DEV: add lambda edge security headers

Author: Plata, Sergio (Colombia)

edge_lambda.yml

@@ -0,0 +1,45 @@
+Resources:
+  LambdaEdge:
+      Type: AWS::Lambda::Function
+      Properties:
+        Handler: index.handler
+        Role: !GetAtt LambdaIAMRole.Arn
+        Code:
+          ZipFile: |
+            'use strict';
+              exports.handler = (event, context, callback) => {
+                const response = event.Records[0].cf.response;
+                const headers = response.headers;
+                headers['content-security-policy'] = [{
+                  key: 'Content-Security-Policy',
+                  value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"
+                }];
+                headers['x-content-type-options'] = [{
+                  key: 'X-Content-Type-Options',
+                  value: 'nosniff'
+                }];
+                headers['x-frame-options'] = [{
+                  key: 'X-Frame-Options',
+                  value: 'SAMEORIGIN'
+                }];
+                headers['x-permitted-cross-domain-policies'] = [{
+                  key: 'X-Permitted-Cross-Domain-Policies',
+                  value: 'master-only'
+                }];
+                headers['x-xss-protection'] = [{
+                  key: 'X-XSS-Protection',
+                  value: '1; mode=block'
+                }];
+                headers['referrer-policy'] = [{
+                  key: 'Referrer-Policy',
+                  value: 'SAME-ORIGIN'
+                }];
+                headers['strict-transport-security'] = [{
+                  key: 'Strict-Transport-Security',
+                  value: 'max-age=63072000; includeSubdomains; preload'
+                }];
+                callback(null, response);
+            };
+        Runtime: ${self:provider.runtime}
+        MemorySize: 128
+        Timeout: 1

iam_role_edge.yml

@@ -0,0 +1,19 @@
+
+Resources:
+  LambdaIAMRole:
+      Type: "AWS::IAM::Role"
+      Properties:
+        AssumeRolePolicyDocument:
+          Version: "2012-10-17"
+          Statement:
+            - Sid: "AllowLambdaServiceToAssumeRole"
+              Effect: "Allow"
+              Action:
+                - "sts:AssumeRole"
+              Principal:
+                Service:
+                  - "lambda.amazonaws.com"
+                  - "edgelambda.amazonaws.com"
+        Path: "/"
+        ManagedPolicyArns:
+          - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"

jenkins/nonprod_Jenkinsfile

@@ -27,16 +27,4 @@ node('linux') {
          }
       }
    }
-
-   stage('Zip Files && Artifactory upload') {
-			//zip dir: '', glob: '', zipFile: 'intl-co-plsv-infr-dev.zip'
-           sh 'cd ..'
-           sh 'pwd'
-           sh 'ls'
-           sh 'zip -r co-plsv-front-infr.zip . -x co-plsv-front-infr/jenkins/dev_Jenkinsfile co-plsv-front-infr/jenkins/preprod_Jenkinsfile co-plsv-front-infr/.serverless co-plsv-front-infr/.git/**'
-           sh 'pwd'
-           sh 'ls'
-			  def artifacts = ['co-plsv-front-infr.zip']		
-		     artifactoryUploadFiles files:artifacts,version:ARTIFACT_VERSION,packageType:'npm',appName:'co-plsv-infra'              
-   }
 }

jenkins/prod_Jenkinsfile

@@ -4,9 +4,9 @@ node('linux') {
    stage('Unzip Files'){
        sh 'unzip -l co-plsv-front-infr.zip'
    }
-   stage('Proceed to Prod'){
+   /*stage('Proceed to Prod'){
        input message: 'Proceed with Deploy to prod?', ok: 'Yes'
-   }
+   }**/
    stage('Preparation') {
       //git credentialsId: 'intl_gituser', url: 'https://[email protected]/scm/anpolserv/co-plsv-front-infr.git', branch: 'nonprod'
       sh 'npm --version'
@@ -18,7 +18,6 @@ node('linux') {
       sh 'ls'
    }
    stage('Build') {
-      deployToNonProd {
          withAWS(credentials:getAWSCredentialID(environment:"${env.APPENV}"), region:'us-east-1') {
             sh 'export SLS_DEBUG=true'
             sh 'dir'
@@ -28,8 +27,7 @@ node('linux') {
          }
          withSonarQubeEnv('sonarqube') {
             // TODO sh 'sonar-scanner -Dsonar.projectKey=andino-flex-mailer -Dsonar.projectName=andino-flex-mailer -Dsonar.projectVersion=0.0.1 -Dsonar.sources=src'
-         }
-      }
+         }   
    }
 
 }

jenkins/release_Jenkinsfile

@@ -0,0 +1,32 @@
+#!/usr/bin/env groovy
+@Library('utils@master') _
+import com.lmig.intl.cloud.jenkins.util.EnvConfigUtil
+def ARTIFACT_VERSION = "1.${BUILD_NUMBER}";
+node('linux') {
+     stage('Preparation') {
+      git credentialsId: 'intl_gituser', url: 'https://[email protected]/scm/anpolserv/co-plsv-front-infr.git', branch: 'master'
+      sh 'pwd'
+      sh 'ls'
+   }
+   stage('Zip Files && Artifactory upload') {
+			//zip dir: '', glob: '', zipFile: 'intl-co-plsv-infr-dev.zip'
+           sh 'cd ..'
+           sh 'pwd'
+           sh 'ls'
+           sh 'zip -r co-plsv-front-infr.zip . -x co-plsv-front-infr/jenkins/dev_Jenkinsfile co-plsv-front-infr/jenkins/nonprod_Jenkinsfile co-plsv-front-infr/.serverless co-plsv-front-infr/.git/**'
+           sh 'pwd'
+           sh 'ls'
+			  def artifacts = ['co-plsv-front-infr.zip']		
+		     artifactoryUploadFiles files:artifacts,version:ARTIFACT_VERSION,packageType:'npm',appName:'co-plsv-infr'              
+   }
+   stage('Artifactory Promoted to Prod') {
+				promoteToProd(
+					email:'[email protected]',
+					promoteArtifact: true,
+					appName:'co-plsv-infr',
+					packageType:'npm',
+					version: ARTIFACT_VERSION,
+					singleJenkinsfilePattern: true
+				){}
+		}
+}

lambd_edge_version.yml

@@ -0,0 +1,6 @@
+Resources:
+  LambdaEdgeVersion:
+      Type: AWS::Lambda::Version
+      DeletionPolicy: Retain
+      Properties:
+        FunctionName: !GetAtt LambdaEdge.Arn

serverless.yml

@@ -56,6 +56,9 @@ resources:
   - ${file(./bucketDeploy.yml)}
   - ${file(./InfrBucketDeployment.yml)}
   - ${file(./cloudfrontDeploy.yml)}
+  - ${file(./iam_role_edge.yml)}
+  - ${file(./edge_lambda.yml)}
+  - ${file(./lambd_edge_version.yml)}
 
   - Outputs:
       PLSVCloudFrontOriginAccessIdentity: