from typing import Optional

from aws_cdk import (
    Aws,
    RemovalPolicy,
    aws_apigatewayv2 as apigw,
    aws_certificatemanager as acm,
    aws_cloudfront as cloudfront,
    aws_cloudfront_origins as origins,
    aws_s3 as s3,
)
from constructs import Construct
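class CloudfrontDistribution(Construct):
    """CloudFront distribution in front of either an S3 website or an HTTP API.

    ``origin_type`` selects one of two layouts:

    * ``"s3"`` — an origin group of ``website_s3_bucket`` (primary) and
      ``backup_website_s3_bucket`` (fallback), reached through an Origin
      Access Control (OAC) that SigV4-signs every origin request; serves
      ``index.html`` and maps 403/404 to a shared ``/error.html``.
    * ``"http"`` — a single HTTPS-only origin pointing at the ``execute-api``
      hostname of ``api_gateway``, with caching disabled and a wildcard-origin
      CORS response-headers policy for a contact-form intake.

    Both layouts serve ``domain_name`` and ``www.{domain_name}`` with the
    supplied ACM ``certificate``, redirect plain-HTTP viewers to HTTPS, use
    price class 100 and deny viewers geolocated in ``RU``.

    The resulting L2 construct is exposed as ``self.cf_distribution``.

    Args:
        scope: Parent construct.
        id: Construct id.
        domain_name: Apex domain the distribution answers for (``www.`` is added).
        origin_type: ``"s3"`` or ``"http"``.
        certificate: ACM certificate covering ``domain_name`` and ``www.{domain_name}``.
        website_s3_bucket: Primary content bucket (required for ``"s3"``).
        backup_website_s3_bucket: Fallback content bucket (required for ``"s3"``).
        api_gateway: HTTP API to front (required for ``"http"``).

    Raises:
        ValueError: if ``origin_type`` is not supported, or the origin
            resources that layout needs were not supplied. Previously an
            unknown ``origin_type`` silently left ``cf_distribution`` unset.
    """

    _SUPPORTED_ORIGIN_TYPES = ("s3", "http")

    def __init__(
        self,
        scope: Construct,
        id: str,
        domain_name: str,
        origin_type: str,
        certificate: acm.Certificate,
        website_s3_bucket: Optional[s3.Bucket] = None,
        backup_website_s3_bucket: Optional[s3.Bucket] = None,
        api_gateway: Optional[apigw.CfnApi] = None,
        **kwargs,
    ) -> None:
        super().__init__(scope, id, **kwargs)

        if origin_type == "s3":
            if website_s3_bucket is None or backup_website_s3_bucket is None:
                raise ValueError(
                    "origin_type 's3' requires website_s3_bucket and backup_website_s3_bucket"
                )
            self.cf_distribution = self._build_s3_distribution(
                domain_name, certificate, website_s3_bucket, backup_website_s3_bucket
            )
        elif origin_type == "http":
            if api_gateway is None:
                raise ValueError("origin_type 'http' requires api_gateway")
            self.cf_distribution = self._build_http_distribution(
                domain_name, certificate, api_gateway
            )
        else:
            raise ValueError(
                f"unsupported origin_type {origin_type!r}; "
                f"expected one of {self._SUPPORTED_ORIGIN_TYPES}"
            )

    @staticmethod
    def _common_distribution_props(
        domain_name: str, certificate: acm.Certificate
    ) -> dict:
        """Distribution settings shared by both origin layouts."""
        return {
            "domain_names": [domain_name, f"www.{domain_name}"],
            "certificate": certificate,
            "comment": f"Distribution for {domain_name}",
            # Cheapest edge set (North America and Europe only).
            "price_class": cloudfront.PriceClass.PRICE_CLASS_100,
            # Viewer-side geo block; applies only to traffic that reaches the
            # distribution, not to the origin itself.
            "geo_restriction": cloudfront.GeoRestriction.denylist("RU"),
        }

    def _build_s3_distribution(
        self,
        domain_name: str,
        certificate: acm.Certificate,
        website_s3_bucket: s3.Bucket,
        backup_website_s3_bucket: s3.Bucket,
    ) -> cloudfront.Distribution:
        """Create the static-website distribution over an S3 origin group."""
        # OAC: CloudFront SigV4-signs every origin request ("always"), so the
        # bucket can stay private and trust the cloudfront.amazonaws.com
        # service principal instead of an OAI. The bucket policy that grants
        # that principal is not created here.
        # NOTE(review): confirm the bucket policy is granted elsewhere and is
        # conditioned on this distribution's ARN (AWS:SourceArn).
        cf_oac = cloudfront.CfnOriginAccessControl(
            self,
            "OriginAccessControl",
            origin_access_control_config=cloudfront.CfnOriginAccessControl.OriginAccessControlConfigProperty(
                name="OriginAccessControl",
                origin_access_control_origin_type="s3",
                signing_behavior="always",
                signing_protocol="sigv4",
                description=f"Origin Access Control for {domain_name}.",
            ),
        )

        distribution = cloudfront.Distribution(
            self,
            "WebsiteDistribution",
            default_behavior=cloudfront.BehaviorOptions(
                # Primary bucket first; CloudFront fails over to the backup
                # bucket when the primary returns an error.
                origin=origins.OriginGroup(
                    primary_origin=origins.S3Origin(bucket=website_s3_bucket),
                    fallback_origin=origins.S3Origin(bucket=backup_website_s3_bucket),
                ),
                viewer_protocol_policy=cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
                # Static content: read-only verbs only.
                allowed_methods=cloudfront.AllowedMethods.ALLOW_GET_HEAD,
                cached_methods=cloudfront.CachedMethods.CACHE_GET_HEAD,
                cache_policy=cloudfront.CachePolicy.CACHING_OPTIMIZED,
                # AWS managed policy that adds the standard browser security
                # headers (HSTS, X-Content-Type-Options, X-Frame-Options, ...).
                response_headers_policy=cloudfront.ResponseHeadersPolicy.SECURITY_HEADERS,
            ),
            # A private bucket answers 403 (not 404) for a missing key, so both
            # codes map to the same page; the status code itself is preserved.
            error_responses=[
                cloudfront.ErrorResponse(
                    http_status=404,
                    response_page_path="/error.html",
                ),
                cloudfront.ErrorResponse(
                    http_status=403,
                    response_page_path="/error.html",
                ),
            ],
            default_root_object="index.html",
            enabled=True,
            **self._common_distribution_props(domain_name, certificate),
        )
        distribution.apply_removal_policy(RemovalPolicy.DESTROY)

        # Escape hatch to the L1 resource: S3Origin wires the origin to an
        # OAI, which the two overrides below swap for the OAC on origin
        # index 0 (presumably the primary bucket).
        # NOTE(review): origin index 1 (the fallback bucket) is not overridden
        # and keeps its OAI, and the OAI S3Origin set up for index 0 (with its
        # bucket-policy grant) is left in place — confirm this is intended.
        cfn_website_distribution = distribution.node.default_child
        cfn_website_distribution.add_property_override(
            "DistributionConfig.Origins.0.OriginAccessControlId",
            cf_oac.get_att("Id"),
        )
        cfn_website_distribution.add_property_override(
            "DistributionConfig.Origins.0.S3OriginConfig.OriginAccessIdentity",
            "",
        )
        return distribution

    def _build_http_distribution(
        self,
        domain_name: str,
        certificate: acm.Certificate,
        api_gateway: apigw.CfnApi,
    ) -> cloudfront.Distribution:
        """Create the contact-form intake distribution over an HTTP API origin."""
        # Wildcard-origin CORS with credentials disabled (the combination the
        # browser accepts); origin_override=True makes these headers replace
        # any CORS headers the API itself returns.
        response_headers_policy = cloudfront.ResponseHeadersPolicy(
            self,
            "ResponseHeadersPolicy",
            comment=f"Response headers policy for {domain_name}",
            cors_behavior=cloudfront.ResponseHeadersCorsBehavior(
                access_control_allow_credentials=False,
                access_control_allow_headers=["*"],
                access_control_allow_methods=["POST", "OPTIONS"],
                access_control_allow_origins=["*"],
                origin_override=True,
            ),
        )

        # NOTE(review): the execute-api hostname is reachable without going
        # through CloudFront, so the geo restriction and the response headers
        # above only cover traffic via this distribution — confirm the API is
        # restricted to CloudFront-originated requests elsewhere.
        return cloudfront.Distribution(
            self,
            "ContactFormIntakeDistribution",
            default_behavior=cloudfront.BehaviorOptions(
                origin=origins.HttpOrigin(
                    # Regional execute-api endpoint of the HTTP API; Aws.REGION
                    # is resolved at deploy time.
                    domain_name=f"{api_gateway.attr_api_id}.execute-api.{Aws.REGION}.amazonaws.com",
                    protocol_policy=cloudfront.OriginProtocolPolicy.HTTPS_ONLY,
                    # Unused: HTTPS_ONLY means CloudFront never connects on 80.
                    http_port=80,
                    https_port=443,
                    origin_id=domain_name,
                ),
                # Form submissions are POSTs, so all verbs must pass through.
                allowed_methods=cloudfront.AllowedMethods.ALLOW_ALL,
                cached_methods=cloudfront.CachedMethods.CACHE_GET_HEAD,
                viewer_protocol_policy=cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
                cache_policy=cloudfront.CachePolicy.CACHING_DISABLED,
                # Forward query strings, cookies and headers, but let CloudFront
                # set Host to the execute-api hostname the API expects.
                origin_request_policy=cloudfront.OriginRequestPolicy.ALL_VIEWER_EXCEPT_HOST_HEADER,
                response_headers_policy=response_headers_policy,
            ),
            **self._common_distribution_props(domain_name, certificate),
        )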