@aws-solutions-constructs/aws-cloudfront-apigateway-lambda 2.0.0-rc.1 → 2.2.0

@@ -0,0 +1,858 @@
1
+ {
2
+ "Description": "Integration Test for aws-cloudfront-apigateway-lambda custom Cloudfront Logging Bucket",
3
+ "Resources": {
4
+ "cfapigwlambdaLambdaFunctionServiceRole9B40D826": {
5
+ "Type": "AWS::IAM::Role",
6
+ "Properties": {
7
+ "AssumeRolePolicyDocument": {
8
+ "Statement": [
9
+ {
10
+ "Action": "sts:AssumeRole",
11
+ "Effect": "Allow",
12
+ "Principal": {
13
+ "Service": "lambda.amazonaws.com"
14
+ }
15
+ }
16
+ ],
17
+ "Version": "2012-10-17"
18
+ },
19
+ "Policies": [
20
+ {
21
+ "PolicyDocument": {
22
+ "Statement": [
23
+ {
24
+ "Action": [
25
+ "logs:CreateLogGroup",
26
+ "logs:CreateLogStream",
27
+ "logs:PutLogEvents"
28
+ ],
29
+ "Effect": "Allow",
30
+ "Resource": {
31
+ "Fn::Join": [
32
+ "",
33
+ [
34
+ "arn:",
35
+ {
36
+ "Ref": "AWS::Partition"
37
+ },
38
+ ":logs:",
39
+ {
40
+ "Ref": "AWS::Region"
41
+ },
42
+ ":",
43
+ {
44
+ "Ref": "AWS::AccountId"
45
+ },
46
+ ":log-group:/aws/lambda/*"
47
+ ]
48
+ ]
49
+ }
50
+ }
51
+ ],
52
+ "Version": "2012-10-17"
53
+ },
54
+ "PolicyName": "LambdaFunctionServiceRolePolicy"
55
+ }
56
+ ]
57
+ }
58
+ },
59
+ "cfapigwlambdaLambdaFunctionServiceRoleDefaultPolicy388158BB": {
60
+ "Type": "AWS::IAM::Policy",
61
+ "Properties": {
62
+ "PolicyDocument": {
63
+ "Statement": [
64
+ {
65
+ "Action": [
66
+ "xray:PutTraceSegments",
67
+ "xray:PutTelemetryRecords"
68
+ ],
69
+ "Effect": "Allow",
70
+ "Resource": "*"
71
+ }
72
+ ],
73
+ "Version": "2012-10-17"
74
+ },
75
+ "PolicyName": "cfapigwlambdaLambdaFunctionServiceRoleDefaultPolicy388158BB",
76
+ "Roles": [
77
+ {
78
+ "Ref": "cfapigwlambdaLambdaFunctionServiceRole9B40D826"
79
+ }
80
+ ]
81
+ },
82
+ "Metadata": {
83
+ "cfn_nag": {
84
+ "rules_to_suppress": [
85
+ {
86
+ "id": "W12",
87
+ "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC."
88
+ }
89
+ ]
90
+ }
91
+ }
92
+ },
93
+ "cfapigwlambdaLambdaFunction10C09D31": {
94
+ "Type": "AWS::Lambda::Function",
95
+ "Properties": {
96
+ "Code": {
97
+ "S3Bucket": {
98
+ "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
99
+ },
100
+ "S3Key": "42a35bbf0dec9ef0ac5b0dde87e71a1b8929e8d2d178dd09ccfb2c928ec0198c.zip"
101
+ },
102
+ "Role": {
103
+ "Fn::GetAtt": [
104
+ "cfapigwlambdaLambdaFunctionServiceRole9B40D826",
105
+ "Arn"
106
+ ]
107
+ },
108
+ "Environment": {
109
+ "Variables": {
110
+ "AWS_NODEJS_CONNECTION_REUSE_ENABLED": "1"
111
+ }
112
+ },
113
+ "Handler": "index.handler",
114
+ "Runtime": "nodejs14.x",
115
+ "TracingConfig": {
116
+ "Mode": "Active"
117
+ }
118
+ },
119
+ "DependsOn": [
120
+ "cfapigwlambdaLambdaFunctionServiceRoleDefaultPolicy388158BB",
121
+ "cfapigwlambdaLambdaFunctionServiceRole9B40D826"
122
+ ],
123
+ "Metadata": {
124
+ "cfn_nag": {
125
+ "rules_to_suppress": [
126
+ {
127
+ "id": "W58",
128
+ "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions."
129
+ },
130
+ {
131
+ "id": "W89",
132
+ "reason": "This is not a rule for the general case, just for specific use cases/industries"
133
+ },
134
+ {
135
+ "id": "W92",
136
+ "reason": "Impossible for us to define the correct concurrency for clients"
137
+ }
138
+ ]
139
+ }
140
+ }
141
+ },
142
+ "cfapigwlambdaApiAccessLogGroup16C73450": {
143
+ "Type": "AWS::Logs::LogGroup",
144
+ "UpdateReplacePolicy": "Retain",
145
+ "DeletionPolicy": "Retain",
146
+ "Metadata": {
147
+ "cfn_nag": {
148
+ "rules_to_suppress": [
149
+ {
150
+ "id": "W86",
151
+ "reason": "Retention period for CloudWatchLogs LogGroups are set to 'Never Expire' to preserve customer data indefinitely"
152
+ },
153
+ {
154
+ "id": "W84",
155
+ "reason": "By default CloudWatchLogs LogGroups data is encrypted using the CloudWatch server-side encryption keys (AWS Managed Keys)"
156
+ }
157
+ ]
158
+ }
159
+ }
160
+ },
161
+ "cfapigwlambdaLambdaRestApi775C255B": {
162
+ "Type": "AWS::ApiGateway::RestApi",
163
+ "Properties": {
164
+ "EndpointConfiguration": {
165
+ "Types": [
166
+ "REGIONAL"
167
+ ]
168
+ },
169
+ "Name": "LambdaRestApi"
170
+ }
171
+ },
172
+ "cfapigwlambdaLambdaRestApiDeployment33C24C7D5b6eb6dc887b9e8b9bde9a765f4aacbb": {
173
+ "Type": "AWS::ApiGateway::Deployment",
174
+ "Properties": {
175
+ "RestApiId": {
176
+ "Ref": "cfapigwlambdaLambdaRestApi775C255B"
177
+ },
178
+ "Description": "Automatically created by the RestApi construct"
179
+ },
180
+ "DependsOn": [
181
+ "cfapigwlambdaLambdaRestApiproxyANY68181290",
182
+ "cfapigwlambdaLambdaRestApiproxy6A768910",
183
+ "cfapigwlambdaLambdaRestApiANY81C176E9"
184
+ ],
185
+ "Metadata": {
186
+ "cfn_nag": {
187
+ "rules_to_suppress": [
188
+ {
189
+ "id": "W45",
190
+ "reason": "ApiGateway has AccessLogging enabled in AWS::ApiGateway::Stage resource, but cfn_nag checkes for it in AWS::ApiGateway::Deployment resource"
191
+ }
192
+ ]
193
+ }
194
+ }
195
+ },
196
+ "cfapigwlambdaLambdaRestApiDeploymentStageprod83104011": {
197
+ "Type": "AWS::ApiGateway::Stage",
198
+ "Properties": {
199
+ "RestApiId": {
200
+ "Ref": "cfapigwlambdaLambdaRestApi775C255B"
201
+ },
202
+ "AccessLogSetting": {
203
+ "DestinationArn": {
204
+ "Fn::GetAtt": [
205
+ "cfapigwlambdaApiAccessLogGroup16C73450",
206
+ "Arn"
207
+ ]
208
+ },
209
+ "Format": "{\"requestId\":\"$context.requestId\",\"ip\":\"$context.identity.sourceIp\",\"user\":\"$context.identity.user\",\"caller\":\"$context.identity.caller\",\"requestTime\":\"$context.requestTime\",\"httpMethod\":\"$context.httpMethod\",\"resourcePath\":\"$context.resourcePath\",\"status\":\"$context.status\",\"protocol\":\"$context.protocol\",\"responseLength\":\"$context.responseLength\"}"
210
+ },
211
+ "DeploymentId": {
212
+ "Ref": "cfapigwlambdaLambdaRestApiDeployment33C24C7D5b6eb6dc887b9e8b9bde9a765f4aacbb"
213
+ },
214
+ "MethodSettings": [
215
+ {
216
+ "DataTraceEnabled": false,
217
+ "HttpMethod": "*",
218
+ "LoggingLevel": "INFO",
219
+ "ResourcePath": "/*"
220
+ }
221
+ ],
222
+ "StageName": "prod",
223
+ "TracingEnabled": true
224
+ }
225
+ },
226
+ "cfapigwlambdaLambdaRestApiproxy6A768910": {
227
+ "Type": "AWS::ApiGateway::Resource",
228
+ "Properties": {
229
+ "ParentId": {
230
+ "Fn::GetAtt": [
231
+ "cfapigwlambdaLambdaRestApi775C255B",
232
+ "RootResourceId"
233
+ ]
234
+ },
235
+ "PathPart": "{proxy+}",
236
+ "RestApiId": {
237
+ "Ref": "cfapigwlambdaLambdaRestApi775C255B"
238
+ }
239
+ }
240
+ },
241
+ "cfapigwlambdaLambdaRestApiproxyANYApiPermissioncustomCloudfrontLoggingBucketcfapigwlambdaLambdaRestApi1C5998E7ANYproxyA3ACBFF5": {
242
+ "Type": "AWS::Lambda::Permission",
243
+ "Properties": {
244
+ "Action": "lambda:InvokeFunction",
245
+ "FunctionName": {
246
+ "Fn::GetAtt": [
247
+ "cfapigwlambdaLambdaFunction10C09D31",
248
+ "Arn"
249
+ ]
250
+ },
251
+ "Principal": "apigateway.amazonaws.com",
252
+ "SourceArn": {
253
+ "Fn::Join": [
254
+ "",
255
+ [
256
+ "arn:",
257
+ {
258
+ "Ref": "AWS::Partition"
259
+ },
260
+ ":execute-api:",
261
+ {
262
+ "Ref": "AWS::Region"
263
+ },
264
+ ":",
265
+ {
266
+ "Ref": "AWS::AccountId"
267
+ },
268
+ ":",
269
+ {
270
+ "Ref": "cfapigwlambdaLambdaRestApi775C255B"
271
+ },
272
+ "/",
273
+ {
274
+ "Ref": "cfapigwlambdaLambdaRestApiDeploymentStageprod83104011"
275
+ },
276
+ "/*/*"
277
+ ]
278
+ ]
279
+ }
280
+ }
281
+ },
282
+ "cfapigwlambdaLambdaRestApiproxyANYApiPermissionTestcustomCloudfrontLoggingBucketcfapigwlambdaLambdaRestApi1C5998E7ANYproxyAF2D9C87": {
283
+ "Type": "AWS::Lambda::Permission",
284
+ "Properties": {
285
+ "Action": "lambda:InvokeFunction",
286
+ "FunctionName": {
287
+ "Fn::GetAtt": [
288
+ "cfapigwlambdaLambdaFunction10C09D31",
289
+ "Arn"
290
+ ]
291
+ },
292
+ "Principal": "apigateway.amazonaws.com",
293
+ "SourceArn": {
294
+ "Fn::Join": [
295
+ "",
296
+ [
297
+ "arn:",
298
+ {
299
+ "Ref": "AWS::Partition"
300
+ },
301
+ ":execute-api:",
302
+ {
303
+ "Ref": "AWS::Region"
304
+ },
305
+ ":",
306
+ {
307
+ "Ref": "AWS::AccountId"
308
+ },
309
+ ":",
310
+ {
311
+ "Ref": "cfapigwlambdaLambdaRestApi775C255B"
312
+ },
313
+ "/test-invoke-stage/*/*"
314
+ ]
315
+ ]
316
+ }
317
+ }
318
+ },
319
+ "cfapigwlambdaLambdaRestApiproxyANY68181290": {
320
+ "Type": "AWS::ApiGateway::Method",
321
+ "Properties": {
322
+ "HttpMethod": "ANY",
323
+ "ResourceId": {
324
+ "Ref": "cfapigwlambdaLambdaRestApiproxy6A768910"
325
+ },
326
+ "RestApiId": {
327
+ "Ref": "cfapigwlambdaLambdaRestApi775C255B"
328
+ },
329
+ "AuthorizationType": "NONE",
330
+ "Integration": {
331
+ "IntegrationHttpMethod": "POST",
332
+ "Type": "AWS_PROXY",
333
+ "Uri": {
334
+ "Fn::Join": [
335
+ "",
336
+ [
337
+ "arn:",
338
+ {
339
+ "Ref": "AWS::Partition"
340
+ },
341
+ ":apigateway:",
342
+ {
343
+ "Ref": "AWS::Region"
344
+ },
345
+ ":lambda:path/2015-03-31/functions/",
346
+ {
347
+ "Fn::GetAtt": [
348
+ "cfapigwlambdaLambdaFunction10C09D31",
349
+ "Arn"
350
+ ]
351
+ },
352
+ "/invocations"
353
+ ]
354
+ ]
355
+ }
356
+ }
357
+ },
358
+ "Metadata": {
359
+ "cfn_nag": {
360
+ "rules_to_suppress": [
361
+ {
362
+ "id": "W59",
363
+ "reason": "AWS::ApiGateway::Method AuthorizationType is set to 'NONE' because API Gateway behind CloudFront does not support AWS_IAM authentication"
364
+ }
365
+ ]
366
+ }
367
+ }
368
+ },
369
+ "cfapigwlambdaLambdaRestApiANYApiPermissioncustomCloudfrontLoggingBucketcfapigwlambdaLambdaRestApi1C5998E7ANY3C46A898": {
370
+ "Type": "AWS::Lambda::Permission",
371
+ "Properties": {
372
+ "Action": "lambda:InvokeFunction",
373
+ "FunctionName": {
374
+ "Fn::GetAtt": [
375
+ "cfapigwlambdaLambdaFunction10C09D31",
376
+ "Arn"
377
+ ]
378
+ },
379
+ "Principal": "apigateway.amazonaws.com",
380
+ "SourceArn": {
381
+ "Fn::Join": [
382
+ "",
383
+ [
384
+ "arn:",
385
+ {
386
+ "Ref": "AWS::Partition"
387
+ },
388
+ ":execute-api:",
389
+ {
390
+ "Ref": "AWS::Region"
391
+ },
392
+ ":",
393
+ {
394
+ "Ref": "AWS::AccountId"
395
+ },
396
+ ":",
397
+ {
398
+ "Ref": "cfapigwlambdaLambdaRestApi775C255B"
399
+ },
400
+ "/",
401
+ {
402
+ "Ref": "cfapigwlambdaLambdaRestApiDeploymentStageprod83104011"
403
+ },
404
+ "/*/"
405
+ ]
406
+ ]
407
+ }
408
+ }
409
+ },
410
+ "cfapigwlambdaLambdaRestApiANYApiPermissionTestcustomCloudfrontLoggingBucketcfapigwlambdaLambdaRestApi1C5998E7ANY2F5B90FD": {
411
+ "Type": "AWS::Lambda::Permission",
412
+ "Properties": {
413
+ "Action": "lambda:InvokeFunction",
414
+ "FunctionName": {
415
+ "Fn::GetAtt": [
416
+ "cfapigwlambdaLambdaFunction10C09D31",
417
+ "Arn"
418
+ ]
419
+ },
420
+ "Principal": "apigateway.amazonaws.com",
421
+ "SourceArn": {
422
+ "Fn::Join": [
423
+ "",
424
+ [
425
+ "arn:",
426
+ {
427
+ "Ref": "AWS::Partition"
428
+ },
429
+ ":execute-api:",
430
+ {
431
+ "Ref": "AWS::Region"
432
+ },
433
+ ":",
434
+ {
435
+ "Ref": "AWS::AccountId"
436
+ },
437
+ ":",
438
+ {
439
+ "Ref": "cfapigwlambdaLambdaRestApi775C255B"
440
+ },
441
+ "/test-invoke-stage/*/"
442
+ ]
443
+ ]
444
+ }
445
+ }
446
+ },
447
+ "cfapigwlambdaLambdaRestApiANY81C176E9": {
448
+ "Type": "AWS::ApiGateway::Method",
449
+ "Properties": {
450
+ "HttpMethod": "ANY",
451
+ "ResourceId": {
452
+ "Fn::GetAtt": [
453
+ "cfapigwlambdaLambdaRestApi775C255B",
454
+ "RootResourceId"
455
+ ]
456
+ },
457
+ "RestApiId": {
458
+ "Ref": "cfapigwlambdaLambdaRestApi775C255B"
459
+ },
460
+ "AuthorizationType": "NONE",
461
+ "Integration": {
462
+ "IntegrationHttpMethod": "POST",
463
+ "Type": "AWS_PROXY",
464
+ "Uri": {
465
+ "Fn::Join": [
466
+ "",
467
+ [
468
+ "arn:",
469
+ {
470
+ "Ref": "AWS::Partition"
471
+ },
472
+ ":apigateway:",
473
+ {
474
+ "Ref": "AWS::Region"
475
+ },
476
+ ":lambda:path/2015-03-31/functions/",
477
+ {
478
+ "Fn::GetAtt": [
479
+ "cfapigwlambdaLambdaFunction10C09D31",
480
+ "Arn"
481
+ ]
482
+ },
483
+ "/invocations"
484
+ ]
485
+ ]
486
+ }
487
+ }
488
+ },
489
+ "Metadata": {
490
+ "cfn_nag": {
491
+ "rules_to_suppress": [
492
+ {
493
+ "id": "W59",
494
+ "reason": "AWS::ApiGateway::Method AuthorizationType is set to 'NONE' because API Gateway behind CloudFront does not support AWS_IAM authentication"
495
+ }
496
+ ]
497
+ }
498
+ }
499
+ },
500
+ "cfapigwlambdaLambdaRestApiUsagePlan11CE9748": {
501
+ "Type": "AWS::ApiGateway::UsagePlan",
502
+ "Properties": {
503
+ "ApiStages": [
504
+ {
505
+ "ApiId": {
506
+ "Ref": "cfapigwlambdaLambdaRestApi775C255B"
507
+ },
508
+ "Stage": {
509
+ "Ref": "cfapigwlambdaLambdaRestApiDeploymentStageprod83104011"
510
+ },
511
+ "Throttle": {}
512
+ }
513
+ ]
514
+ }
515
+ },
516
+ "cfapigwlambdaLambdaRestApiCloudWatchRole76F5ABDF": {
517
+ "Type": "AWS::IAM::Role",
518
+ "Properties": {
519
+ "AssumeRolePolicyDocument": {
520
+ "Statement": [
521
+ {
522
+ "Action": "sts:AssumeRole",
523
+ "Effect": "Allow",
524
+ "Principal": {
525
+ "Service": "apigateway.amazonaws.com"
526
+ }
527
+ }
528
+ ],
529
+ "Version": "2012-10-17"
530
+ },
531
+ "Policies": [
532
+ {
533
+ "PolicyDocument": {
534
+ "Statement": [
535
+ {
536
+ "Action": [
537
+ "logs:CreateLogGroup",
538
+ "logs:CreateLogStream",
539
+ "logs:DescribeLogGroups",
540
+ "logs:DescribeLogStreams",
541
+ "logs:PutLogEvents",
542
+ "logs:GetLogEvents",
543
+ "logs:FilterLogEvents"
544
+ ],
545
+ "Effect": "Allow",
546
+ "Resource": {
547
+ "Fn::Join": [
548
+ "",
549
+ [
550
+ "arn:",
551
+ {
552
+ "Ref": "AWS::Partition"
553
+ },
554
+ ":logs:",
555
+ {
556
+ "Ref": "AWS::Region"
557
+ },
558
+ ":",
559
+ {
560
+ "Ref": "AWS::AccountId"
561
+ },
562
+ ":*"
563
+ ]
564
+ ]
565
+ }
566
+ }
567
+ ],
568
+ "Version": "2012-10-17"
569
+ },
570
+ "PolicyName": "LambdaRestApiCloudWatchRolePolicy"
571
+ }
572
+ ]
573
+ }
574
+ },
575
+ "cfapigwlambdaLambdaRestApiAccountB2390110": {
576
+ "Type": "AWS::ApiGateway::Account",
577
+ "Properties": {
578
+ "CloudWatchRoleArn": {
579
+ "Fn::GetAtt": [
580
+ "cfapigwlambdaLambdaRestApiCloudWatchRole76F5ABDF",
581
+ "Arn"
582
+ ]
583
+ }
584
+ },
585
+ "DependsOn": [
586
+ "cfapigwlambdaLambdaRestApi775C255B"
587
+ ]
588
+ },
589
+ "cfapigwlambdaCloudFrontToApiGatewaySetHttpSecurityHeadersE20F2933": {
590
+ "Type": "AWS::CloudFront::Function",
591
+ "Properties": {
592
+ "Name": "SetHttpSecurityHeadersc8273ed23dc12ef2b23814ad425355213a41659e4f",
593
+ "AutoPublish": true,
594
+ "FunctionCode": "function handler(event) { var response = event.response; var headers = response.headers; headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'}; headers['content-security-policy'] = { value: \"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\"}; headers['x-content-type-options'] = { value: 'nosniff'}; headers['x-frame-options'] = {value: 'DENY'}; headers['x-xss-protection'] = {value: '1; mode=block'}; return response; }",
595
+ "FunctionConfig": {
596
+ "Comment": "SetHttpSecurityHeadersc8273ed23dc12ef2b23814ad425355213a41659e4f",
597
+ "Runtime": "cloudfront-js-1.0"
598
+ }
599
+ }
600
+ },
601
+ "cfapigwlambdaCloudFrontToApiGatewayCloudfrontLoggingBucket2E8E3DC2": {
602
+ "Type": "AWS::S3::Bucket",
603
+ "Properties": {
604
+ "AccessControl": "LogDeliveryWrite",
605
+ "BucketEncryption": {
606
+ "ServerSideEncryptionConfiguration": [
607
+ {
608
+ "ServerSideEncryptionByDefault": {
609
+ "SSEAlgorithm": "AES256"
610
+ }
611
+ }
612
+ ]
613
+ },
614
+ "PublicAccessBlockConfiguration": {
615
+ "BlockPublicAcls": true,
616
+ "BlockPublicPolicy": true,
617
+ "IgnorePublicAcls": true,
618
+ "RestrictPublicBuckets": true
619
+ },
620
+ "VersioningConfiguration": {
621
+ "Status": "Enabled"
622
+ }
623
+ },
624
+ "UpdateReplacePolicy": "Delete",
625
+ "DeletionPolicy": "Delete",
626
+ "Metadata": {
627
+ "cfn_nag": {
628
+ "rules_to_suppress": [
629
+ {
630
+ "id": "W35",
631
+ "reason": "This S3 bucket is used as the access logging bucket for CloudFront Distribution"
632
+ }
633
+ ]
634
+ }
635
+ }
636
+ },
637
+ "cfapigwlambdaCloudFrontToApiGatewayCloudfrontLoggingBucketPolicy416A95E3": {
638
+ "Type": "AWS::S3::BucketPolicy",
639
+ "Properties": {
640
+ "Bucket": {
641
+ "Ref": "cfapigwlambdaCloudFrontToApiGatewayCloudfrontLoggingBucket2E8E3DC2"
642
+ },
643
+ "PolicyDocument": {
644
+ "Statement": [
645
+ {
646
+ "Action": "s3:*",
647
+ "Condition": {
648
+ "Bool": {
649
+ "aws:SecureTransport": "false"
650
+ }
651
+ },
652
+ "Effect": "Deny",
653
+ "Principal": {
654
+ "AWS": "*"
655
+ },
656
+ "Resource": [
657
+ {
658
+ "Fn::GetAtt": [
659
+ "cfapigwlambdaCloudFrontToApiGatewayCloudfrontLoggingBucket2E8E3DC2",
660
+ "Arn"
661
+ ]
662
+ },
663
+ {
664
+ "Fn::Join": [
665
+ "",
666
+ [
667
+ {
668
+ "Fn::GetAtt": [
669
+ "cfapigwlambdaCloudFrontToApiGatewayCloudfrontLoggingBucket2E8E3DC2",
670
+ "Arn"
671
+ ]
672
+ },
673
+ "/*"
674
+ ]
675
+ ]
676
+ }
677
+ ]
678
+ }
679
+ ],
680
+ "Version": "2012-10-17"
681
+ }
682
+ }
683
+ },
684
+ "cfapigwlambdaCloudFrontToApiGatewayCloudFrontDistributionF8B75200": {
685
+ "Type": "AWS::CloudFront::Distribution",
686
+ "Properties": {
687
+ "DistributionConfig": {
688
+ "DefaultCacheBehavior": {
689
+ "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
690
+ "Compress": true,
691
+ "FunctionAssociations": [
692
+ {
693
+ "EventType": "viewer-response",
694
+ "FunctionARN": {
695
+ "Fn::GetAtt": [
696
+ "cfapigwlambdaCloudFrontToApiGatewaySetHttpSecurityHeadersE20F2933",
697
+ "FunctionARN"
698
+ ]
699
+ }
700
+ }
701
+ ],
702
+ "TargetOriginId": "customCloudfrontLoggingBucketcfapigwlambdaCloudFrontToApiGatewayCloudFrontDistributionOrigin1C90DACBB",
703
+ "ViewerProtocolPolicy": "redirect-to-https"
704
+ },
705
+ "Enabled": true,
706
+ "HttpVersion": "http2",
707
+ "IPV6Enabled": true,
708
+ "Logging": {
709
+ "Bucket": {
710
+ "Fn::GetAtt": [
711
+ "cfapigwlambdaCloudFrontToApiGatewayCloudfrontLoggingBucket2E8E3DC2",
712
+ "RegionalDomainName"
713
+ ]
714
+ }
715
+ },
716
+ "Origins": [
717
+ {
718
+ "CustomOriginConfig": {
719
+ "OriginProtocolPolicy": "https-only",
720
+ "OriginSSLProtocols": [
721
+ "TLSv1.2"
722
+ ]
723
+ },
724
+ "DomainName": {
725
+ "Fn::Select": [
726
+ 0,
727
+ {
728
+ "Fn::Split": [
729
+ "/",
730
+ {
731
+ "Fn::Select": [
732
+ 1,
733
+ {
734
+ "Fn::Split": [
735
+ "://",
736
+ {
737
+ "Fn::Join": [
738
+ "",
739
+ [
740
+ "https://",
741
+ {
742
+ "Ref": "cfapigwlambdaLambdaRestApi775C255B"
743
+ },
744
+ ".execute-api.",
745
+ {
746
+ "Ref": "AWS::Region"
747
+ },
748
+ ".",
749
+ {
750
+ "Ref": "AWS::URLSuffix"
751
+ },
752
+ "/",
753
+ {
754
+ "Ref": "cfapigwlambdaLambdaRestApiDeploymentStageprod83104011"
755
+ },
756
+ "/"
757
+ ]
758
+ ]
759
+ }
760
+ ]
761
+ }
762
+ ]
763
+ }
764
+ ]
765
+ }
766
+ ]
767
+ },
768
+ "Id": "customCloudfrontLoggingBucketcfapigwlambdaCloudFrontToApiGatewayCloudFrontDistributionOrigin1C90DACBB",
769
+ "OriginPath": {
770
+ "Fn::Join": [
771
+ "",
772
+ [
773
+ "/",
774
+ {
775
+ "Ref": "cfapigwlambdaLambdaRestApiDeploymentStageprod83104011"
776
+ }
777
+ ]
778
+ ]
779
+ }
780
+ }
781
+ ]
782
+ }
783
+ },
784
+ "Metadata": {
785
+ "cfn_nag": {
786
+ "rules_to_suppress": [
787
+ {
788
+ "id": "W70",
789
+ "reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion"
790
+ }
791
+ ]
792
+ }
793
+ }
794
+ }
795
+ },
796
+ "Outputs": {
797
+ "cfapigwlambdaLambdaRestApiEndpoint1004A97F": {
798
+ "Value": {
799
+ "Fn::Join": [
800
+ "",
801
+ [
802
+ "https://",
803
+ {
804
+ "Ref": "cfapigwlambdaLambdaRestApi775C255B"
805
+ },
806
+ ".execute-api.",
807
+ {
808
+ "Ref": "AWS::Region"
809
+ },
810
+ ".",
811
+ {
812
+ "Ref": "AWS::URLSuffix"
813
+ },
814
+ "/",
815
+ {
816
+ "Ref": "cfapigwlambdaLambdaRestApiDeploymentStageprod83104011"
817
+ },
818
+ "/"
819
+ ]
820
+ ]
821
+ }
822
+ }
823
+ },
824
+ "Parameters": {
825
+ "BootstrapVersion": {
826
+ "Type": "AWS::SSM::Parameter::Value<String>",
827
+ "Default": "/cdk-bootstrap/hnb659fds/version",
828
+ "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
829
+ }
830
+ },
831
+ "Rules": {
832
+ "CheckBootstrapVersion": {
833
+ "Assertions": [
834
+ {
835
+ "Assert": {
836
+ "Fn::Not": [
837
+ {
838
+ "Fn::Contains": [
839
+ [
840
+ "1",
841
+ "2",
842
+ "3",
843
+ "4",
844
+ "5"
845
+ ],
846
+ {
847
+ "Ref": "BootstrapVersion"
848
+ }
849
+ ]
850
+ }
851
+ ]
852
+ },
853
+ "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
854
+ }
855
+ ]
856
+ }
857
+ }
858
+ }
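Review bot: Both `ANY` methods (the `{proxy+}` one and the root one) set `"AuthorizationType": "NONE"` on a `REGIONAL` RestApi that carries no `Policy`, and the `Outputs` section publishes the execute-api URL, so as far as this template shows the Lambda can be invoked directly without passing through the CloudFront distribution, its `SetHttpSecurityHeaders` function or its access logging. The W59 suppression text explains why AWS_IAM is not used but names no compensating control; the file looks synthesized by CDK, so the change belongs in the construct or test source, for example rewording the reason to `"reason": "AuthorizationType is 'NONE' because API Gateway behind CloudFront does not support AWS_IAM authentication; the regional endpoint remains directly callable unless the caller adds an authorizer, API key or WAF rule"`. Separately, the `LambdaRestApiCloudWatchRolePolicy` statement grants `logs:GetLogEvents` and `logs:FilterLogEvents` on a resource ending in `:*`, which is read access to every log group in the account and region and looks wider than log delivery needs.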