try fix BucketPolicy deployment

explore-flights · May 4, 2024 · fede4c4 · fede4c4
1 parent f1a0d70
commit fede4c4
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 22 deletions.
diff --git a/cdk/lib/constructs/cloudfront-construct.ts b/cdk/lib/constructs/cloudfront-construct.ts
@@ -1,7 +1,7 @@
 import { Construct } from 'constructs';
 import {
   AllowedMethods,
-  CachePolicy, CfnDistribution, CfnOriginAccessControl,
+  CachePolicy, CfnOriginAccessControl,
   Distribution, Function, FunctionCode, FunctionEventType, FunctionRuntime, HeadersFrameOption,
   HttpVersion,
   IDistribution,
@@ -15,11 +15,12 @@ import {
   SecurityPolicyProtocol,
   ViewerProtocolPolicy
 } from 'aws-cdk-lib/aws-cloudfront';
-import { HttpOrigin, S3Origin } from 'aws-cdk-lib/aws-cloudfront-origins';
+import { HttpOrigin } from 'aws-cdk-lib/aws-cloudfront-origins';
 import { Certificate } from 'aws-cdk-lib/aws-certificatemanager';
 import { Duration, Fn, Stack } from 'aws-cdk-lib';
 import { IFunctionUrl } from 'aws-cdk-lib/aws-lambda';
-import { IBucket } from 'aws-cdk-lib/aws-s3';
+import { Bucket, IBucket } from 'aws-cdk-lib/aws-s3';
+import { S3OriginWithOAC } from './s3-origin-with-oac';
 
 export interface CloudfrontConstructProps {
   domain: string;
@@ -78,8 +79,16 @@ export class CloudfrontConstruct extends Construct {
     });
     // endregion
 
-    // region
-    // endregion
+    const uiResourcesOAC = new CfnOriginAccessControl(this, 'UIResourcesOAC', {
+      originAccessControlConfig: {
+        // these names must be unique
+        name: `${this.node.path.replace('/', '-')}-UIResourcesOAC`,
+        description: 'OAC to access UI resources bucket',
+        originAccessControlOriginType: 's3',
+        signingBehavior: 'always',
+        signingProtocol: 'sigv4',
+      },
+    });
 
     this.distribution = new Distribution(this, 'Distribution', {
       priceClass: PriceClass.PRICE_CLASS_ALL,
@@ -98,7 +107,11 @@ export class CloudfrontConstruct extends Construct {
       ),
       minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2021,
       defaultBehavior: {
-        origin: new S3Origin(props.uiResourcesBucket),
+        origin: new S3OriginWithOAC(
+          // prevent CF from adding its OriginAccessIdentity to the BucketPolicy since we're using OriginAccessControl (see below)
+          Bucket.fromBucketName(this, 'UIResourcesBucketCopy', props.uiResourcesBucket.bucketName),
+          { oacId: uiResourcesOAC.getAtt('Id') },
+        ),
         compress: true,
         viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
         allowedMethods: AllowedMethods.ALLOW_GET_HEAD,
@@ -141,22 +154,6 @@ export class CloudfrontConstruct extends Construct {
       enableLogging: false,
       enabled: true,
     });
-
-    const uiResourcesOAC = new CfnOriginAccessControl(this, 'UIResourcesOAC', {
-      originAccessControlConfig: {
-        // these names must be unique
-        name: `${this.node.path.replace('/', '-')}-UIResourcesOAC`,
-        description: 'OAC to access UI resources bucket',
-        originAccessControlOriginType: 's3',
-        signingBehavior: 'always',
-        signingProtocol: 'sigv4',
-      },
-    });
-
-    // https://github.com/aws/aws-cdk/issues/21771
-    const cfnDistribution = this.distribution.node.defaultChild as CfnDistribution;
-    cfnDistribution.addPropertyOverride('DistributionConfig.Origins.0.OriginAccessControlId', uiResourcesOAC.getAtt('Id'));
-    cfnDistribution.addPropertyOverride('DistributionConfig.Origins.0.S3OriginConfig.OriginAccessIdentity', '');
   }
 }
 

diff --git a/cdk/lib/constructs/s3-origin-with-oac.ts b/cdk/lib/constructs/s3-origin-with-oac.ts
@@ -0,0 +1,37 @@
+import { S3Origin, S3OriginProps } from 'aws-cdk-lib/aws-cloudfront-origins';
+import { IBucket } from 'aws-cdk-lib/aws-s3';
+import { Reference } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { OriginBindConfig, OriginBindOptions } from 'aws-cdk-lib/aws-cloudfront';
+
+export type S3OriginWithOACProps = S3OriginProps & {
+  oacId: Reference;
+};
+
+export class S3OriginWithOAC extends S3Origin {
+  private readonly oacId: Reference;
+
+  constructor(bucket: IBucket, props: S3OriginWithOACProps) {
+    super(bucket, props);
+    this.oacId = props.oacId;
+  }
+
+  public bind(scope: Construct, options: OriginBindOptions): OriginBindConfig {
+    const originConfig = super.bind(scope, options);
+    if (!originConfig.originProperty) {
+      throw new Error('originProperty is required');
+    }
+
+    return {
+      ...originConfig,
+      originProperty: {
+        ...originConfig.originProperty,
+        originAccessControlId: this.oacId.toString(), // Adds OAC to S3 origin config
+        s3OriginConfig: {
+          ...originConfig.originProperty.s3OriginConfig,
+          originAccessIdentity: '', // removes OAI from S3 origin config
+        },
+      },
+    };
+  }
+}