WIP

s0enke · Aug 18, 2017 · fb46f93 · fb46f93
1 parent b16e886
commit fb46f93
Showing 1 changed file with 70 additions and 2 deletions.
diff --git a/templates/cloudformation-terraform-custom-resource/template.yaml b/templates/cloudformation-terraform-custom-resource/template.yaml
@@ -172,7 +172,11 @@ Resources:
             compress = true
             lambda_function_association {
               event_type = "viewer-request"
-              lambda_arn = "${CdnViewerRequestFunctionVersion}"
+              lambda_arn = "${CdnViewerRequestFunctionVersion3}"
+            }
+            lambda_function_association {
+              event_type = "viewer-response"
+              lambda_arn = "${CdnViewerResponseFunctionVersion}"
             }
             forwarded_values {
               query_string = false
@@ -223,6 +227,7 @@ Resources:
       Code:
         ZipFile: |
           'use strict';
+          const util = require('util');
 
           let content = `
           <\!DOCTYPE html>
@@ -237,7 +242,12 @@ Resources:
           </html>
           `;
 
+          /*
+           * if (cookie) -> validate
+           */
+
           exports.handler = (event, context, callback) => {
+              console.log(util.inspect(event, { showHidden: true, depth: null }));
               const response = {
                   status: '401',
                   statusDescription: 'Unauthorized',
@@ -281,11 +291,69 @@ Resources:
       ManagedPolicyArns:
       - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
 
-  CdnViewerRequestFunctionVersion:
+  CdnViewerRequestFunctionVersion3:
     Type: "AWS::Lambda::Version"
     Properties:
       FunctionName: !Ref CdnViewerRequestFunction
 
+  CdnViewerResponseFunction:
+    Type: AWS::Lambda::Function
+    Properties:
+      FunctionName: !Sub '${AWS::StackName}-CdnViewerResponse'
+      Code:
+        ZipFile: |
+          'use strict';
+          const util = require('util');
+
+          exports.handler = (event, context, callback) => {
+              const response = event.Records[0].cf.response;
+
+              response.headers['strict-transport-security'] = [{
+                  'key': 'Strict-Transport-Security',
+                  'value': 'max-age=31536000; includeSubDomains;'
+              }];
+              response.headers['x-frame-options'] = [{
+                  'key': 'X-Frame-Options',
+                  'value': 'DENY'
+              }];
+              response.headers['cache-control'] = [{
+                  'key': 'Cache-Control',
+                  'value': 'no-store'
+              }];
+              response.headers['pragma'] = [{
+                  'key': 'Pragma',
+                  'value': 'no-cache'
+              }];
+
+              callback(null, response);
+          };
+
+      Handler: index.handler
+      Runtime: nodejs6.10
+      Timeout: 1
+      MemorySize: 128
+      Role: !GetAtt CdnViewerResponseFunctionRole.Arn
+
+  CdnViewerResponseFunctionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service:
+            - lambda.amazonaws.com
+            - edgelambda.amazonaws.com
+          Action: sts:AssumeRole
+      ManagedPolicyArns:
+      - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
+
+  CdnViewerResponseFunctionVersion:
+    Type: "AWS::Lambda::Version"
+    Properties:
+      FunctionName: !Ref CdnViewerResponseFunction
+
 Outputs:
   CdnDomain:
     Description: CdnDomain