[PLT-1418] Update web module to support DPC, leverage STS headers and cloudfront logging;#358
Merged
Conversation
fb939d3 to
9ca433e
Compare
gsf
reviewed
Dec 16, 2025
3a579fc to
bb0a7cb
Compare
gsf
reviewed
Dec 16, 2025
| arn = string | ||
| }) | ||
| type = string | ||
| } |
Member
I think we can drop the logging_bucket variable and instead reference platform.splunk_logging_bucket.
Contributor
Author
Switched and pointed to the splunk_logging_bucket. Noting that the splunk_logging_bucket assignment does not include the suffix string defined in docs, just the ARN.
f0b2c87 to
ff21375
Compare
mianava
commented
Dec 19, 2025
mianava
commented
Dec 19, 2025
…ns, provide bucket domain name instead.
mianava
commented
Dec 19, 2025
| enabled = var.enabled | ||
| http_version = "http2and3" | ||
| is_ipv6_enabled = true | ||
| price_class = "PriceClass_100" |
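Review bot: If `price_class = "PriceClass_100"` on the last line is dropped from the module, leave a short comment in its place saying that the value is managed outside this module, so a later contributor does not re-add it and create drift between the plan and the deployed distribution.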
Contributor
Author
Removed because the assignment gets overwritten by institutionalized templates in the AWS accounts. Geographical restrictions are preferred to this setting.
mianava
commented
Dec 19, 2025
Comment on lines -73 to +93
| cloudfront_default_certificate = var.certificate == null ? true : false | ||
| acm_certificate_arn = var.certificate == null ? null : var.certificate.arn | ||
| minimum_protocol_version = var.certificate == null ? null : "TLSv1.2_2021" | ||
| ssl_support_method = var.certificate == null ? null : "sni-only" | ||
| cloudfront_default_certificate = false |
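Review bot: The unconditional `cloudfront_default_certificate = false` on the last line drops the `var.certificate == null` fallback used by the four lines above it, so a certificate must now always be supplied and nothing in the visible lines checks for that. Suggest a variable validation or precondition that fails the plan with a clear message when no certificate is available, and keep `minimum_protocol_version = "TLSv1.2_2021"` and `ssl_support_method = "sni-only"` set unconditionally so the TLS floor no longer depends on a null check.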
Contributor
Author
@gsf this now assumes that a certificate is already issued - as there is no longer a certificate value, just domain.
gfreeman-navapbc
approved these changes
Dec 22, 2025
juliareynolds-nava
approved these changes
Dec 22, 2025
juliareynolds-nava
pushed a commit
that referenced
this pull request
Jan 6, 2026
… cloudfront logging; (#358)

## 🎫 Ticket

jira.cms.gov/browse/PLT-1418

## 🛠 Changes

This PR configures:

1) The 'web' module to configure an existing cloudfront deployment that supports STS headers, has a regional domain name ("domain_name_overwrite").
2) The platform module to accommodate bucket logging in regional paths for Cloudfront logs passed into S3. This enables the passing of logs, by administrative AWS configuration, to an external provider.
3) Simplifies some variables into strings instead of objects.

## ℹ️ Context

These changes were made to support oversight and standardization of static site management through the centralization of terraform.

<!-- If any of the following security implications apply, this PR must not be merged without Stephen Walter's approval. Explain in this section and add @SJWalter11 as a reviewer. - Adds a new software dependency or dependencies. - Modifies or invalidates one or more of our security controls. - Stores or transmits data that was not stored or transmitted before. - Requires additional review of security implications for other reasons. -->

## 🧪 Validation

<!-- How were the changes verified? Did you fully test the acceptance criteria in the ticket? Provide reproducible testing instructions and screenshots if applicable. -->

These changes require validation in the sandbox environment. The module source will be updated to point to this github commit hash as ref. Once the sandbox site is determined mostly unchanged, the module ref can be updated for the production site.