 def create_distribution(self):
     """Add a CloudFront distribution fronting ``BUCKET`` and export its URL.

     The distribution has one S3 origin declared as a bare ``cf.S3Origin()``
     (no origin access identity, so read access has to be granted on the
     bucket side) and a default behavior with
     ``ViewerProtocolPolicy='allow-all'``, i.e. viewers may connect over
     plain HTTP even though the ``DomainName`` output is rendered with an
     ``https://`` prefix.  ``Enabled`` is taken from the ``Enabled`` template
     parameter.
     """
     template = self.template

     bucket_origin = cf.Origin(
         Id='1',
         DomainName=GetAtt(BUCKET, 'DomainName'),
         S3OriginConfig=cf.S3Origin(),
     )
     default_behavior = cf.DefaultCacheBehavior(
         TargetOriginId='1',
         ForwardedValues=cf.ForwardedValues(QueryString=False),
         ViewerProtocolPolicy='allow-all',
     )
     template.add_resource(
         cf.Distribution(
             DISTRIBUTION,
             DistributionConfig=cf.DistributionConfig(
                 Enabled=Ref('Enabled'),
                 Origins=[bucket_origin],
                 DefaultCacheBehavior=default_behavior,
             ),
         )
     )

     # The exported URL is always built with https:// regardless of the
     # allow-all viewer policy above.
     template.add_output(
         Output(
             'DomainName',
             Value=Join('', ['https://', GetAtt(DISTRIBUTION, 'DomainName')]),
         )
     )
    def create_distribution(self):
        """Add the ``Distribution`` resource for ``origin_bucket_url`` and export it.

        The single origin is a custom origin reached over ``http-only``, so
        the CloudFront-to-origin hop is plaintext while viewers themselves
        are redirected to HTTPS.  A ``ViewerCertificate`` is attached only
        when ``self.certificate_arn`` is set (``NoValue`` otherwise); no
        ``MinimumProtocolVersion`` is specified, so the service default
        applies.  Exports ``DistributionId`` and ``DomainName`` and stores the
        resource on ``self.distribution``.
        """
        template = self.template

        website_origin = cloudfront.Origin(
            Id="s3",
            DomainName=self.origin_bucket_url,
            CustomOriginConfig=cloudfront.CustomOrigin(
                HTTPPort=80,
                HTTPSPort=443,
                OriginProtocolPolicy="http-only",
            ),
        )

        forwarded = cloudfront.ForwardedValues(
            QueryString=True,
            Cookies=cloudfront.Cookies(Forward="none"),
        )
        behavior = cloudfront.DefaultCacheBehavior(
            TargetOriginId="s3",
            AllowedMethods=["GET", "HEAD"],
            CachedMethods=["GET", "HEAD"],
            ViewerProtocolPolicy="redirect-to-https",
            ForwardedValues=forwarded,
            MinTTL=0,
            DefaultTTL=86400,
            MaxTTL=31536000,
            SmoothStreaming=False,
        )

        if self.certificate_arn:
            certificate = cloudfront.ViewerCertificate(
                AcmCertificateArn=self.certificate_arn,
                SslSupportMethod="sni-only",
            )
        else:
            certificate = NoValue

        distribution_config = cloudfront.DistributionConfig(
            Enabled=True,
            Comment="%s" % self.origin_bucket_url,
            Aliases=self.aliases,
            PriceClass="PriceClass_All",
            Origins=[website_origin],
            DefaultCacheBehavior=behavior,
            ViewerCertificate=certificate,
        )

        self.distribution = template.add_resource(
            cloudfront.Distribution(
                "Distribution",
                DistributionConfig=distribution_config,
            )
        )

        self.add_output("DistributionId", self.distribution.Ref())
        self.add_output("DomainName", self.distribution.GetAtt("DomainName"))
    def add_origins(self, title, cf_origins_config):
        """
        Create Cloudfront Origin objects and append to list of origins
        :param title: Title of this Cloudfront Distribution
        :param cf_origins_config: List of CFOrigins

        Each origin is titled ``<title>Origin<index>``.  Custom headers whose
        value is ``None`` are skipped.  S3 origins get an
        ``OriginAccessIdentity`` only when one is configured (without it the
        bucket has to be readable without CloudFront's identity).  Custom
        origins have their ``DomainName`` rewritten through
        ``get_custom_reference`` and copy only the port/protocol settings
        that are set on the CFOrigin.
        """
        for index, cfg in enumerate(cf_origins_config):
            new_origin = cloudfront.Origin(
                '{0}Origin{1}'.format(title, index),
                DomainName=cfg.domain_name,
                Id=cfg.origin_id,
            )

            if cfg.origin_path:
                new_origin.OriginPath = cfg.origin_path
            if cfg.custom_headers:
                new_origin.OriginCustomHeaders = [
                    cloudfront.OriginCustomHeader(HeaderName=name,
                                                  HeaderValue=value)
                    for name, value in cfg.custom_headers.items()
                    if value is not None
                ]

            if cfg.origin_policy['is_s3']:
                s3_config = cloudfront.S3Origin()
                if cfg.origin_access_identity:
                    s3_config.OriginAccessIdentity = cfg.origin_access_identity
                new_origin.S3OriginConfig = s3_config
            else:
                new_origin.DomainName = self.get_custom_reference(
                    cfg.domain_name)

                custom_config = cloudfront.CustomOrigin()
                # Only properties the CFOrigin actually carries are copied.
                optional_props = (
                    ('HTTPPort', cfg.http_port),
                    ('HTTPSPort', cfg.https_port),
                    ('OriginProtocolPolicy', cfg.origin_protocol_policy),
                    ('OriginSSLProtocols', cfg.origin_ssl_protocols),
                )
                for prop_name, prop_value in optional_props:
                    if prop_value:
                        setattr(custom_config, prop_name, prop_value)
                new_origin.CustomOriginConfig = custom_config

            self.origins.append(new_origin)
    def create_cloudfront_distributions(self):
        """Add the blue and green tile-cache distributions and return both.

        The two distributions are configured identically and differ only by
        logical id: one custom origin at ``tile-cache.<public hosted zone>``
        reached over ``http-only`` (the CloudFront-to-origin hop is
        plaintext) and a default behavior with
        ``ViewerProtocolPolicy='allow-all'``, so viewers may also use plain
        HTTP.  Query strings are forwarded to the origin.

        :return: ``(blue_distribution, green_distribution)``
        """
        origin_id = 'tileOriginId'

        def tile_distribution(title):
            # Build one tile distribution; blue and green share this shape.
            origin = cf.Origin(
                Id=origin_id,
                DomainName=Join('.', [
                    'tile-cache',
                    Ref(self.public_hosted_zone_name)
                ]),
                CustomOriginConfig=cf.CustomOrigin(
                    OriginProtocolPolicy='http-only'))
            behavior = cf.DefaultCacheBehavior(
                TargetOriginId=origin_id,
                ForwardedValues=cf.ForwardedValues(QueryString=True),
                ViewerProtocolPolicy='allow-all')
            config = cf.DistributionConfig(
                Enabled=True,
                Origins=[origin],
                DefaultCacheBehavior=behavior)
            return self.add_resource(
                cf.Distribution(title, DistributionConfig=config))

        blue = tile_distribution('tileDistributionBlue')
        green = tile_distribution('tileDistributionGreen')
        return blue, green
    def distribution(self) -> cloudfront.Distribution:
        """Return cloudfront distribution with bucket as origin.

        The bucket is addressed as ``<bucket>.s3.amazonaws.com`` and read
        through the origin access identity referenced by
        ``self.origin_access_identity``, so it does not have to be publicly
        readable.  Viewers are redirected to HTTPS and the certificate is
        pinned to ``TLSv1.2_2021``.  Any ``lambda_edge_function_arns`` are
        attached as ``viewer-request`` associations on the default behavior.
        """
        oai_path = Join(
            "",
            [
                "origin-access-identity/cloudfront/",
                Ref(self.origin_access_identity),
            ],
        )
        bucket_origin = cloudfront.Origin(
            Id="S3Origin",
            DomainName=f"{self.bucket.name}.s3.amazonaws.com",
            S3OriginConfig=cloudfront.S3OriginConfig(
                OriginAccessIdentity=oai_path),
        )

        behavior_kwargs = dict(
            AllowedMethods=["GET", "HEAD", "OPTIONS"],
            CachePolicyId=Ref(self.cache_policy),
            TargetOriginId="S3Origin",
            ViewerProtocolPolicy="redirect-to-https",
        )
        edge_arns = self.lambda_edge_function_arns
        if edge_arns:
            behavior_kwargs["LambdaFunctionAssociations"] = [
                cloudfront.LambdaFunctionAssociation(
                    EventType="viewer-request", LambdaFunctionARN=arn)
                for arn in edge_arns
            ]

        viewer_cert = cloudfront.ViewerCertificate(
            AcmCertificateArn=self.certificate_arn,
            SslSupportMethod="sni-only",
            MinimumProtocolVersion="TLSv1.2_2021",
        )
        distribution_config = cloudfront.DistributionConfig(
            Enabled="True",
            HttpVersion="http2",
            Aliases=self.aliases,
            DefaultRootObject=self.root_object,
            Origins=[bucket_origin],
            DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
                **behavior_kwargs),
            ViewerCertificate=viewer_cert,
        )
        return cloudfront.Distribution(
            name_to_id(self.name),
            DistributionConfig=distribution_config,
        )
    def build(self, t):
        """Build and return the ``cloudfront.Origin`` for ``self.origin``.

        The domain name is never hard-coded: it is a ``Ref`` to a ``String``
        parameter on ``t``, selected by the type of ``self.origin`` (S3
        bucket, Swagger API stack, ELB stack, or a generic
        ``Input<name>Origin`` parameter otherwise).  Read timeout, protocol
        policy and SSL protocols come from ``origin_timeout``,
        ``origin_proto`` and ``ssl_protocols``.

        :param t: troposphere Template the domain parameter is added to
        :return: the configured custom-origin ``cloudfront.Origin``
        """
        origin = cloudfront.Origin(OriginPath=self.path, Id=self.get_id())
        source = self.origin

        if isinstance(source, s3.S3Bucket):
            domain_param = t.add_parameter(
                Parameter(source.output_bucket_url(), Type='String'))
        elif isinstance(source, apigateway.SwaggerApiStack):
            domain_param = ensure_param(t, source.output_url())
        elif isinstance(source, elb.ELBStack):
            domain_param = ensure_param(t, source.output_dns_name())
        else:
            domain_param = t.add_parameter(
                Parameter('Input{}Origin'.format(self.name), Type='String'))

        origin.CustomOriginConfig = cloudfront.CustomOriginConfig(
            OriginProtocolPolicy=self.origin_proto,
            OriginReadTimeout=self.origin_timeout,
            OriginSSLProtocols=self.ssl_protocols)
        origin.DomainName = Ref(domain_param)
        return origin
                )
            ],
            DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
                ForwardedValues=cloudfront.ForwardedValues(
                    QueryString=False
                ),
                TargetOriginId=Join('-', ['S3', Ref(frontend_bucket)]),
                ViewerProtocolPolicy='redirect-to-https'
            ),
            DefaultRootObject='index.html',
            Enabled=True,
            IPV6Enabled=True,
            Origins=[
                cloudfront.Origin(
                    DomainName=GetAtt(frontend_bucket, 'DomainName'),
                    Id=Join('-', ['S3', Ref(frontend_bucket)]),
                    S3OriginConfig=cloudfront.S3Origin()
                )
            ],
            ViewerCertificate=cloudfront.ViewerCertificate(
                AcmCertificateArn=Ref(frontend_ssl),
                SslSupportMethod='sni-only'
            )
        )
    )
)

backend_distribution = template.add_resource(
    cloudfront.Distribution(
        'BackendDistribution',
        DistributionConfig=cloudfront.DistributionConfig(
    def get_cloudfront_distribution_options(
            self,
            bucket,  # type: s3.Bucket
            oai,  # type: cloudfront.CloudFrontOriginAccessIdentity
            lambda_function_associations,  # type: List[cloudfront.LambdaFunctionAssociation]
    ):
        # type: (...) -> Dict[str, Any]
        """Retrieve the options for our CloudFront distribution.

        The bucket is addressed as ``<bucket>.s3.amazonaws.com`` and read
        through ``oai``, so it need not be public.  Viewers are redirected
        to HTTPS.  Aliases, logging bucket, WAF web ACL and the ACM
        certificate are delegated to ``add_aliases``, ``add_logging_bucket``,
        ``add_web_acl`` and ``add_acm_cert``; ``PriceClass`` and
        ``custom_error_responses`` come from the stack variables.

        Args:
            bucket: The bucket resource
            oai: The origin access identity resource.
            lambda_function_associations: List of Lambda Function associations.

        Return:
            The CloudFront Distribution Options.

        """
        variables = self.get_variables()
        options = {}

        options["Aliases"] = self.add_aliases()

        oai_path = Join("", ["origin-access-identity/cloudfront/", oai.ref()])
        options["Origins"] = [
            cloudfront.Origin(
                Id="S3Origin",
                DomainName=Join(".", [bucket.ref(), "s3.amazonaws.com"]),
                S3OriginConfig=cloudfront.S3OriginConfig(
                    OriginAccessIdentity=oai_path),
            )
        ]

        options["DefaultCacheBehavior"] = cloudfront.DefaultCacheBehavior(
            TargetOriginId="S3Origin",
            AllowedMethods=["GET", "HEAD"],
            Compress=False,
            DefaultTTL="86400",
            ForwardedValues=cloudfront.ForwardedValues(
                Cookies=cloudfront.Cookies(Forward="none"),
                QueryString=False,
            ),
            LambdaFunctionAssociations=lambda_function_associations,
            ViewerProtocolPolicy="redirect-to-https",
        )
        options["DefaultRootObject"] = "index.html"
        options["Logging"] = self.add_logging_bucket()
        options["PriceClass"] = variables["PriceClass"]
        options["CustomErrorResponses"] = [
            cloudfront.CustomErrorResponse(
                ErrorCode=item["ErrorCode"],
                ResponseCode=item["ResponseCode"],
                ResponsePagePath=item["ResponsePagePath"],
            )
            for item in variables["custom_error_responses"]
        ]
        options["Enabled"] = True
        options["WebACLId"] = self.add_web_acl()
        options["ViewerCertificate"] = self.add_acm_cert()
        return options
            #Action=waf.Action(Type='BLOCK'),
            #Priority=1,
            #RuleId=Ref(sql_injection_rule),
        #),
    #],
))

cloudfront_distribution = stack.add_resource(cloudfront.Distribution(
    'visibilitycloudfront',
    DistributionConfig=cloudfront.DistributionConfig(
        WebACLId=Ref(waf),
        Origins=[
            cloudfront.Origin(
                Id='apiv1',
                DomainName='applicationelasticlb-208988572.us-east-1.elb.amazonaws.com',
                CustomOriginConfig=cloudfront.CustomOrigin(
                    HTTPPort="80",
                    OriginProtocolPolicy="http-only",
                ),
            ),
            cloudfront.Origin(
                Id='staticv1',
                DomainName='cihackathon.s3.amazonaws.com',
                S3OriginConfig=cloudfront.S3Origin(),
            ),
        ],
        DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
            TargetOriginId="staticv1",
            ForwardedValues=cloudfront.ForwardedValues(
                QueryString=False,
            ),
            ViewerProtocolPolicy="allow-all",
 "ExampleDistribution",
 Condition=use_cert_cond,
 DistributionConfig=cloudfront.DistributionConfig(
     Comment="Example distribution for restricted access",
     Aliases=[domain_name],
     Enabled=True,
     IPV6Enabled=True,
     HttpVersion='http2',
     PriceClass='PriceClass_100',
     Origins=[
         # Your usual config goes here, example:
         cloudfront.Origin(
             Id="ExampleS3",
             DomainName=Join(
                 '', [Ref(example_bucket), '.s3.amazonaws.com']),
             S3OriginConfig=cloudfront.S3OriginConfig(
                 OriginAccessIdentity=Join('', [
                     'origin-access-identity/cloudfront/',
                     Ref(example_bucket_oai),
                 ])),
         ),
     ],
     DefaultRootObject=
     "index.html",  # Needed for this example only, adapt to your requirements
     CacheBehaviors=[
         # If you have additional cache behaviours,
         # make sure that (at least) the behaviour matching
         # /auth-89CE3FEF-FCF6-43B3-9DBA-7C410CAAE220/set-cookie
         # has the Lambda-function associated.
     ],
     DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
         ViewerProtocolPolicy=
    def cloudfront_distribution(self):
        """Add the S3-backed ``SiteCFDistribution`` and its two outputs.

        An ACM certificate is attached only when the ``AcmCertificateARN``
        variable is set; it is declared with
        ``MinimumProtocolVersion="TLSv1"``, which still admits TLS 1.0/1.1
        handshakes.  Without a certificate the ``WebsiteURL`` output falls
        back to an ``http://`` prefix.  The bucket is read through the
        ``OriginAccessIdentity`` variable, access logs go to
        ``<LogBucket>.s3.amazonaws.com`` under ``<FQDNPublic>/cloudfront_logs/``
        and ``WebACLId`` is passed straight through from the variables.
        Stores the resource on ``self.SiteCFDistribution``.
        """
        settings = self.vars

        acm_arn = settings["AcmCertificateARN"]
        if acm_arn:
            url_prefix = 'https://'
            viewer_certificate = cf.ViewerCertificate(
                AcmCertificateArn=acm_arn,
                SslSupportMethod="sni-only",
                MinimumProtocolVersion="TLSv1",
            )
        else:
            url_prefix = 'http://'
            viewer_certificate = NoValue

        access_logging = cf.Logging(
            Bucket=settings["LogBucket"] + ".s3.amazonaws.com",
            Prefix=settings["FQDNPublic"] + "/cloudfront_logs/",
            IncludeCookies="false")
        bucket_origin = cf.Origin(
            Id="myS3Origin",
            DomainName=GetAtt(self.SiteBucket, "DomainName"),
            OriginPath=settings["OriginPath"],
            S3OriginConfig=cf.S3Origin(OriginAccessIdentity=(
                "origin-access-identity/cloudfront/" +
                settings["OriginAccessIdentity"])),
        )
        default_behavior = cf.DefaultCacheBehavior(
            TargetOriginId="myS3Origin",
            ViewerProtocolPolicy="redirect-to-https",
            DefaultTTL=settings["DefaultTTL"],
            ForwardedValues=cf.ForwardedValues(
                Cookies=cf.Cookies(Forward="none"),
                QueryString="true"),
        )

        template = self.template
        self.SiteCFDistribution = template.add_resource(
            cf.Distribution(
                "SiteCFDistribution",
                DistributionConfig=cf.DistributionConfig(
                    Comment="S3 Distribution",
                    Enabled="true",
                    PriceClass="PriceClass_100",
                    Aliases=[settings["FQDNPublic"]],
                    DefaultRootObject=settings["DefaultRootObject"],
                    Logging=access_logging,
                    WebACLId=settings["WebACLId"],
                    Origins=[bucket_origin],
                    DefaultCacheBehavior=default_behavior,
                    ViewerCertificate=viewer_certificate,
                ),
            ))

        template.add_output(
            Output(
                "CloudFrontDistribution",
                Description="Cloudfront distribution domainname in AWS",
                Value=GetAtt(self.SiteCFDistribution, "DomainName"),
            ))
        template.add_output(
            Output(
                "WebsiteURL",
                Description="Public URL of cloudfront hosted website",
                Value=url_prefix + settings["FQDNPublic"],
            ))
        )
      ],
      DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
        ForwardedValues=cloudfront.ForwardedValues(
          QueryString=False
        ),
        TargetOriginId=Join('-', ['S3', Ref(bucket_resource)]),
        ViewerProtocolPolicy='redirect-to-https'
      ),
      DefaultRootObject='index.html',
      Enabled=True,
      IPV6Enabled=True,
      Origins=[
        cloudfront.Origin(
          DomainName=GetAtt(bucket_resource, 'DomainName'),
          Id=Join('-', ['S3', Ref(bucket_resource)]),
          S3OriginConfig=cloudfront.S3Origin()
        )
      ],
      ViewerCertificate=cloudfront.ViewerCertificate(
        AcmCertificateArn=Ref(certificate_arn_parameter),
        SslSupportMethod='sni-only'
      )
    )
  )
)

ci_user_resource = template.add_resource(
  iam.User(
    'CiUser',
    UserName=ci_user_name_variable,
# Cloudfront Distribution
###
CloudfrontDistribution = t.add_resource(
    cloudfront.Distribution(
        "CloudfrontDistribution",
        DistributionConfig=cloudfront.DistributionConfig(
            Aliases=[CONFIG['DOMAIN_NAME']],
            Origins=[
                cloudfront.Origin(
                    Id="Origin 1",

                    # turn `http://mybucket.s3-website-us-east-1.amazonaws.com/`y
                    # into `mybucket.s3-website-us-east-1.amazonaws.com`
                    DomainName=Select(
                        2,
                        Split("/",
                              GetAtt(StaticHostingPublicBucket,
                                     'WebsiteURL'))),

                    # S3 website hosting only serves on 80
                    CustomOriginConfig=cloudfront.CustomOriginConfig(
                        HTTPPort=80,
                        OriginProtocolPolicy='http-only',
                    ))
            ],
            ViewerCertificate=cloudfront.ViewerCertificate(
                AcmCertificateArn=Ref(CloudFrontCertificate),
                SslSupportMethod='sni-only',
            ),
            DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
                TargetOriginId="Origin 1",
                ForwardedValues=cloudfront.ForwardedValues(QueryString=False),
                    SubjectAlternativeNames=[alternate_name],
                    DomainValidationOptions=[
                        DomainValidationOption(DomainName=cdn_domain,
                                               ValidationDomain=dns_domain)
                    ],
                    ValidationMethod='DNS',
                    Tags=DefaultTags +
                    Tags(Name='{}-{}'.format(env_l, app_group_l))))

    # Provision the CDN Origin
    cdnOrigin = cf.Origin(Id='{}-{}-{}'.format(env_l, app_group_l, src_domain),
                          DomainName=Select(
                              1,
                              Split('//', GetAtt(redirectBucket,
                                                 'WebsiteURL'))),
                          CustomOriginConfig=cf.CustomOriginConfig(
                              HTTPPort=80,
                              HTTPSPort=443,
                              OriginProtocolPolicy='http-only',
                              OriginSSLProtocols=['TLSv1.2'],
                          ))

    # Provision the CDN Distribution
    cdnDistribution = t.add_resource(
        cf.Distribution(
            'cdnDistribution{}'.format(src_domain.replace('.', '0')),
            DependsOn='cdnCertificate{}'.format(src_domain.replace('.', '0')),
            DistributionConfig=cf.DistributionConfig(
                Comment='{} - {}'.format(env, cdn_domain),
                Enabled=True,
                PriceClass='PriceClass_All',
    def create_template(self):
        """Create template (main function called by Stacker).

        Builds a private, versioned website bucket that is readable only
        through a CloudFront origin access identity (the bucket policy grants
        ``s3:GetObject`` to the OAI's canonical user alone), fronted by a
        distribution that redirects viewers to HTTPS.  Aliases, the ACM
        certificate, CloudFront logging and the WAF web ACL are each attached
        only when the matching variable is neither empty nor the literal
        ``'undefined'`` (expressed as template conditions).  Exports the
        bucket name and the distribution id and domain name.
        """
        template = self.template
        variables = self.get_variables()
        template.add_version('2010-09-09')
        template.add_description('Static Website - Bucket and Distribution')

        def is_set(value):
            # A variable left blank or set to the literal string 'undefined'
            # counts as "not provided".
            return And(Not(Equals(value, '')),
                       Not(Equals(value, 'undefined')))

        # Conditions
        template.add_condition(
            'AcmCertSpecified', is_set(variables['AcmCertificateArn'].ref))
        template.add_condition(
            'AliasesSpecified', is_set(Select(0, variables['Aliases'].ref)))
        template.add_condition(
            'CFLoggingEnabled', is_set(variables['LogBucketName'].ref))
        template.add_condition(
            'WAFNameSpecified', is_set(variables['WAFWebACL'].ref))

        # Resources
        oai = template.add_resource(
            cloudfront.CloudFrontOriginAccessIdentity(
                'OAI',
                CloudFrontOriginAccessIdentityConfig=(
                    cloudfront.CloudFrontOriginAccessIdentityConfig(
                        Comment='CF access to website'))))

        lifecycle = s3.LifecycleConfiguration(Rules=[
            s3.LifecycleRule(NoncurrentVersionExpirationInDays=90,
                             Status='Enabled')
        ])
        bucket = template.add_resource(
            s3.Bucket(
                'Bucket',
                AccessControl=s3.Private,
                LifecycleConfiguration=lifecycle,
                VersioningConfiguration=s3.VersioningConfiguration(
                    Status='Enabled'),
                WebsiteConfiguration=s3.WebsiteConfiguration(
                    IndexDocument='index.html', ErrorDocument='error.html')))
        template.add_output(
            Output('BucketName',
                   Description='Name of website bucket',
                   Value=bucket.ref()))

        # Only the OAI's canonical user may read objects; nothing is public.
        oai_read_policy = Policy(
            Version='2012-10-17',
            Statement=[
                Statement(
                    Effect=Allow,
                    Action=[awacs.s3.GetObject],
                    Principal=Principal(
                        'CanonicalUser', oai.get_att('S3CanonicalUserId')),
                    Resource=[Join('', [bucket.get_att('Arn'), '/*'])])
            ])
        allowcfaccess = template.add_resource(
            s3.BucketPolicy(
                'AllowCFAccess',
                Bucket=bucket.ref(),
                PolicyDocument=oai_read_policy))

        bucket_origin = cloudfront.Origin(
            Id='S3Origin',
            DomainName=Join('.', [bucket.ref(), 's3.amazonaws.com']),
            S3OriginConfig=cloudfront.S3Origin(
                OriginAccessIdentity=Join('', [
                    'origin-access-identity/cloudfront/', oai.ref()
                ])))
        default_behavior = cloudfront.DefaultCacheBehavior(
            TargetOriginId='S3Origin',
            AllowedMethods=['GET', 'HEAD'],
            Compress=False,
            DefaultTTL='86400',
            ForwardedValues=cloudfront.ForwardedValues(
                Cookies=cloudfront.Cookies(Forward='none'),
                QueryString=False,
            ),
            ViewerProtocolPolicy='redirect-to-https')
        cf_logging = If(
            'CFLoggingEnabled',
            cloudfront.Logging(Bucket=Join('.', [
                variables['LogBucketName'].ref, 's3.amazonaws.com'
            ])),
            NoValue)
        viewer_certificate = If(
            'AcmCertSpecified',
            cloudfront.ViewerCertificate(
                AcmCertificateArn=variables['AcmCertificateArn'].ref,
                SslSupportMethod='sni-only'),
            NoValue)

        # DependsOn the bucket policy so CloudFront never sees a bucket it
        # cannot read yet.
        cfdistribution = template.add_resource(
            cloudfront.Distribution(
                'CFDistribution',
                DependsOn=allowcfaccess.title,
                DistributionConfig=cloudfront.DistributionConfig(
                    Enabled=True,
                    Aliases=If('AliasesSpecified', variables['Aliases'].ref,
                               NoValue),
                    Origins=[bucket_origin],
                    DefaultCacheBehavior=default_behavior,
                    DefaultRootObject='index.html',
                    Logging=cf_logging,
                    PriceClass=variables['PriceClass'].ref,
                    WebACLId=If('WAFNameSpecified', variables['WAFWebACL'].ref,
                                NoValue),
                    ViewerCertificate=viewer_certificate)))
        template.add_output(
            Output('CFDistributionId',
                   Description='CloudFront distribution ID',
                   Value=cfdistribution.ref()))
        template.add_output(
            Output('CFDistributionDomainName',
                   Description='CloudFront distribution domain name',
                   Value=cfdistribution.get_att('DomainName')))
                        'Statement': [{
                            'Action': ['s3:GetObject'],
                            'Effect': 'Allow',
                            'Resource': root_bucket_arn,
                            'Principal': '*',
                        }]
                    }))

# Website distribution in front of the root bucket.  The bucket is used as a
# plain S3 origin with no origin access identity, which relies on the bucket
# policy above granting s3:GetObject to any principal; viewers are redirected
# to HTTPS.
root_origin = cloudfront.Origin(
    Id=Ref(root_bucket),
    DomainName=GetAtt(root_bucket, 'DomainName'),
    S3OriginConfig=cloudfront.S3Origin(),
)
root_behavior = cloudfront.DefaultCacheBehavior(
    TargetOriginId=Ref(root_bucket),
    Compress=True,
    ForwardedValues=cloudfront.ForwardedValues(QueryString=False),
    ViewerProtocolPolicy='redirect-to-https',
)
cdn = template.add_resource(
    cloudfront.Distribution(
        'WebsiteDistribution',
        DistributionConfig=cloudfront.DistributionConfig(
            Enabled=True,
            Aliases=[Ref(domain)],
            DefaultRootObject=Ref(index_page),
            Origins=[root_origin],
            DefaultCacheBehavior=root_behavior,
        ),
    )
)

# Zone name with a trailing dot, as used for HostedZoneName below.
hosted_zone = Join('', [Ref(zone), '.'])
template.add_resource(
    route53.RecordSetGroup('WebsiteDNSRecord',
                           HostedZoneName=hosted_zone,
                           Comment='Records for the root of the hosted zone',
예제 #17
    def get_cloudfront_distribution_options(
        self,  # type: StaticSite
        bucket,  # type: s3.Bucket
        oai,  # type: cloudfront.CloudFrontOriginAccessIdentity # noqa pylint: disable=line-too-long
        lambda_function_associations  # type: List[cloudfront.LambdaFunctionAssociation] # noqa pylint: disable=line-too-long
        # TODO remove after dropping python 2
    ):  # pylint: disable=bad-continuation
        # type: (...) -> Dict[str, Any]
        """Build the property dict for the site's CloudFront distribution.

        The bucket is reached only through the origin access identity ``oai``
        (a private origin); viewers are redirected to HTTPS and neither cookies
        nor the query string are forwarded to S3.

        Args:
            bucket: The S3 bucket resource backing the site.
            oai: The CloudFront origin access identity resource.
            lambda_function_associations: Lambda@Edge associations attached
                to the default cache behavior.

        Returns:
            dict: Keyword arguments for ``cloudfront.DistributionConfig``.

        """
        variables = self.get_variables()

        oai_path = Join('', ['origin-access-identity/cloudfront/', oai.ref()])
        s3_origin = cloudfront.Origin(
            DomainName=Join('.', [bucket.ref(), 's3.amazonaws.com']),
            S3OriginConfig=cloudfront.S3OriginConfig(
                OriginAccessIdentity=oai_path),
            Id='S3Origin')

        default_behavior = cloudfront.DefaultCacheBehavior(
            AllowedMethods=['GET', 'HEAD'],
            Compress=False,
            DefaultTTL='86400',
            ForwardedValues=cloudfront.ForwardedValues(
                Cookies=cloudfront.Cookies(Forward='none'),
                QueryString=False,
            ),
            LambdaFunctionAssociations=lambda_function_associations,
            TargetOriginId='S3Origin',
            ViewerProtocolPolicy='redirect-to-https')

        # One CustomErrorResponse per entry of the custom_error_responses
        # variable; each entry must carry the three keys read below.
        error_responses = [
            cloudfront.CustomErrorResponse(
                ErrorCode=response['ErrorCode'],
                ResponseCode=response['ResponseCode'],
                ResponsePagePath=response['ResponsePagePath'])
            for response in variables['custom_error_responses']
        ]

        options = {
            'Aliases': self.add_aliases(),
            'Origins': [s3_origin],
            'DefaultCacheBehavior': default_behavior,
            'DefaultRootObject': 'index.html',
            'Logging': self.add_logging_bucket(),
            'PriceClass': variables['PriceClass'],
            'CustomErrorResponses': error_responses,
            'Enabled': True,
            'WebACLId': self.add_web_acl(),
            'ViewerCertificate': self.add_acm_cert(),
        }
        return options
예제 #18
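    def create_cloudfront_distributions(self):
        """Create the blue and green tile CloudFront distributions.

        Each distribution fronts one custom origin,
        ``<color>-tiles.<public hosted zone>``, and gets two CloudWatch
        alarms on its origin error rate (4xx averaged over 5 minutes above 20,
        5xx averaged over 1 minute above 0).  Resources are added in the
        order: blue distribution, blue alarms, green distribution, green
        alarms.

        Returns:
            tuple: ``(blue_tile_distribution, green_tile_distribution)`` as
            returned by ``self.add_resource``.
        """

        def _tile_distribution(color):
            """Add the tile distribution for one color ('blue' or 'green')."""
            origin_hostname = Join('.', [
                color + '-tiles',
                Ref(self.public_hosted_zone_name)
            ])
            # NOTE: the origin is fetched over plain HTTP ('http-only') and
            # viewers may use either scheme ('allow-all'), so tile traffic is
            # unprotected in transit on both hops; tighten if tiles are ever
            # anything but public data.
            return self.add_resource(
                cf.Distribution(
                    'tileDistribution' + color.capitalize(),
                    DistributionConfig=cf.DistributionConfig(
                        Origins=[
                            cf.Origin(Id='tileOriginId',
                                      DomainName=origin_hostname,
                                      CustomOriginConfig=cf.CustomOrigin(
                                          OriginProtocolPolicy='http-only'))
                        ],
                        DefaultCacheBehavior=cf.DefaultCacheBehavior(
                            ForwardedValues=cf.ForwardedValues(
                                QueryString=True),
                            TargetOriginId='tileOriginId',
                            ViewerProtocolPolicy='allow-all'),
                        Enabled=True)))

        def _origin_error_alarm(color, distribution, status_class, period,
                                threshold):
            """Add an alarm on the distribution's origin NxxErrorRate."""
            self.add_resource(
                cf_alarm_title = None) if False else None  # placeholder never executed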
예제 #19
0
    def get_distribution_options(
        self,
        bucket: s3.Bucket,
        oai: cloudfront.CloudFrontOriginAccessIdentity,
        lambda_funcs: List[cloudfront.LambdaFunctionAssociation],
        check_auth_lambda_version: awslambda.Version,
        http_headers_lambda_version: awslambda.Version,
        parse_auth_lambda_version: awslambda.Version,
        refresh_auth_lambda_version: awslambda.Version,
        sign_out_lambda_version: awslambda.Version,
    ) -> Dict[str, Any]:
        """Retrieve the options for our CloudFront distribution.

        Keyword Args:
            bucket: The bucket resource.
            oai: The origin access identity resource.
            lambda_funcs: List of Lambda Function associations.
            check_auth_lambda_version: Lambda Function Version to use.
            http_headers_lambda_version: Lambda Function Version to use.
            parse_auth_lambda_version: Lambda Function Version to use.
            refresh_auth_lambda_version: Lambda Function Version to use.
            sign_out_lambda_version: Lambda Function Version to use.

        Return:
            The CloudFront Distribution Options.

        """
        default_cache_behavior_lambdas = lambda_funcs
        default_cache_behavior_lambdas.append(
            cloudfront.LambdaFunctionAssociation(
                EventType="viewer-request",
                LambdaFunctionARN=check_auth_lambda_version.ref(),
            ))
        default_cache_behavior_lambdas.append(
            cloudfront.LambdaFunctionAssociation(
                EventType="origin-response",
                LambdaFunctionARN=http_headers_lambda_version.ref(),
            ))

        return {
            "Aliases":
            self.add_aliases(),
            "Origins": [
                cloudfront.Origin(
                    DomainName=Join(".", [bucket.ref(), "s3.amazonaws.com"]),
                    S3OriginConfig=cloudfront.
                    S3OriginConfig(OriginAccessIdentity=Join(
                        "", ["origin-access-identity/cloudfront/",
                             oai.ref()])),
                    Id="protected-bucket",
                )
            ],
            "CacheBehaviors": [
                cloudfront.CacheBehavior(
                    PathPattern=self.variables["RedirectPathSignIn"],
                    Compress=True,
                    ForwardedValues=cloudfront.ForwardedValues(
                        QueryString=True),
                    LambdaFunctionAssociations=[
                        cloudfront.LambdaFunctionAssociation(
                            EventType="viewer-request",
                            LambdaFunctionARN=parse_auth_lambda_version.ref(),
                        )
                    ],
                    TargetOriginId="protected-bucket",
                    ViewerProtocolPolicy="redirect-to-https",
                ),
                cloudfront.CacheBehavior(
                    PathPattern=self.variables["RedirectPathAuthRefresh"],
                    Compress=True,
                    ForwardedValues=cloudfront.ForwardedValues(
                        QueryString=True),
                    LambdaFunctionAssociations=[
                        cloudfront.LambdaFunctionAssociation(
                            EventType="viewer-request",
                            LambdaFunctionARN=refresh_auth_lambda_version.ref(
                            ),
                        )
                    ],
                    TargetOriginId="protected-bucket",
                    ViewerProtocolPolicy="redirect-to-https",
                ),
                cloudfront.CacheBehavior(
                    PathPattern=self.variables["SignOutUrl"],
                    Compress=True,
                    ForwardedValues=cloudfront.ForwardedValues(
                        QueryString=True),
                    LambdaFunctionAssociations=[
                        cloudfront.LambdaFunctionAssociation(
                            EventType="viewer-request",
                            LambdaFunctionARN=sign_out_lambda_version.ref(),
                        )
                    ],
                    TargetOriginId="protected-bucket",
                    ViewerProtocolPolicy="redirect-to-https",
                ),
            ],
            "DefaultCacheBehavior":
            cloudfront.DefaultCacheBehavior(
                AllowedMethods=["GET", "HEAD"],
                Compress=True,
                DefaultTTL="86400",
                ForwardedValues=cloudfront.ForwardedValues(QueryString=True),
                LambdaFunctionAssociations=default_cache_behavior_lambdas,
                TargetOriginId="protected-bucket",
                ViewerProtocolPolicy="redirect-to-https",
            ),
            "DefaultRootObject":
            "index.html",
            "Logging":
            self.add_logging_bucket(),
            "PriceClass":
            self.variables["PriceClass"],
            "Enabled":
            True,
            "WebACLId":
            self.add_web_acl(),
            "CustomErrorResponses":
            self._get_error_responses(),
            "ViewerCertificate":
            self.add_acm_cert(),
        }
예제 #20
0
    def create_template(self):
        """Create template (main function called by Stacker)."""
        template = self.template
        variables = self.get_variables()
        template.add_version('2010-09-09')
        template.add_description('Static Website - Bucket and Distribution')

        # Conditions
        template.add_condition(
            'AcmCertSpecified',
            And(Not(Equals(variables['AcmCertificateArn'].ref, '')),
                Not(Equals(variables['AcmCertificateArn'].ref, 'undefined'))))
        template.add_condition(
            'AliasesSpecified',
            And(Not(Equals(Select(0, variables['Aliases'].ref), '')),
                Not(Equals(Select(0, variables['Aliases'].ref), 'undefined'))))
        template.add_condition(
            'CFLoggingEnabled',
            And(Not(Equals(variables['LogBucketName'].ref, '')),
                Not(Equals(variables['LogBucketName'].ref, 'undefined'))))
        template.add_condition(
            'DirectoryIndexSpecified',
            And(Not(Equals(variables['RewriteDirectoryIndex'].ref, '')),
                Not(Equals(variables['RewriteDirectoryIndex'].ref,
                           'undefined')))  # noqa
        )
        template.add_condition(
            'WAFNameSpecified',
            And(Not(Equals(variables['WAFWebACL'].ref, '')),
                Not(Equals(variables['WAFWebACL'].ref, 'undefined'))))

        # Resources
        oai = template.add_resource(
            cloudfront.CloudFrontOriginAccessIdentity(
                'OAI',
                CloudFrontOriginAccessIdentityConfig=cloudfront.
                CloudFrontOriginAccessIdentityConfig(  # noqa pylint: disable=line-too-long
                    Comment='CF access to website')))

        bucket = template.add_resource(
            s3.Bucket(
                'Bucket',
                AccessControl=s3.Private,
                LifecycleConfiguration=s3.LifecycleConfiguration(Rules=[
                    s3.LifecycleRule(NoncurrentVersionExpirationInDays=90,
                                     Status='Enabled')
                ]),
                VersioningConfiguration=s3.VersioningConfiguration(
                    Status='Enabled'),
                WebsiteConfiguration=s3.WebsiteConfiguration(
                    IndexDocument='index.html', ErrorDocument='error.html')))
        template.add_output(
            Output('BucketName',
                   Description='Name of website bucket',
                   Value=bucket.ref()))

        allowcfaccess = template.add_resource(
            s3.BucketPolicy(
                'AllowCFAccess',
                Bucket=bucket.ref(),
                PolicyDocument=PolicyDocument(
                    Version='2012-10-17',
                    Statement=[
                        Statement(
                            Action=[awacs.s3.GetObject],
                            Effect=Allow,
                            Principal=Principal(
                                'CanonicalUser',
                                oai.get_att('S3CanonicalUserId')),
                            Resource=[Join('', [bucket.get_att('Arn'), '/*'])])
                    ])))

        cfdirectoryindexrewriterole = template.add_resource(
            iam.Role('CFDirectoryIndexRewriteRole',
                     Condition='DirectoryIndexSpecified',
                     AssumeRolePolicyDocument=PolicyDocument(
                         Version='2012-10-17',
                         Statement=[
                             Statement(Effect=Allow,
                                       Action=[awacs.sts.AssumeRole],
                                       Principal=Principal(
                                           'Service', [
                                               'lambda.amazonaws.com',
                                               'edgelambda.amazonaws.com'
                                           ]))
                         ]),
                     ManagedPolicyArns=[
                         IAM_ARN_PREFIX + 'AWSLambdaBasicExecutionRole'
                     ]))

        cfdirectoryindexrewrite = template.add_resource(
            awslambda.Function(
                'CFDirectoryIndexRewrite',
                Condition='DirectoryIndexSpecified',
                Code=awslambda.Code(ZipFile=Join(
                    '',
                    [
                        "'use strict';\n",
                        "exports.handler = (event, context, callback) => {\n",
                        "\n",
                        "    // Extract the request from the CloudFront event that is sent to Lambda@Edge\n",  # noqa pylint: disable=line-too-long
                        "    var request = event.Records[0].cf.request;\n",
                        "    // Extract the URI from the request\n",
                        "    var olduri = request.uri;\n",
                        "    // Match any '/' that occurs at the end of a URI. Replace it with a default index\n",  # noqa pylint: disable=line-too-long
                        "    var newuri = olduri.replace(/\\/$/, '\\/",
                        variables['RewriteDirectoryIndex'].ref,
                        "');\n",  # noqa
                        "    // Log the URI as received by CloudFront and the new URI to be used to fetch from origin\n",  # noqa pylint: disable=line-too-long
                        "    console.log(\"Old URI: \" + olduri);\n",
                        "    console.log(\"New URI: \" + newuri);\n",
                        "    // Replace the received URI with the URI that includes the index page\n",  # noqa pylint: disable=line-too-long
                        "    request.uri = newuri;\n",
                        "    // Return to CloudFront\n",
                        "    return callback(null, request);\n",
                        "\n",
                        "};\n"
                    ])),
                Description=
                'Rewrites CF directory HTTP requests to default page',  # noqa
                Handler='index.handler',
                Role=cfdirectoryindexrewriterole.get_att('Arn'),
                Runtime='nodejs8.10'))

        # Generating a unique resource name here for the Lambda version, so it
        # updates automatically if the lambda code changes
        code_hash = hashlib.md5(
            str(cfdirectoryindexrewrite.properties['Code'].
                properties['ZipFile'].to_dict()).encode()  # noqa pylint: disable=line-too-long
        ).hexdigest()

        cfdirectoryindexrewritever = template.add_resource(
            awslambda.Version('CFDirectoryIndexRewriteVer' + code_hash,
                              Condition='DirectoryIndexSpecified',
                              FunctionName=cfdirectoryindexrewrite.ref()))

        cfdistribution = template.add_resource(
            cloudfront.Distribution(
                'CFDistribution',
                DependsOn=allowcfaccess.title,
                DistributionConfig=cloudfront.DistributionConfig(
                    Aliases=If('AliasesSpecified', variables['Aliases'].ref,
                               NoValue),
                    Origins=[
                        cloudfront.Origin(
                            DomainName=Join(
                                '.', [bucket.ref(), 's3.amazonaws.com']),
                            S3OriginConfig=cloudfront.S3Origin(
                                OriginAccessIdentity=Join(
                                    '', [
                                        'origin-access-identity/cloudfront/',
                                        oai.ref()
                                    ])),
                            Id='S3Origin')
                    ],
                    DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
                        AllowedMethods=['GET', 'HEAD'],
                        Compress=False,
                        DefaultTTL='86400',
                        ForwardedValues=cloudfront.ForwardedValues(
                            Cookies=cloudfront.Cookies(Forward='none'),
                            QueryString=False,
                        ),
                        LambdaFunctionAssociations=If(
                            'DirectoryIndexSpecified',
                            [
                                cloudfront.LambdaFunctionAssociation(
                                    EventType='origin-request',
                                    LambdaFunctionARN=cfdirectoryindexrewritever
                                    .ref()  # noqa
                                )
                            ],
                            NoValue),
                        TargetOriginId='S3Origin',
                        ViewerProtocolPolicy='redirect-to-https'),
                    DefaultRootObject='index.html',
                    Logging=If(
                        'CFLoggingEnabled',
                        cloudfront.Logging(Bucket=Join('.', [
                            variables['LogBucketName'].ref, 's3.amazonaws.com'
                        ])), NoValue),
                    PriceClass=variables['PriceClass'].ref,
                    Enabled=True,
                    WebACLId=If('WAFNameSpecified', variables['WAFWebACL'].ref,
                                NoValue),
                    ViewerCertificate=If(
                        'AcmCertSpecified',
                        cloudfront.ViewerCertificate(
                            AcmCertificateArn=variables['AcmCertificateArn'].
                            ref,  # noqa
                            SslSupportMethod='sni-only'),
                        NoValue))))
        template.add_output(
            Output('CFDistributionId',
                   Description='CloudFront distribution ID',
                   Value=cfdistribution.ref()))
        template.add_output(
            Output('CFDistributionDomainName',
                   Description='CloudFront distribution domain name',
                   Value=cfdistribution.get_att('DomainName')))
예제 #21
0
    def get_distribution_options(self,
                                 bucket,  # type: s3.Bucket
                                 oai,  # type: cloudfront.CloudFrontOriginAccessIdentity
                                 lambda_funcs,  # type: List[cloudfront.LambdaFunctionAssociation]
                                 check_auth_lambda_version,  # type: awslambda.Version
                                 http_headers_lambda_version,  # type: awslambda.Version
                                 parse_auth_lambda_version,  # type: awslambda.Version
                                 refresh_auth_lambda_version,  # type: awslambda.Version
                                 sign_out_lambda_version  # type: awslambda.Version
                                ):  # noqa: E124
        # type: (...) -> Dict[str, Any]
        """Retrieve the options for our CloudFront distribution.

        Keyword Args:
            bucket (dict): The bucket resource
            oai (dict): The origin access identity resource

        Return:
            dict: The CloudFront Distribution Options

        """
        variables = self.get_variables()

        default_cache_behavior_lambdas = lambda_funcs
        default_cache_behavior_lambdas.append(
            cloudfront.LambdaFunctionAssociation(
                EventType='viewer-request',
                LambdaFunctionARN=check_auth_lambda_version.ref()
            )
        )
        default_cache_behavior_lambdas.append(
            cloudfront.LambdaFunctionAssociation(
                EventType='origin-response',
                LambdaFunctionARN=http_headers_lambda_version.ref()
            )
        )

        return {
            'Aliases': self.add_aliases(),
            'Origins': [
                cloudfront.Origin(
                    DomainName=Join(
                        '.',
                        [bucket.ref(),
                         's3.amazonaws.com']),
                    S3OriginConfig=cloudfront.S3OriginConfig(
                        OriginAccessIdentity=Join(
                            '',
                            ['origin-access-identity/cloudfront/',
                             oai.ref()])
                    ),
                    Id='protected-bucket'
                )
            ],
            'CacheBehaviors': [
                cloudfront.CacheBehavior(
                    PathPattern=variables['RedirectPathSignIn'],
                    Compress=True,
                    ForwardedValues=cloudfront.ForwardedValues(
                        QueryString=True
                    ),
                    LambdaFunctionAssociations=[
                        cloudfront.LambdaFunctionAssociation(
                            EventType='viewer-request',
                            LambdaFunctionARN=parse_auth_lambda_version.ref()
                        )
                    ],
                    TargetOriginId='protected-bucket',
                    ViewerProtocolPolicy="redirect-to-https"
                ),
                cloudfront.CacheBehavior(
                    PathPattern=variables['RedirectPathAuthRefresh'],
                    Compress=True,
                    ForwardedValues=cloudfront.ForwardedValues(
                        QueryString=True
                    ),
                    LambdaFunctionAssociations=[
                        cloudfront.LambdaFunctionAssociation(
                            EventType='viewer-request',
                            LambdaFunctionARN=refresh_auth_lambda_version.ref()
                        )
                    ],
                    TargetOriginId='protected-bucket',
                    ViewerProtocolPolicy="redirect-to-https"
                ),
                cloudfront.CacheBehavior(
                    PathPattern=variables['SignOutUrl'],
                    Compress=True,
                    ForwardedValues=cloudfront.ForwardedValues(
                        QueryString=True
                    ),
                    LambdaFunctionAssociations=[
                        cloudfront.LambdaFunctionAssociation(
                            EventType='viewer-request',
                            LambdaFunctionARN=sign_out_lambda_version.ref()
                        )
                    ],
                    TargetOriginId='protected-bucket',
                    ViewerProtocolPolicy="redirect-to-https"
                ),
            ],
            'DefaultCacheBehavior': cloudfront.DefaultCacheBehavior(
                AllowedMethods=['GET', 'HEAD'],
                Compress=True,
                DefaultTTL='86400',
                ForwardedValues=cloudfront.ForwardedValues(
                    QueryString=True,
                ),
                LambdaFunctionAssociations=default_cache_behavior_lambdas,
                TargetOriginId='protected-bucket',
                ViewerProtocolPolicy='redirect-to-https'
            ),
            'DefaultRootObject': 'index.html',
            'Logging': self.add_logging_bucket(),
            'PriceClass': variables['PriceClass'],
            'Enabled': True,
            'WebACLId': self.add_web_acl(),
            'CustomErrorResponses': self._get_error_responses(),
            'ViewerCertificate': self.add_acm_cert()
        }
예제 #22
0
                ),
                Tags=Tags(Name=f"{bucket}-{randomPrefix}"),
            )
        )

        if "cloudfront" in bucket:
            cloudfrontBucket = f"{bucket.lower()}-{randomPrefix}"

    cloudfront = t.add_resource(
        cloudfront.Distribution(
            "Cloudfront",
            DistributionConfig=cloudfront.DistributionConfig(
                Origins=[
                    cloudfront.Origin(
                        Id="1",
                        DomainName=f"{cloudfrontBucket}.s3-ap-southeast-2.amazonaws.com",
                        S3OriginConfig=cloudfront.S3OriginConfig(),
                    )
                ],
                DefaultCacheBehavior=cloudfront.DefaultCacheBehavior(
                    TargetOriginId="1",
                    ForwardedValues=cloudfront.ForwardedValues(QueryString=False),
                    ViewerProtocolPolicy="allow-all",
                ),
                Enabled=True,
                HttpVersion="http2",
            ),
        )
    )

    with open("template.yml", "w") as file:
예제 #23
0
    def get_cloudfront_distribution_options(
        self,
        bucket: s3.Bucket,
        oai: cloudfront.CloudFrontOriginAccessIdentity,
        lambda_function_associations: List[
            cloudfront.LambdaFunctionAssociation],
    ) -> Dict[str, Any]:
        """Retrieve the options for our CloudFront distribution.

        Args:
            bucket: The bucket resource
            oai: The origin access identity resource.
            lambda_function_associations: List of Lambda Function associations.

        Return:
            The CloudFront Distribution Options.

        """
        if os.getenv("AWS_REGION") == "us-east-1":
            # use global endpoint for us-east-1
            origin = Join(".", [bucket.ref(), "s3.amazonaws.com"])
        else:
            # use reginal endpoint to avoid "temporary" redirect that can last over an hour
            # https://forums.aws.amazon.com/message.jspa?messageID=677452
            origin = Join(".", [bucket.ref(), "s3", Region, "amazonaws.com"])

        return {
            "Aliases":
            self.add_aliases(),
            "Origins": [
                cloudfront.Origin(
                    DomainName=origin,
                    S3OriginConfig=cloudfront.
                    S3OriginConfig(OriginAccessIdentity=Join(
                        "", ["origin-access-identity/cloudfront/",
                             oai.ref()])),
                    Id="S3Origin",
                )
            ],
            "DefaultCacheBehavior":
            cloudfront.DefaultCacheBehavior(
                AllowedMethods=["GET", "HEAD"],
                Compress=False,
                DefaultTTL="86400",
                ForwardedValues=cloudfront.ForwardedValues(
                    Cookies=cloudfront.Cookies(Forward="none"),
                    QueryString=False),
                LambdaFunctionAssociations=lambda_function_associations,
                TargetOriginId="S3Origin",
                ViewerProtocolPolicy="redirect-to-https",
            ),
            "DefaultRootObject":
            "index.html",
            "Logging":
            self.add_logging_bucket(),
            "PriceClass":
            self.variables["PriceClass"],
            "CustomErrorResponses": [
                cloudfront.CustomErrorResponse(
                    ErrorCode=response["ErrorCode"],
                    ResponseCode=response["ResponseCode"],
                    ResponsePagePath=response["ResponsePagePath"],
                ) for response in self.variables["custom_error_responses"]
            ],
            "Enabled":
            True,
            "WebACLId":
            self.add_web_acl(),
            "ViewerCertificate":
            self.add_acm_cert(),
        }
예제 #24
0
     ),
     TargetOriginId=Sub(
         '${domain}${path}', **{
             'domain': Ref(static_domain),
             'path': Ref(static_path)
         }),
     ViewerProtocolPolicy='redirect-to-https',
 ),
 Enabled=True,
 Origins=[
     cloudfront.Origin(
         Id=Sub(
             '${domain}${path}', **{
                 'domain': Ref(static_domain),
                 'path': Ref(static_path)
             }),
         DomainName=Ref(static_domain),
         OriginPath=Ref(static_path),
         CustomOriginConfig=cloudfront.CustomOrigin(
             OriginProtocolPolicy='https-only'),
     ),
     cloudfront.Origin(
         Id=Sub(
             '${domain}${path}', **{
                 'domain': Ref(media_domain),
                 'path': Ref(media_path)
             }),
         DomainName=Ref(media_domain),
         OriginPath=Ref(media_path),
         CustomOriginConfig=cloudfront.CustomOrigin(
             OriginProtocolPolicy='https-only'),
예제 #25
0
파일: trop.py 프로젝트: swipswaps/builder
def render_cloudfront(context, template, origin_hostname):
    """Add a CloudFront distribution, plus its DNS records, to *template*.

    Everything is driven by ``context['cloudfront']``: the configured
    ``origins`` (or, when there are none, a single origin in front of
    ``origin_hostname``), an optional ``errors`` origin serving custom error
    pages, optional access ``logging``, the whitelisted ``cookies`` and
    ``headers`` forwarded on the default behaviour, and the IAM certificate
    used for HTTPS (SNI only). Every origin is fetched over HTTPS, except the
    error-page origin, which follows ``errors['protocol']``.

    Args:
        context: the rendered project context (a dict).
        template: the troposphere ``Template`` that receives the resources.
        origin_hostname: hostname fronted by the CDN when no custom origins
            are configured.
    """
    cf = context['cloudfront']

    # With no custom origins the CDN fronts the stack's own public hostname,
    # so that hostname has to exist.
    if not cf['origins']:
        ensure(
            context['full_hostname'],
            "A public hostname is required to be pointed at by the Cloudfront CDN"
        )

    aliases = cf['subdomains'] + cf['subdomains-without-dns']

    def _origin(hostname, origin_id, protocol='https-only'):
        # Plain custom origin; a public bucket gains nothing from S3Origin.
        return cloudfront.Origin(
            DomainName=hostname,
            Id=origin_id,
            CustomOriginConfig=cloudfront.CustomOrigin(
                HTTPSPort=443,
                OriginProtocolPolicy=protocol))

    def _forward_cookies(names):
        # Forward only an explicit whitelist; an empty list forwards nothing.
        if not names:
            return cloudfront.Cookies(Forward='none')
        return cloudfront.Cookies(Forward='whitelist', WhitelistedNames=names)

    def _path_behavior(origin_id, pattern, headers=None, cookies=None):
        # NOTE(review): per-path behaviours allow plain HTTP while the default
        # behaviour redirects to HTTPS; looks deliberate for error/media
        # paths -- confirm with the owners.
        return cloudfront.CacheBehavior(
            TargetOriginId=origin_id,
            DefaultTTL=cf['default-ttl'],
            ForwardedValues=cloudfront.ForwardedValues(
                Cookies=_forward_cookies(cookies),
                QueryString=False,
                Headers=headers or []),
            PathPattern=pattern,
            ViewerProtocolPolicy='allow-all',
        )

    if cf['origins']:
        origins = [
            _origin(o['hostname'], o_id) for o_id, o in cf['origins'].items()
        ]
        # The first configured origin serves the default behaviour.
        default_origin_id = origins[0].Id
    else:
        default_origin_id = CLOUDFRONT_TITLE + 'Origin'
        origins = [_origin(origin_hostname, default_origin_id)]

    default_behavior = cloudfront.DefaultCacheBehavior(
        AllowedMethods=[
            'DELETE', 'GET', 'HEAD', 'OPTIONS', 'PATCH', 'POST', 'PUT'
        ],
        CachedMethods=['GET', 'HEAD'],
        Compress=cf['compress'],
        DefaultTTL=cf['default-ttl'],
        TargetOriginId=default_origin_id,
        ForwardedValues=cloudfront.ForwardedValues(
            Cookies=_forward_cookies(cf['cookies']),
            Headers=cf['headers'],  # 'whitelisted' headers
            QueryString=True),
        ViewerProtocolPolicy='redirect-to-https',
    )

    # CloudFront evaluates CacheBehaviors in order (first match wins), so the
    # list is filled in the same order as before: error pages, then origins.
    cache_behaviors = []
    props = {
        'Aliases': aliases,
        'CacheBehaviors': cache_behaviors,
        'DefaultCacheBehavior': default_behavior,
        'Enabled': True,
        'HttpVersion': 'http2',
        'Origins': origins,
        'ViewerCertificate': cloudfront.ViewerCertificate(
            IamCertificateId=cf['certificate_id'],
            SslSupportMethod='sni-only'),
    }

    errors = cf['errors']
    if errors:
        error_protocol = ('https-only'
                          if errors['protocol'] == 'https' else 'http-only')
        origins.append(
            _origin(errors['domain'], CLOUDFRONT_ERROR_ORIGIN_ID, error_protocol))
        cache_behaviors.append(
            _path_behavior(CLOUDFRONT_ERROR_ORIGIN_ID, errors['pattern']))
        props['CustomErrorResponses'] = [
            cloudfront.CustomErrorResponse(ErrorCode=code,
                                           ResponseCode=code,
                                           ResponsePagePath=page)
            for code, page in errors['codes'].items()
        ]

    log_cfg = cf['logging']
    if log_cfg:
        props['Logging'] = cloudfront.Logging(
            Bucket="%s.s3.amazonaws.com" % log_cfg['bucket'],
            Prefix="%s/" % context['stackname'])

    if cf['origins']:
        cache_behaviors.extend(
            _path_behavior(o_id,
                           o['pattern'],
                           headers=o['headers'],
                           cookies=o['cookies'])
            for o_id, o in cf['origins'].items()
            if o['pattern'])

    template.add_resource(
        cloudfront.Distribution(
            CLOUDFRONT_TITLE,
            DistributionConfig=cloudfront.DistributionConfig(**props)))

    for dns in external_dns_cloudfront(context):
        template.add_resource(dns)
 DistributionConfig=cloudfront.DistributionConfig(
     Comment="Example distribution for restricted access",
     Aliases=[
         Join('.', [Ref(param_label),
                    Ref(param_hosted_zone_name)])
     ],
     Enabled=True,
     IPV6Enabled=True,
     HttpVersion='http2',
     PriceClass='PriceClass_100',
     Origins=[
         cloudfront.Origin(
             # Your usual config goes here
             Id="RealOrigin",
             DomainName="ifconfig.io",
             CustomOriginConfig=cloudfront.CustomOrigin(
                 HTTPPort=80,
                 HTTPSPort=443,
                 OriginProtocolPolicy='https-only',
                 OriginSSLProtocols=['TLSv1.2', 'TLSv1.1', 'TLSv1']),
         ),
         cloudfront.Origin(
             # You need to add this origin
             Id="Authorizer",
             DomainName=ImportValue(
                 Sub('${' + authorizer_stack.title + '}-domain-name')),
             CustomOriginConfig=cloudfront.CustomOrigin(
                 HTTPPort=80,
                 HTTPSPort=443,
                 OriginProtocolPolicy='https-only',
                 OriginSSLProtocols=['TLSv1.2', 'TLSv1.1', 'TLSv1']),
         ),