Use a cloudfront function to inject the origin key (#229)

devksingh4 · web-flow · commit 97be701e67da · 2025-08-01T21:18:10.000-04:00
diff --git a/terraform/envs/prod/main.tf b/terraform/envs/prod/main.tf
@@ -55,7 +55,7 @@ module "dynamo" {
 }
 
 resource "random_password" "origin_verify_key" {
-  length  = 20
+  length  = 16
   special = false
   keepers = {
     force_recreation = formatdate("DD-MMM-YYYY", plantimestamp())
diff --git a/terraform/envs/qa/main.tf b/terraform/envs/qa/main.tf
@@ -57,7 +57,7 @@ module "dynamo" {
 }
 
 resource "random_password" "origin_verify_key" {
-  length  = 20
+  length  = 16
   special = false
   keepers = {
     force_recreation = formatdate("DD-MMM-YYYY", plantimestamp())
diff --git a/terraform/modules/frontend/main.tf b/terraform/modules/frontend/main.tf
@@ -100,10 +100,6 @@ resource "aws_cloudfront_distribution" "app_cloudfront_distribution" {
       origin_protocol_policy = "https-only"
       origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
     }
-    custom_header {
-      name  = "X-Origin-Verify"
-      value = var.OriginVerifyKey
-    }
   }
   default_root_object = "index.html"
   aliases             = [var.CorePublicDomain]
@@ -140,6 +136,10 @@ resource "aws_cloudfront_distribution" "app_cloudfront_distribution" {
     cache_policy_id          = aws_cloudfront_cache_policy.headers_no_cookies.id
     origin_request_policy_id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"
     compress                 = true
+    function_association {
+      event_type   = "viewer-request"
+      function_arn = aws_cloudfront_function.origin_key_injection.arn
+    }
   }
   ordered_cache_behavior {
     path_pattern             = "/api/v1/organizations"
@@ -150,6 +150,10 @@ resource "aws_cloudfront_distribution" "app_cloudfront_distribution" {
     cache_policy_id          = "658327ea-f89d-4fab-a63d-7e88639e58f6"
     origin_request_policy_id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"
     compress                 = true
+    function_association {
+      event_type   = "viewer-request"
+      function_arn = aws_cloudfront_function.origin_key_injection.arn
+    }
   }
   ordered_cache_behavior {
     path_pattern             = "/api/*"
@@ -160,6 +164,10 @@ resource "aws_cloudfront_distribution" "app_cloudfront_distribution" {
     cache_policy_id          = aws_cloudfront_cache_policy.no_cache.id
     origin_request_policy_id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"
     compress                 = true
+    function_association {
+      event_type   = "viewer-request"
+      function_arn = aws_cloudfront_function.origin_key_injection.arn
+    }
   }
   price_class = "PriceClass_100"
 }
@@ -176,10 +184,6 @@ resource "aws_cloudfront_distribution" "ical_cloudfront_distribution" {
       origin_protocol_policy = "https-only"
       origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
     }
-    custom_header {
-      name  = "X-Origin-Verify"
-      value = var.OriginVerifyKey
-    }
   }
   aliases         = [var.IcalPublicDomain]
   enabled         = true
@@ -192,6 +196,10 @@ resource "aws_cloudfront_distribution" "ical_cloudfront_distribution" {
     cached_methods           = ["GET", "HEAD"]
     cache_policy_id          = aws_cloudfront_cache_policy.headers_no_cookies.id
     origin_request_policy_id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"
+    function_association {
+      event_type   = "viewer-request"
+      function_arn = aws_cloudfront_function.origin_key_injection.arn
+    }
   }
   viewer_certificate {
     acm_certificate_arn      = var.CoreCertificateArn
@@ -206,6 +214,19 @@ resource "aws_cloudfront_distribution" "ical_cloudfront_distribution" {
   price_class = "PriceClass_100"
 }
 
+resource "aws_cloudfront_function" "origin_key_injection" {
+  name    = "${var.ProjectId}-origin-verification-injection"
+  comment = "Injects origin verification key into requests"
+  runtime = "cloudfront-js-2.0"
+  code    = <<EOT
+function handler(event) {
+    var request = event.request;
+    request.headers['x-origin-verify'] = { value: "${var.OriginVerifyKey}" };
+    return request;
+}
+EOT
+}
+
 resource "aws_cloudfront_function" "core_frontend_redirect" {
   name    = "${var.ProjectId}-spa-rewrite"
   comment = "Handles SPA routing by rewriting URIs to index.html"

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ module "dynamo" {`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`resource "random_password" "origin_verify_key" {`
`58`		`- length = 20`
	`58`	`+ length = 16`
`59`	`59`	`special = false`
`60`	`60`	`keepers = {`
`61`	`61`	`force_recreation = formatdate("DD-MMM-YYYY", plantimestamp())`
Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ module "dynamo" {`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`resource "random_password" "origin_verify_key" {`
`60`		`- length = 20`
	`60`	`+ length = 16`
`61`	`61`	`special = false`
`62`	`62`	`keepers = {`
`63`	`63`	`force_recreation = formatdate("DD-MMM-YYYY", plantimestamp())`