fix (CloudFrontToMediaStore - use cloudfront function instead of lambda@edge) (#296)
hnishar committed Aug 9, 2021
1 parent 938ee6e commit 3fd2d00
Showing 11 changed files with 142 additions and 857 deletions.
Expand Up @@ -65,7 +65,7 @@ _Parameters_
|cloudFrontLoggingBucket|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html)|Returns an instance of s3.Bucket as the logging bucket for the CloudFront Web Distribution.|
|cloudFrontOriginRequestPolicy|[`cloudfront.OriginRequestPolicy`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.OriginRequestPolicy.html)|Returns an instance of cloudfront.OriginRequestPolicy created by the construct for the CloudFront Web Distribution.|
|cloudFrontOriginAccessIdentity?|[`cloudfront.OriginAccessIdentity`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.OriginAccessIdentity.html)|Returns an instance of cloudfront.OriginAccessIdentity created by the construct for the CloudFront Web Distribution origin custom headers and the MediaStore Container policy.|
|edgeLambdaFunctionVersion|[`lambda.Version`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-lambda.Version.html)|Returns an instance of the edge Lambda function version created by the pattern.|
|cloudFrontFunction?|[`cloudfront.Function`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.Function.html)|Returns an instance of the Cloudfront function created by the pattern.|

## Default settings

Expand Up @@ -14,7 +14,6 @@
import * as cloudfront from '@aws-cdk/aws-cloudfront';
import * as mediastore from '@aws-cdk/aws-mediastore';
import * as s3 from '@aws-cdk/aws-s3';
import * as lambda from '@aws-cdk/aws-lambda';
import * as defaults from '@aws-solutions-constructs/core';
import { Construct, Aws} from '@aws-cdk/core';

Expand Down Expand Up @@ -55,7 +54,7 @@ export class CloudFrontToMediaStore extends Construct {
public readonly cloudFrontLoggingBucket: s3.Bucket;
public readonly cloudFrontOriginRequestPolicy: cloudfront.OriginRequestPolicy;
public readonly cloudFrontOriginAccessIdentity?: cloudfront.OriginAccessIdentity;
public readonly edgeLambdaFunctionVersion?: lambda.Version;
public readonly cloudFrontFunction?: cloudfront.Function;

/**
* @summary Constructs a new instance of CloudFrontToMediaStore class.
Expand Down Expand Up @@ -122,7 +121,7 @@ export class CloudFrontToMediaStore extends Construct {
this.mediaStoreContainer = defaults.MediaStoreContainer(this, mediaStoreProps);
}

[this.cloudFrontWebDistribution, this.cloudFrontLoggingBucket, this.cloudFrontOriginRequestPolicy, this.edgeLambdaFunctionVersion]
[this.cloudFrontWebDistribution, this.cloudFrontLoggingBucket, this.cloudFrontOriginRequestPolicy, this.cloudFrontFunction]
= defaults.CloudFrontDistributionForMediaStore(this, this.mediaStoreContainer, cloudFrontDistributionProps, props.insertHttpSecurityHeaders);
}
}
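Review bot: The new public field `cloudFrontFunction?` is declared without a doc comment, and nothing in this hunk says when it is undefined; the test changed later in this commit expects it to be undefined when `insertHttpSecurityHeaders` is false, so that contract deserves to be written down at the declaration. Suggest `/** CloudFront Function that sets HTTP security headers on viewer responses; undefined when insertHttpSecurityHeaders is false. */` directly above `public readonly cloudFrontFunction?: cloudfront.Function;`. Removing `edgeLambdaFunctionVersion` outright also drops a public readonly member, so any consumer that read it breaks at compile time; a short migration note in the README or changelog would make that explicit, since the README row in this commit only swaps one entry for the other. The class body and constructor continue outside the hunk.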
Expand Up @@ -29,11 +29,14 @@ Object {
"OPTIONS",
],
"Compress": true,
"LambdaFunctionAssociations": Array [
"FunctionAssociations": Array [
Object {
"EventType": "origin-response",
"LambdaFunctionARN": Object {
"Ref": "testcloudfrontmediastoreSetHttpSecurityHeadersVersionE87B65C3",
"EventType": "viewer-response",
"FunctionARN": Object {
"Fn::GetAtt": Array [
"testcloudfrontmediastoreSetHttpSecurityHeaders9995A63D",
"FunctionARN",
],
},
},
],
Expand Down Expand Up @@ -307,149 +310,16 @@ Object {
"Type": "AWS::MediaStore::Container",
},
"testcloudfrontmediastoreSetHttpSecurityHeaders9995A63D": Object {
"DependsOn": Array [
"testcloudfrontmediastoreSetHttpSecurityHeadersServiceRoleDefaultPolicy73DF1407",
"testcloudfrontmediastoreSetHttpSecurityHeadersServiceRole2F1F5449",
],
"Metadata": Object {
"cfn_nag": Object {
"rules_to_suppress": Array [
Object {
"id": "W58",
"reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions.",
},
Object {
"id": "W89",
"reason": "This is not a rule for the general case, just for specific use cases/industries",
},
Object {
"id": "W92",
"reason": "Impossible for us to define the correct concurrency for clients",
},
],
},
},
"Properties": Object {
"Code": Object {
"ZipFile": "exports.handler = (event, context, callback) => { const response = event.Records[0].cf.response; const headers = response.headers; headers['x-xss-protection'] = [ { key: 'X-XSS-Protection', value: '1; mode=block' } ]; headers['x-frame-options'] = [ { key: 'X-Frame-Options', value: 'DENY' } ]; headers['x-content-type-options'] = [ { key: 'X-Content-Type-Options', value: 'nosniff' } ]; headers['strict-transport-security'] = [ { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubdomains; preload' } ]; headers['referrer-policy'] = [ { key: 'Referrer-Policy', value: 'same-origin' } ]; headers['content-security-policy'] = [ { key: 'Content-Security-Policy', value: \\"default-src 'none'; base-uri 'self'; img-src 'self'; script-src 'self'; style-src 'self' https:; object-src 'none'; frame-ancestors 'none'; font-src 'self' https:; form-action 'self'; manifest-src 'self'; connect-src 'self'\\" } ]; callback(null, response); };",
},
"Handler": "index.handler",
"Role": Object {
"Fn::GetAtt": Array [
"testcloudfrontmediastoreSetHttpSecurityHeadersServiceRole2F1F5449",
"Arn",
],
},
"Runtime": "nodejs12.x",
"TracingConfig": Object {
"Mode": "Active",
},
},
"Type": "AWS::Lambda::Function",
},
"testcloudfrontmediastoreSetHttpSecurityHeadersServiceRole2F1F5449": Object {
"Properties": Object {
"AssumeRolePolicyDocument": Object {
"Statement": Array [
Object {
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": Object {
"Service": "lambda.amazonaws.com",
},
},
Object {
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": Object {
"Service": "edgelambda.amazonaws.com",
},
},
],
"Version": "2012-10-17",
},
"Policies": Array [
Object {
"PolicyDocument": Object {
"Statement": Array [
Object {
"Action": Array [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
],
"Effect": "Allow",
"Resource": Object {
"Fn::Join": Array [
"",
Array [
"arn:",
Object {
"Ref": "AWS::Partition",
},
":logs:",
Object {
"Ref": "AWS::Region",
},
":",
Object {
"Ref": "AWS::AccountId",
},
":log-group:/aws/lambda/*",
],
],
},
},
],
"Version": "2012-10-17",
},
"PolicyName": "LambdaFunctionServiceRolePolicy",
},
],
},
"Type": "AWS::IAM::Role",
},
"testcloudfrontmediastoreSetHttpSecurityHeadersServiceRoleDefaultPolicy73DF1407": Object {
"Metadata": Object {
"cfn_nag": Object {
"rules_to_suppress": Array [
Object {
"id": "W12",
"reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC.",
},
],
},
},
"Properties": Object {
"PolicyDocument": Object {
"Statement": Array [
Object {
"Action": Array [
"xray:PutTraceSegments",
"xray:PutTelemetryRecords",
],
"Effect": "Allow",
"Resource": "*",
},
],
"Version": "2012-10-17",
},
"PolicyName": "testcloudfrontmediastoreSetHttpSecurityHeadersServiceRoleDefaultPolicy73DF1407",
"Roles": Array [
Object {
"Ref": "testcloudfrontmediastoreSetHttpSecurityHeadersServiceRole2F1F5449",
},
],
},
"Type": "AWS::IAM::Policy",
},
"testcloudfrontmediastoreSetHttpSecurityHeadersVersionE87B65C3": Object {
"Properties": Object {
"FunctionName": Object {
"Ref": "testcloudfrontmediastoreSetHttpSecurityHeaders9995A63D",
"AutoPublish": true,
"FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \\"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }",
"FunctionConfig": Object {
"Comment": "SetHttpSecurityHeadersc82c7d803c8b3899ab37eeee5cc2bce7beb7673c36",
"Runtime": "cloudfront-js-1.0",
},
"Name": "SetHttpSecurityHeadersc82c7d803c8b3899ab37eeee5cc2bce7beb7673c36",
},
"Type": "AWS::Lambda::Version",
"Type": "AWS::CloudFront::Function",
},
},
}
Expand Up @@ -45,7 +45,7 @@ test('Test the default deployment pattern variables', () => {
expect(cloudFrontToMediaStore.cloudFrontLoggingBucket).not.toEqual(undefined);
expect(cloudFrontToMediaStore.cloudFrontOriginRequestPolicy).not.toEqual(undefined);
expect(cloudFrontToMediaStore.cloudFrontOriginAccessIdentity).not.toEqual(undefined);
expect(cloudFrontToMediaStore.edgeLambdaFunctionVersion).not.toEqual(undefined);
expect(cloudFrontToMediaStore.cloudFrontFunction).not.toEqual(undefined);
});

// --------------------------------------------------------------
Expand Down Expand Up @@ -135,7 +135,7 @@ test('Test the deployment without HTTP security headers', () => {
]
}
});
expect(cloudFrontToMediaStore.edgeLambdaFunctionVersion).toEqual(undefined);
expect(cloudFrontToMediaStore.cloudFrontFunction).toEqual(undefined);
});

// --------------------------------------------------------------
Expand Down Expand Up @@ -167,11 +167,14 @@ test('Test the deployment with existing MediaStore container', () => {
'OPTIONS'
],
Compress: true,
LambdaFunctionAssociations: [
FunctionAssociations: [
{
EventType: 'origin-response',
LambdaFunctionARN: {
Ref: 'testcloudfrontmediastoreSetHttpSecurityHeadersVersionE87B65C3'
EventType: "viewer-response",
FunctionARN: {
"Fn::GetAtt": [
"testcloudfrontmediastoreSetHttpSecurityHeaders9995A63D",
"FunctionARN"
]
}
}
],
Expand Down Expand Up @@ -303,11 +306,14 @@ test('Test the deployment with the user provided MediaStore properties', () => {
'OPTIONS'
],
Compress: true,
LambdaFunctionAssociations: [
FunctionAssociations: [
{
EventType: 'origin-response',
LambdaFunctionARN: {
Ref: 'testcloudfrontmediastoreSetHttpSecurityHeadersVersionE87B65C3'
EventType: "viewer-response",
FunctionARN: {
"Fn::GetAtt": [
"testcloudfrontmediastoreSetHttpSecurityHeaders9995A63D",
"FunctionARN"
]
}
}
],
Expand Down Expand Up @@ -446,11 +452,14 @@ test('Test the deployment with the user provided CloudFront properties', () => {
'HEAD'
],
Compress: true,
LambdaFunctionAssociations: [
FunctionAssociations: [
{
EventType: 'origin-response',
LambdaFunctionARN: {
Ref: 'testcloudfrontmediastoreSetHttpSecurityHeadersVersionE87B65C3'
EventType: "viewer-response",
FunctionARN: {
"Fn::GetAtt": [
"testcloudfrontmediastoreSetHttpSecurityHeaders9995A63D",
"FunctionARN"
]
}
}
],
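Review bot: The rewritten `FunctionAssociations` expectations in the four tests only check that a `viewer-response` association points at the SetHttpSecurityHeaders function; nothing in this file pins which headers that function emits, so the header set can change silently, and the re-recorded snapshot in this same commit shows it did. Compared with the Lambda@Edge handler it replaces, the CloudFront Function body no longer sets `Referrer-Policy`, and its CSP drops `base-uri 'self'`, `form-action 'self'` and `frame-ancestors 'none'` — directives that do not fall back to `default-src 'none'` (the omitted `font-src`, `manifest-src` and `connect-src` do fall back, so those are not a loss; framing is still covered by `X-Frame-Options: DENY`). If the reduction is intentional, say so in the commit message; otherwise add an assertion on the `AWS::CloudFront::Function` resource's `FunctionCode` that checks for each expected header and CSP directive, so the next snapshot refresh cannot weaken them unnoticed. The surrounding `test(...)` bodies start and end outside the hunks.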