use new L2 constructs for FunctionUrlOrigin and S3BucketOrigin

explore-flights · Oct 22, 2024 · 1a448d2 · 1a448d2
1 parent a186bbd
commit 1a448d2
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 132 deletions.
diff --git a/cdk/lib/constructs/api-lambda-construct.ts b/cdk/lib/constructs/api-lambda-construct.ts
@@ -96,8 +96,7 @@ export class ApiLambdaConstruct extends Construct {
 
     this.functionURL = new FunctionUrl(this, 'ApiLambdaFunctionUrl', {
       function: lambda,
-      // https://github.com/pwrdrvr/lambda-url-signing check later
-      authType: FunctionUrlAuthType.NONE,
+      authType: FunctionUrlAuthType.AWS_IAM,
       invokeMode: InvokeMode.RESPONSE_STREAM,
     });
   }

diff --git a/cdk/lib/constructs/cloudfront-construct.ts b/cdk/lib/constructs/cloudfront-construct.ts
@@ -1,26 +1,29 @@
 import { Construct } from 'constructs';
 import {
+  AccessLevel,
   AllowedMethods,
-  CachePolicy, CfnOriginAccessControl,
-  Distribution, Function, FunctionCode, FunctionEventType, FunctionRuntime, HeadersFrameOption,
+  CachePolicy,
+  Distribution,
+  Function,
+  FunctionCode,
+  FunctionEventType,
+  FunctionRuntime,
+  HeadersFrameOption,
   HttpVersion,
   IDistribution,
-  OriginProtocolPolicy,
-  OriginRequestCookieBehavior,
-  OriginRequestHeaderBehavior,
   OriginRequestPolicy,
-  OriginRequestQueryStringBehavior,
   PriceClass,
   ResponseHeadersPolicy,
+  S3OriginAccessControl,
   SecurityPolicyProtocol,
+  Signing,
   ViewerProtocolPolicy
 } from 'aws-cdk-lib/aws-cloudfront';
-import { HttpOrigin } from 'aws-cdk-lib/aws-cloudfront-origins';
+import { FunctionUrlOrigin, S3BucketOrigin } from 'aws-cdk-lib/aws-cloudfront-origins';
 import { Certificate } from 'aws-cdk-lib/aws-certificatemanager';
-import { Duration, Fn, Stack } from 'aws-cdk-lib';
+import { Duration, Stack } from 'aws-cdk-lib';
 import { IFunctionUrl } from 'aws-cdk-lib/aws-lambda';
-import { Bucket, IBucket } from 'aws-cdk-lib/aws-s3';
-import { S3OriginWithOAC } from './s3-origin-with-oac';
+import { IBucket } from 'aws-cdk-lib/aws-s3';
 
 export interface CloudfrontConstructProps {
   domain: string;
@@ -81,34 +84,14 @@ export class CloudfrontConstruct extends Construct {
     });
     // endregion
 
-    // region OriginRequestPolicy -  which headers, cookies and query params should be forwarded to the origin
-    const allExceptHostOriginRequestPolicy = new OriginRequestPolicy(this, 'AllExceptHostORP', {
-      headerBehavior: OriginRequestHeaderBehavior.denyList('Host'),
-      cookieBehavior: OriginRequestCookieBehavior.all(),
-      queryStringBehavior: OriginRequestQueryStringBehavior.all(),
-    });
-    // endregion
-
     // region origins
-    const apiLambdaOrigin = new HttpOrigin(Fn.select(2, Fn.split('/', props.apiLambdaFunctionURL.url)), {
-      protocolPolicy: OriginProtocolPolicy.HTTPS_ONLY,
+    const apiLambdaOrigin = new FunctionUrlOrigin(props.apiLambdaFunctionURL, {
       customHeaders: { Forwarded: `host=${props.domain};proto=https` },
       originShieldEnabled: true,
       originShieldRegion: Stack.of(this).region,
     });
     // endregion
 
-    const uiResourcesOAC = new CfnOriginAccessControl(this, 'UIResourcesOAC', {
-      originAccessControlConfig: {
-        // these names must be unique
-        name: `${this.node.path.replace('/', '-')}-UIResourcesOAC`,
-        description: 'OAC to access UI resources bucket',
-        originAccessControlOriginType: 's3',
-        signingBehavior: 'always',
-        signingProtocol: 'sigv4',
-      },
-    });
-
     this.distribution = new Distribution(this, 'Distribution', {
       priceClass: PriceClass.PRICE_CLASS_ALL,
       httpVersion: HttpVersion.HTTP2_AND_3,
@@ -126,11 +109,13 @@ export class CloudfrontConstruct extends Construct {
       ),
       minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2021,
       defaultBehavior: {
-        origin: new S3OriginWithOAC(
-          // prevent CF from adding its OriginAccessIdentity to the BucketPolicy since we're using OriginAccessControl (see below)
-          Bucket.fromBucketName(this, 'UIResourcesBucketCopy', props.uiResourcesBucket.bucketName),
-          { oacId: uiResourcesOAC.getAtt('Id') },
-        ),
+        origin: S3BucketOrigin.withOriginAccessControl(props.uiResourcesBucket, {
+          originAccessControl: new S3OriginAccessControl(this, 'UIResourcesOAC', {
+            description: 'OAC to access UI resources bucket',
+            signing: Signing.SIGV4_ALWAYS,
+          }),
+          originAccessLevels: [AccessLevel.READ],
+        }),
         compress: true,
         viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
         allowedMethods: AllowedMethods.ALLOW_GET_HEAD,
@@ -161,7 +146,7 @@ export class CloudfrontConstruct extends Construct {
           viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
           allowedMethods: AllowedMethods.ALLOW_ALL,
           cachePolicy: CachePolicy.CACHING_DISABLED,
-          originRequestPolicy: allExceptHostOriginRequestPolicy,
+          originRequestPolicy: OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
           responseHeadersPolicy: noCacheResponseHeadersPolicy,
         },
         '/auth/*': {
@@ -170,7 +155,7 @@ export class CloudfrontConstruct extends Construct {
           viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
           allowedMethods: AllowedMethods.ALLOW_ALL,
           cachePolicy: CachePolicy.CACHING_DISABLED,
-          originRequestPolicy: allExceptHostOriginRequestPolicy,
+          originRequestPolicy: OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
           responseHeadersPolicy: noCacheResponseHeadersPolicy,
         },
         '/data/*': {
@@ -179,7 +164,7 @@ export class CloudfrontConstruct extends Construct {
           viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
           allowedMethods: AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
           cachePolicy: CachePolicy.CACHING_OPTIMIZED,
-          originRequestPolicy: allExceptHostOriginRequestPolicy,
+          originRequestPolicy: OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
           responseHeadersPolicy: cacheOverridableResponseHeadersPolicy,
         },
       },

diff --git a/cdk/lib/constructs/s3-origin-with-oac.ts b/cdk/lib/constructs/s3-origin-with-oac.ts
diff --git a/cdk/lib/constructs/ui-resources-construct.ts b/cdk/lib/constructs/ui-resources-construct.ts
@@ -3,7 +3,6 @@ import { IDistribution } from 'aws-cdk-lib/aws-cloudfront';
 import { BlockPublicAccess, Bucket, BucketEncryption, IBucket } from 'aws-cdk-lib/aws-s3';
 import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';
 import { Construct } from 'constructs';
-import { CloudfrontUtil } from '../util/util';
 
 export type UIResourcesConstructProps = Record<string, unknown>;
 
@@ -22,10 +21,6 @@ export class UIResourcesConstruct extends Construct {
     });
   }
 
-  public grantRead(distribution: IDistribution, prefix: string = ''): void {
-    CloudfrontUtil.addCloudfrontOACToResourcePolicy(this.bucket, distribution, prefix, true);
-  }
-
   public deployResourcesZip(resourcesZipPath: string, distribution: IDistribution): void {
     new BucketDeployment(this, 'Deployment', {
       destinationBucket: this.bucket,

diff --git a/cdk/lib/stacks/website-stack.ts b/cdk/lib/stacks/website-stack.ts
@@ -55,7 +55,6 @@ export class WebsiteStack extends cdk.Stack {
       apiLambdaFunctionURL: api.functionURL,
     });
 
-    uiResources.grantRead(cf.distribution);
     uiResources.deployResourcesZip(props.uiResourcesZipPath, cf.distribution);
 
     this.distribution = cf.distribution;

diff --git a/cdk/lib/util/util.ts b/cdk/lib/util/util.ts