fix (CloudFrontToS3 - use cloudfront function instead of lambda@edge) #272

Merged
merged 3 commits into from
Jul 24, 2021
Expand Up @@ -59,7 +59,7 @@ _Parameters_
| **Name** | **Type** | **Description** |
|:-------------|:----------------|-----------------|
|cloudFrontWebDistribution|[`cloudfront.CloudFrontWebDistribution`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.CloudFrontWebDistribution.html)|Returns an instance of cloudfront.CloudFrontWebDistribution created by the construct|
|edgeLambdaFunctionVersion|[`lambda.Version`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-lambda.Version.html)|Returns an instance of the edge Lambda function version created by the pattern.|
|cloudFrontFunction?|[`cloudfront.Function`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.Function.html)|Returns an instance of the Cloudfront function created by the pattern.|
|cloudFrontLoggingBucket|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-s3-readme.html)|Returns an instance of the logging bucket for CloudFront WebDistribution.|
|s3BucketInterface|[`s3.IBucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.IBucket.html)|Returns an instance of s3.IBucket created by the construct|
|s3Bucket?|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html)|Returns an instance of s3.Bucket created by the construct. IMPORTANT: If existingBucketInterface was provided in Pattern Construct Props, this property will be `undefined`|
Expand Up @@ -13,7 +13,6 @@

import * as cloudfront from '@aws-cdk/aws-cloudfront';
import * as s3 from '@aws-cdk/aws-s3';
import * as lambda from '@aws-cdk/aws-lambda';
import { Construct } from '@aws-cdk/core';
import * as defaults from '@aws-solutions-constructs/core';

Expand Down Expand Up @@ -50,7 +49,7 @@ export interface CloudFrontToS3Props {

export class CloudFrontToS3 extends Construct {
public readonly cloudFrontWebDistribution: cloudfront.Distribution;
public readonly edgeLambdaFunctionVersion?: lambda.Version;
Good riddance to this! :-)

This is now a breaking change, isn't it? Although it seems extremely unlikely that a customer has used this property.

public readonly cloudFrontFunction?: cloudfront.Function;
public readonly cloudFrontLoggingBucket?: s3.Bucket;
public readonly s3BucketInterface: s3.IBucket;
public readonly s3Bucket?: s3.Bucket;
Expand All @@ -77,7 +76,7 @@ export class CloudFrontToS3 extends Construct {
this.s3BucketInterface = props.existingBucketInterface;
}

[this.cloudFrontWebDistribution, this.edgeLambdaFunctionVersion, this.cloudFrontLoggingBucket] =
[this.cloudFrontWebDistribution, this.cloudFrontFunction, this.cloudFrontLoggingBucket] =
defaults.CloudFrontDistributionForS3(this, this.s3BucketInterface,
props.cloudFrontDistributionProps, props.insertHttpSecurityHeaders);
}
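Review bot: `cloudFrontFunction?` declared at the top of the class is optional, but nothing on the new side says when it is left `undefined`, and the README row added for it is equally silent; the only visible hint is that `props.insertHttpSecurityHeaders` is forwarded to `defaults.CloudFrontDistributionForS3`, which presumably returns no function when that flag is false — confirm against core. I would add a TSDoc line above the property, `/** CloudFront Function that sets the HTTP security headers on viewer responses; undefined when insertHttpSecurityHeaders is false. */`, and the same qualifier in the README table so callers know not to rely on it unconditionally. The class body and the constructor this assignment belongs to start above the hunk.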
Expand Up @@ -19,11 +19,14 @@ Object {
"DefaultCacheBehavior": Object {
"CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
"Compress": true,
"LambdaFunctionAssociations": Array [
"FunctionAssociations": Array [
Object {
"EventType": "origin-response",
"LambdaFunctionARN": Object {
"Ref": "testcloudfronts3SetHttpSecurityHeadersVersionF1C744BB",
"EventType": "viewer-response",
"FunctionARN": Object {
"Fn::GetAtt": Array [
"testcloudfronts3SetHttpSecurityHeaders6C5A1E69",
"FunctionARN",
],
},
},
],
Expand Down Expand Up @@ -368,149 +371,16 @@ Object {
"Type": "AWS::S3::BucketPolicy",
},
"testcloudfronts3SetHttpSecurityHeaders6C5A1E69": Object {
"DependsOn": Array [
"testcloudfronts3SetHttpSecurityHeadersServiceRoleDefaultPolicy7A7EF47A",
"testcloudfronts3SetHttpSecurityHeadersServiceRole74D1E252",
],
"Metadata": Object {
"cfn_nag": Object {
"rules_to_suppress": Array [
Object {
"id": "W58",
"reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions.",
},
Object {
"id": "W89",
"reason": "This is not a rule for the general case, just for specific use cases/industries",
},
Object {
"id": "W92",
"reason": "Impossible for us to define the correct concurrency for clients",
},
],
},
},
"Properties": Object {
"Code": Object {
"ZipFile": "exports.handler = (event, context, callback) => { const response = event.Records[0].cf.response; const headers = response.headers; headers['x-xss-protection'] = [ { key: 'X-XSS-Protection', value: '1; mode=block' } ]; headers['x-frame-options'] = [ { key: 'X-Frame-Options', value: 'DENY' } ]; headers['x-content-type-options'] = [ { key: 'X-Content-Type-Options', value: 'nosniff' } ]; headers['strict-transport-security'] = [ { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubdomains; preload' } ]; headers['referrer-policy'] = [ { key: 'Referrer-Policy', value: 'same-origin' } ]; headers['content-security-policy'] = [ { key: 'Content-Security-Policy', value: \\"default-src 'none'; base-uri 'self'; img-src 'self'; script-src 'self'; style-src 'self' https:; object-src 'none'; frame-ancestors 'none'; font-src 'self' https:; form-action 'self'; manifest-src 'self'; connect-src 'self'\\" } ]; callback(null, response); };",
},
"Handler": "index.handler",
"Role": Object {
"Fn::GetAtt": Array [
"testcloudfronts3SetHttpSecurityHeadersServiceRole74D1E252",
"Arn",
],
},
"Runtime": "nodejs12.x",
"TracingConfig": Object {
"Mode": "Active",
},
},
"Type": "AWS::Lambda::Function",
},
"testcloudfronts3SetHttpSecurityHeadersServiceRole74D1E252": Object {
"Properties": Object {
"AssumeRolePolicyDocument": Object {
"Statement": Array [
Object {
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": Object {
"Service": "lambda.amazonaws.com",
},
},
Object {
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": Object {
"Service": "edgelambda.amazonaws.com",
},
},
],
"Version": "2012-10-17",
},
"Policies": Array [
Object {
"PolicyDocument": Object {
"Statement": Array [
Object {
"Action": Array [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
],
"Effect": "Allow",
"Resource": Object {
"Fn::Join": Array [
"",
Array [
"arn:",
Object {
"Ref": "AWS::Partition",
},
":logs:",
Object {
"Ref": "AWS::Region",
},
":",
Object {
"Ref": "AWS::AccountId",
},
":log-group:/aws/lambda/*",
],
],
},
},
],
"Version": "2012-10-17",
},
"PolicyName": "LambdaFunctionServiceRolePolicy",
},
],
},
"Type": "AWS::IAM::Role",
},
"testcloudfronts3SetHttpSecurityHeadersServiceRoleDefaultPolicy7A7EF47A": Object {
"Metadata": Object {
"cfn_nag": Object {
"rules_to_suppress": Array [
Object {
"id": "W12",
"reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC.",
},
],
},
},
"Properties": Object {
"PolicyDocument": Object {
"Statement": Array [
Object {
"Action": Array [
"xray:PutTraceSegments",
"xray:PutTelemetryRecords",
],
"Effect": "Allow",
"Resource": "*",
},
],
"Version": "2012-10-17",
},
"PolicyName": "testcloudfronts3SetHttpSecurityHeadersServiceRoleDefaultPolicy7A7EF47A",
"Roles": Array [
Object {
"Ref": "testcloudfronts3SetHttpSecurityHeadersServiceRole74D1E252",
},
],
},
"Type": "AWS::IAM::Policy",
},
"testcloudfronts3SetHttpSecurityHeadersVersionF1C744BB": Object {
"Properties": Object {
"FunctionName": Object {
"Ref": "testcloudfronts3SetHttpSecurityHeaders6C5A1E69",
"AutoPublish": true,
"FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \\"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }",
"FunctionConfig": Object {
"Comment": "SetHttpSecurityHeadersc829e98c76feafa0d7fd7eb5237e54317e9ff52687",
"Runtime": "cloudfront-js-1.0",
},
"Name": "SetHttpSecurityHeadersc829e98c76feafa0d7fd7eb5237e54317e9ff52687",
},
"Type": "AWS::Lambda::Version",
"Type": "AWS::CloudFront::Function",
},
},
}
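Review bot: The recorded `FunctionCode` sets fewer headers than the Lambda@Edge handler it replaces: `Referrer-Policy` is gone, and the CSP drops `base-uri 'self'`, `frame-ancestors 'none'` and `form-action 'self'`, directives that do not inherit from `default-src 'none'`, so base URL and form targets are now unrestricted (framing is still blocked by `X-Frame-Options: DENY`). `font-src`, `connect-src` and `manifest-src` now fall back to `default-src 'none'`, which is stricter than the old `font-src 'self' https:` and will break sites that load external fonts. This snapshot is generated, so the fix belongs in the core helper that emits the function; unless the reduction was deliberate, it should also emit `headers['referrer-policy'] = { value: 'same-origin' };` and a CSP of `default-src 'none'; base-uri 'self'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'self'`. If it was deliberate, the changed header set should be called out in the README alongside the `cloudFrontFunction` row.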