def _get_error_responses(self):
"""Return error response based on site stack variables.
When custom_error_responses are defined return those, if running
in NonSPAMode return nothing, or return the standard error responses
for a SPA.
"""
variables = self.get_variables()
if variables['custom_error_responses']:
return [
cloudfront.CustomErrorResponse(
ErrorCode=response['ErrorCode'],
ResponseCode=response['ResponseCode'],
ResponsePagePath=response['ResponsePagePath']
) for response in variables['custom_error_responses']
]
if variables['NonSPAMode']:
return []
return [
cloudfront.CustomErrorResponse(
ErrorCode=404,
ResponseCode=200,
ResponsePagePath='/index.html'
)
]
def _get_error_responses(self) -> List[cloudfront.CustomErrorResponse]:
"""Return error response based on site stack variables.
When custom_error_responses are defined return those, if running
in NonSPAMode return nothing, or return the standard error responses
for a SPA.
"""
if self.variables["custom_error_responses"]:
return [
cloudfront.CustomErrorResponse(
ErrorCode=response["ErrorCode"],
ResponseCode=response["ResponseCode"],
ResponsePagePath=response["ResponsePagePath"],
) for response in self.variables["custom_error_responses"]
]
if self.variables["NonSPAMode"]:
return []
return [
cloudfront.CustomErrorResponse(ErrorCode=404,
ResponseCode=200,
ResponsePagePath="/index.html")
]
def add_errors(self, **kwargs):
err = cloudfront.CustomErrorResponse()
err.ErrorCachingMinTTL = kwargs.get('ttl', 300)
if kwargs.get('ErrorCode'):
err.ErrorCode = kwargs.get('ErrorCode')
if kwargs.get('ResponseCode'):
err.ResponseCode = kwargs.get('ResponseCode')
if kwargs.get('ResponsePagePath'):
err.ResponsePagePath = kwargs.get('ResponsePagePath')
self.errors.append(err)
def render_cloudfront(context, template, origin_hostname):
if not context['cloudfront']['origins']:
ensure(
context['full_hostname'],
"A public hostname is required to be pointed at by the Cloudfront CDN"
)
allowed_cnames = context['cloudfront']['subdomains'] + context[
'cloudfront']['subdomains-without-dns']
def _cookies(cookies):
if cookies:
return cloudfront.Cookies(Forward='whitelist',
WhitelistedNames=cookies)
return cloudfront.Cookies(Forward='none')
if context['cloudfront']['origins']:
origins = [
cloudfront.Origin(DomainName=o['hostname'],
Id=o_id,
CustomOriginConfig=cloudfront.CustomOrigin(
HTTPSPort=443,
OriginProtocolPolicy='https-only'))
for o_id, o in context['cloudfront']['origins'].items()
]
origin = origins[0].Id
else:
origin = CLOUDFRONT_TITLE + 'Origin'
origins = [
cloudfront.Origin(DomainName=origin_hostname,
Id=origin,
CustomOriginConfig=cloudfront.CustomOrigin(
HTTPSPort=443,
OriginProtocolPolicy='https-only'))
]
props = {
'Aliases':
allowed_cnames,
'CacheBehaviors': [],
'DefaultCacheBehavior':
cloudfront.DefaultCacheBehavior(
AllowedMethods=[
'DELETE', 'GET', 'HEAD', 'OPTIONS', 'PATCH', 'POST', 'PUT'
],
CachedMethods=['GET', 'HEAD'],
Compress=context['cloudfront']['compress'],
DefaultTTL=context['cloudfront']['default-ttl'],
TargetOriginId=origin,
ForwardedValues=cloudfront.ForwardedValues(
Cookies=_cookies(context['cloudfront']['cookies']),
Headers=context['cloudfront']
['headers'], # 'whitelisted' headers
QueryString=True),
ViewerProtocolPolicy='redirect-to-https',
),
'Enabled':
True,
'HttpVersion':
'http2',
'Origins':
origins,
'ViewerCertificate':
cloudfront.ViewerCertificate(
IamCertificateId=context['cloudfront']['certificate_id'],
SslSupportMethod='sni-only')
}
def _cache_behavior(origin_id, pattern, headers=None, cookies=None):
return cloudfront.CacheBehavior(
TargetOriginId=origin_id,
DefaultTTL=context['cloudfront']['default-ttl'],
ForwardedValues=cloudfront.ForwardedValues(
Cookies=_cookies(cookies),
QueryString=False,
Headers=headers if headers else []),
PathPattern=pattern,
ViewerProtocolPolicy='allow-all',
)
if context['cloudfront']['errors']:
props['Origins'].append(
cloudfront.Origin(
DomainName=context['cloudfront']['errors']['domain'],
# TODO: constant
Id=CLOUDFRONT_ERROR_ORIGIN_ID,
# no advantage in using cloudfront.S3Origin for public buckets
CustomOriginConfig=cloudfront.CustomOrigin(
HTTPSPort=443,
OriginProtocolPolicy='https-only'
if context['cloudfront']['errors']['protocol'] == 'https'
else 'http-only')))
props['CacheBehaviors'].append(
_cache_behavior(
CLOUDFRONT_ERROR_ORIGIN_ID,
context['cloudfront']['errors']['pattern'],
))
props['CustomErrorResponses'] = [
cloudfront.CustomErrorResponse(ErrorCode=code,
ResponseCode=code,
ResponsePagePath=page)
for code, page in context['cloudfront']['errors']['codes'].items()
]
if context['cloudfront']['logging']:
props['Logging'] = cloudfront.Logging(
Bucket="%s.s3.amazonaws.com" %
context['cloudfront']['logging']['bucket'],
Prefix="%s/" % context['stackname'])
if context['cloudfront']['origins']:
props['CacheBehaviors'].extend([
_cache_behavior(o_id,
o['pattern'],
headers=o['headers'],
cookies=o['cookies'])
for o_id, o in context['cloudfront']['origins'].items()
if o['pattern']
])
template.add_resource(
cloudfront.Distribution(
CLOUDFRONT_TITLE,
DistributionConfig=cloudfront.DistributionConfig(**props)))
for dns in external_dns_cloudfront(context):
template.add_resource(dns)
def get_cloudfront_distribution_options(
self,
bucket: s3.Bucket,
oai: cloudfront.CloudFrontOriginAccessIdentity,
lambda_function_associations: List[
cloudfront.LambdaFunctionAssociation],
) -> Dict[str, Any]:
"""Retrieve the options for our CloudFront distribution.
Args:
bucket: The bucket resource
oai: The origin access identity resource.
lambda_function_associations: List of Lambda Function associations.
Return:
The CloudFront Distribution Options.
"""
if os.getenv("AWS_REGION") == "us-east-1":
# use global endpoint for us-east-1
origin = Join(".", [bucket.ref(), "s3.amazonaws.com"])
else:
# use reginal endpoint to avoid "temporary" redirect that can last over an hour
# https://forums.aws.amazon.com/message.jspa?messageID=677452
origin = Join(".", [bucket.ref(), "s3", Region, "amazonaws.com"])
return {
"Aliases":
self.add_aliases(),
"Origins": [
cloudfront.Origin(
DomainName=origin,
S3OriginConfig=cloudfront.
S3OriginConfig(OriginAccessIdentity=Join(
"", ["origin-access-identity/cloudfront/",
oai.ref()])),
Id="S3Origin",
)
],
"DefaultCacheBehavior":
cloudfront.DefaultCacheBehavior(
AllowedMethods=["GET", "HEAD"],
Compress=False,
DefaultTTL="86400",
ForwardedValues=cloudfront.ForwardedValues(
Cookies=cloudfront.Cookies(Forward="none"),
QueryString=False),
LambdaFunctionAssociations=lambda_function_associations,
TargetOriginId="S3Origin",
ViewerProtocolPolicy="redirect-to-https",
),
"DefaultRootObject":
"index.html",
"Logging":
self.add_logging_bucket(),
"PriceClass":
self.variables["PriceClass"],
"CustomErrorResponses": [
cloudfront.CustomErrorResponse(
ErrorCode=response["ErrorCode"],
ResponseCode=response["ResponseCode"],
ResponsePagePath=response["ResponsePagePath"],
) for response in self.variables["custom_error_responses"]
],
"Enabled":
True,
"WebACLId":
self.add_web_acl(),
"ViewerCertificate":
self.add_acm_cert(),
}
def get_cloudfront_distribution_options(
self, # type: StaticSite
bucket, # type: s3.Bucket
oai, # type: cloudfront.CloudFrontOriginAccessIdentity # noqa pylint: disable=line-too-long
lambda_function_associations # type: List[cloudfront.LambdaFunctionAssociation] # noqa pylint: disable=line-too-long
# TODO remove after dropping python 2
): # pylint: disable=bad-continuation
# type: (...) -> Dict[str, Any]
"""Retrieve the options for our CloudFront distribution.
Keyword Args:
bucket (dict): The bucket resource
oai (dict): The origin access identity resource
lambda_function_associations (array): The lambda function association array
Return:
dict: The CloudFront Distribution Options
"""
variables = self.get_variables()
return {
'Aliases':
self.add_aliases(),
'Origins': [
cloudfront.Origin(
DomainName=Join('.', [bucket.ref(), 's3.amazonaws.com']),
S3OriginConfig=cloudfront.
S3OriginConfig(OriginAccessIdentity=Join(
'', ['origin-access-identity/cloudfront/',
oai.ref()])),
Id='S3Origin')
],
'DefaultCacheBehavior':
cloudfront.DefaultCacheBehavior(
AllowedMethods=['GET', 'HEAD'],
Compress=False,
DefaultTTL='86400',
ForwardedValues=cloudfront.ForwardedValues(
Cookies=cloudfront.Cookies(Forward='none'),
QueryString=False,
),
LambdaFunctionAssociations=lambda_function_associations,
TargetOriginId='S3Origin',
ViewerProtocolPolicy='redirect-to-https'),
'DefaultRootObject':
'index.html',
'Logging':
self.add_logging_bucket(),
'PriceClass':
variables['PriceClass'],
'CustomErrorResponses': [
cloudfront.CustomErrorResponse(
ErrorCode=response['ErrorCode'],
ResponseCode=response['ResponseCode'],
ResponsePagePath=response['ResponsePagePath'])
for response in variables['custom_error_responses']
],
'Enabled':
True,
'WebACLId':
self.add_web_acl(),
'ViewerCertificate':
self.add_acm_cert()
}
CacheBehaviors=[
cloudfront.CacheBehavior(
AllowedMethods=['HEAD', 'GET'],
CachedMethods=['HEAD', 'GET'],
ForwardedValues=cloudfront.ForwardedValues(
QueryString=False
),
PathPattern='*',
TargetOriginId=Join('-', ['S3', Ref(frontend_bucket)]),
ViewerProtocolPolicy='redirect-to-https'
)
],
CustomErrorResponses=[
cloudfront.CustomErrorResponse(
ErrorCode=404,
ResponseCode=200,
ResponsePagePath='/index.html'
)
],
DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
ForwardedValues=cloudfront.ForwardedValues(
QueryString=False
),
TargetOriginId=Join('-', ['S3', Ref(frontend_bucket)]),
ViewerProtocolPolicy='redirect-to-https'
),
DefaultRootObject='index.html',
Enabled=True,
IPV6Enabled=True,
Origins=[
cloudfront.Origin(
CachedMethods=['GET', 'HEAD'],
ViewerProtocolPolicy='redirect-to-https',
TargetOriginId='{}-{}-{}'.format(env_l, app_group_l,
src_domain),
ForwardedValues=cf.ForwardedValues(
Headers=["Accept-Encoding"],
QueryString=True,
),
MinTTL=0,
MaxTTL=int(max_ttl[0]),
DefaultTTL=int(default_ttl[0]),
SmoothStreaming=False,
Compress=True),
CustomErrorResponses=[
cf.CustomErrorResponse(
ErrorCachingMinTTL='0',
ErrorCode='403',
),
cf.CustomErrorResponse(
ErrorCachingMinTTL='0',
ErrorCode='404',
),
cf.CustomErrorResponse(
ErrorCachingMinTTL='0',
ErrorCode='500',
),
cf.CustomErrorResponse(
ErrorCachingMinTTL='0',
ErrorCode='501',
),
cf.CustomErrorResponse(
ErrorCachingMinTTL='0',
def get_cloudfront_distribution_options(
self,
bucket, # type: s3.Bucket
oai, # type: cloudfront.CloudFrontOriginAccessIdentity
lambda_function_associations, # type: List[cloudfront.LambdaFunctionAssociation]
):
# type: (...) -> Dict[str, Any]
"""Retrieve the options for our CloudFront distribution.
Args:
bucket: The bucket resource
oai: The origin access identity resource.
lambda_function_associations: List of Lambda Function associations.
Return:
The CloudFront Distribution Options.
"""
variables = self.get_variables()
return {
"Aliases":
self.add_aliases(),
"Origins": [
cloudfront.Origin(
DomainName=Join(".", [bucket.ref(), "s3.amazonaws.com"]),
S3OriginConfig=cloudfront.
S3OriginConfig(OriginAccessIdentity=Join(
"", ["origin-access-identity/cloudfront/",
oai.ref()])),
Id="S3Origin",
)
],
"DefaultCacheBehavior":
cloudfront.DefaultCacheBehavior(
AllowedMethods=["GET", "HEAD"],
Compress=False,
DefaultTTL="86400",
ForwardedValues=cloudfront.ForwardedValues(
Cookies=cloudfront.Cookies(Forward="none"),
QueryString=False,
),
LambdaFunctionAssociations=lambda_function_associations,
TargetOriginId="S3Origin",
ViewerProtocolPolicy="redirect-to-https",
),
"DefaultRootObject":
"index.html",
"Logging":
self.add_logging_bucket(),
"PriceClass":
variables["PriceClass"],
"CustomErrorResponses": [
cloudfront.CustomErrorResponse(
ErrorCode=response["ErrorCode"],
ResponseCode=response["ResponseCode"],
ResponsePagePath=response["ResponsePagePath"],
) for response in variables["custom_error_responses"]
],
"Enabled":
True,
"WebACLId":
self.add_web_acl(),
"ViewerCertificate":
self.add_acm_cert(),
}
def create_template(self):
"""Create template (main function called by Stacker)."""
template = self.template
variables = self.get_variables()
template.set_version('2010-09-09')
template.set_description('Static Website - Bucket and Distribution')
# Conditions
template.add_condition(
'AcmCertSpecified',
And(Not(Equals(variables['AcmCertificateArn'].ref, '')),
Not(Equals(variables['AcmCertificateArn'].ref, 'undefined')))
)
template.add_condition(
'AliasesSpecified',
And(Not(Equals(Select(0, variables['Aliases'].ref), '')),
Not(Equals(Select(0, variables['Aliases'].ref), 'undefined')))
)
template.add_condition(
'CFLoggingEnabled',
And(Not(Equals(variables['LogBucketName'].ref, '')),
Not(Equals(variables['LogBucketName'].ref, 'undefined')))
)
template.add_condition(
'DirectoryIndexSpecified',
And(Not(Equals(variables['RewriteDirectoryIndex'].ref, '')),
Not(Equals(variables['RewriteDirectoryIndex'].ref, 'undefined'))) # noqa
)
template.add_condition(
'WAFNameSpecified',
And(Not(Equals(variables['WAFWebACL'].ref, '')),
Not(Equals(variables['WAFWebACL'].ref, 'undefined')))
)
# Resources
oai = template.add_resource(
cloudfront.CloudFrontOriginAccessIdentity(
'OAI',
CloudFrontOriginAccessIdentityConfig=cloudfront.CloudFrontOriginAccessIdentityConfig( # noqa pylint: disable=line-too-long
Comment='CF access to website'
)
)
)
bucket = template.add_resource(
s3.Bucket(
'Bucket',
AccessControl=s3.Private,
LifecycleConfiguration=s3.LifecycleConfiguration(
Rules=[
s3.LifecycleRule(
NoncurrentVersionExpirationInDays=90,
Status='Enabled'
)
]
),
VersioningConfiguration=s3.VersioningConfiguration(
Status='Enabled'
),
WebsiteConfiguration=s3.WebsiteConfiguration(
IndexDocument='index.html',
ErrorDocument='error.html'
)
)
)
template.add_output(Output(
'BucketName',
Description='Name of website bucket',
Value=bucket.ref()
))
allowcfaccess = template.add_resource(
s3.BucketPolicy(
'AllowCFAccess',
Bucket=bucket.ref(),
PolicyDocument=PolicyDocument(
Version='2012-10-17',
Statement=[
Statement(
Action=[awacs.s3.GetObject],
Effect=Allow,
Principal=Principal(
'CanonicalUser',
oai.get_att('S3CanonicalUserId')
),
Resource=[
Join('', [bucket.get_att('Arn'),
'/*'])
]
)
]
)
)
)
cfdirectoryindexrewriterole = template.add_resource(
iam.Role(
'CFDirectoryIndexRewriteRole',
Condition='DirectoryIndexSpecified',
AssumeRolePolicyDocument=PolicyDocument(
Version='2012-10-17',
Statement=[
Statement(
Effect=Allow,
Action=[awacs.sts.AssumeRole],
Principal=Principal('Service',
['lambda.amazonaws.com',
'edgelambda.amazonaws.com'])
)
]
),
ManagedPolicyArns=[
IAM_ARN_PREFIX + 'AWSLambdaBasicExecutionRole'
]
)
)
cfdirectoryindexrewrite = template.add_resource(
awslambda.Function(
'CFDirectoryIndexRewrite',
Condition='DirectoryIndexSpecified',
Code=awslambda.Code(
ZipFile=Join(
'',
["'use strict';\n",
"exports.handler = (event, context, callback) => {\n",
"\n",
" // Extract the request from the CloudFront event that is sent to Lambda@Edge\n", # noqa pylint: disable=line-too-long
" var request = event.Records[0].cf.request;\n",
" // Extract the URI from the request\n",
" var olduri = request.uri;\n",
" // Match any '/' that occurs at the end of a URI. Replace it with a default index\n", # noqa pylint: disable=line-too-long
" var newuri = olduri.replace(/\\/$/, '\\/",
variables['RewriteDirectoryIndex'].ref,
"');\n", # noqa
" // Log the URI as received by CloudFront and the new URI to be used to fetch from origin\n", # noqa pylint: disable=line-too-long
" console.log(\"Old URI: \" + olduri);\n",
" console.log(\"New URI: \" + newuri);\n",
" // Replace the received URI with the URI that includes the index page\n", # noqa pylint: disable=line-too-long
" request.uri = newuri;\n",
" // Return to CloudFront\n",
" return callback(null, request);\n",
"\n",
"};\n"]
)
),
Description='Rewrites CF directory HTTP requests to default page', # noqa
Handler='index.handler',
Role=cfdirectoryindexrewriterole.get_att('Arn'),
Runtime='nodejs8.10'
)
)
# Generating a unique resource name here for the Lambda version, so it
# updates automatically if the lambda code changes
code_hash = hashlib.md5(
str(cfdirectoryindexrewrite.properties['Code'].properties['ZipFile'].to_dict()).encode() # noqa pylint: disable=line-too-long
).hexdigest()
cfdirectoryindexrewritever = template.add_resource(
awslambda.Version(
'CFDirectoryIndexRewriteVer' + code_hash,
Condition='DirectoryIndexSpecified',
FunctionName=cfdirectoryindexrewrite.ref()
)
)
# If custom associations defined, use them
if variables['lambda_function_associations']:
lambda_function_associations = [
cloudfront.LambdaFunctionAssociation(
EventType=x['type'],
LambdaFunctionARN=x['arn']
) for x in variables['lambda_function_associations']
]
else: # otherwise fallback to pure CFN condition
lambda_function_associations = If(
'DirectoryIndexSpecified',
[cloudfront.LambdaFunctionAssociation(
EventType='origin-request',
LambdaFunctionARN=cfdirectoryindexrewritever.ref()
)],
NoValue
)
cf_dist_opts = {
'Aliases': If(
'AliasesSpecified',
variables['Aliases'].ref,
NoValue
),
'Origins': [
get_cf_origin_class()(
DomainName=Join(
'.',
[bucket.ref(),
's3.amazonaws.com']),
S3OriginConfig=get_s3_origin_conf_class()(
OriginAccessIdentity=Join(
'',
['origin-access-identity/cloudfront/',
oai.ref()])
),
Id='S3Origin'
)
],
'DefaultCacheBehavior': cloudfront.DefaultCacheBehavior(
AllowedMethods=['GET', 'HEAD'],
Compress=False,
DefaultTTL='86400',
ForwardedValues=cloudfront.ForwardedValues(
Cookies=cloudfront.Cookies(Forward='none'),
QueryString=False,
),
LambdaFunctionAssociations=lambda_function_associations,
TargetOriginId='S3Origin',
ViewerProtocolPolicy='redirect-to-https'
),
'DefaultRootObject': 'index.html',
'Logging': If(
'CFLoggingEnabled',
cloudfront.Logging(
Bucket=Join('.',
[variables['LogBucketName'].ref,
's3.amazonaws.com'])
),
NoValue
),
'PriceClass': variables['PriceClass'].ref,
'Enabled': True,
'WebACLId': If(
'WAFNameSpecified',
variables['WAFWebACL'].ref,
NoValue
),
'ViewerCertificate': If(
'AcmCertSpecified',
cloudfront.ViewerCertificate(
AcmCertificateArn=variables['AcmCertificateArn'].ref,
SslSupportMethod='sni-only'
),
NoValue
)
}
# If custom error responses defined, use them
if variables['custom_error_responses']:
cf_dist_opts['CustomErrorResponses'] = [
cloudfront.CustomErrorResponse(
**x
) for x in variables['custom_error_responses']
]
cfdistribution = template.add_resource(
get_cf_distribution_class()(
'CFDistribution',
DependsOn=allowcfaccess.title,
DistributionConfig=get_cf_distro_conf_class()(
**cf_dist_opts
)
)
)
template.add_output(Output(
'CFDistributionId',
Description='CloudFront distribution ID',
Value=cfdistribution.ref()
))
template.add_output(
Output(
'CFDistributionDomainName',
Description='CloudFront distribution domain name',
Value=cfdistribution.get_att('DomainName')
)
)