From 7f13a351c0d8cf77fe127739b0796b0cf551c9d1 Mon Sep 17 00:00:00 2001
From: Gowri
Date: Tue, 26 Sep 2023 16:15:58 +0930
Subject: [PATCH] DO-1531: add origin access identity and fix typo
---
 packages/static-hosting/lib/path-remap.ts | 2 +-
 packages/static-hosting/lib/static-hosting.ts | 21 ++++++++++++++-----
 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/packages/static-hosting/lib/path-remap.ts b/packages/static-hosting/lib/path-remap.ts
index 332159c6..5b9bc9ed 100644
--- a/packages/static-hosting/lib/path-remap.ts
+++ b/packages/static-hosting/lib/path-remap.ts
@@ -50,7 +50,7 @@ export class PathRemapFunction extends Construct {
 this,
 `${id}-edge-function`,
 {
- code: Code.fromAsset(join(__dirname, "edge-handlers"), {
+ code: Code.fromAsset(join(__dirname, "handlers"), {
 assetHashType: AssetHashType.OUTPUT,
 bundling: {
 command,
diff --git a/packages/static-hosting/lib/static-hosting.ts b/packages/static-hosting/lib/static-hosting.ts
index dc94e7da..4eaa977b 100644
--- a/packages/static-hosting/lib/static-hosting.ts
+++ b/packages/static-hosting/lib/static-hosting.ts
@@ -20,6 +20,7 @@ import {
 CacheHeaderBehavior,
 IResponseHeadersPolicy,
 LambdaEdgeEventType,
+ OriginAccessIdentity,
 } from "aws-cdk-lib/aws-cloudfront";
 import { HttpOrigin, S3Origin } from "aws-cdk-lib/aws-cloudfront-origins";
 import {
@@ -144,6 +145,7 @@ export class StaticHosting extends Construct {
 const siteNameArray: Array = [siteName];
 const enforceSSL = props.enforceSSL !== false;
 const enableStaticFileRemap = props.enableStaticFileRemap !== false;
+ const defaultRootObject = props.defaultRootObject ?? "/index.html";
 const errorResponsePagePath = props.errorResponsePagePath ?? "/index.html";
 const disableCSP = props.disableCSP === true;
 
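Review bot: The new default `"/index.html"` for `defaultRootObject` carries a leading slash, but CloudFront documents DefaultRootObject as a bare object name (for example `index.html`, "don't add a slash before the object name"), unlike `errorResponsePagePath` on the next line, which is a path. Unless a deployed stack has confirmed CloudFront tolerates the slash, use `const defaultRootObject = props.defaultRootObject ?? "index.html";` and mark the asymmetry: `// CloudFront expects a bare object name here (no leading "/"), unlike the error page path below.` A caller-supplied `props.defaultRootObject` is passed through unchanged, so the same question applies to values like `"/index.html"` from callers; either strip a leading slash or state the expected form in the props documentation. The enclosing constructor continues outside the hunk.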
@@ -178,6 +180,12 @@ export class StaticHosting extends Construct {
 ...props.s3ExtendedProps,
 });
 
+ const oai = new OriginAccessIdentity(this, "OriginAccessIdentity", {
+ comment: "Allow CloudFront to access S3",
+ });
+
+ bucket.grantRead(oai);
+
 new CfnOutput(this, "Bucket", {
 description: "BucketName",
 value: bucket.bucketName,
@@ -227,6 +235,8 @@ export class StaticHosting extends Construct {
 : undefined;
 
 if (loggingBucket) {
+ loggingBucket.grantWrite(oai);
+
 new CfnOutput(this, "LoggingBucketName", {
 description: "CloudFront Logs",
 value: loggingBucket.bucketName,
@@ -234,7 +244,9 @@ export class StaticHosting extends Construct {
 });
 }
 
- const s3Origin = new S3Origin(bucket);
+ const s3Origin = new S3Origin(bucket, {
+ originAccessIdentity: oai,
+ });
 
 let backendOrigin = undefined;
 const originRequestPolicy = new OriginRequestPolicy(
@@ -298,6 +310,7 @@ export class StaticHosting extends Construct {
 for (const path of props.remapBackendPaths) {
 additionalBehaviors[path.from] = {
 origin: backendOrigin,
+ viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
 edgeLambdas: this.createRemapBehavior(path.from, path.to),
 };
 }
@@ -334,8 +347,6 @@ export class StaticHosting extends Construct {
 }
 }
 
- const mergedAdditionalBehaviors = {};
-
 // If additional behaviours are provided via props, then merge, overriding generated behaviours if required.
 if (props.additionalBehaviors) {
 Object.assign(additionalBehaviors, props.additionalBehaviors);
@@ -344,7 +355,7 @@ export class StaticHosting extends Construct {
 const distributionProps: DistributionProps = {
 domainNames: domainNames,
 webAclId: props.webAclArn,
- defaultRootObject: props.defaultRootObject,
+ defaultRootObject: defaultRootObject,
 httpVersion: HttpVersion.HTTP3,
 sslSupportMethod: SSLMethod.SNI,
 priceClass: PriceClass.PRICE_CLASS_ALL,
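Review bot: `bucket.grantRead(oai)` only confines reads to CloudFront if the bucket is not otherwise readable, and the bucket definition starts above the hunk with `...props.s3ExtendedProps` as the last visible entry, so a caller can presumably still pass `publicReadAccess: true` or a relaxed `blockPublicAccess` and bypass the OAI entirely; either reject those keys or make sure the construct's own public-access settings are applied after the spread, and record the assumption at the grant: `// Objects are served only through the OAI; the bucket must stay non-public (see bucket props above).` Separately, `grantRead` adds `s3:GetBucket*` and `s3:List*` on top of `s3:GetObject*`, whereas CloudFront needs only `s3:GetObject` on `bucket.arnForObjects("*")`; a single `addToResourcePolicy` statement for `oai.grantPrincipal` with that action and resource would be least-privilege (the CDK `S3Origin` default makes the same broad grant, so this is hardening rather than a regression). Note that granting `s3:ListBucket` also changes S3's answer for a missing key from 403 to 404, which matters if the error-response mapping elsewhere in this constructor assumes one or the other. The enclosing constructor continues outside the hunk.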
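Review bot: `loggingBucket.grantWrite(oai)` gives the origin access identity `s3:PutObject`, `s3:DeleteObject*` and `s3:Abort*` on the log bucket, but an OAI is used by CloudFront only to fetch origin objects; if `loggingBucket` is wired in as the distribution's `logBucket` (its definition starts above the hunk), standard access-log delivery is performed by CloudFront's log-delivery canonical user via bucket ACLs, not by this principal. As far as I can see the grant is therefore dead permission that nevertheless lets the OAI delete logs, so drop the line. If log delivery was failing, the fix belongs on the logging bucket's ownership/ACL configuration (`ObjectOwnership.OBJECT_WRITER` or `BUCKET_OWNER_PREFERRED`) rather than on a grant to the OAI. The enclosing `if (loggingBucket)` block continues outside the hunk.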
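Review bot: Documentation point on `originAccessIdentity: oai`: this pins the S3 origin to the legacy OAI mechanism, which AWS now describes as superseded by origin access control (OAC), and which as I understand the AWS docs cannot read SSE-KMS-encrypted objects and is not available in the newest regions. If the pinned `aws-cdk-lib` version has no L2 OAC support yet this is acceptable, but leave a marker so it is revisited: `// TODO(DO-1531): OAI is legacy; migrate to Origin Access Control once the CDK version in use supports it.` The enclosing constructor continues outside the hunk.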
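Review bot: `viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS` is hard-coded on every backend remap behavior while the construct exposes an `enforceSSL` option (`const enforceSSL = props.enforceSSL !== false` in the earlier hunk); if the default behavior's viewer policy is derived from that flag, which is not visible here, the two now diverge whenever a caller sets `enforceSSL: false`. Either use one expression in both places, e.g. `viewerProtocolPolicy: enforceSSL ? ViewerProtocolPolicy.REDIRECT_TO_HTTPS : ViewerProtocolPolicy.ALLOW_ALL,`, or say in a comment why backend paths are forced to HTTPS regardless of the flag. `ViewerProtocolPolicy` is not added by this commit's import hunk, so it is presumably already imported above. The loop's enclosing conditional starts outside the hunk.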
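Review bot: Dropping `mergedAdditionalBehaviors = {}` (and passing `additionalBehaviors` through in the following hunk) means cache behaviors that were previously discarded — the generated remap behaviors and any caller-supplied `props.additionalBehaviors` — now reach the distribution, so existing stacks gain behaviors on their next deploy; that is a user-visible fix the commit title ("add origin access identity and fix typo") does not mention and should get a changelog entry. Because `Object.assign` replaces whole entries, a caller's `props.additionalBehaviors` can also substitute a remap behavior with one lacking `viewerProtocolPolicy` or `edgeLambdas`; if that is intended, make the existing comment say so: `// Caller-supplied behaviours replace generated ones wholesale, including their viewer protocol policy and edge lambdas.` The enclosing constructor continues outside the hunk.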
@@ -359,7 +370,7 @@ export class StaticHosting extends Construct {
 props.certificateArn
 ),
 defaultBehavior: defaultBehavior,
- additionalBehaviors: mergedAdditionalBehaviors,
+ additionalBehaviors: additionalBehaviors,
 errorResponses: props.enableErrorConfig ? errorResponses : [],
 };