refactoring (cloudfront-to-s3): incorporate validateSecurityHeadersBe…

…havior into input-validation.ts
awslabs · Nov 28, 2022 · a06d186 · a06d186
1 parent eb9b230
commit a06d186
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 17 deletions.
diff --git a/source/patterns/@aws-solutions-constructs/core/lib/cloudfront-distribution-helper.ts b/source/patterns/@aws-solutions-constructs/core/lib/cloudfront-distribution-helper.ts
@@ -26,7 +26,6 @@ import { createLoggingBucket } from './s3-bucket-helper';
 import { DefaultS3Props } from './s3-bucket-defaults';
 // Note: To ensure CDKv2 compatibility, keep the import statement for Construct separate
 import { Construct } from 'constructs';
-import {ResponseHeadersPolicyProps} from "aws-cdk-lib/aws-cloudfront";
 
 // Override Cfn_Nag rule: Cloudfront TLS-1.2 rule (https://github.com/stelligent/cfn_nag/issues/384)
 function updateSecurityPolicy(cfDistribution: cloudfront.Distribution) {
@@ -70,7 +69,6 @@ export function CloudFrontDistributionForApiGateway(scope: Construct,
   cloudFrontLoggingBucketProps?: s3.BucketProps,
   responseHeadersPolicyProps?: cloudfront.ResponseHeadersPolicyProps
 ): [cloudfront.Distribution, cloudfront.Function?, s3.Bucket?] {
-  validateSecurityHeadersBehavior(httpSecurityHeaders, responseHeadersPolicyProps);
 
   const cloudfrontFunction = getCloudfrontFunction(httpSecurityHeaders, scope);
 
@@ -80,7 +78,7 @@ export function CloudFrontDistributionForApiGateway(scope: Construct,
     loggingBucket,
     httpSecurityHeaders,
     cloudfrontFunction,
-    responseHeadersPolicyProps && new cloudfront.ResponseHeadersPolicy(scope, 'ResponseHeadersPolicy', responseHeadersPolicyProps)
+    responseHeadersPolicyProps ? undefined : new cloudfront.ResponseHeadersPolicy(scope, 'ResponseHeadersPolicy', responseHeadersPolicyProps)
   );
 
   const cfprops = consolidateProps(defaultprops, cloudFrontDistributionProps);
@@ -100,8 +98,6 @@ export function CloudFrontDistributionForS3(
   cloudFrontLoggingBucketProps?: s3.BucketProps,
   responseHeadersPolicyProps?: cloudfront.ResponseHeadersPolicyProps
 ): [cloudfront.Distribution, cloudfront.Function?, s3.Bucket?] {
-  validateSecurityHeadersBehavior(httpSecurityHeaders, responseHeadersPolicyProps);
-
   const cloudfrontFunction = getCloudfrontFunction(httpSecurityHeaders, scope);
 
   const loggingBucket = getLoggingBucket(cloudFrontDistributionProps, scope, cloudFrontLoggingBucketProps);
@@ -141,7 +137,6 @@ export function CloudFrontDistributionForMediaStore(scope: Construct,
   responseHeadersPolicyProps?: cloudfront.ResponseHeadersPolicyProps
 ): [cloudfront.Distribution,
     s3.Bucket | undefined, cloudfront.OriginRequestPolicy, cloudfront.Function?] {
-  validateSecurityHeadersBehavior(httpSecurityHeaders, responseHeadersPolicyProps);
 
   let originRequestPolicy: cloudfront.OriginRequestPolicy;
 
@@ -204,17 +199,6 @@ export function CloudFrontOriginAccessIdentity(scope: Construct, comment?: strin
   });
 }
 
-function validateSecurityHeadersBehavior(
-  httpSecurityHeaders: boolean,
-  responseHeadersPolicyProps?: ResponseHeadersPolicyProps
-) {
-  if (httpSecurityHeaders && responseHeadersPolicyProps?.securityHeadersBehavior) {
-    throw new Error(
-      'responseHeadersPolicyProps.securityHeadersBehavior can only be passed if httpSecurityHeaders is set to `false`.'
-    );
-  }
-}
-
 function getLoggingBucket(
   cloudFrontDistributionProps: cloudfront.DistributionProps | any, scope: Construct,
   cloudFrontLoggingBucketProps?: s3.BucketProps

diff --git a/source/patterns/@aws-solutions-constructs/core/lib/input-validation.ts b/source/patterns/@aws-solutions-constructs/core/lib/input-validation.ts
@@ -24,6 +24,7 @@ import * as glue from 'aws-cdk-lib/aws-glue';
 import * as sagemaker from 'aws-cdk-lib/aws-sagemaker';
 import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager";
 import * as kms from "aws-cdk-lib/aws-kms";
+import {ResponseHeadersPolicyProps} from "aws-cdk-lib/aws-cloudfront";
 
 export interface VerifiedProps {
   readonly dynamoTableProps?: dynamodb.TableProps,
@@ -76,6 +77,9 @@ export interface VerifiedProps {
   readonly existingLoggingBucketObj?: s3.IBucket;
   readonly loggingBucketProps?: s3.BucketProps;
   readonly logS3AccessLogs?: boolean;
+
+  readonly httpSecurityHeaders?: boolean;
+  readonly responseHeadersPolicyProps?: ResponseHeadersPolicyProps;
 }
 
 export function CheckProps(propsObject: VerifiedProps | any) {
@@ -202,6 +206,11 @@ export function CheckProps(propsObject: VerifiedProps | any) {
     errorFound = true;
   }
 
+  if (propsObject.httpSecurityHeaders !== false && propsObject.responseHeadersPolicyProps?.securityHeadersBehavior) {
+    errorMessages += 'responseHeadersPolicyProps.securityHeadersBehavior can only be passed if httpSecurityHeaders is set to `false`.';
+    errorFound = true;
+  }
+
   if (errorFound) {
     throw new Error(errorMessages);
   }