Merge branch 'main' into PRM-823

Author: NogaNHS

.github/actions/tf-plan-apply/action.yml

@@ -63,6 +63,14 @@ runs:
         aws-region: ${{ inputs.aws_region }}
         mask-aws-account-id: true
 
+    - name: Generate CloudFront function
+      run: 
+        npm ci 
+        npm run test
+        npm run build
+      working-directory: ./infrastructure/code
+      shell: bash
+
     - name: Setup Terraform
       uses: hashicorp/setup-terraform@v4
       with:

.github/workflows/automated-sonarqube-cloud-analysis.yml

@@ -21,6 +21,17 @@ jobs:
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
 
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+
+      - name: Install and test
+        working-directory: infrastructure/code
+        run: |
+          npm ci
+          npm test
+
       - name: SonarQube Cloud Scan
         uses: SonarSource/sonarqube-scan-action@v7
         env:

.gitignore

@@ -36,7 +36,9 @@ tfplan
 .idea/
 .vscode/
 venv/
+coverage/
 
 #Ignore certificates
 scripts/csrs
 scripts/keys
+infrastructure/code/dist

infrastructure/cloudfront.tf

@@ -22,15 +22,16 @@ module "cloudfront_firewall_waf_v2" {
 }
 
 resource "aws_cloudfront_distribution" "s3_presign_mask" {
-  price_class = "PriceClass_100"
-
+  price_class         = "PriceClass_100"
   aliases             = [local.cloudfront_full_domain_name]
   wait_for_deployment = false
+
   origin {
     domain_name              = module.ndr-lloyd-george-store.bucket_regional_domain_name
     origin_id                = module.ndr-lloyd-george-store.bucket_id
     origin_access_control_id = aws_cloudfront_origin_access_control.s3.id
   }
+
   enabled         = true
   is_ipv6_enabled = true
 
@@ -42,6 +43,12 @@ resource "aws_cloudfront_distribution" "s3_presign_mask" {
     cache_policy_id          = local.cloudfront_cache_policy_id
     origin_request_policy_id = local.cloudfront_viewer_policy_id
 
+    function_association {
+      # IF THIS IS EVER COPIED TO A NEW BEHAVIOR, THE FUNCTION MUST BE UPDATED TO ALLOW THE NEW PATH
+      event_type   = "viewer-request"
+      function_arn = aws_cloudfront_function.block_invalid_urls.arn
+    }
+
     lambda_function_association {
       event_type = "origin-request"
       lambda_arn = module.edge-presign-lambda.qualified_arn
@@ -63,6 +70,12 @@ resource "aws_cloudfront_distribution" "s3_presign_mask" {
     cache_policy_id          = local.cloudfront_cache_policy_id
     origin_request_policy_id = local.cloudfront_viewer_policy_id
 
+    function_association {
+      # IF THIS IS EVER COPIED TO A NEW BEHAVIOR, THE FUNCTION MUST BE UPDATED TO ALLOW THE NEW PATH
+      event_type   = "viewer-request"
+      function_arn = aws_cloudfront_function.block_invalid_urls.arn
+    }
+
     lambda_function_association {
       event_type = "origin-request"
       lambda_arn = module.edge-presign-lambda.qualified_arn
@@ -84,6 +97,12 @@ resource "aws_cloudfront_distribution" "s3_presign_mask" {
     cache_policy_id          = local.cloudfront_cache_policy_id
     origin_request_policy_id = local.cloudfront_uploader_policy_id
 
+    function_association {
+      # IF THIS IS EVER COPIED TO A NEW CLOUDFRONT [ordered_cache_behavior] BEHAVIOR, THE FUNCTION MUST BE UPDATED TO ALLOW THE NEW PATH
+      event_type   = "viewer-request"
+      function_arn = aws_cloudfront_function.block_invalid_urls.arn
+    }
+
     lambda_function_association {
       event_type = "origin-request"
       lambda_arn = module.edge-presign-lambda.qualified_arn
@@ -102,11 +121,20 @@ resource "aws_cloudfront_distribution" "s3_presign_mask" {
       locations        = local.allow_us_comms ? ["GB", "US"] : ["GB"]
     }
   }
+
   web_acl_id = try(module.cloudfront_firewall_waf_v2[0].arn, "")
 
   depends_on = [aws_acm_certificate_validation.cloudfront]
 }
 
+resource "aws_cloudfront_function" "block_invalid_urls" {
+  name    = "${terraform.workspace}-block-invalid-urls"
+  runtime = "cloudfront-js-2.0"
+  comment = "Blocks invalid URL requests"
+  publish = true
+  code    = file("${path.module}/code/dist/block-invalid-urls.js")
+}
+
 resource "aws_cloudfront_origin_request_policy" "viewer" {
   count = local.is_sandbox ? 0 : 1
   name  = "${terraform.workspace}_BlockQueriesAndAllowViewer"

infrastructure/code/.gitignore

@@ -0,0 +1 @@
+node_modules

infrastructure/code/README.md

@@ -0,0 +1,35 @@
+# CloudFront Functions
+
+TypeScript source for CloudFront Functions deployed by Terraform.
+
+## Runtime constraints
+
+These functions run on CloudFront Functions 2.0 (QuickJS), which rejects:
+
+- ES modules (`import`/`export`)
+- `require()` for user code (built-ins like `crypto`, `querystring`, `buffer` only)
+- `eval`, `Function` constructor, `setTimeout`, network, filesystem
+
+So each source file under `src/` must be a flat script with a top-level
+`function handler(event)`. No imports, no exports. Types come from
+triple-slash references only.
+
+## Layout
+
+```text
+src/         TypeScript sources — one file per deployed function
+test/        Vitest suites; load the compiled artifact via node:vm
+             so tests exercise the exact script CloudFront will run
+dist/        Build output. Committed. Terraform reads from here.
+```
+
+## Commands
+
+```bash
+npm run build      compile src/ → dist/
+npm test           build then run vitest
+npm run test:watch vitest in watch mode
+```
+
+Rebuild and commit `dist/` whenever a source file changes. Terraform reads
+`dist/block-invalid-urls.js` at plan time.

infrastructure/code/dist/block-invalid-urls.js

@@ -0,0 +1,15 @@
+function handler(event) {
+    const uri = event.request.uri;
+    const allowedPattern = /^\/(review\/|upload\/)?[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}$/;
+    if (allowedPattern.test(uri)) {
+        return event.request;
+    }
+    return {
+        statusCode: 403,
+        statusDescription: 'Forbidden',
+        headers: {
+            'content-type': { value: 'text/plain' }
+        },
+        body: 'Access Denied'
+    };
+}