Add support for additional S3 CORS origins (#76)

mdeeks · web-flow · commit 3ddbb5610b75 · 2025-07-08T12:23:38.000-07:00
diff --git a/main.tf b/main.tf
@@ -118,6 +118,7 @@ module "services" {
   api_handler_reserved_concurrent_executions = var.api_handler_reserved_concurrent_executions
   ai_proxy_reserved_concurrent_executions    = var.ai_proxy_reserved_concurrent_executions
   whitelisted_origins                        = var.whitelisted_origins
+  s3_additional_allowed_origins              = var.s3_additional_allowed_origins
   outbound_rate_limit_window_minutes         = var.outbound_rate_limit_window_minutes
   outbound_rate_limit_max_requests           = var.outbound_rate_limit_max_requests
   custom_domain                              = var.custom_domain
diff --git a/modules/services/s3.tf b/modules/services/s3.tf
@@ -4,6 +4,8 @@ locals {
     "https://*.braintrust.dev",
     "https://*.preview.braintrust.dev"
   ]
+
+  all_origins = concat(local.default_origins, var.s3_additional_allowed_origins)
 }
 
 resource "aws_s3_bucket" "code_bundle_bucket" {
@@ -37,7 +39,7 @@ resource "aws_s3_bucket_cors_configuration" "code_bundle_bucket" {
   cors_rule {
     allowed_headers = ["*"]
     allowed_methods = ["PUT"]
-    allowed_origins = local.default_origins
+    allowed_origins = local.all_origins
     max_age_seconds = 3600
   }
 }
@@ -78,7 +80,7 @@ resource "aws_s3_bucket_cors_configuration" "lambda_responses_bucket" {
   cors_rule {
     allowed_headers = ["*"]
     allowed_methods = ["GET", "HEAD"]
-    allowed_origins = local.default_origins
+    allowed_origins = local.all_origins
     max_age_seconds = 3600
   }
 }
diff --git a/modules/services/variables.tf b/modules/services/variables.tf
@@ -138,6 +138,12 @@ variable "whitelisted_origins" {
   description = "List of origins to whitelist for CORS"
 }
 
+variable "s3_additional_allowed_origins" {
+  type        = list(string)
+  description = "Additional origins to allow for S3 bucket CORS configuration. Supports a wildcard in the domain name."
+  default     = []
+}
+
 variable "outbound_rate_limit_max_requests" {
   type        = number
   description = "The maximum number of requests per user allowed in the time frame specified by OutboundRateLimitMaxRequests. Setting to 0 will disable rate limits"
diff --git a/variables.tf b/variables.tf
@@ -209,6 +209,12 @@ variable "whitelisted_origins" {
   default     = []
 }
 
+variable "s3_additional_allowed_origins" {
+  description = "Additional origins to allow for S3 bucket CORS configuration. Supports a wildcard in the domain name."
+  type        = list(string)
+  default     = []
+}
+
 variable "outbound_rate_limit_max_requests" {
   description = "The maximum number of requests per user allowed in the time frame specified by OutboundRateLimitMaxRequests. Setting to 0 will disable rate limits"
   type        = number

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,8 @@ locals {`
`4`	`4`	`"https://*.braintrust.dev",`
`5`	`5`	`"https://*.preview.braintrust.dev"`
`6`	`6`	`]`
	`7`	`+`
	`8`	`+ all_origins = concat(local.default_origins, var.s3_additional_allowed_origins)`
`7`	`9`	`}`
`8`	`10`
`9`	`11`	`resource "aws_s3_bucket" "code_bundle_bucket" {`
`@@ -37,7 +39,7 @@ resource "aws_s3_bucket_cors_configuration" "code_bundle_bucket" {`
`37`	`39`	`cors_rule {`
`38`	`40`	`allowed_headers = ["*"]`
`39`	`41`	`allowed_methods = ["PUT"]`
`40`		`- allowed_origins = local.default_origins`
	`42`	`+ allowed_origins = local.all_origins`
`41`	`43`	`max_age_seconds = 3600`
`42`	`44`	`}`
`43`	`45`	`}`
`@@ -78,7 +80,7 @@ resource "aws_s3_bucket_cors_configuration" "lambda_responses_bucket" {`
`78`	`80`	`cors_rule {`
`79`	`81`	`allowed_headers = ["*"]`
`80`	`82`	`allowed_methods = ["GET", "HEAD"]`
`81`		`- allowed_origins = local.default_origins`
	`83`	`+ allowed_origins = local.all_origins`
`82`	`84`	`max_age_seconds = 3600`
`83`	`85`	`}`
`84`	`86`	`}`