
aws.cloudfront-response-headers-policy resource

Description

ResponseHeadersPolicy manages a CloudFront response headers policy: a named set of HTTP headers that a distribution adds to or removes from its responses, grouped into CORS, custom, removed, security, and server-timing configurations. CloudFront replaces the whole policy on every update rather than patching individual fields, so no input forces a new resource. Updates and deletes are guarded by the policy's current version, an ETag that both create and read return; it is exposed as the etag output and passed back to update and delete as the IfMatch concurrency token.

Source: internal/service/cloudfront/response_headers_policy_rsrc.go:23

Example usage:

imports: {
  aws: 'github.com/cloudboss/unobin-library-aws'
}

resources: {
  example: aws.cloudfront-response-headers-policy {
    # Set input fields here.
  }
}

Inputs

name

string

required

comment

optional(string)

cors-config

optional(object)
optional(
  object({
    access-control-allow-credentials: optional(boolean)
    access-control-allow-headers: object({
      items: list(string)
    })
    access-control-allow-methods: object({
      items: list(string)
    })
    access-control-allow-origins: object({
      items: list(string)
    })
    access-control-expose-headers: optional(
      object({
        items: list(string)
      })
    )
    access-control-max-age-sec: optional(integer)
    origin-override: optional(boolean)
  })
)

custom-headers-config

optional(object)
optional(
  object({
    items: list(
      object({
        header: string
        value: string
        override: optional(boolean)
      })
    )
  })
)

remove-headers-config

optional(object)
optional(
  object({
    items: list(
      object({
        header: string
      })
    )
  })
)

security-headers-config

optional(object)
optional(
  object({
    content-security-policy: optional(
      object({
        content-security-policy: string
        override: optional(boolean)
      })
    )
    content-type-options: optional(
      object({
        override: optional(boolean)
      })
    )
    frame-options: optional(
      object({
        frame-option: string
        override: optional(boolean)
      })
    )
    referrer-policy: optional(
      object({
        referrer-policy: string
        override: optional(boolean)
      })
    )
    strict-transport-security: optional(
      object({
        access-control-max-age-sec: optional(integer)
        override: optional(boolean)
        include-subdomains: optional(boolean)
        preload: optional(boolean)
      })
    )
    xss-protection: optional(
      object({
        protection: optional(boolean)
        override: optional(boolean)
        mode-block: optional(boolean)
        report-uri: optional(string)
      })
    )
  })
)

server-timing-headers-config

optional(object)
optional(
  object({
    enabled: optional(boolean)
    sampling-rate: optional(number)
  })
)

Input Constraints

Field combinations

At least one of cors-config, custom-headers-config, remove-headers-config, security-headers-config, or server-timing-headers-config.

Security headers config rules

security-headers-config frame-options frame-option must be DENY or SAMEORIGIN.

Rule logic
When
input.security-headers-config.frame-options != null
Require
input.security-headers-config.frame-options.frame-option == 'DENY'
|| input.security-headers-config.frame-options.frame-option == 'SAMEORIGIN'

security-headers-config referrer-policy referrer-policy must be one of no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url.

Rule logic
When
input.security-headers-config.referrer-policy != null
Require
input.security-headers-config.referrer-policy.referrer-policy == 'no-referrer'
|| input.security-headers-config.referrer-policy.referrer-policy == 'no-referrer-when-downgrade'
|| input.security-headers-config.referrer-policy.referrer-policy == 'origin'
|| input.security-headers-config.referrer-policy.referrer-policy == 'origin-when-cross-origin'
|| input.security-headers-config.referrer-policy.referrer-policy == 'same-origin'
|| input.security-headers-config.referrer-policy.referrer-policy == 'strict-origin'
|| input.security-headers-config.referrer-policy.referrer-policy == 'strict-origin-when-cross-origin'
|| input.security-headers-config.referrer-policy.referrer-policy == 'unsafe-url'

Server timing headers config rules

server-timing-headers-config sampling-rate must be between 0 and 100.

Rule logic
When
input.server-timing-headers-config.sampling-rate != null
Require
(input.server-timing-headers-config.sampling-rate == null || input.server-timing-headers-config.sampling-rate >= 0.0)
&& (input.server-timing-headers-config.sampling-rate == null || input.server-timing-headers-config.sampling-rate <= 100.0)
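The field-combination rule and the three security/server-timing rules above, carried through as a Go validator. This is an added example, not the provider's own code; the PolicyInput and nested struct names are assumptions that mirror the input names on the page, and only the fields the rules inspect are modelled.

```go
package main

import "fmt"

// Hypothetical Go mirror of the resource inputs: type and field names are assumptions
// that follow the page's input names, not the provider's own types.
type FrameOptions struct{ FrameOption string }
type ReferrerPolicy struct{ ReferrerPolicy string }
type SecurityHeadersConfig struct {
	FrameOptions   *FrameOptions
	ReferrerPolicy *ReferrerPolicy
}
type ServerTimingHeadersConfig struct{ SamplingRate *float64 }
type PolicyInput struct {
	CorsConfig, CustomHeadersConfig, RemoveHeadersConfig map[string]any // only presence matters here
	SecurityHeadersConfig                                *SecurityHeadersConfig
	ServerTimingHeadersConfig                            *ServerTimingHeadersConfig
}

var allowedReferrerPolicies = map[string]bool{
	"no-referrer": true, "no-referrer-when-downgrade": true, "origin": true,
	"origin-when-cross-origin": true, "same-origin": true, "strict-origin": true,
	"strict-origin-when-cross-origin": true, "unsafe-url": true,
}

// Validate applies the page's input constraints and returns every violation found,
// so a caller can reject a malformed policy before it reaches the CloudFront API.
func Validate(in PolicyInput) []error {
	var errs []error
	if in.CorsConfig == nil && in.CustomHeadersConfig == nil && in.RemoveHeadersConfig == nil &&
		in.SecurityHeadersConfig == nil && in.ServerTimingHeadersConfig == nil {
		errs = append(errs, fmt.Errorf("at least one headers config block is required"))
	}
	if sh := in.SecurityHeadersConfig; sh != nil {
		if fo := sh.FrameOptions; fo != nil && fo.FrameOption != "DENY" && fo.FrameOption != "SAMEORIGIN" {
			errs = append(errs, fmt.Errorf("frame-option %q must be DENY or SAMEORIGIN", fo.FrameOption))
		}
		if rp := sh.ReferrerPolicy; rp != nil && !allowedReferrerPolicies[rp.ReferrerPolicy] {
			errs = append(errs, fmt.Errorf("referrer-policy %q is not an allowed value", rp.ReferrerPolicy))
		}
	}
	if st := in.ServerTimingHeadersConfig; st != nil && st.SamplingRate != nil {
		if r := *st.SamplingRate; r < 0 || r > 100 {
			errs = append(errs, fmt.Errorf("sampling-rate %v must be between 0 and 100", r))
		}
	}
	return errs
}
```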

Outputs

id

string

etag

string