terraform: configure authn for fastly<->releases#424


Draft
mweinelt wants to merge 2 commits into main from terraform-fastly-releases-authn

Conversation

@mweinelt (Member)

This happens in preparation for enabling requester pays on the S3 bucket.

  # fastly_service_vcl.releases will be updated in-place  ~ resource "fastly_service_vcl" "releases" {      ~ active_version     = 55 -> (known after apply)      ~ cloned_version     = 55 -> (known after apply)        id                 = "745rWITBeKgJklfVqQ2Sjb"        name               = "releases.nixos.org"        # (8 unchanged attributes hidden)      + snippet {          + content  = <<-EOT                # VCL snippet to authenticate Fastly<->S3 requests.                #                # https://docs.fastly.com/en/guides/amazon-s3#using-an-amazon-s3-private-bucket                                declare local var.canonicalHeaders STRING;                declare local var.signedHeaders STRING;                declare local var.canonicalRequest STRING;                declare local var.canonicalQuery STRING;                declare local var.stringToSign STRING;                declare local var.dateStamp STRING;                declare local var.signature STRING;                declare local var.scope STRING;                                if (req.method == "GET" && !req.backend.is_shield) {                  set bereq.http.x-amz-content-sha256 = digest.hash_sha256("");                  set bereq.http.x-amz-date = strftime({"%Y%m%dT%H%M%SZ"}, now);                  set bereq.http.x-amz-request-payer = "requester";                  set bereq.http.host = "nix-releases.s3.amazonaws.com";                  set bereq.url = querystring.remove(bereq.url);                  set bereq.url = regsuball(urlencode(urldecode(bereq.url.path)), {"%2F"}, "/");                  set var.dateStamp = strftime({"%Y%m%d"}, now);                  set var.canonicalHeaders = ""                    "host:" bereq.http.host LF                    "x-amz-content-sha256:" bereq.http.x-amz-content-sha256 LF                    "x-amz-date:" bereq.http.x-amz-date LF                    "x-amz-request-payer:" bereq.http.x-amz-request-payer LF                  ;                  set var.canonicalQuery = 
"";                  set var.signedHeaders = "host;x-amz-content-sha256;x-amz-date;x-amz-request-payer";                  set var.canonicalRequest = ""                    "GET" LF                    bereq.url.path LF                    var.canonicalQuery LF                    var.canonicalHeaders LF                    var.signedHeaders LF                    digest.hash_sha256("")                  ;                                  set var.scope = var.dateStamp "/eu-west-1/s3/aws4_request";                                  set var.stringToSign = ""                    "AWS4-HMAC-SHA256" LF                    bereq.http.x-amz-date LF                    var.scope LF                    regsub(digest.hash_sha256(var.canonicalRequest),"^0x", "")                  ;                                  set var.signature = digest.awsv4_hmac(                    "...",                    var.dateStamp,                    "eu-west-1",                    "s3",                    var.stringToSign                  );                                  set bereq.http.Authorization = "AWS4-HMAC-SHA256 "                    "Credential=.../" var.scope ", "                    "SignedHeaders=" var.signedHeaders ", "                    "Signature=" + regsub(var.signature,"^0x", "")                  ;                  unset bereq.http.Accept;                  unset bereq.http.Accept-Language;                  unset bereq.http.User-Agent;                  unset bereq.http.Fastly-Client-IP;                }            EOT          + name     = "Authenticate S3 requests"          + priority = 100          + type     = "miss"        }        # (15 unchanged blocks hidden)    }

mweinelt requested a review from a team as a code owner on May 15, 2024 00:01
mweinelt force-pushed the terraform-fastly-releases-authn branch from 5667811 to 497ee05 on May 15, 2024 00:22
@zimbatm (Member) left a comment

Sounds good. A nit would be to rename the cache-iam local to fastly-iam since it's shared now.

mweinelt force-pushed the terraform-fastly-releases-authn branch from 497ee05 to 177159b on May 15, 2024 07:38
This happens in preparation for enabling requester pays on the S3 bucket.
mweinelt force-pushed the terraform-fastly-releases-authn branch from 177159b to 2fedaa3 on May 15, 2024 07:38

@mweinelt (Member, Author)

Okay, updated.

@mweinelt (Member, Author)

Currently this configuration leads to a 404 from fastly, which is likely a 403 from the S3 bucket.

More context on Matrix.
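A reference AWS Signature Version 4 signer to diff the VCL's work against, added here as an example; it is not code from the PR or from the NixOS infrastructure repository. It reproduces in Python what the snippet does in VCL for an unsigned-payload GET with `x-amz-request-payer: requester` signed: the canonical URI encoding, the sorted canonical headers, the string-to-sign, the chained-HMAC key derivation that `digest.awsv4_hmac()` hides, and the final `Authorization` header. The sample path and timestamp are constructed, and the key pair is the AWS documentation example key rather than a real credential.

```python
"""Reference AWS Signature Version 4 signer for the request shape the VCL in
this PR builds: an unsigned-payload GET against a requester-pays S3 bucket.

Added example for debugging a signature 403; not code from the PR or from the
NixOS infrastructure repository. The key pair is the AWS documentation
example key (not a real credential); sample requests are constructed here.
"""
import hashlib
import hmac
from urllib.parse import quote, unquote

# SHA-256 of an empty body: the value the VCL places in x-amz-content-sha256
# via digest.hash_sha256("") for a GET with no payload.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def canonical_uri(path: str) -> str:
    """Python equivalent of the VCL
    regsuball(urlencode(urldecode(bereq.url.path)), "%2F", "/"):
    decode once, then percent-encode everything except RFC 3986 unreserved
    characters, keeping '/' literal, so the key is encoded exactly once."""
    return quote(unquote(path), safe="/")


def canonical_request(method, path, headers, payload_hash, query=""):
    """Build the SigV4 canonical request and the SignedHeaders list.

    Every header in `headers` is signed. Names are lowercased and sorted,
    values whitespace-collapsed; the canonical header block ends in '\\n',
    which is why a blank line precedes SignedHeaders."""
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(canon)
    canonical_headers = "".join(f"{n}:{canon[n]}\n" for n in names)
    signed_headers = ";".join(names)
    creq = "\n".join(
        [method, canonical_uri(path), query, canonical_headers, signed_headers, payload_hash]
    )
    return creq, signed_headers


def signing_key(secret_key, date_stamp, region, service):
    """Key derivation digest.awsv4_hmac() performs internally:
    kDate -> kRegion -> kService -> kSigning, four chained HMAC-SHA256s."""
    key = ("AWS4" + secret_key).encode()
    for msg in (date_stamp, region, service, "aws4_request"):
        key = hmac.new(key, msg.encode(), hashlib.sha256).digest()
    return key


def sign_s3_get(access_key, secret_key, region, host, path, amz_date, extra_headers=None):
    """Return the canonical request, string-to-sign and the headers to send for
    an unsigned-payload GET. `amz_date` is the timestamp the VCL produces with
    strftime("%Y%m%dT%H%M%SZ", now); the credential date is its first 8 chars."""
    date_stamp = amz_date[:8]
    headers = {"host": host, "x-amz-content-sha256": EMPTY_SHA256, "x-amz-date": amz_date}
    headers.update(extra_headers or {})
    creq, signed = canonical_request("GET", path, headers, EMPTY_SHA256)
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(creq.encode()).hexdigest()]
    )
    signature = hmac.new(
        signing_key(secret_key, date_stamp, region, "s3"), string_to_sign.encode(), hashlib.sha256
    ).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}"
    )
    return {"canonical_request": creq, "string_to_sign": string_to_sign, "headers": headers}


# AWS documentation example key (not a real credential).
EXAMPLE_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def requester_pays_example():
    """Constructed sample: the header set the VCL signs for one release file
    (path and timestamp are made up for the example)."""
    return sign_s3_get(
        EXAMPLE_KEY_ID, EXAMPLE_SECRET, "eu-west-1", "nix-releases.s3.amazonaws.com",
        "/nix/sample-release/install", "20240515T000000Z",
        {"x-amz-request-payer": "requester"},
    )


if __name__ == "__main__":
    result = requester_pays_example()
    print(result["canonical_request"])
    print(result["string_to_sign"])
    print(result["headers"]["authorization"])
```

Logging `var.canonicalRequest` and `var.stringToSign` from the Fastly side and diffing them against this output localises a 403 to one of three places: the URI encoding, the header set (a header that is signed but later modified, or vice versa), or the scope. Python's `hexdigest()` carries no `0x` prefix, which is what the `regsub(..., "^0x", "")` calls in the VCL strip from Fastly's digest output.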

mweinelt marked this pull request as draft on January 12, 2025 15:19

Reviewers

@zimbatm approved these changes


3 participants

@mweinelt @zimbatm
