From 49f1541ad6e23d7d224ac06d4497568954985e55 Mon Sep 17 00:00:00 2001
From: Eddie Goynes
Date: Thu, 1 Jul 2021 00:15:41 -0700
Subject: [PATCH 1/4] Fix for issue #252 mediastore policy bug found in the aws-cloudfront-mediastore module
---
 .../aws-cloudfront-mediastore/lib/index.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts
index 0fa56b960..a1bfb7553 100644
--- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts
+++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts
@@ -95,9 +95,11 @@ export class CloudFrontToMediaStore extends Construct {
 ],
 Resource: `arn:${Aws.PARTITION}:mediastore:${Aws.REGION}:${Aws.ACCOUNT_ID}:container/${Aws.STACK_NAME}/*`,
 Condition: {
+ StringEquals: {
+ 'aws:UserAgent': this.cloudFrontOriginAccessIdentity.originAccessIdentityName
+ },
 Bool: {
- 'aws:UserAgent': this.cloudFrontOriginAccessIdentity.originAccessIdentityName,
- 'aws:SecureTransport': 'true'
+ 'aws:SecureTransport': 'true'
 }
 }
 }]
From 7906c782c018d6f2c56b5c6e3079b15673b200b3 Mon Sep 17 00:00:00 2001
From: Eddie Goynes
Date: Thu, 1 Jul 2021 00:19:10 -0700
Subject: [PATCH 2/4] Fix for issue #252 mediastore policy bug updated the integ.default.expected.json file for new policy output. Tested deploying and see that requests to MediaStore are not allowed directly, only requests to CloudFront now make it to MediaStore. How it should be working I presume.
---
 .../test/integ.default.expected.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.default.expected.json b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.default.expected.json
index e0aba7aac..d8f30adfe 100644
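Review bot: The new `StringEquals` block on `'aws:UserAgent'` is a shared-value check rather than authentication, because that key is populated from a caller-supplied request header; the policy is therefore only as strong as the secrecy of `originAccessIdentityName`. That value looks like a resource identifier (it surfaces as a plain `Ref` in the expected templates later in this series), and the CloudFront origin configuration that sends it is outside the hunk, so its confidentiality should be confirmed rather than assumed. I would record this above the condition, e.g. `// aws:UserAgent is caller-supplied: this restricts access only while the OAI name stays private`, and consider a dedicated generated secret for the header value in a follow-up. The enclosing policy statement starts and ends outside the hunk, so the `Principal` and `Effect` it pairs with are not visible here.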
--- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.default.expected.json
+++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.default.expected.json
@@ -71,11 +71,11 @@ { "Ref": "AWS::StackName" }, - "/*\",\"Condition\":{\"Bool\":{\"aws:UserAgent\":\"", + "/*\",\"Condition\":{\"StringEquals\":{\"aws:UserAgent\":\"", { "Ref": "testcloudfrontmediastoreCloudFrontOriginAccessIdentity966405A0" }, - "\",\"aws:SecureTransport\":\"true\"}}}]}" + "\"},\"Bool\":{\"aws:SecureTransport\":\"true\"}}}]}" ] ] }
From 59dabb56048c408ae5d6aa1d1f39bb371df0a5ac Mon Sep 17 00:00:00 2001
From: eggoynes <40248820+eggoynes@users.noreply.github.com>
Date: Thu, 1 Jul 2021 09:14:38 -0700
Subject: [PATCH 3/4] Update index.ts Fix indent spaces.
---
 .../aws-cloudfront-mediastore/lib/index.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts
index a1bfb7553..de23dd844 100644
--- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts
+++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts
@@ -96,10 +96,10 @@ export class CloudFrontToMediaStore extends Construct {
 Resource: `arn:${Aws.PARTITION}:mediastore:${Aws.REGION}:${Aws.ACCOUNT_ID}:container/${Aws.STACK_NAME}/*`,
 Condition: {
 StringEquals: {
- 'aws:UserAgent': this.cloudFrontOriginAccessIdentity.originAccessIdentityName
+ 'aws:UserAgent': this.cloudFrontOriginAccessIdentity.originAccessIdentityName
 },
 Bool: {
- 'aws:SecureTransport': 'true'
+ 'aws:SecureTransport': 'true'
 }
 }
 }]
From 3c9b6f725b0635eb2df28b25f4b6d669f36cd962 Mon Sep 17 00:00:00 2001
From: Eddie Goynes
Date: Thu, 1 Jul 2021 11:51:21 -0700
Subject: [PATCH 4/4] Updated integ tests
---
 .../test/__snapshots__/cloudfront-mediastore.test.js.snap | 4 ++--
 .../test/integ.withoutHttpSecurityHeaders.expected.json | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/__snapshots__/cloudfront-mediastore.test.js.snap b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/__snapshots__/cloudfront-mediastore.test.js.snap
index ee460ed8a..fb1973c85 100644
--- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/__snapshots__/cloudfront-mediastore.test.js.snap
+++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/__snapshots__/cloudfront-mediastore.test.js.snap
@@ -285,11 +285,11 @@ Object { Object { "Ref": "AWS::StackName", }, - "/*\\",\\"Condition\\":{\\"Bool\\":{\\"aws:UserAgent\\":\\"", + "/*\\",\\"Condition\\":{\\"StringEquals\\":{\\"aws:UserAgent\\":\\"", Object { "Ref": "testcloudfrontmediastoreCloudFrontOriginAccessIdentity966405A0", }, - "\\",\\"aws:SecureTransport\\":\\"true\\"}}}]}", + "\\"},\\"Bool\\":{\\"aws:SecureTransport\\":\\"true\\"}}}]}", ], ], },
diff --git a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.withoutHttpSecurityHeaders.expected.json b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.withoutHttpSecurityHeaders.expected.json
index ae0a5df0d..b33ab06ff 100644
--- a/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.withoutHttpSecurityHeaders.expected.json
+++ b/source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/integ.withoutHttpSecurityHeaders.expected.json
@@ -71,11 +71,11 @@ { "Ref": "AWS::StackName" }, - "/*\",\"Condition\":{\"Bool\":{\"aws:UserAgent\":\"", + "/*\",\"Condition\":{\"StringEquals\":{\"aws:UserAgent\":\"", { "Ref": "testcloudfrontmediastoreCloudFrontOriginAccessIdentity966405A0" }, - "\",\"aws:SecureTransport\":\"true\"}}}]}" + "\"},\"Bool\":{\"aws:SecureTransport\":\"true\"}}}]}" ] ] }