feat(cloudfront-origins): customize origin access identity in s3origin

Adds support for passing in a identity as it is possible in the CloudFrontWebDistribution closes #9859
aws · Oct 6, 2020 · 960f7ba · 960f7ba
1 parent 2e93863
commit 960f7ba
Show file tree

Hide file tree

Showing 5 changed files with 106 additions and 4 deletions.
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/README.md b/packages/@aws-cdk/aws-cloudfront-origins/README.md
@@ -32,7 +32,7 @@ The above will treat the bucket differently based on if `IBucket.isWebsite` is s
 treated as an HTTP origin, and the built-in S3 redirects and error pages can be used. Otherwise, the bucket is handled as a bucket origin and
 CloudFront's redirect and error handling will be used. In the latter case, the Origin wil create an origin access identity and grant it access to the
 underlying bucket. This can be used in conjunction with a bucket that is not public to require that your users access your content using CloudFront
-URLs and not S3 URLs directly.
+URLs and not S3 URLs directly. Alternatively, a custom origin access identity can be passed to the S3 origin in the properties.
 
 ## ELBv2 Load Balancer
 

diff --git a/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts b/packages/@aws-cdk/aws-cloudfront-origins/lib/s3-origin.ts
@@ -16,6 +16,12 @@ export interface S3OriginProps {
  * @default '/'
  */
  readonly originPath?: string;
+ /**
+ * An optional Origin Access Identity of the origin identity cloudfront will use when calling your s3 bucket.
+ *
+ * @default - An Origin Access Identity will be created.
+ */
+ readonly originAccessIdentity?: cloudfront.IOriginAccessIdentity;
 }
 
 /**
@@ -50,10 +56,13 @@ export class S3Origin implements cloudfront.IOrigin {
  * Contains additional logic around bucket permissions and origin access identities.
  */
 class S3BucketOrigin extends cloudfront.OriginBase {
- private originAccessIdentity!: cloudfront.OriginAccessIdentity;
+ private originAccessIdentity!: cloudfront.IOriginAccessIdentity;
 
- constructor(private readonly bucket: s3.IBucket, props: S3OriginProps) {
+ constructor(private readonly bucket: s3.IBucket, { originAccessIdentity, ...props }: S3OriginProps) {
  super(bucket.bucketRegionalDomainName, props);
+ if (originAccessIdentity) {
+ this.originAccessIdentity = originAccessIdentity;
+ }
  }
 
  public bind(scope: cdk.Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig {

diff --git a/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.expected.json b/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.expected.json
@@ -0,0 +1,58 @@
+{
+ "Resources": {
+ "Bucket83908E77": {
+ "Type": "AWS::S3::Bucket",
+ "UpdateReplacePolicy": "Retain",
+ "DeletionPolicy": "Retain"
+ },
+ "OriginAccessIdentityDF1E3CAC": {
+ "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
+ "Properties": {
+ "CloudFrontOriginAccessIdentityConfig": {
+ "Comment": "Identity for bucket provided by test"
+ }
+ }
+ },
+ "Distribution830FAC52": {
+ "Type": "AWS::CloudFront::Distribution",
+ "Properties": {
+ "DistributionConfig": {
+ "DefaultCacheBehavior": {
+ "ForwardedValues": {
+ "QueryString": false
+ },
+ "TargetOriginId": "cloudfronts3originDistributionOrigin1741C4E95",
+ "ViewerProtocolPolicy": "allow-all"
+ },
+ "Enabled": true,
+ "HttpVersion": "http2",
+ "IPV6Enabled": true,
+ "Origins": [
+ {
+ "DomainName": {
+ "Fn::GetAtt": [
+ "Bucket83908E77",
+ "RegionalDomainName"
+ ]
+ },
+ "Id": "cloudfronts3originDistributionOrigin1741C4E95",
+ "S3OriginConfig": {
+ "OriginAccessIdentity": {
+ "Fn::Join": [
+ "",
+ [
+ "origin-access-identity/cloudfront/",
+ {
+ "Ref": "OriginAccessIdentityDF1E3CAC"
+ }
+ ]
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+}
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.ts b/packages/@aws-cdk/aws-cloudfront-origins/test/integ.s3-origin-oai.ts
@@ -0,0 +1,18 @@
+import * as cloudfront from '@aws-cdk/aws-cloudfront';
+import * as s3 from '@aws-cdk/aws-s3';
+import * as cdk from '@aws-cdk/core';
+import * as origins from '../lib';
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'cloudfront-s3-origin-oai');
+
+const bucket = new s3.Bucket(stack, 'Bucket');
+const originAccessIdentity = new cloudfront.OriginAccessIdentity(stack, 'OriginAccessIdentity', {
+ comment: 'Identity for bucket provided by test',
+});
+new cloudfront.Distribution(stack, 'Distribution', {
+ defaultBehavior: { origin: new origins.S3Origin(bucket, { originAccessIdentity }) },
+});
+
+app.synth();
diff --git a/packages/@aws-cdk/aws-cloudfront-origins/test/s3-origin.test.ts b/packages/@aws-cdk/aws-cloudfront-origins/test/s3-origin.test.ts
@@ -30,7 +30,7 @@ describe('With bucket', () => {
  });
  });
 
- test('can customize properties', () => {
+ test('can customize originPath property', () => {
  const bucket = new s3.Bucket(stack, 'Bucket');
 
  const origin = new S3Origin(bucket, { originPath: '/assets' });
@@ -46,6 +46,23 @@ describe('With bucket', () => {
  });
  });
 
+ test('can customize OriginAccessIdentity property', () => {
+ const bucket = new s3.Bucket(stack, 'Bucket');
+
+ const originAccessIdentity = new cloudfront.OriginAccessIdentity(stack, 'OriginAccessIdentity', {
+ comment: 'Identity for bucket provided by test',
+ });
+
+ const origin = new S3Origin(bucket, { originAccessIdentity });
+ new cloudfront.Distribution(stack, 'Dist', { defaultBehavior: { origin } });
+
+ expect(stack).toHaveResourceLike('AWS::CloudFront::CloudFrontOriginAccessIdentity', {
+ CloudFrontOriginAccessIdentityConfig: {
+ Comment: 'Identity for bucket provided by test',
+ },
+ });
+ });
+
  test('creates an OriginAccessIdentity and grants read permissions on the bucket', () => {
  const bucket = new s3.Bucket(stack, 'Bucket');