merge: alignment with #1037
hayesry committed Dec 8, 2023
1 parent 01a834e commit 372a244
Showing 15 changed files with 133 additions and 2,177 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@ import { Provider } from 'aws-cdk-lib/custom-resources';
import { IKey } from 'aws-cdk-lib/aws-kms';
import { Code, Runtime } from 'aws-cdk-lib/aws-lambda';
import { Effect, PolicyDocument, PolicyStatement, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
import * as log from 'npmlog';

/**
* @summary The properties for the CloudFrontToS3 Construct
Expand Down Expand Up @@ -114,14 +113,6 @@ export class CloudFrontToS3 extends Construct {
constructor(scope: Construct, id: string, props: CloudFrontToS3Props) {
super(scope, id);

// Issue a printed warning regarding the creation of an orphaned OAI. This
// can and should be removed once the CDK fixes that behavior.
// Style the log output
log.prefixStyle.bold = true;
log.prefixStyle.fg = 'red';
log.enableColor();
log.warn('AWS_SOLUTIONS_CONSTRUCTS_WARNING: ', message);

// All our tests are based upon this behavior being on, so we're setting
// context here rather than assuming the client will set it
this.node.setContext("@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy", true);
Expand Down Expand Up @@ -237,42 +228,6 @@ export class CloudFrontToS3 extends Construct {
})
}
});
// const lambdaHandler = new Function(this, 'KmsKeyPolicyUpdateLambda', {
// runtime: Runtime.NODEJS_18_X,
// handler: 'index.handler',
// description: 'kms-key-policy-updater',
// code: Code.fromAsset(`${__dirname}/custom-resources/kms-key-policy-updater`),
// role: new Role(this, 'KmsKeyPolicyUpdateLambdaRole', {
// assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
// description: 'Role to update kms key policy to allow cloudfront access',
// inlinePolicies: {
// KmsPolicy: new PolicyDocument({
// statements: [
// new PolicyStatement({
// actions: ['kms:PutKeyPolicy', 'kms:GetKeyPolicy', 'kms:DescribeKey'],
// effect: Effect.ALLOW,
// resources: [ encryptionKey.keyArn ]
// })
// ]
// }),
// CWLogsPolicy: new PolicyDocument({
// statements: [
// new PolicyStatement({
// actions: ['logs:CreateLogGroup'],
// effect: Effect.ALLOW,
// resources: [ `arn:${Aws.PARTITION}:logs:${Aws.REGION}:${Aws.ACCOUNT_ID}:*` ]
// })
// ]
// })
// }
// })
// });

// lambdaHandler.addToRolePolicy(new PolicyStatement({
// actions: ['logs:CreateLogStream', 'logs:PutLogEvents'],
// effect: Effect.ALLOW,
// resources: [ `arn:${Aws.PARTITION}:logs:${Aws.REGION}:${Aws.ACCOUNT_ID}:log-group:/aws/lambda/*:*` ]
// }));

const kmsKeyPolicyUpdateProvider = new Provider(this, 'KmsKeyPolicyUpdateProvider', {
onEventHandler: lambdaHandler
Expand Down
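Review bot: The orphaned-OAI warning (`log.warn('AWS_SOLUTIONS_CONSTRUCTS_WARNING: ', message)`) is dropped without any visible change to the condition it warned about — the snapshot templates in this same commit still emit an `AWS::CloudFront::CloudFrontOriginAccessIdentity` alongside the `OriginAccessControlId` on the origin, so the unused OAI is presumably still synthesized. If the CDK-side fix the old comment was waiting on has landed, record that in the commit message or a one-line comment where the warning used to be; otherwise the warning should stay until the OAI stops being created, since an unused identity is one more principal to audit. With `import * as log` gone, whatever defined `message` is presumably now unreferenced, and the retained `Code`, `Runtime` and IAM imports are only justified if the live `lambdaHandler` definition above this hunk still uses them — worth a `no-unused-vars` pass. The constructor body begins before the first hunk and the `new Provider(...)` statement continues past the last one.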
Original file line number Diff line number Diff line change
Expand Up @@ -490,7 +490,7 @@
"Type": "AWS::CloudFront::OriginAccessControl",
"Properties": {
"OriginAccessControlConfig": {
"Name": "cloudfront-default-oac-18c44c5bd93",
"Name": "cloudfront-default-oac-18c478ad319",
"OriginAccessControlOriginType": "s3",
"SigningBehavior": "always",
"SigningProtocol": "sigv4"
Expand Down Expand Up @@ -667,7 +667,7 @@
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "83f558ef4a157664ec5e7d6b58d4b131dc53d864700c5c981434adfd62399eda.zip"
"S3Key": "d65f90611efee0c3ab721963c6e9a3ff045ae5ce004b0c2dac9a60919a0ece37.zip"
},
"Description": "kms-key-policy-updater",
"Handler": "index.handler",
Expand Down Expand Up @@ -1023,7 +1023,7 @@
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd.zip"
"S3Key": "0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0.zip"
},
"Environment": {
"Variables": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -448,7 +448,7 @@
"Type": "AWS::CloudFront::OriginAccessControl",
"Properties": {
"OriginAccessControlConfig": {
"Name": "cloudfront-default-oac-18c44cb5acb",
"Name": "cloudfront-default-oac-18c478ff42f",
"OriginAccessControlOriginType": "s3",
"SigningBehavior": "always",
"SigningProtocol": "sigv4"
Expand Down Expand Up @@ -627,7 +627,7 @@
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd.zip"
"S3Key": "0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0.zip"
},
"Environment": {
"Variables": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -490,7 +490,7 @@
"Type": "AWS::CloudFront::OriginAccessControl",
"Properties": {
"OriginAccessControlConfig": {
"Name": "cloudfront-default-oac-18c44d06628",
"Name": "cloudfront-default-oac-18c4796564e",
"OriginAccessControlOriginType": "s3",
"SigningBehavior": "always",
"SigningProtocol": "sigv4"
Expand Down Expand Up @@ -667,7 +667,7 @@
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "83f558ef4a157664ec5e7d6b58d4b131dc53d864700c5c981434adfd62399eda.zip"
"S3Key": "d65f90611efee0c3ab721963c6e9a3ff045ae5ce004b0c2dac9a60919a0ece37.zip"
},
"Description": "kms-key-policy-updater",
"Handler": "index.handler",
Expand Down Expand Up @@ -1023,7 +1023,7 @@
"S3Bucket": {
"Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
},
"S3Key": "9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd.zip"
"S3Key": "0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0.zip"
},
"Environment": {
"Variables": {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -689,7 +689,7 @@
"Type": "AWS::CloudFront::OriginAccessControl",
"Properties": {
"OriginAccessControlConfig": {
"Name": "cloudfront-default-oac-18c44db3eaa",
"Name": "cloudfront-default-oac-18c479b703f",
"OriginAccessControlOriginType": "s3",
"SigningBehavior": "always",
"SigningProtocol": "sigv4"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -658,7 +658,7 @@
"Type": "AWS::CloudFront::OriginAccessControl",
"Properties": {
"OriginAccessControlConfig": {
"Name": "cloudfront-default-oac-18c44e3a1ac",
"Name": "cloudfront-default-oac-18c47a0478f",
"OriginAccessControlOriginType": "s3",
"SigningBehavior": "always",
"SigningProtocol": "sigv4"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -355,10 +355,10 @@
"AutoPublish": true,
"FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }",
"FunctionConfig": {
"Comment": "SetHttpSecurityHeadersc88d4d30b2e66a3bd009aa7f11e35596ee70824ece",
"Comment": "SetHttpSecurityHeadersc853f5cf48adabb9680b666a0c549e9b779fe54127",
"Runtime": "cloudfront-js-1.0"
},
"Name": "SetHttpSecurityHeadersc88d4d30b2e66a3bd009aa7f11e35596ee70824ece"
"Name": "SetHttpSecurityHeadersc853f5cf48adabb9680b666a0c549e9b779fe54127"
}
},
"testcloudfronts3CloudfrontLoggingBucket985C0FE8": {
Expand Down Expand Up @@ -519,7 +519,7 @@
"Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
"Properties": {
"CloudFrontOriginAccessIdentityConfig": {
"Comment": "Identity for customCloudFrontLoggingBuckettestcloudfronts3CloudFrontDistributionOrigin115B4D0FD"
"Comment": "Identity for cfts3customCloudFrontLoggingBuckettestcloudfronts3CloudFrontDistributionOrigin18A4ECB64"
}
}
},
Expand All @@ -541,7 +541,7 @@
}
}
],
"TargetOriginId": "customCloudFrontLoggingBuckettestcloudfronts3CloudFrontDistributionOrigin115B4D0FD",
"TargetOriginId": "cfts3customCloudFrontLoggingBuckettestcloudfronts3CloudFrontDistributionOrigin18A4ECB64",
"ViewerProtocolPolicy": "redirect-to-https"
},
"DefaultRootObject": "index.html",
Expand All @@ -564,7 +564,7 @@
"RegionalDomainName"
]
},
"Id": "customCloudFrontLoggingBuckettestcloudfronts3CloudFrontDistributionOrigin115B4D0FD",
"Id": "cfts3customCloudFrontLoggingBuckettestcloudfronts3CloudFrontDistributionOrigin18A4ECB64",
"OriginAccessControlId": {
"Fn::GetAtt": [
"testcloudfronts3CloudFrontOac7A951AA6",
Expand Down Expand Up @@ -593,7 +593,7 @@
"Type": "AWS::CloudFront::OriginAccessControl",
"Properties": {
"OriginAccessControlConfig": {
"Name": "cloudfront-default-oac-18c452b2f6c",
"Name": "cloudfront-default-oac-18c47a5477b",
"OriginAccessControlOriginType": "s3",
"SigningBehavior": "always",
"SigningProtocol": "sigv4"
Expand Down
