
[WIP] Cloudfront edge s3 bucket password protected #14

Merged
merged 53 commits into from Sep 6, 2017

Conversation

s0enke
Owner

@s0enke s0enke commented Aug 16, 2017

supersedes #12
slightly based on #13

Vision / Story

Static website hosting is still a thing. And often, we want to protect our content e.g. with a password, for example when a website should not yet be public. While S3 provides a way to host static websites, it unfortunately offers no possibility to protect these websites with e.g. HTTP Basic Auth.
This CloudFormation template utilizes CloudFront with Origin Access Identity and Lambda@Edge to mimic a static website with basic auth password protection. Cognito userpools are used to manage users and credentials.

Target Conditions

S3 bucket not open to the world (no static website hosting option enabled)

Current Condition: I don't know how to protect an S3 bucket
Obstacle: API Gateway strips trailing slashes, which makes it unusable in front of S3 buckets without static website hosting
Next Experiment/Step: One-Click CloudFormation Template with CloudFront, OAI and Lambda@Edge

Fixed credentials (Basic Auth) are validated (no connection to Cognito yet)

(200 in the OK case, delivering the object, and 401 in the non-auth case)

Current Condition: Fixed credentials (Basic Auth) are not validated
Obstacle: The Authorization header is not passed through to the CdnOrigin Lambda because the S3 origin does not allow it
Next Experiment/Step: Rewrite Authorization into X-Authorization in the viewer-request function
Expected Outcome: Authorization can be passed this way to the Origin Request function
Learned:
  • If Lambda functions hang, there is a good possibility it's OOM
  • Python: How to pipe subprocess output to stdout
  • Terraform bug non-interactive: # S3 Backend Initialisation Error hashicorp/terraform#12971
  • The second parameter to callback is either the request or the response. CloudFront somehow magically determines whether we send a request or a response

Date: 08-21
Current Condition: U/P is passed through to the Origin Request function (which is allowed to make network calls, e.g. to Cognito), but U/P is not yet validated
Obstacle: testing cycle for Lambdas is too slow
Next Experiment/Step: write a simple Makefile with lambda invoke for test calls to Lambda@Edge functions
Expected Outcome: development speeds up because the CloudFront update is taken out of the test cycle
Learned:
  • Makefile plugin for IntelliJ
  • lambda tail and base64 decode one-liner could be a blog post
  • cloudformation deploy for idempotent stack updates

Date: 08-25
Current Condition: fixed U/P is not validated, target condition done

Cognito Connection (Infra via CloudFormation, and Implementation into Lambda)

Date: 08-25
Current Condition: No Cognito at all
Obstacle: No Cognito userpool connection in Lambda@Edge
Next Experiment/Step: implement it
Expected Outcome: A manually created user in a manually created userpool can be authorized through the Lambda@Edge function
Learned:
  • ADMIN_NO_SRP_AUTH can be used for U/P authentication in Cognito
  • AWS Region has to be set in the Edge function; it is not the same as the CFN stack region

Date: 09-05
Current Condition: Manually created Cognito userpool integrated
Obstacle: Responses are cached at the Edge, so it apparently answers with a cached version even if not authorized
Next Experiment/Step: try to forbid caching at all
Expected Outcome: Forbidding caching will pass all requests to the Origin Request function

Date: 09-05
Current Condition: Manually created Cognito userpool integrated, but no CFN
Next Experiment/Step: Create Userpool via CFN and connect it
Expected Outcome: it works
Learned:
  • $$ to escape a $ in a Makefile

Date: 09-06
Current Condition: CFN Userpool integrated
Obstacle: Subdirectories do not work, e.g. /blah/ does not look up /blah/index.html
Next Experiment/Step: Create Userpool via CFN and connect it
Expected Outcome: it works
Learned:
  • $$ to escape a $ in a Makefile

Parking Lot / TODO

  • Reset Numbers of Lambda Versions
  • redirects
  • /blah/ should find /blah/index.html
  • /blah should redirect to /blah/
  • Cloudfront Cache settings: make sure no authenticated response is cached and leaked to unauthenticated clients
  • Route53 optional
    • Custom SSL Cert
    • Subdomain to path mapping optional
  • Caching optional
  • test framework, e.g. with behave
  • check if Makefile is still needed
  • cleanup and unify JS code
  • use JWT and set cookie so we don't have to make the Cognito API call every time
  • remove debug logs
  • proper logging, e.g. success / fail and proper logger usage
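An added example (not the PR's own code) of the two Lambda@Edge handlers the tables above describe, in Node.js as Lambda@Edge runs: the viewer-request function repacks Authorization into X-Authorization so it survives CloudFront's S3-origin header whitelist, and the origin-request function decodes the Basic credentials and either forwards the request or returns a 401. The Cognito ADMIN_NO_SRP_AUTH call is replaced by an injected `verify` callback (an assumption so the code runs offline); the event and response shapes follow CloudFront's Lambda@Edge format.

```javascript
'use strict';
// Added example, not code from the PR: the Authorization -> X-Authorization
// repacking trick. `verify(user, pass)` stands in for the Cognito
// ADMIN_NO_SRP_AUTH call (assumed here so the example runs offline).

// Viewer-request handler: repack Authorization so it reaches the origin request.
function viewerRequestHandler(event) {
  const request = event.Records[0].cf.request;
  const auth = request.headers['authorization'];
  if (auth && auth.length > 0) {
    request.headers['x-authorization'] = [{ key: 'X-Authorization', value: auth[0].value }];
  }
  return request;
}

// Decode "Basic base64(user:pass)"; null for anything malformed or an empty user.
function parseBasicAuth(value) {
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/.exec(value || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');          // the password may itself contain ':'
  if (sep < 1) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Origin-request handler: let the request through to S3 only if the repacked
// credentials verify; otherwise answer 401 with a Basic challenge. The 401 is
// marked no-store; the distribution itself must also not cache authenticated
// 200s, which the PR addresses by disabling caching altogether.
function originRequestHandler(event, verify) {
  const request = event.Records[0].cf.request;
  const header = request.headers['x-authorization'];
  const creds = header ? parseBasicAuth(header[0].value) : null;
  if (creds && verify(creds.username, creds.password)) {
    delete request.headers['x-authorization']; // do not forward credentials to S3
    return request;
  }
  return {
    status: '401',
    statusDescription: 'Unauthorized',
    headers: {
      'www-authenticate': [{ key: 'WWW-Authenticate', value: 'Basic realm="Protected"' }],
      'cache-control': [{ key: 'Cache-Control', value: 'no-store' }],
    },
  };
}

// Constructed sample event: an unauthenticated request becomes a 401.
const sample = { Records: [{ cf: { request: { uri: '/index.html', headers: {} } } }] };
console.log(originRequestHandler(sample, () => false).status); // 401
```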

@s0enke s0enke force-pushed the cloudfront_edge_s3_bucket_password_protected branch from 33ed1a0 to 9ae9aee August 16, 2017 12:21
@s0enke s0enke force-pushed the cloudfront_edge_s3_bucket_password_protected branch from fb46f93 to f0398c9 August 18, 2017 10:03
@s0enke s0enke force-pushed the cloudfront_edge_s3_bucket_password_protected branch 2 times, most recently from 764763e to 71b1e44 August 19, 2017 10:53
instead of shell redirection, use the native -o option
by creating the CloudFront distribution with Terraform
which already supports Lambda function associations
 - add permissions
(http://docs.aws.amazon.com/lambda/latest/dg/lambda-edge.html#lambda-edge-permissions)
 - add a function version for Lambda@Edge and use it in
   Terraform/CloudFront description
 - use shorter non-autogenerated function name because Lambda
   replication does not allow function names > 54 chars
since it's now managed by terraform
by using different state files.
@s0enke s0enke force-pushed the cloudfront_edge_s3_bucket_password_protected branch from da0842a to f1f6857 August 20, 2017 20:01
 - CloudFront with S3 origin does not allow to pass cookies
 - CloudFront with S3 origin does not allow to pass headers other than Origin, Access-Control-Request-Headers, and Access-Control-Request-Method ( http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-cors)
 - so work around that by repacking the Authentication header as X-Authentication in the viewer request function which can in turn be used in the origin request function
@s0enke s0enke force-pushed the cloudfront_edge_s3_bucket_password_protected branch from f9e1c75 to 6f60202 August 21, 2017 19:42
@s0enke s0enke force-pushed the cloudfront_edge_s3_bucket_password_protected branch from 1cbfb63 to d21f7cd August 22, 2017 20:42
as an intermediate step/stub to implement cognito userpools next
instead of hardcoded credentials. enables user management via Cognito Userpools.

Next step is to create the Userpool via CloudFormation instead of a hardcoded, clicked one.
requests should never be cached in order to avoid accidental leaks
in order to begin TDD
@s0enke
Owner Author

s0enke commented Sep 6, 2017

merging initial working version. further work will be done in this project: https://github.com/s0enke/cloudformation-templates/projects/1

@s0enke s0enke merged commit 47666f5 into master Sep 6, 2017
@s0enke s0enke deleted the cloudfront_edge_s3_bucket_password_protected branch September 6, 2017 20:05