refactor: randomly generate cloudfront origin secret from openssl

devksingh4 · devksingh4 · commit c9aa7e92680e · 2025-07-25T13:20:29.000-04:00
diff --git a/Makefile b/Makefile
@@ -32,6 +32,7 @@ docs_s3_bucket = "$(s3_bucket_prefix)-docs"
 
 
 GIT_HASH := $(shell git rev-parse --short HEAD)
+ORIGIN_SECRET := $(shell openssl rand -hex 32)
 
 .PHONY: clean
 
@@ -90,7 +91,7 @@ postdeploy:
 
 deploy_prod: check_account_prod
 	@echo "Deploying CloudFormation stack..."
-	sam deploy $(common_params) --parameter-overrides $(run_env)=prod $(set_application_prefix)=$(application_key) $(set_application_name)="$(application_name)" S3BucketPrefix="$(s3_bucket_prefix)"
+	@sam deploy $(common_params) --parameter-overrides $(run_env)=prod $(set_application_prefix)=$(application_key) $(set_application_name)="$(application_name)" S3BucketPrefix="$(s3_bucket_prefix)" CloudfrontOriginSecret="$(ORIGIN_SECRET)"
 	@echo "Deploying Terraform..."
 	$(eval MAIN_DISTRIBUTION_ID := $(shell aws cloudformation describe-stacks --stack-name $(application_key) --query "Stacks[0].Outputs[?OutputKey=='CloudfrontDistributionId'].OutputValue" --output text))
 	terraform -chdir=terraform/envs/prod init -lockfile=readonly
@@ -99,7 +100,7 @@ deploy_prod: check_account_prod
 
 deploy_dev: check_account_dev
 	@echo "Deploying CloudFormation stack..."
-	sam deploy $(common_params) --parameter-overrides $(run_env)=dev $(set_application_prefix)=$(application_key) $(set_application_name)="$(application_name)" S3BucketPrefix="$(s3_bucket_prefix)"
+	@sam deploy $(common_params) --parameter-overrides $(run_env)=dev $(set_application_prefix)=$(application_key) $(set_application_name)="$(application_name)" S3BucketPrefix="$(s3_bucket_prefix)" CloudfrontOriginSecret="$(ORIGIN_SECRET)"
 	@echo "Deploying Terraform..."
 	$(eval MAIN_DISTRIBUTION_ID := $(shell aws cloudformation describe-stacks --stack-name $(application_key) --query "Stacks[0].Outputs[?OutputKey=='CloudfrontDistributionId'].OutputValue" --output text))
 	terraform -chdir=terraform/envs/qa init -lockfile=readonly
diff --git a/cloudformation/main.yml b/cloudformation/main.yml
@@ -25,6 +25,10 @@ Parameters:
   S3BucketPrefix:
     Description: S3 bucket prefix which will ensure global uniqueness
     Type: String
+  CloudfrontOriginSecret:
+    NoEcho: true
+    Description: Value for X-Origin-Verify passed to Lambda URL from cloudfront
+    Type: String
 
 Conditions:
   IsDev: !Equals [!Ref RunEnvironment, "dev"]
@@ -220,7 +224,7 @@ Resources:
           EntraRoleArn: !GetAtt AppSecurityRoles.Outputs.EntraFunctionRoleArn
           LinkryKvArn: !GetAtt LinkryRecordsCloudfrontStore.Arn
           AWS_CRT_NODEJS_BINARY_RELATIVE_PATH: node_modules/aws-crt/dist/bin/linux-arm64-glibc/aws-crt-nodejs.node
-          ORIGIN_VERIFY_KEY: !Join ['-', ['secret', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]]
+          ORIGIN_VERIFY_KEY: !Ref CloudfrontOriginSecret
           NODE_OPTIONS: --enable-source-maps
       VpcConfig:
         Ipv6AllowedForDualStack: !If [ShouldAttachVpc, True, !Ref AWS::NoValue]
@@ -340,7 +344,7 @@ Resources:
               OriginProtocolPolicy: https-only
             OriginCustomHeaders:
               - HeaderName: X-Origin-Verify
-                HeaderValue: !Join ['-', ['secret', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]]
+                HeaderValue: !Ref CloudfrontOriginSecret
         Enabled: true
         DefaultRootObject: index.html
         Aliases:
@@ -545,7 +549,7 @@ Resources:
               OriginProtocolPolicy: https-only
             OriginCustomHeaders:
               - HeaderName: X-Origin-Verify
-                HeaderValue: !Join ['-', ['secret', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]]
+                HeaderValue: !Ref CloudfrontOriginSecret
         Enabled: true
         Aliases:
           - !Join
