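def create_distribution(self):
    """Add the DISTRIBUTION CloudFront resource fronting BUCKET.

    The distribution has one S3 origin (the bucket's ``DomainName``) and a
    default behavior that forwards no query strings. The ``DomainName``
    output advertises an ``https://`` URL, so viewers are redirected to
    HTTPS rather than being allowed to fetch over plain HTTP, which the
    previous ``allow-all`` policy permitted in contradiction to that output.

    Side effects: adds the DISTRIBUTION resource and a ``DomainName`` output
    to ``self.template``.
    """
    t = self.template
    t.add_resource(
        cf.Distribution(
            DISTRIBUTION,
            DistributionConfig=cf.DistributionConfig(
                Origins=[
                    cf.Origin(
                        Id='1',
                        DomainName=GetAtt(BUCKET, 'DomainName'),
                        # No OriginAccessIdentity is set, so CloudFront reads the
                        # bucket anonymously -- the objects have to be readable
                        # without credentials; verify the bucket policy allows
                        # only what is meant to be public.
                        S3OriginConfig=cf.S3Origin(),
                    )
                ],
                Enabled=Ref('Enabled'),
                DefaultCacheBehavior=cf.DefaultCacheBehavior(
                    TargetOriginId='1',
                    ForwardedValues=cf.ForwardedValues(
                        QueryString=False,
                    ),
                    # Matches the https:// URL emitted below; 'allow-all' would
                    # also serve the same content in the clear.
                    ViewerProtocolPolicy='redirect-to-https',
                ),
            ),
        ))
    t.add_output(
        Output('DomainName',
               Value=Join('', ['https://', GetAtt(DISTRIBUTION, 'DomainName')])))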
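def create_distribution(self):
    """Add a CloudFront distribution in front of ``self.origin_bucket_url``.

    The single custom origin is reached over plain HTTP (``http-only``);
    viewers are redirected to HTTPS. When ``self.certificate_arn`` is set an
    ACM certificate is served via SNI with a TLS 1.2 floor; otherwise the
    ``ViewerCertificate`` property is omitted (``NoValue``) and the default
    CloudFront certificate applies.

    Side effects: stores the resource on ``self.distribution`` and emits the
    ``DistributionId`` and ``DomainName`` outputs via ``self.add_output``.
    """
    t = self.template
    s3_origin = cloudfront.Origin(
        DomainName=self.origin_bucket_url,
        Id="s3",
        # CloudFront -> origin traffic is unencrypted. That is unavoidable for
        # an S3 *website* endpoint (HTTP only); for any other origin prefer
        # "https-only". NOTE(review): confirm origin_bucket_url is a website
        # endpoint.
        CustomOriginConfig=cloudfront.CustomOrigin(
            HTTPPort=80,
            HTTPSPort=443,
            OriginProtocolPolicy="http-only",
        ),
    )
    default_behavior = cloudfront.DefaultCacheBehavior(
        AllowedMethods=["GET", "HEAD"],
        CachedMethods=["GET", "HEAD"],
        ViewerProtocolPolicy="redirect-to-https",
        ForwardedValues=cloudfront.ForwardedValues(
            QueryString=True,
            # Cookies never reach the origin and are not part of the cache key.
            Cookies=cloudfront.Cookies(Forward="none"),
        ),
        MinTTL=0,
        MaxTTL=31536000,
        DefaultTTL=86400,
        SmoothStreaming=False,
        TargetOriginId="s3",
    )
    viewer_certificate = NoValue
    if self.certificate_arn:
        viewer_certificate = cloudfront.ViewerCertificate(
            AcmCertificateArn=self.certificate_arn,
            SslSupportMethod="sni-only",
            # Without an explicit floor a sni-only distribution defaults to an
            # older minimum (TLSv1); pin the current recommended policy.
            MinimumProtocolVersion="TLSv1.2_2021",
        )
    # NOTE(review): Aliases are set even when no certificate is supplied; the
    # default *.cloudfront.net certificate will not match those hostnames over
    # HTTPS -- confirm that configuration is intended.
    config = cloudfront.DistributionConfig(
        Aliases=self.aliases,
        DefaultCacheBehavior=default_behavior,
        Comment="%s" % self.origin_bucket_url,
        Enabled=True,
        PriceClass="PriceClass_All",
        ViewerCertificate=viewer_certificate,
        Origins=[s3_origin],
    )
    self.distribution = t.add_resource(
        cloudfront.Distribution(
            "Distribution",
            DistributionConfig=config,
        )
    )
    self.add_output("DistributionId", self.distribution.Ref())
    self.add_output(
        "DomainName",
        self.distribution.GetAtt("DomainName")
    )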
def add_origins(self, title, cf_origins_config):
    """Build a ``cloudfront.Origin`` for every entry of *cf_origins_config*
    and append it to ``self.origins``.

    :param title: Title of this CloudFront distribution; used as the prefix
        of each origin's logical name (``<title>Origin<n>``).
    :param cf_origins_config: Iterable of CFOrigin configuration objects.

    An entry is S3-backed when ``origin_policy['is_s3']`` is true (with an
    optional OriginAccessIdentity); otherwise it becomes a custom origin whose
    domain is resolved through ``self.get_custom_reference``.
    """
    for index, spec in enumerate(cf_origins_config):
        new_origin = cloudfront.Origin(
            '{0}Origin{1}'.format(title, index),
            DomainName=spec.domain_name,
            Id=spec.origin_id)
        if spec.origin_path:
            new_origin.OriginPath = spec.origin_path
        if spec.custom_headers:
            # Headers with a None value are dropped. Values are rendered into
            # the template in clear text, so a shared secret sent this way
            # (e.g. an origin-verification header) is only as private as the
            # template and its parameters.
            new_origin.OriginCustomHeaders = [
                cloudfront.OriginCustomHeader(HeaderName=name, HeaderValue=value)
                for name, value in spec.custom_headers.items()
                if value is not None
            ]
        if spec.origin_policy['is_s3']:
            s3_config = cloudfront.S3Origin()
            # Without an OAI, CloudFront reads the bucket anonymously.
            if spec.origin_access_identity:
                s3_config.OriginAccessIdentity = spec.origin_access_identity
            new_origin.S3OriginConfig = s3_config
        else:
            new_origin.DomainName = self.get_custom_reference(spec.domain_name)
            custom_config = cloudfront.CustomOrigin()
            # Only attributes that were actually provided are set; a falsy
            # value (None, 0, empty list) leaves the property unset.
            for attr, value in (
                    ('HTTPPort', spec.http_port),
                    ('HTTPSPort', spec.https_port),
                    ('OriginProtocolPolicy', spec.origin_protocol_policy),
                    ('OriginSSLProtocols', spec.origin_ssl_protocols)):
                if value:
                    setattr(custom_config, attr, value)
            new_origin.CustomOriginConfig = custom_config
        self.origins.append(new_origin)
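def create_cloudfront_distributions(self):
    """Create the blue and green tile CloudFront distributions.

    Both distributions are configured identically and share the same custom
    origin host, ``tile-cache.<public_hosted_zone_name>``, reached over plain
    HTTP. Viewers may connect over HTTP or HTTPS (``allow-all``); switch to
    ``redirect-to-https`` if tiles must never be served in the clear.

    Returns:
        tuple: ``(blue_tile_distribution, green_tile_distribution)``.
    """

    def tile_distribution(title):
        # One definition for both colours; only the logical name differs.
        # NOTE(review): both distributions point at the same 'tile-cache'
        # host -- confirm a blue/green split with a shared origin is intended.
        return self.add_resource(
            cf.Distribution(
                title,
                DistributionConfig=cf.DistributionConfig(
                    Origins=[
                        cf.Origin(
                            Id='tileOriginId',
                            DomainName=Join('.', [
                                'tile-cache',
                                Ref(self.public_hosted_zone_name)
                            ]),
                            # CloudFront -> origin traffic is unencrypted.
                            CustomOriginConfig=cf.CustomOrigin(
                                OriginProtocolPolicy='http-only'))
                    ],
                    DefaultCacheBehavior=cf.DefaultCacheBehavior(
                        ForwardedValues=cf.ForwardedValues(QueryString=True),
                        TargetOriginId='tileOriginId',
                        ViewerProtocolPolicy='allow-all'),
                    Enabled=True)))

    blue_tile_distribution = tile_distribution('tileDistributionBlue')
    green_tile_distribution = tile_distribution('tileDistributionGreen')
    return blue_tile_distribution, green_tile_distribution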
def distribution(self) -> cloudfront.Distribution:
    """Return the CloudFront distribution that serves ``self.bucket``.

    The bucket is the only origin and is reached through the origin access
    identity ``self.origin_access_identity``; viewers are redirected to HTTPS
    and the ACM certificate ``self.certificate_arn`` is served with SNI and a
    TLS 1.2 (2021 policy) floor. Every ARN in
    ``self.lambda_edge_function_arns`` is attached to the default behavior as
    a ``viewer-request`` Lambda@Edge association.
    """
    oai_path = Join("", [
        "origin-access-identity/cloudfront/",
        Ref(self.origin_access_identity),
    ])
    bucket_origin = cloudfront.Origin(
        S3OriginConfig=cloudfront.S3OriginConfig(OriginAccessIdentity=oai_path),
        DomainName=f"{self.bucket.name}.s3.amazonaws.com",
        Id="S3Origin",
    )
    behavior_kwargs = {
        "AllowedMethods": ["GET", "HEAD", "OPTIONS"],
        "CachePolicyId": Ref(self.cache_policy),
        "TargetOriginId": "S3Origin",
        "ViewerProtocolPolicy": "redirect-to-https",
    }
    # The property is only emitted when functions were configured, so the
    # rendered template is unchanged for the no-Lambda case.
    if self.lambda_edge_function_arns:
        behavior_kwargs["LambdaFunctionAssociations"] = [
            cloudfront.LambdaFunctionAssociation(
                EventType="viewer-request", LambdaFunctionARN=arn)
            for arn in self.lambda_edge_function_arns
        ]
    viewer_cert = cloudfront.ViewerCertificate(
        AcmCertificateArn=self.certificate_arn,
        SslSupportMethod="sni-only",
        MinimumProtocolVersion="TLSv1.2_2021",
    )
    return cloudfront.Distribution(
        name_to_id(self.name),
        DistributionConfig=cloudfront.DistributionConfig(
            Aliases=self.aliases,
            DefaultRootObject=self.root_object,
            DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(**behavior_kwargs),
            Enabled="True",
            HttpVersion="http2",
            Origins=[bucket_origin],
            ViewerCertificate=viewer_cert,
        ),
    )
def build(self, t):
    """Return the ``cloudfront.Origin`` for ``self.origin`` and register the
    template parameter that carries its domain name on *t*.

    Which parameter is used depends on the concrete origin type:

    * ``s3.S3Bucket`` -- a new parameter named after ``output_bucket_url()``
    * ``apigateway.SwaggerApiStack`` -- ``ensure_param`` on ``output_url()``
    * ``elb.ELBStack`` -- ``ensure_param`` on ``output_dns_name()``
    * anything else -- a new parameter ``Input<name>Origin``

    The origin is always a custom origin; ``self.origin_proto`` and
    ``self.ssl_protocols`` decide whether CloudFront talks to it over TLS and
    which versions it will negotiate.
    """
    result = cloudfront.Origin(OriginPath=self.path, Id=self.get_id())
    source = self.origin
    if isinstance(source, s3.S3Bucket):
        # NOTE(review): this branch adds the parameter unconditionally while
        # the API and ELB branches go through ensure_param; building the same
        # bucket origin twice on one template would register a duplicate
        # parameter -- confirm callers never do that.
        domain_param = t.add_parameter(
            Parameter(source.output_bucket_url(), Type='String'))
    elif isinstance(source, apigateway.SwaggerApiStack):
        domain_param = ensure_param(t, source.output_url())
    elif isinstance(source, elb.ELBStack):
        domain_param = ensure_param(t, source.output_dns_name())
    else:
        domain_param = t.add_parameter(
            Parameter('Input{}Origin'.format(self.name), Type='String'))
    result.CustomOriginConfig = cloudfront.CustomOriginConfig(
        OriginReadTimeout=self.origin_timeout,
        OriginProtocolPolicy=self.origin_proto,
        OriginSSLProtocols=self.ssl_protocols)
    result.DomainName = Ref(domain_param)
    return result
) ], DefaultCacheBehavior=cloudfront.DefaultCacheBehavior( ForwardedValues=cloudfront.ForwardedValues( QueryString=False ), TargetOriginId=Join('-', ['S3', Ref(frontend_bucket)]), ViewerProtocolPolicy='redirect-to-https' ), DefaultRootObject='index.html', Enabled=True, IPV6Enabled=True, Origins=[ cloudfront.Origin( DomainName=GetAtt(frontend_bucket, 'DomainName'), Id=Join('-', ['S3', Ref(frontend_bucket)]), S3OriginConfig=cloudfront.S3Origin() ) ], ViewerCertificate=cloudfront.ViewerCertificate( AcmCertificateArn=Ref(frontend_ssl), SslSupportMethod='sni-only' ) ) ) ) backend_distribution = template.add_resource( cloudfront.Distribution( 'BackendDistribution', DistributionConfig=cloudfront.DistributionConfig(
def get_cloudfront_distribution_options(
        self,
        bucket,  # type: s3.Bucket
        oai,  # type: cloudfront.CloudFrontOriginAccessIdentity
        lambda_function_associations,  # type: List[cloudfront.LambdaFunctionAssociation]
):
    # type: (...) -> Dict[str, Any]
    """Assemble the ``DistributionConfig`` properties for the site.

    Args:
        bucket: The website bucket resource; it is the only origin and is
            read through *oai* (no anonymous bucket access required).
        oai: The origin access identity resource.
        lambda_function_associations: Lambda@Edge associations attached to
            the default cache behavior.

    Returns:
        Dict of DistributionConfig properties. Viewers are redirected to
        HTTPS; cookies are not forwarded to the origin; aliases, logging,
        WAF ACL and the ACM certificate come from the ``add_*`` helpers.
    """
    variables = self.get_variables()
    origin_id = "S3Origin"
    bucket_origin = cloudfront.Origin(
        DomainName=Join(".", [bucket.ref(), "s3.amazonaws.com"]),
        S3OriginConfig=cloudfront.S3OriginConfig(
            OriginAccessIdentity=Join(
                "", ["origin-access-identity/cloudfront/", oai.ref()])),
        Id=origin_id,
    )
    default_behavior = cloudfront.DefaultCacheBehavior(
        AllowedMethods=["GET", "HEAD"],
        Compress=False,
        DefaultTTL="86400",
        ForwardedValues=cloudfront.ForwardedValues(
            Cookies=cloudfront.Cookies(Forward="none"),
            QueryString=False,
        ),
        LambdaFunctionAssociations=lambda_function_associations,
        TargetOriginId=origin_id,
        ViewerProtocolPolicy="redirect-to-https",
    )
    error_responses = [
        cloudfront.CustomErrorResponse(
            ErrorCode=entry["ErrorCode"],
            ResponseCode=entry["ResponseCode"],
            ResponsePagePath=entry["ResponsePagePath"],
        )
        for entry in variables["custom_error_responses"]
    ]
    # Helper calls are kept in their original order in case they register
    # resources on the template as a side effect.
    return {
        "Aliases": self.add_aliases(),
        "Origins": [bucket_origin],
        "DefaultCacheBehavior": default_behavior,
        "DefaultRootObject": "index.html",
        "Logging": self.add_logging_bucket(),
        "PriceClass": variables["PriceClass"],
        "CustomErrorResponses": error_responses,
        "Enabled": True,
        "WebACLId": self.add_web_acl(),
        "ViewerCertificate": self.add_acm_cert(),
    }
#Action=waf.Action(Type='BLOCK'), #Priority=1, #RuleId=Ref(sql_injection_rule), #), #], )) cloudfront_distribution = stack.add_resource(cloudfront.Distribution( 'visibilitycloudfront', DistributionConfig=cloudfront.DistributionConfig( WebACLId=Ref(waf), Origins=[ cloudfront.Origin( Id='apiv1', DomainName='applicationelasticlb-208988572.us-east-1.elb.amazonaws.com', CustomOriginConfig=cloudfront.CustomOrigin( HTTPPort="80", OriginProtocolPolicy="http-only", ), ), cloudfront.Origin( Id='staticv1', DomainName='cihackathon.s3.amazonaws.com', S3OriginConfig=cloudfront.S3Origin(), ), ], DefaultCacheBehavior=cloudfront.DefaultCacheBehavior( TargetOriginId="staticv1", ForwardedValues=cloudfront.ForwardedValues( QueryString=False, ), ViewerProtocolPolicy="allow-all",
"ExampleDistribution", Condition=use_cert_cond, DistributionConfig=cloudfront.DistributionConfig( Comment="Example distribution for restricted access", Aliases=[domain_name], Enabled=True, IPV6Enabled=True, HttpVersion='http2', PriceClass='PriceClass_100', Origins=[ # Your usual config goes here, example: cloudfront.Origin( Id="ExampleS3", DomainName=Join( '', [Ref(example_bucket), '.s3.amazonaws.com']), S3OriginConfig=cloudfront.S3OriginConfig( OriginAccessIdentity=Join('', [ 'origin-access-identity/cloudfront/', Ref(example_bucket_oai), ])), ), ], DefaultRootObject= "index.html", # Needed for this example only, adapt to your requirements CacheBehaviors=[ # If you have additional cache behaviours, # make sure that (at least) the behaviour matching # /auth-89CE3FEF-FCF6-43B3-9DBA-7C410CAAE220/set-cookie # has the Lambda-function associated. ], DefaultCacheBehavior=cloudfront.DefaultCacheBehavior( ViewerProtocolPolicy=
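def cloudfront_distribution(self):
    """Add the ``SiteCFDistribution`` resource and its two outputs.

    The distribution serves ``self.SiteBucket`` through the origin access
    identity in ``self.vars["OriginAccessIdentity"]``, logs to
    ``self.vars["LogBucket"]`` and is protected by ``self.vars["WebACLId"]``.
    Viewers are always redirected to HTTPS. When ``AcmCertificateARN`` is set
    the certificate is served via SNI with a TLS 1.2 floor (previously the
    floor was ``TLSv1``, which still admitted TLS 1.0/1.1 handshakes).

    Side effects: sets ``self.SiteCFDistribution`` and adds the
    ``CloudFrontDistribution`` and ``WebsiteURL`` outputs to ``self.template``.
    """
    if self.vars["AcmCertificateARN"]:
        viewer_certificate = cf.ViewerCertificate(
            SslSupportMethod="sni-only",
            MinimumProtocolVersion="TLSv1.2_2021",
            AcmCertificateArn=self.vars["AcmCertificateARN"],
        )
        url_prefix = 'https://'
    else:
        # NOTE(review): without a certificate the alias FQDNPublic cannot be
        # served over HTTPS with a matching certificate, yet the viewer policy
        # below still redirects every request to HTTPS -- the http:// URL
        # emitted in WebsiteURL only works as a redirect entry point.
        viewer_certificate = NoValue
        url_prefix = 'http://'
    t = self.template
    self.SiteCFDistribution = t.add_resource(
        cf.Distribution(
            "SiteCFDistribution",
            DistributionConfig=cf.DistributionConfig(
                Comment="S3 Distribution",
                Logging=cf.Logging(
                    Prefix=self.vars["FQDNPublic"] + "/cloudfront_logs/",
                    Bucket=self.vars["LogBucket"] + ".s3.amazonaws.com",
                    # Cookies are kept out of the access logs.
                    IncludeCookies="false"),
                WebACLId=self.vars["WebACLId"],
                Origins=[
                    cf.Origin(
                        S3OriginConfig=cf.S3Origin(OriginAccessIdentity=(
                            "origin-access-identity/cloudfront/" +
                            self.vars["OriginAccessIdentity"]),
                        ),
                        Id="myS3Origin",
                        DomainName=GetAtt(self.SiteBucket, "DomainName"),
                        OriginPath=self.vars["OriginPath"],
                    )
                ],
                DefaultRootObject=self.vars["DefaultRootObject"],
                PriceClass="PriceClass_100",
                Enabled="true",
                DefaultCacheBehavior=cf.DefaultCacheBehavior(
                    ViewerProtocolPolicy="redirect-to-https",
                    ForwardedValues=cf.ForwardedValues(
                        Cookies=cf.Cookies(Forward="none"),
                        QueryString="true"),
                    TargetOriginId="myS3Origin",
                    DefaultTTL=self.vars["DefaultTTL"],
                ),
                Aliases=[self.vars["FQDNPublic"]],
                ViewerCertificate=viewer_certificate,
            ),
        ))
    t.add_output(
        Output(
            "CloudFrontDistribution",
            Description="Cloudfront distribution domainname in AWS",
            Value=GetAtt(self.SiteCFDistribution, "DomainName"),
        ))
    t.add_output(
        Output(
            "WebsiteURL",
            Description="Public URL of cloudfront hosted website",
            Value=url_prefix + self.vars["FQDNPublic"],
        ))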
) ], DefaultCacheBehavior=cloudfront.DefaultCacheBehavior( ForwardedValues=cloudfront.ForwardedValues( QueryString=False ), TargetOriginId=Join('-', ['S3', Ref(bucket_resource)]), ViewerProtocolPolicy='redirect-to-https' ), DefaultRootObject='index.html', Enabled=True, IPV6Enabled=True, Origins=[ cloudfront.Origin( DomainName=GetAtt(bucket_resource, 'DomainName'), Id=Join('-', ['S3', Ref(bucket_resource)]), S3OriginConfig=cloudfront.S3Origin() ) ], ViewerCertificate=cloudfront.ViewerCertificate( AcmCertificateArn=Ref(certificate_arn_parameter), SslSupportMethod='sni-only' ) ) ) ) ci_user_resource = template.add_resource( iam.User( 'CiUser', UserName=ci_user_name_variable,
# Cloudfront Distribution ### CloudfrontDistribution = t.add_resource( cloudfront.Distribution( "CloudfrontDistribution", DistributionConfig=cloudfront.DistributionConfig( Aliases=[CONFIG['DOMAIN_NAME']], Origins=[ cloudfront.Origin( Id="Origin 1", # turn `http://mybucket.s3-website-us-east-1.amazonaws.com/`y # into `mybucket.s3-website-us-east-1.amazonaws.com` DomainName=Select( 2, Split("/", GetAtt(StaticHostingPublicBucket, 'WebsiteURL'))), # S3 website hosting only serves on 80 CustomOriginConfig=cloudfront.CustomOriginConfig( HTTPPort=80, OriginProtocolPolicy='http-only', )) ], ViewerCertificate=cloudfront.ViewerCertificate( AcmCertificateArn=Ref(CloudFrontCertificate), SslSupportMethod='sni-only', ), DefaultCacheBehavior=cloudfront.DefaultCacheBehavior( TargetOriginId="Origin 1", ForwardedValues=cloudfront.ForwardedValues(QueryString=False),
SubjectAlternativeNames=[alternate_name], DomainValidationOptions=[ DomainValidationOption(DomainName=cdn_domain, ValidationDomain=dns_domain) ], ValidationMethod='DNS', Tags=DefaultTags + Tags(Name='{}-{}'.format(env_l, app_group_l)))) # Provision the CDN Origin cdnOrigin = cf.Origin(Id='{}-{}-{}'.format(env_l, app_group_l, src_domain), DomainName=Select( 1, Split('//', GetAtt(redirectBucket, 'WebsiteURL'))), CustomOriginConfig=cf.CustomOriginConfig( HTTPPort=80, HTTPSPort=443, OriginProtocolPolicy='http-only', OriginSSLProtocols=['TLSv1.2'], )) # Provision the CDN Distribution cdnDistribution = t.add_resource( cf.Distribution( 'cdnDistribution{}'.format(src_domain.replace('.', '0')), DependsOn='cdnCertificate{}'.format(src_domain.replace('.', '0')), DistributionConfig=cf.DistributionConfig( Comment='{} - {}'.format(env, cdn_domain), Enabled=True, PriceClass='PriceClass_All',
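def create_template(self):
    """Create template (main function called by Stacker).

    Builds a private, versioned S3 bucket, an origin access identity, a
    bucket policy that grants ``s3:GetObject`` only to that identity, and a
    CloudFront distribution that reads the bucket through it. Viewers are
    redirected to HTTPS. Aliases, access logging, a WAF web ACL and an ACM
    certificate are each attached only when the matching stack variable is
    neither empty nor the literal ``'undefined'``; when a certificate is used
    the TLS floor is pinned to ``TLSv1.2_2021`` (the default for a
    ``sni-only`` certificate is the older ``TLSv1``).

    Side effects: all resources, conditions and outputs are added to
    ``self.template``.
    """
    template = self.template
    variables = self.get_variables()
    template.add_version('2010-09-09')
    template.add_description('Static Website - Bucket and Distribution')

    # Conditions
    template.add_condition(
        'AcmCertSpecified',
        And(Not(Equals(variables['AcmCertificateArn'].ref, '')),
            Not(Equals(variables['AcmCertificateArn'].ref, 'undefined'))))
    template.add_condition(
        'AliasesSpecified',
        And(Not(Equals(Select(0, variables['Aliases'].ref), '')),
            Not(Equals(Select(0, variables['Aliases'].ref), 'undefined'))))
    template.add_condition(
        'CFLoggingEnabled',
        And(Not(Equals(variables['LogBucketName'].ref, '')),
            Not(Equals(variables['LogBucketName'].ref, 'undefined'))))
    template.add_condition(
        'WAFNameSpecified',
        And(Not(Equals(variables['WAFWebACL'].ref, '')),
            Not(Equals(variables['WAFWebACL'].ref, 'undefined'))))

    # Resources
    oai = template.add_resource(
        cloudfront.CloudFrontOriginAccessIdentity(
            'OAI',
            CloudFrontOriginAccessIdentityConfig=cloudfront.CloudFrontOriginAccessIdentityConfig(  # noqa pylint: disable=line-too-long
                Comment='CF access to website')))
    bucket = template.add_resource(
        s3.Bucket(
            'Bucket',
            # Objects are only reachable through the OAI policy below.
            AccessControl=s3.Private,
            LifecycleConfiguration=s3.LifecycleConfiguration(Rules=[
                s3.LifecycleRule(NoncurrentVersionExpirationInDays=90,
                                 Status='Enabled')
            ]),
            VersioningConfiguration=s3.VersioningConfiguration(
                Status='Enabled'),
            # NOTE(review): the CloudFront origin below uses the REST endpoint
            # (<bucket>.s3.amazonaws.com), not the website endpoint, so this
            # index/error document configuration is not what CloudFront
            # consults -- DefaultRootObject covers the index case.
            WebsiteConfiguration=s3.WebsiteConfiguration(
                IndexDocument='index.html',
                ErrorDocument='error.html')))
    template.add_output(
        Output('BucketName',
               Description='Name of website bucket',
               Value=bucket.ref()))
    allowcfaccess = template.add_resource(
        s3.BucketPolicy(
            'AllowCFAccess',
            Bucket=bucket.ref(),
            PolicyDocument=Policy(
                Version='2012-10-17',
                Statement=[
                    # Read access is granted to the OAI's canonical user only.
                    Statement(
                        Action=[awacs.s3.GetObject],
                        Effect=Allow,
                        Principal=Principal(
                            'CanonicalUser',
                            oai.get_att('S3CanonicalUserId')),
                        Resource=[Join('', [bucket.get_att('Arn'), '/*'])])
                ])))
    cfdistribution = template.add_resource(
        cloudfront.Distribution(
            'CFDistribution',
            # The policy must exist before the distribution first reads.
            DependsOn=allowcfaccess.title,
            DistributionConfig=cloudfront.DistributionConfig(
                Aliases=If('AliasesSpecified', variables['Aliases'].ref, NoValue),
                Origins=[
                    cloudfront.Origin(
                        DomainName=Join('.', [bucket.ref(), 's3.amazonaws.com']),
                        S3OriginConfig=cloudfront.S3Origin(
                            OriginAccessIdentity=Join('', [
                                'origin-access-identity/cloudfront/',
                                oai.ref()
                            ])),
                        Id='S3Origin')
                ],
                DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
                    AllowedMethods=['GET', 'HEAD'],
                    Compress=False,
                    DefaultTTL='86400',
                    ForwardedValues=cloudfront.ForwardedValues(
                        Cookies=cloudfront.Cookies(Forward='none'),
                        QueryString=False,
                    ),
                    TargetOriginId='S3Origin',
                    ViewerProtocolPolicy='redirect-to-https'),
                DefaultRootObject='index.html',
                Logging=If(
                    'CFLoggingEnabled',
                    cloudfront.Logging(Bucket=Join('.', [
                        variables['LogBucketName'].ref, 's3.amazonaws.com'
                    ])),
                    NoValue),
                PriceClass=variables['PriceClass'].ref,
                Enabled=True,
                WebACLId=If('WAFNameSpecified', variables['WAFWebACL'].ref, NoValue),
                ViewerCertificate=If(
                    'AcmCertSpecified',
                    cloudfront.ViewerCertificate(
                        AcmCertificateArn=variables['AcmCertificateArn'].ref,  # noqa
                        SslSupportMethod='sni-only',
                        MinimumProtocolVersion='TLSv1.2_2021'),
                    NoValue))))
    template.add_output(
        Output('CFDistributionId',
               Description='CloudFront distribution ID',
               Value=cfdistribution.ref()))
    template.add_output(
        Output('CFDistributionDomainName',
               Description='CloudFront distribution domain name',
               Value=cfdistribution.get_att('DomainName')))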
'Statement': [{ 'Action': ['s3:GetObject'], 'Effect': 'Allow', 'Resource': root_bucket_arn, 'Principal': '*', }] })) cdn = template.add_resource( cloudfront.Distribution( 'WebsiteDistribution', DistributionConfig=cloudfront.DistributionConfig( Aliases=[Ref(domain)], Origins=[ cloudfront.Origin(Id=Ref(root_bucket), DomainName=GetAtt(root_bucket, 'DomainName'), S3OriginConfig=cloudfront.S3Origin()) ], DefaultCacheBehavior=cloudfront.DefaultCacheBehavior( Compress=True, ForwardedValues=cloudfront.ForwardedValues(QueryString=False), TargetOriginId=Ref(root_bucket), ViewerProtocolPolicy='redirect-to-https'), DefaultRootObject=Ref(index_page), Enabled=True))) hosted_zone = Join('', [Ref(zone), '.']) template.add_resource( route53.RecordSetGroup('WebsiteDNSRecord', HostedZoneName=hosted_zone, Comment='Records for the root of the hosted zone',
def get_cloudfront_distribution_options(
        self,  # type: StaticSite
        bucket,  # type: s3.Bucket
        oai,  # type: cloudfront.CloudFrontOriginAccessIdentity  # noqa pylint: disable=line-too-long
        lambda_function_associations  # type: List[cloudfront.LambdaFunctionAssociation]  # noqa pylint: disable=line-too-long  # TODO remove after dropping python 2
):  # pylint: disable=bad-continuation
    # type: (...) -> Dict[str, Any]
    """Assemble the ``DistributionConfig`` properties for the site.

    Keyword Args:
        bucket (dict): The website bucket resource; it is the only origin
            and is read through *oai*, so no anonymous bucket access is
            needed.
        oai (dict): The origin access identity resource.
        lambda_function_associations (array): Lambda@Edge associations for
            the default cache behavior.

    Return:
        dict: The CloudFront Distribution Options. Viewers are redirected to
        HTTPS and cookies are not forwarded; aliases, logging, WAF ACL and
        certificate come from the ``add_*`` helpers.
    """
    variables = self.get_variables()
    origin_id = 'S3Origin'
    bucket_origin = cloudfront.Origin(
        DomainName=Join('.', [bucket.ref(), 's3.amazonaws.com']),
        S3OriginConfig=cloudfront.S3OriginConfig(
            OriginAccessIdentity=Join(
                '', ['origin-access-identity/cloudfront/', oai.ref()])),
        Id=origin_id)
    default_behavior = cloudfront.DefaultCacheBehavior(
        AllowedMethods=['GET', 'HEAD'],
        Compress=False,
        DefaultTTL='86400',
        ForwardedValues=cloudfront.ForwardedValues(
            Cookies=cloudfront.Cookies(Forward='none'),
            QueryString=False,
        ),
        LambdaFunctionAssociations=lambda_function_associations,
        TargetOriginId=origin_id,
        ViewerProtocolPolicy='redirect-to-https')
    error_responses = [
        cloudfront.CustomErrorResponse(
            ErrorCode=entry['ErrorCode'],
            ResponseCode=entry['ResponseCode'],
            ResponsePagePath=entry['ResponsePagePath'])
        for entry in variables['custom_error_responses']
    ]
    # Helper calls stay in their original order in case they register
    # resources on the template as a side effect.
    return {
        'Aliases': self.add_aliases(),
        'Origins': [bucket_origin],
        'DefaultCacheBehavior': default_behavior,
        'DefaultRootObject': 'index.html',
        'Logging': self.add_logging_bucket(),
        'PriceClass': variables['PriceClass'],
        'CustomErrorResponses': error_responses,
        'Enabled': True,
        'WebACLId': self.add_web_acl(),
        'ViewerCertificate': self.add_acm_cert()
    }
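def create_cloudfront_distributions(self):
    """Create the blue and green tile distributions and their error alarms.

    Each colour gets one distribution (``tileDistribution<Colour>``) whose
    single custom origin is ``<colour>-tiles.<public_hosted_zone_name>``,
    reached over plain HTTP, plus two CloudWatch alarms on the
    ``AWS/CloudFront`` ``4xxErrorRate`` / ``5xxErrorRate`` metrics that
    notify ``self.notification_topic_arn``. Viewers may connect over HTTP
    or HTTPS (``allow-all``); use ``redirect-to-https`` if tiles must never
    be served in the clear.

    Returns:
        tuple: ``(blue_tile_distribution, green_tile_distribution)``.
    """

    def tile_distribution(colour):
        # One definition for both colours; only the logical name and the
        # origin host label ('blue-tiles' / 'green-tiles') differ.
        return self.add_resource(
            cf.Distribution(
                'tileDistribution' + colour,
                DistributionConfig=cf.DistributionConfig(
                    Origins=[
                        cf.Origin(
                            Id='tileOriginId',
                            DomainName=Join('.', [
                                colour.lower() + '-tiles',
                                Ref(self.public_hosted_zone_name)
                            ]),
                            # CloudFront -> origin traffic is unencrypted.
                            CustomOriginConfig=cf.CustomOrigin(
                                OriginProtocolPolicy='http-only'))
                    ],
                    DefaultCacheBehavior=cf.DefaultCacheBehavior(
                        ForwardedValues=cf.ForwardedValues(QueryString=True),
                        TargetOriginId='tileOriginId',
                        ViewerProtocolPolicy='allow-all'),
                    Enabled=True)))

    def error_rate_alarm(colour, distribution, status_class, period, threshold):
        # status_class is '4' or '5'. The alarm fires when the average
        # <status_class>xxErrorRate over a single period exceeds threshold.
        return self.add_resource(
            cw.Alarm(
                'alarmTileDistribution{}Origin{}XX'.format(colour, status_class),
                AlarmDescription='Tile distribution origin {}XXs'.format(status_class),
                AlarmActions=[Ref(self.notification_topic_arn)],
                Statistic='Average',
                Period=period,
                Threshold=threshold,
                EvaluationPeriods=1,
                ComparisonOperator='GreaterThanThreshold',
                MetricName='{}xxErrorRate'.format(status_class),
                Namespace='AWS/CloudFront',
                Dimensions=[
                    cw.MetricDimension('metricDistributionId',
                                       Name='DistributionId',
                                       Value=Ref(distribution)),
                    cw.MetricDimension('metricRegion',
                                       Name='Region',
                                       Value='Global')
                ]))

    distributions = []
    for colour in ('Blue', 'Green'):
        distribution = tile_distribution(colour)
        # 4XX: rate above 20 over a 300 s window; 5XX: anything above 0
        # within 60 s, i.e. any origin failure notifies immediately.
        error_rate_alarm(colour, distribution, '4', 300, '20')
        error_rate_alarm(colour, distribution, '5', 60, '0')
        distributions.append(distribution)
    blue_tile_distribution, green_tile_distribution = distributions
    return blue_tile_distribution, green_tile_distribution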
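def get_distribution_options(
    self,
    bucket: s3.Bucket,
    oai: cloudfront.CloudFrontOriginAccessIdentity,
    lambda_funcs: List[cloudfront.LambdaFunctionAssociation],
    check_auth_lambda_version: awslambda.Version,
    http_headers_lambda_version: awslambda.Version,
    parse_auth_lambda_version: awslambda.Version,
    refresh_auth_lambda_version: awslambda.Version,
    sign_out_lambda_version: awslambda.Version,
) -> Dict[str, Any]:
    """Retrieve the options for our CloudFront distribution.

    The bucket is the only origin and is read through *oai*. The default
    behavior runs ``check_auth`` on every viewer request (before the cache
    lookup, so a cached object still requires a valid session) and
    ``http_headers`` on origin responses; the sign-in, refresh and sign-out
    paths get their own ``viewer-request`` function. All behaviors redirect
    viewers to HTTPS and forward query strings (the auth callbacks carry
    their state there).

    *lambda_funcs* is copied before the auth associations are appended, so
    the caller's list is left untouched; previously it was mutated in place,
    and a second call would have appended the same associations again.

    Args:
        bucket: The bucket resource.
        oai: The origin access identity resource.
        lambda_funcs: Additional Lambda Function associations for the
            default cache behavior.
        check_auth_lambda_version: Lambda Function Version to use.
        http_headers_lambda_version: Lambda Function Version to use.
        parse_auth_lambda_version: Lambda Function Version to use.
        refresh_auth_lambda_version: Lambda Function Version to use.
        sign_out_lambda_version: Lambda Function Version to use.

    Return:
        The CloudFront Distribution Options.
    """
    default_cache_behavior_lambdas = list(lambda_funcs)
    default_cache_behavior_lambdas.append(
        cloudfront.LambdaFunctionAssociation(
            EventType="viewer-request",
            LambdaFunctionARN=check_auth_lambda_version.ref(),
        ))
    default_cache_behavior_lambdas.append(
        cloudfront.LambdaFunctionAssociation(
            EventType="origin-response",
            LambdaFunctionARN=http_headers_lambda_version.ref(),
        ))
    return {
        "Aliases": self.add_aliases(),
        "Origins": [
            cloudfront.Origin(
                DomainName=Join(".", [bucket.ref(), "s3.amazonaws.com"]),
                S3OriginConfig=cloudfront.S3OriginConfig(OriginAccessIdentity=Join(
                    "", ["origin-access-identity/cloudfront/", oai.ref()])),
                Id="protected-bucket",
            )
        ],
        "CacheBehaviors": [
            cloudfront.CacheBehavior(
                PathPattern=self.variables["RedirectPathSignIn"],
                Compress=True,
                ForwardedValues=cloudfront.ForwardedValues(QueryString=True),
                LambdaFunctionAssociations=[
                    cloudfront.LambdaFunctionAssociation(
                        EventType="viewer-request",
                        LambdaFunctionARN=parse_auth_lambda_version.ref(),
                    )
                ],
                TargetOriginId="protected-bucket",
                ViewerProtocolPolicy="redirect-to-https",
            ),
            cloudfront.CacheBehavior(
                PathPattern=self.variables["RedirectPathAuthRefresh"],
                Compress=True,
                ForwardedValues=cloudfront.ForwardedValues(QueryString=True),
                LambdaFunctionAssociations=[
                    cloudfront.LambdaFunctionAssociation(
                        EventType="viewer-request",
                        LambdaFunctionARN=refresh_auth_lambda_version.ref(),
                    )
                ],
                TargetOriginId="protected-bucket",
                ViewerProtocolPolicy="redirect-to-https",
            ),
            cloudfront.CacheBehavior(
                PathPattern=self.variables["SignOutUrl"],
                Compress=True,
                ForwardedValues=cloudfront.ForwardedValues(QueryString=True),
                LambdaFunctionAssociations=[
                    cloudfront.LambdaFunctionAssociation(
                        EventType="viewer-request",
                        LambdaFunctionARN=sign_out_lambda_version.ref(),
                    )
                ],
                TargetOriginId="protected-bucket",
                ViewerProtocolPolicy="redirect-to-https",
            ),
        ],
        "DefaultCacheBehavior": cloudfront.DefaultCacheBehavior(
            AllowedMethods=["GET", "HEAD"],
            Compress=True,
            DefaultTTL="86400",
            ForwardedValues=cloudfront.ForwardedValues(QueryString=True),
            LambdaFunctionAssociations=default_cache_behavior_lambdas,
            TargetOriginId="protected-bucket",
            ViewerProtocolPolicy="redirect-to-https",
        ),
        "DefaultRootObject": "index.html",
        "Logging": self.add_logging_bucket(),
        "PriceClass": self.variables["PriceClass"],
        "Enabled": True,
        "WebACLId": self.add_web_acl(),
        "CustomErrorResponses": self._get_error_responses(),
        "ViewerCertificate": self.add_acm_cert(),
    }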
def create_template(self) -> None:
    """Create template (main function called by Stacker).

    Builds a private, versioned S3 bucket, an origin access identity, a
    bucket policy granting ``s3:GetObject`` only to that identity, an
    optional Lambda@Edge function that rewrites directory requests to a
    default index document, and a CloudFront distribution that reads the
    bucket through the OAI and redirects viewers to HTTPS. Aliases,
    logging, the directory-index rewrite, a WAF web ACL and an ACM
    certificate are each attached only when the matching stack variable is
    neither empty nor the literal ``'undefined'``.

    Side effects: all conditions, resources and outputs are added to
    ``self.template``.
    """
    template = self.template
    variables = self.get_variables()
    template.add_version('2010-09-09')
    template.add_description('Static Website - Bucket and Distribution')

    # Conditions: each optional feature is "specified" only when its
    # variable is non-empty and not the string 'undefined'.
    template.add_condition(
        'AcmCertSpecified',
        And(Not(Equals(variables['AcmCertificateArn'].ref, '')),
            Not(Equals(variables['AcmCertificateArn'].ref, 'undefined'))))
    template.add_condition(
        'AliasesSpecified',
        And(Not(Equals(Select(0, variables['Aliases'].ref), '')),
            Not(Equals(Select(0, variables['Aliases'].ref), 'undefined'))))
    template.add_condition(
        'CFLoggingEnabled',
        And(Not(Equals(variables['LogBucketName'].ref, '')),
            Not(Equals(variables['LogBucketName'].ref, 'undefined'))))
    template.add_condition(
        'DirectoryIndexSpecified',
        And(Not(Equals(variables['RewriteDirectoryIndex'].ref, '')),
            Not(Equals(variables['RewriteDirectoryIndex'].ref, 'undefined')))  # noqa
    )
    template.add_condition(
        'WAFNameSpecified',
        And(Not(Equals(variables['WAFWebACL'].ref, '')),
            Not(Equals(variables['WAFWebACL'].ref, 'undefined'))))

    # Resources
    oai = template.add_resource(
        cloudfront.CloudFrontOriginAccessIdentity(
            'OAI',
            CloudFrontOriginAccessIdentityConfig=cloudfront.CloudFrontOriginAccessIdentityConfig(  # noqa pylint: disable=line-too-long
                Comment='CF access to website')))
    bucket = template.add_resource(
        s3.Bucket(
            'Bucket',
            # Objects are reachable only through the OAI policy below.
            AccessControl=s3.Private,
            LifecycleConfiguration=s3.LifecycleConfiguration(Rules=[
                s3.LifecycleRule(NoncurrentVersionExpirationInDays=90,
                                 Status='Enabled')
            ]),
            VersioningConfiguration=s3.VersioningConfiguration(
                Status='Enabled'),
            # NOTE(review): the CloudFront origin below uses the REST
            # endpoint (<bucket>.s3.amazonaws.com), not the website endpoint,
            # so these index/error documents are not what CloudFront
            # consults; the Lambda@Edge rewrite and DefaultRootObject cover
            # the index case instead.
            WebsiteConfiguration=s3.WebsiteConfiguration(
                IndexDocument='index.html',
                ErrorDocument='error.html')))
    template.add_output(
        Output('BucketName',
               Description='Name of website bucket',
               Value=bucket.ref()))
    allowcfaccess = template.add_resource(
        s3.BucketPolicy(
            'AllowCFAccess',
            Bucket=bucket.ref(),
            PolicyDocument=PolicyDocument(
                Version='2012-10-17',
                Statement=[
                    # Read access is granted to the OAI's canonical user only.
                    Statement(
                        Action=[awacs.s3.GetObject],
                        Effect=Allow,
                        Principal=Principal(
                            'CanonicalUser',
                            oai.get_att('S3CanonicalUserId')),
                        Resource=[Join('', [bucket.get_att('Arn'), '/*'])])
                ])))
    # Execution role for the rewrite function; both lambda.amazonaws.com and
    # edgelambda.amazonaws.com must be able to assume it for Lambda@Edge.
    # Only the basic execution (CloudWatch Logs) managed policy is attached.
    cfdirectoryindexrewriterole = template.add_resource(
        iam.Role('CFDirectoryIndexRewriteRole',
                 Condition='DirectoryIndexSpecified',
                 AssumeRolePolicyDocument=PolicyDocument(
                     Version='2012-10-17',
                     Statement=[
                         Statement(Effect=Allow,
                                   Action=[awacs.sts.AssumeRole],
                                   Principal=Principal(
                                       'Service', [
                                           'lambda.amazonaws.com',
                                           'edgelambda.amazonaws.com'
                                       ]))
                     ]),
                 ManagedPolicyArns=[
                     IAM_ARN_PREFIX + 'AWSLambdaBasicExecutionRole'
                 ]))
    # Inline Lambda@Edge handler (origin-request): a URI ending in '/' is
    # rewritten to '/<RewriteDirectoryIndex>' before the origin is contacted.
    # NOTE(review): the RewriteDirectoryIndex value is spliced into JavaScript
    # source unescaped; a value containing a quote, backslash or newline would
    # break or alter the function -- restrict it to a plain file name.
    # NOTE(review): the handler logs every old/new URI to CloudWatch.
    cfdirectoryindexrewrite = template.add_resource(
        awslambda.Function(
            'CFDirectoryIndexRewrite',
            Condition='DirectoryIndexSpecified',
            Code=awslambda.Code(ZipFile=Join(
                '',
                [
                    "'use strict';\n",
                    "exports.handler = (event, context, callback) => {\n",
                    "\n",
                    " // Extract the request from the CloudFront event that is sent to Lambda@Edge\n",  # noqa pylint: disable=line-too-long
                    " var request = event.Records[0].cf.request;\n",
                    " // Extract the URI from the request\n",
                    " var olduri = request.uri;\n",
                    " // Match any '/' that occurs at the end of a URI. Replace it with a default index\n",  # noqa pylint: disable=line-too-long
                    " var newuri = olduri.replace(/\\/$/, '\\/",
                    variables['RewriteDirectoryIndex'].ref,
                    "');\n",  # noqa
                    " // Log the URI as received by CloudFront and the new URI to be used to fetch from origin\n",  # noqa pylint: disable=line-too-long
                    " console.log(\"Old URI: \" + olduri);\n",
                    " console.log(\"New URI: \" + newuri);\n",
                    " // Replace the received URI with the URI that includes the index page\n",  # noqa pylint: disable=line-too-long
                    " request.uri = newuri;\n",
                    " // Return to CloudFront\n",
                    " return callback(null, request);\n",
                    "\n",
                    "};\n"
                ])),
            Description='Rewrites CF directory HTTP requests to default page',  # noqa
            Handler='index.handler',
            Role=cfdirectoryindexrewriterole.get_att('Arn'),
            # NOTE(review): the nodejs8.10 runtime has reached end of support
            # on Lambda; move to a currently supported Node.js runtime.
            Runtime='nodejs8.10'))
    # Generating a unique resource name here for the Lambda version, so it
    # updates automatically if the lambda code changes. md5 is used only as a
    # content fingerprint for the logical name, not for any security purpose.
    code_hash = hashlib.md5(
        str(cfdirectoryindexrewrite.properties['Code'].properties['ZipFile'].to_dict()).encode()  # noqa pylint: disable=line-too-long
    ).hexdigest()
    cfdirectoryindexrewritever = template.add_resource(
        awslambda.Version('CFDirectoryIndexRewriteVer' + code_hash,
                          Condition='DirectoryIndexSpecified',
                          FunctionName=cfdirectoryindexrewrite.ref()))
    cfdistribution = template.add_resource(
        cloudfront.Distribution(
            'CFDistribution',
            # The bucket policy must exist before the distribution first reads.
            DependsOn=allowcfaccess.title,
            DistributionConfig=cloudfront.DistributionConfig(
                Aliases=If('AliasesSpecified', variables['Aliases'].ref, NoValue),
                Origins=[
                    cloudfront.Origin(
                        DomainName=Join('.', [bucket.ref(), 's3.amazonaws.com']),
                        S3OriginConfig=cloudfront.S3Origin(
                            OriginAccessIdentity=Join('', [
                                'origin-access-identity/cloudfront/',
                                oai.ref()
                            ])),
                        Id='S3Origin')
                ],
                DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
                    AllowedMethods=['GET', 'HEAD'],
                    Compress=False,
                    DefaultTTL='86400',
                    ForwardedValues=cloudfront.ForwardedValues(
                        # Cookies are neither forwarded nor part of the cache key.
                        Cookies=cloudfront.Cookies(Forward='none'),
                        QueryString=False,
                    ),
                    LambdaFunctionAssociations=If(
                        'DirectoryIndexSpecified',
                        [
                            cloudfront.LambdaFunctionAssociation(
                                EventType='origin-request',
                                LambdaFunctionARN=cfdirectoryindexrewritever.ref()  # noqa
                            )
                        ],
                        NoValue),
                    TargetOriginId='S3Origin',
                    ViewerProtocolPolicy='redirect-to-https'),
                DefaultRootObject='index.html',
                Logging=If(
                    'CFLoggingEnabled',
                    cloudfront.Logging(Bucket=Join('.', [
                        variables['LogBucketName'].ref, 's3.amazonaws.com'
                    ])),
                    NoValue),
                PriceClass=variables['PriceClass'].ref,
                Enabled=True,
                WebACLId=If('WAFNameSpecified', variables['WAFWebACL'].ref, NoValue),
                # NOTE(review): no MinimumProtocolVersion is set, so a sni-only
                # certificate falls back to the older default floor (TLSv1);
                # consider pinning 'TLSv1.2_2021'.
                ViewerCertificate=If(
                    'AcmCertSpecified',
                    cloudfront.ViewerCertificate(
                        AcmCertificateArn=variables['AcmCertificateArn'].ref,  # noqa
                        SslSupportMethod='sni-only'),
                    NoValue))))
    template.add_output(
        Output('CFDistributionId',
               Description='CloudFront distribution ID',
               Value=cfdistribution.ref()))
    template.add_output(
        Output('CFDistributionDomainName',
               Description='CloudFront distribution domain name',
               Value=cfdistribution.get_att('DomainName')))
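def get_distribution_options(self, bucket,  # type: s3.Bucket
                             oai,  # type: cloudfront.CloudFrontOriginAccessIdentity
                             lambda_funcs,  # type: List[cloudfront.LambdaFunctionAssociation]
                             check_auth_lambda_version,  # type: awslambda.Version
                             http_headers_lambda_version,  # type: awslambda.Version
                             parse_auth_lambda_version,  # type: awslambda.Version
                             refresh_auth_lambda_version,  # type: awslambda.Version
                             sign_out_lambda_version  # type: awslambda.Version
                             ):  # noqa: E124
    # type: (...) -> Dict[str, Any]
    """Retrieve the options for our CloudFront distribution.

    Every cache behavior targets the single ``protected-bucket`` origin,
    which is addressed through the origin access identity ``oai``.  The
    sign-in, token-refresh and sign-out paths each get their own cache
    behavior with one ``viewer-request`` Lambda@Edge association; the
    default behavior gets the check-auth (``viewer-request``) and
    http-headers (``origin-response``) associations appended to a copy of
    ``lambda_funcs``.

    Args:
        bucket: The S3 bucket resource used as the origin.
        oai: The CloudFront origin access identity resource.
        lambda_funcs: Lambda function associations for the default cache
            behavior.  The list is copied, never mutated.
        check_auth_lambda_version: Version run on every viewer request of
            the default behavior.
        http_headers_lambda_version: Version run on every origin response
            of the default behavior.
        parse_auth_lambda_version: Version handling the sign-in redirect path.
        refresh_auth_lambda_version: Version handling the token-refresh path.
        sign_out_lambda_version: Version handling the sign-out path.

    Return:
        dict: The CloudFront Distribution Options, keyed by
        ``DistributionConfig`` property name.
    """
    variables = self.get_variables()
    origin_id = 'protected-bucket'

    def _viewer_request(lambda_version):
        # Association that runs ``lambda_version`` on the viewer request,
        # i.e. before the request is matched against the cache.
        return cloudfront.LambdaFunctionAssociation(
            EventType='viewer-request',
            LambdaFunctionARN=lambda_version.ref()
        )

    def _auth_path_behavior(path_pattern, lambda_version):
        # The three auth paths differ only in path pattern and in the
        # Lambda@Edge function handling the viewer request.  The query
        # string is forwarded -- presumably the auth flow carries its
        # parameters there; confirm against the Lambda code.
        return cloudfront.CacheBehavior(
            PathPattern=path_pattern,
            Compress=True,
            ForwardedValues=cloudfront.ForwardedValues(
                QueryString=True
            ),
            LambdaFunctionAssociations=[_viewer_request(lambda_version)],
            TargetOriginId=origin_id,
            ViewerProtocolPolicy="redirect-to-https"
        )

    # Copy the caller's list: the previous implementation appended to
    # ``lambda_funcs`` in place, so a caller reusing that list (or calling
    # this method twice) accumulated duplicate associations.
    default_cache_behavior_lambdas = list(lambda_funcs)
    default_cache_behavior_lambdas.append(
        _viewer_request(check_auth_lambda_version)
    )
    default_cache_behavior_lambdas.append(
        cloudfront.LambdaFunctionAssociation(
            EventType='origin-response',
            LambdaFunctionARN=http_headers_lambda_version.ref()
        )
    )

    return {
        'Aliases': self.add_aliases(),
        'Origins': [
            cloudfront.Origin(
                DomainName=Join(
                    '.', [bucket.ref(), 's3.amazonaws.com']),
                S3OriginConfig=cloudfront.S3OriginConfig(
                    OriginAccessIdentity=Join(
                        '', ['origin-access-identity/cloudfront/', oai.ref()])
                ),
                Id=origin_id
            )
        ],
        'CacheBehaviors': [
            _auth_path_behavior(variables['RedirectPathSignIn'],
                                parse_auth_lambda_version),
            _auth_path_behavior(variables['RedirectPathAuthRefresh'],
                                refresh_auth_lambda_version),
            _auth_path_behavior(variables['SignOutUrl'],
                                sign_out_lambda_version),
        ],
        'DefaultCacheBehavior': cloudfront.DefaultCacheBehavior(
            AllowedMethods=['GET', 'HEAD'],
            Compress=True,
            DefaultTTL='86400',
            ForwardedValues=cloudfront.ForwardedValues(
                QueryString=True,
            ),
            LambdaFunctionAssociations=default_cache_behavior_lambdas,
            TargetOriginId=origin_id,
            ViewerProtocolPolicy='redirect-to-https'
        ),
        'DefaultRootObject': 'index.html',
        'Logging': self.add_logging_bucket(),
        'PriceClass': variables['PriceClass'],
        'Enabled': True,
        'WebACLId': self.add_web_acl(),
        'CustomErrorResponses': self._get_error_responses(),
        'ViewerCertificate': self.add_acm_cert()
    }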
), Tags=Tags(Name=f"{bucket}-{randomPrefix}"), ) ) if "cloudfront" in bucket: cloudfrontBucket = f"{bucket.lower()}-{randomPrefix}" cloudfront = t.add_resource( cloudfront.Distribution( "Cloudfront", DistributionConfig=cloudfront.DistributionConfig( Origins=[ cloudfront.Origin( Id="1", DomainName=f"{cloudfrontBucket}.s3-ap-southeast-2.amazonaws.com", S3OriginConfig=cloudfront.S3OriginConfig(), ) ], DefaultCacheBehavior=cloudfront.DefaultCacheBehavior( TargetOriginId="1", ForwardedValues=cloudfront.ForwardedValues(QueryString=False), ViewerProtocolPolicy="allow-all", ), Enabled=True, HttpVersion="http2", ), ) ) with open("template.yml", "w") as file:
def get_cloudfront_distribution_options(
    self,
    bucket: s3.Bucket,
    oai: cloudfront.CloudFrontOriginAccessIdentity,
    lambda_function_associations: List[
        cloudfront.LambdaFunctionAssociation],
) -> Dict[str, Any]:
    """Build the ``DistributionConfig`` options for our CloudFront distribution.

    The single origin is the bucket, addressed through the origin access
    identity.  The default cache behavior serves GET/HEAD only, forwards
    neither cookies nor the query string, and redirects plain HTTP viewers
    to HTTPS.

    Args:
        bucket: The bucket resource used as the only origin.
        oai: The origin access identity resource in front of the bucket.
        lambda_function_associations: Lambda@Edge associations attached to
            the default cache behavior, passed through unchanged.

    Return:
        The CloudFront Distribution Options, keyed by property name.
    """
    if os.getenv("AWS_REGION") == "us-east-1":
        # us-east-1 is served by the global endpoint.
        origin_domain = Join(".", [bucket.ref(), "s3.amazonaws.com"])
    else:
        # Elsewhere use the regional endpoint to avoid the "temporary"
        # redirect that can last over an hour:
        # https://forums.aws.amazon.com/message.jspa?messageID=677452
        origin_domain = Join(
            ".", [bucket.ref(), "s3", Region, "amazonaws.com"])

    oai_path = Join("", ["origin-access-identity/cloudfront/", oai.ref()])
    bucket_origin = cloudfront.Origin(
        DomainName=origin_domain,
        S3OriginConfig=cloudfront.S3OriginConfig(
            OriginAccessIdentity=oai_path),
        Id="S3Origin",
    )

    default_behavior = cloudfront.DefaultCacheBehavior(
        AllowedMethods=["GET", "HEAD"],
        Compress=False,
        DefaultTTL="86400",
        ForwardedValues=cloudfront.ForwardedValues(
            Cookies=cloudfront.Cookies(Forward="none"),
            QueryString=False),
        LambdaFunctionAssociations=lambda_function_associations,
        TargetOriginId="S3Origin",
        ViewerProtocolPolicy="redirect-to-https",
    )

    # One CustomErrorResponse per configured entry; each entry is expected
    # to carry ErrorCode, ResponseCode and ResponsePagePath.
    error_responses = []
    for entry in self.variables["custom_error_responses"]:
        error_responses.append(
            cloudfront.CustomErrorResponse(
                ErrorCode=entry["ErrorCode"],
                ResponseCode=entry["ResponseCode"],
                ResponsePagePath=entry["ResponsePagePath"],
            )
        )

    options = {
        "Aliases": self.add_aliases(),
        "Origins": [bucket_origin],
        "DefaultCacheBehavior": default_behavior,
        "DefaultRootObject": "index.html",
        "Logging": self.add_logging_bucket(),
        "PriceClass": self.variables["PriceClass"],
        "CustomErrorResponses": error_responses,
        "Enabled": True,
        "WebACLId": self.add_web_acl(),
        "ViewerCertificate": self.add_acm_cert(),
    }
    return options
), TargetOriginId=Sub( '${domain}${path}', **{ 'domain': Ref(static_domain), 'path': Ref(static_path) }), ViewerProtocolPolicy='redirect-to-https', ), Enabled=True, Origins=[ cloudfront.Origin( Id=Sub( '${domain}${path}', **{ 'domain': Ref(static_domain), 'path': Ref(static_path) }), DomainName=Ref(static_domain), OriginPath=Ref(static_path), CustomOriginConfig=cloudfront.CustomOrigin( OriginProtocolPolicy='https-only'), ), cloudfront.Origin( Id=Sub( '${domain}${path}', **{ 'domain': Ref(media_domain), 'path': Ref(media_path) }), DomainName=Ref(media_domain), OriginPath=Ref(media_path), CustomOriginConfig=cloudfront.CustomOrigin( OriginProtocolPolicy='https-only'),
def render_cloudfront(context, template, origin_hostname):
    """Add the CloudFront distribution and its DNS records to ``template``.

    ``context['cloudfront']`` drives everything: the configured origins (or,
    when there are none, ``origin_hostname`` as the single origin), the
    CNAMEs, the cookie and header whitelist forwarded to the origin, the
    optional error-page origin and the optional access-log bucket.  Every
    origin is contacted over HTTPS only.  The default behavior redirects
    viewers to HTTPS, while the per-path behaviors accept plain HTTP.
    """
    cf = context['cloudfront']

    if not cf['origins']:
        # With no explicit origins the stack's own public hostname becomes
        # the origin, so it has to exist.
        ensure(
            context['full_hostname'],
            "A public hostname is required to be pointed at by the Cloudfront CDN"
        )

    def _cookie_policy(names):
        # Forward only the listed cookies; with none listed, forward nothing.
        if names:
            return cloudfront.Cookies(Forward='whitelist',
                                      WhitelistedNames=names)
        return cloudfront.Cookies(Forward='none')

    def _https_origin(origin_id, hostname):
        # Every origin is reached over HTTPS on 443.
        return cloudfront.Origin(
            DomainName=hostname,
            Id=origin_id,
            CustomOriginConfig=cloudfront.CustomOrigin(
                HTTPSPort=443, OriginProtocolPolicy='https-only'))

    def _path_behavior(origin_id, pattern, headers=None, cookies=None):
        # NOTE(review): path behaviors use 'allow-all', so these paths stay
        # reachable over plain HTTP although the default behavior redirects
        # to HTTPS -- confirm this is intended.
        return cloudfront.CacheBehavior(
            TargetOriginId=origin_id,
            DefaultTTL=cf['default-ttl'],
            ForwardedValues=cloudfront.ForwardedValues(
                Cookies=_cookie_policy(cookies),
                QueryString=False,
                Headers=headers or []),
            PathPattern=pattern,
            ViewerProtocolPolicy='allow-all',
        )

    if cf['origins']:
        origins = [
            _https_origin(origin_id, spec['hostname'])
            for origin_id, spec in cf['origins'].items()
        ]
        default_origin_id = origins[0].Id
    else:
        default_origin_id = CLOUDFRONT_TITLE + 'Origin'
        origins = [_https_origin(default_origin_id, origin_hostname)]

    props = {
        'Aliases': cf['subdomains'] + cf['subdomains-without-dns'],
        'CacheBehaviors': [],
        'DefaultCacheBehavior': cloudfront.DefaultCacheBehavior(
            AllowedMethods=[
                'DELETE', 'GET', 'HEAD', 'OPTIONS', 'PATCH', 'POST', 'PUT'
            ],
            CachedMethods=['GET', 'HEAD'],
            Compress=cf['compress'],
            DefaultTTL=cf['default-ttl'],
            TargetOriginId=default_origin_id,
            ForwardedValues=cloudfront.ForwardedValues(
                Cookies=_cookie_policy(cf['cookies']),
                Headers=cf['headers'],  # the 'whitelisted' headers
                QueryString=True),
            ViewerProtocolPolicy='redirect-to-https',
        ),
        'Enabled': True,
        'HttpVersion': 'http2',
        'Origins': origins,
        'ViewerCertificate': cloudfront.ViewerCertificate(
            IamCertificateId=cf['certificate_id'],
            SslSupportMethod='sni-only')
    }

    errors = cf['errors']
    if errors:
        # Error pages come from their own origin; the protocol follows the
        # configured value rather than being forced to HTTPS.
        error_protocol = (
            'https-only' if errors['protocol'] == 'https' else 'http-only')
        props['Origins'].append(
            cloudfront.Origin(
                DomainName=errors['domain'],  # TODO: constant
                Id=CLOUDFRONT_ERROR_ORIGIN_ID,
                # no advantage in using cloudfront.S3Origin for public buckets
                CustomOriginConfig=cloudfront.CustomOrigin(
                    HTTPSPort=443,
                    OriginProtocolPolicy=error_protocol)))
        props['CacheBehaviors'].append(
            _path_behavior(CLOUDFRONT_ERROR_ORIGIN_ID, errors['pattern']))
        props['CustomErrorResponses'] = [
            cloudfront.CustomErrorResponse(ErrorCode=status,
                                           ResponseCode=status,
                                           ResponsePagePath=page)
            for status, page in errors['codes'].items()
        ]

    logging_cfg = cf['logging']
    if logging_cfg:
        props['Logging'] = cloudfront.Logging(
            Bucket="%s.s3.amazonaws.com" % logging_cfg['bucket'],
            Prefix="%s/" % context['stackname'])

    if cf['origins']:
        # Only origins with a path pattern get a behavior of their own.
        for origin_id, spec in cf['origins'].items():
            if not spec['pattern']:
                continue
            props['CacheBehaviors'].append(
                _path_behavior(origin_id, spec['pattern'],
                               headers=spec['headers'],
                               cookies=spec['cookies']))

    distribution = cloudfront.Distribution(
        CLOUDFRONT_TITLE,
        DistributionConfig=cloudfront.DistributionConfig(**props))
    template.add_resource(distribution)

    for record in external_dns_cloudfront(context):
        template.add_resource(record)
DistributionConfig=cloudfront.DistributionConfig( Comment="Example distribution for restricted access", Aliases=[ Join('.', [Ref(param_label), Ref(param_hosted_zone_name)]) ], Enabled=True, IPV6Enabled=True, HttpVersion='http2', PriceClass='PriceClass_100', Origins=[ cloudfront.Origin( # Your usual config goes here Id="RealOrigin", DomainName="ifconfig.io", CustomOriginConfig=cloudfront.CustomOrigin( HTTPPort=80, HTTPSPort=443, OriginProtocolPolicy='https-only', OriginSSLProtocols=['TLSv1.2', 'TLSv1.1', 'TLSv1']), ), cloudfront.Origin( # You need to add this origin Id="Authorizer", DomainName=ImportValue( Sub('${' + authorizer_stack.title + '}-domain-name')), CustomOriginConfig=cloudfront.CustomOrigin( HTTPPort=80, HTTPSPort=443, OriginProtocolPolicy='https-only', OriginSSLProtocols=['TLSv1.2', 'TLSv1.1', 'TLSv1']), ),