initial commit

Author: necipallef

.gitignore

@@ -0,0 +1,40 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# Ignore IDE
+.idea/

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Fingerprint
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,138 @@
+## How to Install
+
+### Using a new CloudFront distribution
+
+1. Create a new directory `mkdir fingerprint_integration` and go inside `cd fingerprint_integration`
+2. Create a file `touch fingerprint.tf` and add below content, do not forget to replace placeholders (`AGENT_DOWNLOAD_PATH_HERE`, `RESULT_PATH_HERE`, `PROXY_SECRET_HERE`):
+     ```terraform
+     module "fingerprint_cloudfront_integration" {
+       source = "[email protected]:necipallef/terraform-module-proxy-lambda.git/?ref=v0.7.1"
+     
+       fpjs_agent_download_path = "AGENT_DOWNLOAD_PATH_HERE"
+       fpjs_get_result_path     = "RESULT_PATH_HERE"
+       fpjs_shared_secret   = "PROXY_SECRET_HERE"
+     }
+     ```
+3. Create a file called `cloudfront_distribution.tf` and add below content (feel free to make any changes that makes sense for your setup):
+   ```terraform
+
+    resource "aws_cloudfront_distribution" "fpjs_cloudfront_distribution" {
+      comment = "Fingerprint distribution (created via Terraform)"
+    
+      origin {
+        domain_name = module.fingerprint_cloudfront_integration.fpjs_origin_name
+        origin_id   = module.fingerprint_cloudfront_integration.fpjs_origin_id
+        custom_origin_config {
+          origin_protocol_policy = "https-only"
+          http_port              = 80
+          https_port             = 443
+          origin_ssl_protocols   = ["TLSv1.2"]
+        }
+        custom_header {
+          name  = "FPJS_SECRET_NAME"
+          value = module.fingerprint_cloudfront_integration.fpjs_secret_manager_arn
+        }
+      }
+    
+      enabled = true
+    
+      http_version = "http1.1"
+    
+      price_class = "PriceClass_100"
+    
+      default_cache_behavior {
+        allowed_methods          = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
+        cached_methods           = ["GET", "HEAD"]
+        cache_policy_id          = module.fingerprint_cloudfront_integration.fpjs_cache_policy_id
+        origin_request_policy_id = module.fingerprint_cloudfront_integration.fpjs_origin_request_policy_id
+        target_origin_id         = module.fingerprint_cloudfront_integration.fpjs_origin_id
+        viewer_protocol_policy   = "https-only"
+        compress                 = true
+    
+        lambda_function_association {
+          event_type   = "origin-request"
+          lambda_arn   = module.fingerprint_cloudfront_integration.fpjs_proxy_lambda_arn
+          include_body = true
+        }
+      }
+    
+      viewer_certificate {
+        cloudfront_default_certificate = true
+      }
+    
+      restrictions {
+        geo_restriction {
+          restriction_type = "none"
+        }
+      }
+    }
+   ```
+   If you wish to connect a custom domain for first-party benefits, consider changing `viewer_certificate` field accordingly. Refer to [official documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) by HashiCorp for further customization.
+4. Run `terraform init`
+5. Run `terraform plan`, if all looks good run `terraform apply`
+
+### Using existing CloudFront distribution
+
+1. Create a file called `fingerprint.tf` and add below content, do not forget to replace placeholders (`AGENT_DOWNLOAD_PATH_HERE`, `RESULT_PATH_HERE`, `PROXY_SECRET_HERE`):
+    ```terraform
+    module "fingerprint_cloudfront_integration" {
+        source = "[email protected]:necipallef/terraform-module-proxy-lambda.git/?ref=v0.7.1"
+
+        fpjs_agent_download_path = "AGENT_DOWNLOAD_PATH_HERE"
+        fpjs_get_result_path     = "RESULT_PATH_HERE"
+        fpjs_shared_secret   = "PROXY_SECRET_HERE"
+    }
+    ```
+2. Go to your CloudFront distribution block and add below content, do not forget to replace placeholders (`YOUR_INTEGRATION_PATH_HERE`):
+    ```terraform
+    resource "aws_cloudfront_distribution" "cloudfront_dist" {
+      // more code here
+    
+      #region fingerprint start
+    
+      origin {
+        domain_name = module.fingerprint_cloudfront_integration.fpjs_origin_name
+        origin_id   = module.fingerprint_cloudfront_integration.fpjs_origin_id
+        custom_origin_config {
+          origin_protocol_policy = "https-only"
+          http_port              = 80
+          https_port             = 443
+          origin_ssl_protocols   = ["TLSv1.2"]
+        }
+        custom_header {
+          name  = "FPJS_SECRET_NAME"
+          value = module.fingerprint_cloudfront_integration.fpjs_secret_manager_arn
+        }
+      }
+    
+      ordered_cache_behavior {
+        path_pattern = "YOUR_INTEGRATION_PATH_HERE/*"
+    
+        allowed_methods          = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
+        cached_methods           = ["GET", "HEAD"]
+        cache_policy_id          = module.fingerprint_cloudfront_integration.fpjs_cache_policy_id
+        origin_request_policy_id = module.fingerprint_cloudfront_integration.fpjs_origin_request_policy_id
+        target_origin_id         = module.fingerprint_cloudfront_integration.fpjs_origin_id
+        viewer_protocol_policy   = "https-only"
+        compress                 = true
+    
+        lambda_function_association {
+          event_type   = "origin-request"
+          lambda_arn   = module.fingerprint_cloudfront_integration.fpjs_proxy_lambda_arn
+          include_body = true
+        }
+      }
+    
+      #endregion
+    
+      // more code here
+    }
+    ```
+3. Run `terraform plan`, if all looks good run `terraform apply`
+
+> [!NOTE]
+> If your project doesn't use `hashicorp/random` module, then you will need to run `terraform init -upgrade`.
+
+## Todo
+- [ ] create a public repo on company account with name `terraform-aws-fingerprint-cloudfront-integration`
+- [ ] publish on Hashicorp account

main.tf

@@ -0,0 +1,130 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.57.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.6.2"
+    }
+  }
+}
+
+resource "random_id" "integration_id" {
+  byte_length = 6
+}
+
+locals {
+  integration_id = random_id.integration_id.hex
+}
+
+# region cache policy
+
+resource "aws_cloudfront_cache_policy" "fpjs_procdn" {
+  name        = "FingerprintProCDNCachePolicy-${local.integration_id}"
+  default_ttl = 180
+  max_ttl     = 180
+  min_ttl     = 0
+
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config {
+      cookie_behavior = "none"
+    }
+
+    headers_config {
+      header_behavior = "none"
+    }
+
+    query_strings_config {
+      query_string_behavior = "whitelist"
+      query_strings {
+        items = ["version", "loaderVersion"]
+      }
+    }
+
+    enable_accept_encoding_brotli = true
+    enable_accept_encoding_gzip   = true
+  }
+}
+
+# endregion
+
+# region proxy lambda
+
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    effect = "Allow"
+    sid    = "AllowAwsToAssumeRole"
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com", "edgelambda.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role_policy" "fpjs_proxy_lambda" {
+  name = "AWSSecretAccess"
+  role = aws_iam_role.fpjs_proxy_lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "secretsmanager:GetSecretValue",
+        ]
+        Effect   = "Allow"
+        Resource = aws_secretsmanager_secret.fpjs_proxy_lambda_secret.arn
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role" "fpjs_proxy_lambda" {
+  name               = "fingerprint-pro-lambda-role-${local.integration_id}"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+}
+
+data "aws_s3_object" "fpjs_integration_s3_bucket" {
+  bucket = "fingerprint-pro-cloudfront-integration"
+  key    = "v2/lambda_latest.zip"
+}
+
+resource "aws_lambda_function" "fpjs_proxy_lambda" {
+  s3_bucket        = data.aws_s3_object.fpjs_integration_s3_bucket.bucket
+  s3_key           = data.aws_s3_object.fpjs_integration_s3_bucket.key
+  function_name    = "fingerprint-pro-cloudfront-lambda-${local.integration_id}"
+  role             = aws_iam_role.fpjs_proxy_lambda.arn
+  handler          = "fingerprintjs-pro-cloudfront-lambda-function.handler"
+  source_code_hash = data.aws_s3_object.fpjs_integration_s3_bucket.etag
+
+  runtime = "nodejs20.x"
+
+  publish = true
+}
+
+# endregion
+
+# region secrets manager
+
+resource "aws_secretsmanager_secret" "fpjs_proxy_lambda_secret" {
+  name        = "fingerprint-pro-cloudfront-integration-settings-secret-${local.integration_id}"
+  description = "AWS Secret with a custom Fingerprint integration settings (created via Terraform)"
+}
+
+resource "aws_secretsmanager_secret_version" "fpjs_proxy_lambda_secret" {
+  secret_id = aws_secretsmanager_secret.fpjs_proxy_lambda_secret.id
+  secret_string = jsonencode(
+    {
+      fpjs_get_result_path     = var.fpjs_get_result_path
+      fpjs_agent_download_path = var.fpjs_agent_download_path
+      fpjs_pre_shared_secret   = var.fpjs_shared_secret
+    }
+  )
+}
+
+# endregion

outputs.tf

@@ -0,0 +1,31 @@
+output "fpjs_cache_policy_id" {
+  value       = aws_cloudfront_cache_policy.fpjs_procdn.id
+  description = "Fingerprint integration cache policy id"
+}
+
+output "fpjs_proxy_lambda_arn" {
+  value       = aws_lambda_function.fpjs_proxy_lambda.qualified_arn
+  description = "Fingerprint integration proxy lambda ARN"
+}
+
+output "fpjs_secret_manager_arn" {
+  value       = aws_secretsmanager_secret.fpjs_proxy_lambda_secret.arn
+  description = "Fingerprint secrets integration manager secret ARN"
+}
+
+# constants
+
+output "fpjs_origin_name" {
+  value       = "fpcdn.io"
+  description = "Fingerprint Pro CDN origin domain name"
+}
+
+output "fpjs_origin_id" {
+  value       = "fpcdn.io"
+  description = "Fingerprint Pro CDN origin domain id"
+}
+
+output "fpjs_origin_request_policy_id" {
+  value       = "216adef6-5c7f-47e4-b989-5492eafa07d3" # Default AllViewer policy
+  description = "Fingerprint Pro CDN origin request policy id"
+}

variables.tf

@@ -0,0 +1,30 @@
+variable "fpjs_get_result_path" {
+  type        = string
+  description = "request path used to send identification requests (aka FPJS_GET_RESULT_PATH)"
+
+  validation {
+    condition     = can(regex("^([a-zA-Z0-9\\-])+$", var.fpjs_get_result_path))
+    error_message = "value should only consist of alphanumeric values and dashes"
+  }
+}
+
+variable "fpjs_agent_download_path" {
+  type        = string
+  description = "request path used to send ProCDN requests (aka FPJS_AGENT_DOWNLOAD_PATH)"
+
+  validation {
+    condition     = can(regex("^([a-zA-Z0-9\\-])+$", var.fpjs_agent_download_path))
+    error_message = "value should only consist of alphanumeric values and dashes"
+  }
+}
+
+variable "fpjs_shared_secret" {
+  type        = string
+  sensitive   = true
+  description = "shared secret created on the Fingerprint dashboard (aka FPJS_PRE_SHARED_SECRET)"
+
+  validation {
+    condition     = can(regex("^([a-zA-Z0-9\\-])+$", var.fpjs_shared_secret))
+    error_message = "value should only consist of alphanumeric values and dashes"
+  }
+}