 def _cache_behavior(origin_id, pattern):
     """Build a CloudFront CacheBehavior for ``pattern`` routed to ``origin_id``.

     Query strings are not forwarded to the origin and the default TTL is read
     from the module-level ``context['cloudfront']['default-ttl']``.

     NOTE(review): ViewerProtocolPolicy is 'allow-all', so CloudFront serves
     matching requests over plain HTTP as well as HTTPS; switch to
     'redirect-to-https' if these paths carry anything sensitive.
     """
     behavior_kwargs = {
         'TargetOriginId': origin_id,
         'PathPattern': pattern,
         'DefaultTTL': context['cloudfront']['default-ttl'],
         'ForwardedValues': cloudfront.ForwardedValues(QueryString=False),
         'ViewerProtocolPolicy': 'allow-all',
     }
     return cloudfront.CacheBehavior(**behavior_kwargs)
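    def add_cache_behaviors(self, title, cf_cache_behavior_config):
        """
        Create Cloudfront CacheBehavior objects and append to list of cache_behaviors

        Every entry of ``cf_cache_behavior_config`` becomes either the single
        ``self.default_cache_behavior`` (when ``is_default`` is set) or one more
        ``cloudfront.CacheBehavior`` appended to ``self.cache_behaviors``.
        ``Compress`` and ``SmoothStreaming`` are always off; everything else
        (allowed/cached methods, TTLs, forwarded cookies/headers, trusted
        signers and the viewer protocol policy) is taken verbatim from the
        config entry -- a config entry with ``viewer_protocol_policy``
        'allow-all' therefore serves that path over plain HTTP too.

        :param title: Title of this Cloudfront Distribution
        :param cf_cache_behavior_config: list of CFCacheBehavior
        :raises CloudfrontConfigError: when at least one non-default cache
            behavior is configured but the number of default behaviors is not
            exactly one.  The check runs once after the whole list has been
            processed, so the default entry may appear at any position
            (previously the check ran inside the loop and rejected a config
            whose default entry came after a non-default one).
        """

        default_cache_behavior_count = 0
        cache_behavior_count = 0

        for number, cache_behavior in enumerate(cf_cache_behavior_config):

            forwarded_values = cloudfront.ForwardedValues(
                Cookies=cloudfront.Cookies(
                    Forward=cache_behavior.forward_cookies),
                QueryString=cache_behavior.query_string)
            # Headers is optional in the config; only emit it when given.
            if cache_behavior.forwarded_headers is not None:
                forwarded_values.Headers = cache_behavior.forwarded_headers

            cf_cache_behavior_params = {
                'AllowedMethods': cache_behavior.allowed_methods,
                'CachedMethods': cache_behavior.cached_methods,
                'Compress': False,
                'TargetOriginId': cache_behavior.target_origin_id,
                'ForwardedValues': forwarded_values,
                'TrustedSigners': cache_behavior.trusted_signers,
                'ViewerProtocolPolicy': cache_behavior.viewer_protocol_policy,
                'MinTTL': cache_behavior.min_ttl,
                'DefaultTTL': cache_behavior.default_ttl,
                'MaxTTL': cache_behavior.max_ttl,
                'SmoothStreaming': False
            }

            if cache_behavior.is_default:
                # Add default cache behavior (a second default entry would
                # overwrite this one; the count is checked after the loop)
                self.default_cache_behavior = cloudfront.DefaultCacheBehavior(
                    '{0}DefaultCacheBehavior'.format(title),
                    **cf_cache_behavior_params)

                default_cache_behavior_count += 1
            else:
                # Append additional cache behaviors to list
                cf_cache_behavior_params[
                    'PathPattern'] = cache_behavior.path_pattern

                created_cache_behavior = cloudfront.CacheBehavior(
                    '{0}CacheBehavior{1}'.format(title, number),
                    **cf_cache_behavior_params)

                self.cache_behaviors.append(created_cache_behavior)
                cache_behavior_count += 1

        # if there is at least one cache behavior, there must be exactly one
        # default cache behavior -- validated once after the loop so the order
        # of the config entries does not matter.
        if cache_behavior_count > 0 and default_cache_behavior_count != 1:
            raise CloudfrontConfigError(
                'Error: cf_distribution_unit {0} must have exactly one default cache behavior.'
                .format(title))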
 def _cache_behavior(origin_id, pattern, headers=None, cookies=None):
     """Build a CloudFront CacheBehavior for ``pattern`` routed to ``origin_id``.

     ``cookies`` is passed through the module's ``_cookies`` helper; ``headers``
     (header names to forward, or None) defaults to forwarding none.  Query
     strings are never forwarded.  DefaultTTL comes from the module-level
     ``context['cloudfront']['default-ttl']``.

     NOTE(review): ViewerProtocolPolicy is 'allow-all', so CloudFront serves
     these paths over plain HTTP as well as HTTPS; cookies forwarded for an
     HTTP request therefore travel in the clear between viewer and edge.
     """
     forwarded = cloudfront.ForwardedValues(
         Cookies=_cookies(cookies),
         QueryString=False,
         Headers=headers or [],
     )
     return cloudfront.CacheBehavior(
         TargetOriginId=origin_id,
         PathPattern=pattern,
         DefaultTTL=context['cloudfront']['default-ttl'],
         ForwardedValues=forwarded,
         ViewerProtocolPolicy='allow-all',
     )
    def build(self):
        """Assemble the troposphere cache behavior described by this object.

        Returns a ``cloudfront.DefaultCacheBehavior`` when ``self.default`` is
        set, otherwise a ``cloudfront.CacheBehavior`` carrying ``self.pattern``
        as its PathPattern.  Cookie forwarding is 'none', 'all' or (for any
        other ``forward_cookies`` value) a whitelist of ``self.cookie_list``;
        query-string cache keys and forwarded headers are emitted only when
        configured; each TTL is emitted only when it is not None.

        Viewer protocol policy: ``force_https`` -> 'redirect-to-https', else
        ``https`` -> 'https-only', else 'allow-all' -- note that the fallback
        is the permissive one and accepts plain-HTTP viewers.
        """
        forwarded = ForwardedValues(QueryString=self.forward_querystring)

        cookie_mode = self.forward_cookies
        if cookie_mode in ('none', 'all'):
            forwarded.Cookies = Cookies(Forward=cookie_mode)
        else:
            # any other value means an explicit whitelist
            forwarded.Cookies = Cookies(Forward='whitelist',
                                        WhitelistNames=self.cookie_list)

        if len(self.querystring_list) > 0:
            forwarded.QueryStringCacheKeys = self.querystring_list

        if self.headers:
            forwarded.Headers = self.headers

        params = {
            'AllowedMethods': self.allowed_methods,
            'CachedMethods': self.cache_methods,
            'Compress': self.compress,
            'ForwardedValues': forwarded,
            'SmoothStreaming': self.streaming,
            'TargetOriginId': self.origin_id,
        }

        # TTLs are optional; unset ones are left to CloudFront's defaults.
        optional_ttls = (
            ('DefaultTTL', self.default_ttl),
            ('MaxTTL', self.max_ttl),
            ('MinTTL', self.min_ttl),
        )
        for key, ttl in optional_ttls:
            if ttl is not None:
                params[key] = ttl

        if self.force_https:
            policy = 'redirect-to-https'
        elif self.https:
            policy = 'https-only'
        else:
            policy = 'allow-all'
        params['ViewerProtocolPolicy'] = policy

        if self.default:
            return cloudfront.DefaultCacheBehavior(**params)

        params['PathPattern'] = self.pattern
        return cloudfront.CacheBehavior(**params)
        ],
        DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
            TargetOriginId="staticv1",
            ForwardedValues=cloudfront.ForwardedValues(
                QueryString=False,
            ),
            ViewerProtocolPolicy="allow-all",
            MinTTL=1,
            MaxTTL=60,
        ),
        CacheBehaviors=[
            cloudfront.CacheBehavior(
                TargetOriginId='apiv1',
                ForwardedValues=cloudfront.ForwardedValues(
                    QueryString=True,
                ),
                ViewerProtocolPolicy="allow-all",
                MinTTL=1,
                MaxTTL=60,
                PathPattern='/api/v1/*',
            ),
        ],
        Enabled=True,
        HttpVersion='http1.1',
    ),
))
# Expose the distribution's domain as a stack output.  The URL is advertised
# with a plain "http://" scheme; the behaviors above use ViewerProtocolPolicy
# "allow-all", so CloudFront will indeed answer over HTTP at this address.
visibility_url = Join("", ["http://", GetAtt(cloudfront_distribution, "DomainName")])
stack.add_output([Output("VisibilityUrl", Value=visibility_url)])
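    def get_distribution_options(self,
                                 bucket,  # type: s3.Bucket
                                 oai,  # type: cloudfront.CloudFrontOriginAccessIdentity
                                 lambda_funcs,  # type: List[cloudfront.LambdaFunctionAssociation]
                                 check_auth_lambda_version,  # type: awslambda.Version
                                 http_headers_lambda_version,  # type: awslambda.Version
                                 parse_auth_lambda_version,  # type: awslambda.Version
                                 refresh_auth_lambda_version,  # type: awslambda.Version
                                 sign_out_lambda_version  # type: awslambda.Version
                                ):  # noqa: E124
        # type: (...) -> Dict[str, Any]
        """Retrieve the options for our CloudFront distribution.

        The distribution fronts a single S3 origin reached through the origin
        access identity, attaches the auth Lambda@Edge versions to the
        sign-in, refresh and sign-out paths and to the default behavior, and
        forces ``redirect-to-https`` on every behavior.

        Args:
            bucket: The S3 bucket resource used as the only origin.
            oai: The origin access identity the origin is configured with
                (the matching bucket policy is not part of this method).
            lambda_funcs: Lambda Function associations for the default cache
                behavior, in addition to the check-auth and http-headers ones
                added here.  The list is copied, not modified.
            check_auth_lambda_version: attached as ``viewer-request`` on the
                default behavior.
            http_headers_lambda_version: attached as ``origin-response`` on
                the default behavior.
            parse_auth_lambda_version: ``viewer-request`` on the
                ``RedirectPathSignIn`` path.
            refresh_auth_lambda_version: ``viewer-request`` on the
                ``RedirectPathAuthRefresh`` path.
            sign_out_lambda_version: ``viewer-request`` on the ``SignOutUrl``
                path.

        Return:
            dict: The CloudFront Distribution Options

        """
        variables = self.get_variables()

        # Copy so the caller's list is left untouched: the original appended
        # to ``lambda_funcs`` in place, so it grew by two entries per call.
        default_cache_behavior_lambdas = list(lambda_funcs)
        default_cache_behavior_lambdas.extend([
            cloudfront.LambdaFunctionAssociation(
                EventType='viewer-request',
                # Lambda@Edge needs a published-version ARN; the Version
                # resource's Ref is used for that (confirm against the stack).
                LambdaFunctionARN=check_auth_lambda_version.ref()
            ),
            cloudfront.LambdaFunctionAssociation(
                EventType='origin-response',
                LambdaFunctionARN=http_headers_lambda_version.ref()
            ),
        ])

        def _auth_path_behavior(path_pattern, lambda_version):
            # One auth path: HTTPS-only, query string forwarded (the auth
            # flow presumably carries its parameters there), single
            # viewer-request Lambda@Edge association.
            return cloudfront.CacheBehavior(
                PathPattern=path_pattern,
                Compress=True,
                ForwardedValues=cloudfront.ForwardedValues(
                    QueryString=True
                ),
                LambdaFunctionAssociations=[
                    cloudfront.LambdaFunctionAssociation(
                        EventType='viewer-request',
                        LambdaFunctionARN=lambda_version.ref()
                    )
                ],
                TargetOriginId='protected-bucket',
                ViewerProtocolPolicy="redirect-to-https"
            )

        return {
            'Aliases': self.add_aliases(),
            'Origins': [
                cloudfront.Origin(
                    DomainName=Join(
                        '.',
                        [bucket.ref(),
                         's3.amazonaws.com']),
                    # Access via the OAI, so the bucket itself need not be
                    # public.
                    S3OriginConfig=cloudfront.S3OriginConfig(
                        OriginAccessIdentity=Join(
                            '',
                            ['origin-access-identity/cloudfront/',
                             oai.ref()])
                    ),
                    Id='protected-bucket'
                )
            ],
            'CacheBehaviors': [
                _auth_path_behavior(variables['RedirectPathSignIn'],
                                    parse_auth_lambda_version),
                _auth_path_behavior(variables['RedirectPathAuthRefresh'],
                                    refresh_auth_lambda_version),
                _auth_path_behavior(variables['SignOutUrl'],
                                    sign_out_lambda_version),
            ],
            'DefaultCacheBehavior': cloudfront.DefaultCacheBehavior(
                # Read-only methods only on the protected content.
                AllowedMethods=['GET', 'HEAD'],
                Compress=True,
                DefaultTTL='86400',
                ForwardedValues=cloudfront.ForwardedValues(
                    QueryString=True,
                ),
                LambdaFunctionAssociations=default_cache_behavior_lambdas,
                TargetOriginId='protected-bucket',
                ViewerProtocolPolicy='redirect-to-https'
            ),
            'DefaultRootObject': 'index.html',
            'Logging': self.add_logging_bucket(),
            'PriceClass': variables['PriceClass'],
            'Enabled': True,
            'WebACLId': self.add_web_acl(),
            'CustomErrorResponses': self._get_error_responses(),
            'ViewerCertificate': self.add_acm_cert()
        }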
)

# Create the CloudFront distributions.
frontend_distribution = template.add_resource(
    cloudfront.Distribution(
        'FrontendDistribution',
        DistributionConfig=cloudfront.DistributionConfig(
            Aliases=[
                Ref(frontend_cname)
            ],
            CacheBehaviors=[
                cloudfront.CacheBehavior(
                    AllowedMethods=['HEAD', 'GET'],
                    CachedMethods=['HEAD', 'GET'],
                    ForwardedValues=cloudfront.ForwardedValues(
                        QueryString=False
                    ),
                    PathPattern='*',
                    TargetOriginId=Join('-', ['S3', Ref(frontend_bucket)]),
                    ViewerProtocolPolicy='redirect-to-https'
                )
            ],
            CustomErrorResponses=[
                cloudfront.CustomErrorResponse(
                    ErrorCode=404,
                    ResponseCode=200,
                    ResponsePagePath='/index.html'
                )
            ],
            DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
                ForwardedValues=cloudfront.ForwardedValues(
                    QueryString=False
# endregion

# region Resources
distribution = template.add_resource(
    cloudfront.Distribution(
        'Distribution',
        DistributionConfig=cloudfront.DistributionConfig(
            Aliases=[Ref(domain)],
            CacheBehaviors=[
                cloudfront.CacheBehavior(
                    Compress=True,
                    ForwardedValues=cloudfront.ForwardedValues(
                        Cookies=cloudfront.Cookies(Forward='none'),
                        QueryString=False,
                    ),
                    PathPattern=Ref(media_pattern),
                    TargetOriginId=Sub(
                        '${domain}${path}', **{
                            'domain': Ref(media_domain),
                            'path': Ref(media_path)
                        }),
                    ViewerProtocolPolicy='redirect-to-https',
                )
            ],
            Comment=Sub('${AWS::StackName}'),
            DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
                Compress=True,
                ForwardedValues=cloudfront.ForwardedValues(
                    Cookies=cloudfront.Cookies(Forward='none'),
                    QueryString=False,
                ),
                TargetOriginId=Sub(
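    def get_distribution_options(
        self,
        bucket: s3.Bucket,
        oai: cloudfront.CloudFrontOriginAccessIdentity,
        lambda_funcs: List[cloudfront.LambdaFunctionAssociation],
        check_auth_lambda_version: awslambda.Version,
        http_headers_lambda_version: awslambda.Version,
        parse_auth_lambda_version: awslambda.Version,
        refresh_auth_lambda_version: awslambda.Version,
        sign_out_lambda_version: awslambda.Version,
    ) -> Dict[str, Any]:
        """Retrieve the options for our CloudFront distribution.

        The distribution fronts a single S3 origin reached through the origin
        access identity, attaches the auth Lambda@Edge versions to the
        sign-in, refresh and sign-out paths and to the default behavior, and
        forces ``redirect-to-https`` on every behavior.

        Args:
            bucket: The bucket resource used as the only origin.
            oai: The origin access identity the origin is configured with
                (the matching bucket policy is not part of this method).
            lambda_funcs: Lambda Function associations for the default cache
                behavior, in addition to the check-auth and http-headers ones
                added here.  The list is copied, not modified.
            check_auth_lambda_version: attached as ``viewer-request`` on the
                default behavior.
            http_headers_lambda_version: attached as ``origin-response`` on
                the default behavior.
            parse_auth_lambda_version: ``viewer-request`` on the
                ``RedirectPathSignIn`` path.
            refresh_auth_lambda_version: ``viewer-request`` on the
                ``RedirectPathAuthRefresh`` path.
            sign_out_lambda_version: ``viewer-request`` on the ``SignOutUrl``
                path.

        Return:
            The CloudFront Distribution Options.

        """
        # Copy so the caller's list is left untouched: the original appended
        # to ``lambda_funcs`` in place, so it grew by two entries per call.
        default_cache_behavior_lambdas = list(lambda_funcs)
        default_cache_behavior_lambdas.extend([
            cloudfront.LambdaFunctionAssociation(
                EventType="viewer-request",
                # Lambda@Edge needs a published-version ARN; the Version
                # resource's Ref is used for that (confirm against the stack).
                LambdaFunctionARN=check_auth_lambda_version.ref(),
            ),
            cloudfront.LambdaFunctionAssociation(
                EventType="origin-response",
                LambdaFunctionARN=http_headers_lambda_version.ref(),
            ),
        ])

        def _auth_path_behavior(
            path_pattern: Any, lambda_version: awslambda.Version
        ) -> cloudfront.CacheBehavior:
            # One auth path: HTTPS-only, query string forwarded (the auth
            # flow presumably carries its parameters there), single
            # viewer-request Lambda@Edge association.
            return cloudfront.CacheBehavior(
                PathPattern=path_pattern,
                Compress=True,
                ForwardedValues=cloudfront.ForwardedValues(QueryString=True),
                LambdaFunctionAssociations=[
                    cloudfront.LambdaFunctionAssociation(
                        EventType="viewer-request",
                        LambdaFunctionARN=lambda_version.ref(),
                    )
                ],
                TargetOriginId="protected-bucket",
                ViewerProtocolPolicy="redirect-to-https",
            )

        return {
            "Aliases": self.add_aliases(),
            "Origins": [
                cloudfront.Origin(
                    DomainName=Join(".", [bucket.ref(), "s3.amazonaws.com"]),
                    # Access via the OAI, so the bucket itself need not be
                    # public.
                    S3OriginConfig=cloudfront.S3OriginConfig(
                        OriginAccessIdentity=Join(
                            "", ["origin-access-identity/cloudfront/",
                                 oai.ref()])),
                    Id="protected-bucket",
                )
            ],
            "CacheBehaviors": [
                _auth_path_behavior(self.variables["RedirectPathSignIn"],
                                    parse_auth_lambda_version),
                _auth_path_behavior(self.variables["RedirectPathAuthRefresh"],
                                    refresh_auth_lambda_version),
                _auth_path_behavior(self.variables["SignOutUrl"],
                                    sign_out_lambda_version),
            ],
            "DefaultCacheBehavior": cloudfront.DefaultCacheBehavior(
                # Read-only methods only on the protected content.
                AllowedMethods=["GET", "HEAD"],
                Compress=True,
                DefaultTTL="86400",
                ForwardedValues=cloudfront.ForwardedValues(QueryString=True),
                LambdaFunctionAssociations=default_cache_behavior_lambdas,
                TargetOriginId="protected-bucket",
                ViewerProtocolPolicy="redirect-to-https",
            ),
            "DefaultRootObject": "index.html",
            "Logging": self.add_logging_bucket(),
            "PriceClass": self.variables["PriceClass"],
            "Enabled": True,
            "WebACLId": self.add_web_acl(),
            "CustomErrorResponses": self._get_error_responses(),
            "ViewerCertificate": self.add_acm_cert(),
        }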
             OriginProtocolPolicy='https-only',
             OriginSSLProtocols=['TLSv1.2', 'TLSv1.1', 'TLSv1']),
     ),
 ],
 CacheBehaviors=[
     cloudfront.CacheBehavior(
         # The authorizer hijacks a set of URL-paths from your website. All paths are prefixed
         # with `/auth-<UUID>/`, so they are very unlikely to collide with your content.
         # Insert this as the first Behaviour.
         PathPattern=Join('', [
             ImportValue(
                 Sub('${' + authorizer_stack.title +
                     '}-magic-path')),
             '/*',
         ]),
         ViewerProtocolPolicy='https-only',
         TargetOriginId='Authorizer',
         ForwardedValues=cloudfront.ForwardedValues(
             QueryString=True,
             Cookies=cloudfront.Cookies(
                 Forward='all',  # Needed to allow Set-Cookie:-headers
             ),
         ),
         MinTTL=0,
         DefaultTTL=0,
         MaxTTL=0,
     )
 ],
 DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
     ViewerProtocolPolicy=
     'redirect-to-https',  # HTTPS required. Cookies need to be sent securely
     LambdaFunctionAssociations=[