_age_seconds = 3000
   }

diff --git a/deployment/terraform/modules/s3/vars.tf b/deployment/terraform/modules/s3/vars.tf
@@ -2,6 +2,15 @@
 variable "bucket_name_base" {
   description = "Prefix for the Refinery Platform S3 buckets"
 }
+
+variable "origin_protocol" {
+  description = "URL protocol for CORS origin config"
+}
+
+variable "origin_domain" {
+  description = "URL domain for CORS origin config"
+}
+
 variable "tags" {
   type        = "map"
   description = "Resource tags"