
Commit 8538fa9

Merge branch 'master' into feat/graviton2-nvme-metadata
2 parents 2b32197 + 122a76d commit 8538fa9

23 files changed

Lines changed: 515 additions & 117 deletions


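--- a/packages/@aws-cdk/aws-cloudfront/README.md
+++ b/packages/@aws-cdk/aws-cloudfront/README.md
@@ -109,6 +109,16 @@ new cloudfront.Distribution(this, 'myDist', {
 });
 ```
 
+However, you can customize the minimum protocol version for the certificate while creating the distribution using `minimumProtocolVersion` property.
+
+```ts
+new cloudfront.Distribution(this, 'myDist', {
+defaultBehavior: { origin: new origins.S3Origin(myBucket) },
+domainNames: ['www.example.com'],
+minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2016
+});
+```
+
 ### Multiple Behaviors & Origins
 
 Each distribution has a default behavior which applies to all requests to that distribution; additional behaviors may be specified for a
@@ -236,7 +246,7 @@ You can author Node.js or Python functions in the US East (N. Virginia) region,
 and then execute them in AWS locations globally that are closer to the viewer,
 without provisioning or managing servers.
 Lambda@Edge functions are associated with a specific behavior and event type.
-Lambda@Edge can be used rewrite URLs,
+Lambda@Edge can be used to rewrite URLs,
 alter responses based on headers or cookies,
 or authorize requests based on headers or authorization tokens.
 
@@ -276,6 +286,25 @@ const myFunc = new lambda.Function(this, 'MyFunction', {
 });
 ```
 
+If the stack is not in `us-east-1`, and you need references from different applications on the same account,
+you can also set a specific stack ID for each Lamba@Edge.
+
+```ts
+const myFunc1 = new cloudfront.experimental.EdgeFunction(this, 'MyFunction1', {
+runtime: lambda.Runtime.NODEJS_10_X,
+handler: 'index.handler',
+code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler1')),
+stackId: 'edge-lambda-stack-id-1'
+});
+
+const myFunc2 = new cloudfront.experimental.EdgeFunction(this, 'MyFunction2', {
+runtime: lambda.Runtime.NODEJS_10_X,
+handler: 'index.handler',
+code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler2')),
+stackId: 'edge-lambda-stack-id-2'
+});
+```
+
 Lambda@Edge functions can also be associated with additional behaviors,
 either at or after Distribution creation time.
 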
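--- a/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts
@@ -206,6 +206,16 @@ export interface DistributionProps {
 * @default - No custom error responses.
 */
 readonly errorResponses?: ErrorResponse[];
+
+/**
+* The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections.
+*
+* CloudFront serves your objects only to browsers or devices that support at
+* least the SSL version that you specify.
+*
+* @default SecurityPolicyProtocol.TLS_V1_2_2019
+*/
+readonly minimumProtocolVersion?: SecurityPolicyProtocol;
 }
 
 /**
@@ -284,7 +294,7 @@ export class Distribution extends Resource implements IDistribution {
 logging: this.renderLogging(props),
 priceClass: props.priceClass ?? undefined,
 restrictions: this.renderRestrictions(props.geoRestriction),
-viewerCertificate: this.certificate ? this.renderViewerCertificate(this.certificate) : undefined,
+viewerCertificate: this.certificate ? this.renderViewerCertificate(this.certificate, props.minimumProtocolVersion) : undefined,
 webAclId: props.webAclId,
 },
 });
@@ -427,11 +437,12 @@ export class Distribution extends Resource implements IDistribution {
 } : undefined;
 }
 
-private renderViewerCertificate(certificate: acm.ICertificate): CfnDistribution.ViewerCertificateProperty {
+private renderViewerCertificate(certificate: acm.ICertificate,
+minimumProtocolVersion: SecurityPolicyProtocol = SecurityPolicyProtocol.TLS_V1_2_2019) : CfnDistribution.ViewerCertificateProperty {
 return {
 acmCertificateArn: certificate.certificateArn,
 sslSupportMethod: SSLMethod.SNI,
-minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2019,
+minimumProtocolVersion: minimumProtocolVersion,
 };
 }
 }
@@ -600,7 +611,7 @@ export enum LambdaEdgeEventType {
 VIEWER_REQUEST = 'viewer-request',
 
 /**
-* The viewer-response specifies the outgoing reponse
+* The viewer-response specifies the outgoing response
 */
 VIEWER_RESPONSE = 'viewer-response',
 }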
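Review bot: `minimumProtocolVersion` is silently dropped when no certificate is supplied, because the constructor hunk only forwards it inside `this.certificate ? this.renderViewerCertificate(...) : undefined`; a caller who sets the prop without a certificate gets neither an error nor any effect. Either reject that combination, e.g. `if (props.minimumProtocolVersion && !props.certificate) { throw new Error('minimumProtocolVersion requires a certificate'); }`, or state the dependency in the prop's doc comment. The doc comment also speaks of an "SSL version" while the enum selects a TLS security policy, and it does not tell the reader that choosing a value older than the default `TLS_V1_2_2019` (the README example in this commit uses `TLS_V1_2016`) lowers the floor; I would add `* Values older than the default let viewers negotiate weaker protocol versions; lower this only for legacy clients.` The constructor and class body start outside these hunks, so an existing validation elsewhere cannot be ruled out.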

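--- a/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/experimental/edge-function.ts
@@ -16,7 +16,14 @@ import { Construct } from 'constructs';
 * Properties for creating a Lambda@Edge function
 * @experimental
 */
-export interface EdgeFunctionProps extends lambda.FunctionProps { }
+export interface EdgeFunctionProps extends lambda.FunctionProps {
+/**
+* The stack ID of Lambda@Edge function.
+*
+* @default - `edge-lambda-stack-${region}`
+*/
+readonly stackId?: string;
+}
 
 /**
 * A Lambda@Edge function.
@@ -139,10 +146,10 @@ export class EdgeFunction extends Resource implements lambda.IVersion {
 }
 
 /** Create a support stack and function in us-east-1, and a SSM reader in-region */
-private createCrossRegionFunction(id: string, props: lambda.FunctionProps): FunctionConfig {
+private createCrossRegionFunction(id: string, props: EdgeFunctionProps): FunctionConfig {
 const parameterNamePrefix = 'EdgeFunctionArn';
 const parameterName = `${parameterNamePrefix}${id}`;
-const functionStack = this.edgeStack();
+const functionStack = this.edgeStack(props.stackId);
 
 const edgeFunction = new lambda.Function(functionStack, id, props);
 addEdgeLambdaToRoleTrustStatement(edgeFunction.role!);
@@ -193,7 +200,7 @@ export class EdgeFunction extends Resource implements lambda.IVersion {
 return resource.getAttString('FunctionArn');
 }
 
-private edgeStack(): Stack {
+private edgeStack(stackId?: string): Stack {
 const stage = this.node.root;
 if (!stage || !Stage.isStage(stage)) {
 throw new Error('stacks which use EdgeFunctions must be part of a CDK app or stage');
@@ -203,7 +210,7 @@ export class EdgeFunction extends Resource implements lambda.IVersion {
 throw new Error('stacks which use EdgeFunctions must have an explicitly set region');
 }
 
-const edgeStackId = stackId ?? `edge-lambda-stack-${region}`;
+const edgeStackId = stackId ?? `edge-lambda-stack-${region}`;
 let edgeStack = stage.node.tryFindChild(edgeStackId) as Stack;
 if (!edgeStack) {
 edgeStack = new Stack(stage, edgeStackId, {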
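Review bot: With `stackId` now supplied by the caller, `stage.node.tryFindChild(edgeStackId) as Stack` in `edgeStack()` can return any existing child of the stage, and the cast accepts it unchecked. If the id matches a construct that is not a stack, or a stack in another region (for instance the one that holds the distribution), the function would presumably be created there rather than in the us-east-1 support stack that the comment on `createCrossRegionFunction` promises. I would validate the lookup before reusing it, `if (edgeStack && !Stack.isStack(edgeStack)) { throw new Error('construct ' + edgeStackId + ' exists but is not a Stack'); }`, and add a matching check on the found stack's region. The `stackId` doc comment should say that the id must be unique within the app or stage and that functions sharing an id share one support stack. The body of `edgeStack()` continues past this hunk, so the options passed to `new Stack(...)` are not visible here.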

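--- a/packages/@aws-cdk/aws-cloudfront/test/distribution.test.ts
+++ b/packages/@aws-cdk/aws-cloudfront/test/distribution.test.ts
@@ -4,7 +4,7 @@ import * as acm from '@aws-cdk/aws-certificatemanager';
 import * as lambda from '@aws-cdk/aws-lambda';
 import * as s3 from '@aws-cdk/aws-s3';
 import { App, Duration, Stack } from '@aws-cdk/core';
-import { CfnDistribution, Distribution, GeoRestriction, HttpVersion, IOrigin, LambdaEdgeEventType, PriceClass } from '../lib';
+import { CfnDistribution, Distribution, GeoRestriction, HttpVersion, IOrigin, LambdaEdgeEventType, PriceClass, SecurityPolicyProtocol } from '../lib';
 import { defaultOrigin, defaultOriginGroup } from './test-origin';
 
 let app: App;
@@ -314,6 +314,27 @@ describe('certificates', () => {
 },
 });
 });
+
+test('adding a certificate with non default security policy protocol', () => {
+const certificate = acm.Certificate.fromCertificateArn(stack, 'Cert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012');
+new Distribution(stack, 'Dist', {
+defaultBehavior: { origin: defaultOrigin() },
+domainNames: ['www.example.com'],
+minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2016,
+certificate: certificate,
+});
+
+expect(stack).toHaveResourceLike('AWS::CloudFront::Distribution', {
+DistributionConfig: {
+ViewerCertificate: {
+AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
+SslSupportMethod: 'sni-only',
+MinimumProtocolVersion: 'TLSv1_2016',
+},
+},
+});
+});
+
 });
 
 describe('custom error responses', () => {
@@ -615,7 +636,7 @@ describe('with Lambda@Edge functions', () => {
 
 test('with incompatible env vars', () => {
 const envLambdaFunction = new lambda.Function(stack, 'EnvFunction', {
-runtime: lambda.Runtime.NODEJS,
+runtime: lambda.Runtime.NODEJS_12_X,
 code: lambda.Code.fromInline('whateverwithenv'),
 handler: 'index.handler',
 environment: {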

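--- a/packages/@aws-cdk/aws-cloudfront/test/experimental/edge-function.test.ts
+++ b/packages/@aws-cdk/aws-cloudfront/test/experimental/edge-function.test.ts
@@ -146,6 +146,18 @@ describe('stacks', () => {
 const fnStack = getFnStack();
 expect(fnStack).toCountResources('AWS::Lambda::Function', 2);
 });
+
+test('can set the stack id for each function', () => {
+const fn1StackId = 'edge-lambda-stack-testregion-1';
+new cloudfront.experimental.EdgeFunction(stack, 'MyFn1', defaultEdgeFunctionProps(fn1StackId));
+const fn2StackId = 'edge-lambda-stack-testregion-2';
+new cloudfront.experimental.EdgeFunction(stack, 'MyFn2', defaultEdgeFunctionProps(fn2StackId));
+
+const fn1Stack = app.node.findChild(fn1StackId) as cdk.Stack;
+expect(fn1Stack).toCountResources('AWS::Lambda::Function', 1);
+const fn2Stack = app.node.findChild(fn2StackId) as cdk.Stack;
+expect(fn2Stack).toCountResources('AWS::Lambda::Function', 1);
+});
 });
 
 test('addAlias() creates alias in function stack', () => {
@@ -189,11 +201,12 @@ test('metric methods', () => {
 }
 });
 
-function defaultEdgeFunctionProps() {
+function defaultEdgeFunctionProps(stackId?: string) {
 return {
 code: lambda.Code.fromInline('foo'),
 handler: 'index.handler',
 runtime: lambda.Runtime.NODEJS_12_X,
+stackId: stackId ?? 'edge-lambda-stack-testregion',
 };
 }
 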
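Review bot: `defaultEdgeFunctionProps` now always sets `stackId`, falling back to the literal `'edge-lambda-stack-testregion'`, so every test that goes through the helper takes the explicit-id path and the default branch in `edgeStack()` (`edge-lambda-stack-${region}`) is no longer exercised by them. Pass the argument through unchanged, `stackId,`, so that omitting it leaves the prop undefined and the existing tests keep covering the default. The new test would also be stronger if it asserted that no stack with the default id is created when both functions carry their own ids, which I assume is the intended isolation.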

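--- a/packages/@aws-cdk/aws-cloudfront/test/integ.distribution-lambda-cross-region.expected.json
+++ b/packages/@aws-cdk/aws-cloudfront/test/integ.distribution-lambda-cross-region.expected.json
@@ -127,6 +127,22 @@
 "CustomCrossRegionStringParameterReaderCustomResourceProviderRole71CD6825"
 ]
 },
+"Lambda2ArnReader5ACFBE1F": {
+"Type": "Custom::CrossRegionStringParameterReader",
+"Properties": {
+"ServiceToken": {
+"Fn::GetAtt": [
+"CustomCrossRegionStringParameterReaderCustomResourceProviderHandler65B5F33A",
+"Arn"
+]
+},
+"Region": "us-east-1",
+"ParameterName": "EdgeFunctionArnLambda2",
+"RefreshToken": "8f81ceb404ac454f09648e62822d9ca9"
+},
+"UpdateReplacePolicy": "Delete",
+"DeletionPolicy": "Delete"
+},
 "DistB3B78991": {
 "Type": "AWS::CloudFront::Distribution",
 "Properties": {
@@ -162,6 +178,42 @@
 ]
 }
 }
+},
+"Dist286EC08DF": {
+"Type": "AWS::CloudFront::Distribution",
+"Properties": {
+"DistributionConfig": {
+"DefaultCacheBehavior": {
+"CachePolicyId": "4135ea2d-6df8-44a3-9df3-4b5a84be39ad",
+"Compress": true,
+"LambdaFunctionAssociations": [
+{
+"EventType": "origin-request",
+"LambdaFunctionARN": {
+"Fn::GetAtt": [
+"Lambda2ArnReader5ACFBE1F",
+"FunctionArn"
+]
+}
+}
+],
+"TargetOriginId": "integdistributionlambdacrossregionDist2Origin14F08376D",
+"ViewerProtocolPolicy": "allow-all"
+},
+"Enabled": true,
+"HttpVersion": "http2",
+"IPV6Enabled": true,
+"Origins": [
+{
+"CustomOriginConfig": {
+"OriginProtocolPolicy": "https-only"
+},
+"DomainName": "www.example2.com",
+"Id": "integdistributionlambdacrossregionDist2Origin14F08376D"
+}
+]
+}
+}
 }
 },
 "Parameters": {
@@ -257,5 +309,84 @@
 }
 }
 }
+},
+{
+"Resources": {
+"Lambda2ServiceRole31A072E1": {
+"Type": "AWS::IAM::Role",
+"Properties": {
+"AssumeRolePolicyDocument": {
+"Statement": [
+{
+"Action": "sts:AssumeRole",
+"Effect": "Allow",
+"Principal": {
+"Service": "lambda.amazonaws.com"
+}
+},
+{
+"Action": "sts:AssumeRole",
+"Effect": "Allow",
+"Principal": {
+"Service": "edgelambda.amazonaws.com"
+}
+}
+],
+"Version": "2012-10-17"
+},
+"ManagedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+]
+]
+}
+]
+}
+},
+"Lambda217CFB423": {
+"Type": "AWS::Lambda::Function",
+"Properties": {
+"Code": {
+"ZipFile": "foo"
+},
+"Handler": "index.handler",
+"Role": {
+"Fn::GetAtt": [
+"Lambda2ServiceRole31A072E1",
+"Arn"
+]
+},
+"Runtime": "nodejs10.x"
+},
+"DependsOn": [
+"Lambda2ServiceRole31A072E1"
+]
+},
+"Lambda2CurrentVersion72012B74b9eef8becb98501bc795baca3c6169c4": {
+"Type": "AWS::Lambda::Version",
+"Properties": {
+"FunctionName": {
+"Ref": "Lambda217CFB423"
+}
+}
+},
+"Lambda2Parameter3444E17A": {
+"Type": "AWS::SSM::Parameter",
+"Properties": {
+"Type": "String",
+"Value": {
+"Ref": "Lambda2CurrentVersion72012B74b9eef8becb98501bc795baca3c6169c4"
+},
+"Name": "EdgeFunctionArnLambda2"
+}
+}
+}
 }
 ]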
