Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

403 AccessDenied for static website #175

Open
mrsufgi opened this issue Jul 6, 2021 · 9 comments
Open

403 AccessDenied for static website #175

mrsufgi opened this issue Jul 6, 2021 · 9 comments
Labels
bug 🐛 An issue with the system

Comments

@mrsufgi
Copy link

mrsufgi commented Jul 6, 2021

Describe the Bug

Using the module with

  dns_alias_enabled       = true
  website_enabled         = true
  versioning_enabled      = true
  allow_ssl_requests_only = true

Resources created OK, but I get access denied on every resource on the website (with or without cloudfront)

Expected Behavior

Should not happen if we access the website from CloudFront URL.

Steps to Reproduce

module "cdn" {
  source = "cloudposse/cloudfront-s3-cdn/aws"

  version                   = "0.73.0"
  enabled                   = var.enabled
  aliases                   = ["${var.name}.${var.parent_zone_name}"] // TODO: strip "production" from cnames
  dns_alias_enabled         = true
  website_enabled           = true
  versioning_enabled        = true
  parent_zone_id            = var.parent_zone_id
  namespace                 = var.namespace
  environment               = var.environment
  name                      = var.name
  allow_ssl_requests_only   = true # NOTE: breaking access from cloudfront, maybe needs redirection to HTTPS
  deployment_principal_arns = {}

  minimum_protocol_version = "TLSv1"
  acm_certificate_arn      = var.acm_certificate_arn
}

Working around it is just disabling SSL (allow_ssl_requests_only = false)

Cheers :)
@mrsufgi mrsufgi added the bug 🐛 An issue with the system label Jul 6, 2021
@robvadai
Copy link

robvadai commented Jul 24, 2021
edited

I had the same issue. I believe because the policy enforces SSL (HTTPS) connection but it does not create (and assign) a certificate to the bucket. So the HTTPS request just hangs given no SSL certificate available.

Documentation should be updated for this.
Or if allow_ssl_requests_only = true (current default behaviour!) then the module should create a certificate too and set it up for the bucket.

@flypenguin
Copy link

flypenguin commented Jul 26, 2021
edited

I should have looked here earlier, this literally cost me hours ... 🙄 . Anyway, me too. Example configuration available in this gist, beautiful HTTP 403 - even with certificate configured according to the examples in the module readme.

@flypenguin
Copy link

is there a known working version (ping @robvadai, @mrsufgi)? I want to move forward, and I failed at fixing it myself. this is a rather complicated module, and also my first contact with cloudfront and all the policy stuff (up until now I just published an S3 webpage endpoint).

@emyller
Copy link
Contributor

emyller commented Aug 6, 2021

The latest version works well, although you must set allow_ssl_requests_only = false. This parameter only disables TLS at S3 static-website level -- Cloudfront should still have its own TLS configuration given your ACM certificate.

emyller added a commit to emyller/terraform-aws-cloudfront-s3-cdn that referenced this issue Aug 6, 2021
@emyller
Disable SSL-only policy if ACM certificate given
4a04e35 
Addresses cloudposse#175
@emyller emyller mentioned this issue Aug 6, 2021
Closed
@flypenguin
Copy link

yup, with allow_ssl_requests_only = false it works with v0.74.0 ... this is pretty great :) . it might run with v0.73.0 as well if you add this parameter. i had no changes for a terraform plan run after upgrading the module version and before adding the parameter.

@sebastianmacarescu sebastianmacarescu mentioned this issue Aug 23, 2021
Open
@rberger
Copy link

rberger commented Mar 10, 2022

Needed to add the
allow_ssl_requests_only = falseallow_ssl_requests_only = false
to make it work with version = "0.82.3"
Maybe should be in the docs?

@grifante
Copy link

According to the AWS docs: " If your Amazon S3 bucket is configured as a website endpoint, you can't configure CloudFront to use HTTPS to communicate with your origin because Amazon S3 doesn't support HTTPS connections in that configuration."

The module could ignore allow_ssl_requests_only when using a static website. This could prevent big problems

@jbouse
Copy link

jbouse commented May 8, 2023

Yeah, I ran into this with v0.88.0, and it wasn't until I realized the issue was that the bucket policy was trying to enforce TLS and then that setting allow_ssl_requests_only = false was needed when website_enabled = true. With the s3_website_password_enabled variable set to true, this does restrict access to the S3 bucket website and enforces it to go through Cloudfront but I agree that if website_enabled == true then allow_ssl_requests_only being ignored and treated as false would prevent this significant issue that would potentially cause an unexpected outage of a website.

Having the policy enforce TLS when using as a bucket (ie- website_enabled = false) does make sense as the bucket can be accessed via HTTPS but the S3 certificate just doesn't handle it when running as a static website.

@mranawake
Copy link

Issue exists on v0.92.0 as well. Adding allow_ssl_requests_only = false solves it. As @jbouse mentioned above, s3_website_password_enabled = true is recommended.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug 🐛 An issue with the system
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Disable SSL-only policy if ACM certificate given emyller/terraform-aws-cloudfront-s3-cdn
8 participants
@emyller @rberger @jbouse @mranawake @flypenguin @grifante @mrsufgi @robvadai