@aws-solutions-constructs/aws-cloudfront-s3 2.46.0 → 2.48.0

Files changed (36)
  1. package/.eslintignore +2 -2
  2. package/.jsii +61 -24
  3. package/README.md +7 -6
  4. package/lib/index.d.ts +1 -0
  5. package/lib/index.js +70 -8
  6. package/package.json +7 -5
  7. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.expected.json +958 -0
  8. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js +44 -0
  9. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.expected.json +592 -0
  10. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js +39 -0
  11. package/test/integ.cfts3-bucket-with-http-origin.d.ts +13 -0
  12. package/test/integ.cfts3-bucket-with-http-origin.expected.json +559 -0
  13. package/test/integ.cfts3-bucket-with-http-origin.js +44 -0
  14. package/test/integ.cfts3-cmk-encryption.expected.json +527 -0
  15. package/test/integ.cfts3-cmk-provided-as-bucket-prop.d.ts +13 -0
  16. package/test/integ.cfts3-cmk-provided-as-bucket-prop.expected.json +958 -0
  17. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js +41 -0
  18. package/test/integ.cfts3-custom-headers.expected.json +307 -27
  19. package/test/integ.cfts3-custom-headers.js +6 -2
  20. package/test/integ.cfts3-custom-originPath.expected.json +307 -27
  21. package/test/integ.cfts3-custom-originPath.js +6 -2
  22. package/test/integ.cfts3-customCloudFrontLoggingBucket.expected.json +54 -23
  23. package/test/integ.cfts3-customLoggingBuckets.d.ts +13 -0
  24. package/test/{integ.cfts3-customLoggingBucket.expected.json → integ.cfts3-customLoggingBuckets.expected.json} +285 -31
  25. package/test/integ.cfts3-customLoggingBuckets.js +58 -0
  26. package/test/integ.cfts3-existing-bucket.expected.json +493 -80
  27. package/test/integ.cfts3-existing-bucket.js +2 -2
  28. package/test/integ.cfts3-no-arguments.expected.json +430 -27
  29. package/test/integ.cfts3-no-arguments.js +5 -2
  30. package/test/integ.cfts3-no-security-headers.expected.json +307 -27
  31. package/test/integ.cfts3-no-security-headers.js +5 -1
  32. package/test/test.cloudfront-s3.test.js +149 -28
  33. package/test/integ.cfts3-customCloudFrontLoggingBucket.js +0 -39
  34. package/test/integ.cfts3-customLoggingBucket.js +0 -42
  35. /package/test/{integ.cfts3-customCloudFrontLoggingBucket.d.ts → integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.d.ts} +0 -0
  36. /package/test/{integ.cfts3-customLoggingBucket.d.ts → integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.d.ts} +0 -0
@@ -0,0 +1,44 @@
1
+ "use strict";
2
+ /**
3
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
4
+ *
5
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
6
+ * with the License. A copy of the License is located at
7
+ *
8
+ * http://www.apache.org/licenses/LICENSE-2.0
9
+ *
10
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
11
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
12
+ * and limitations under the License.
13
+ */
14
+ Object.defineProperty(exports, "__esModule", { value: true });
15
+ // Imports
16
+ const aws_cdk_lib_1 = require("aws-cdk-lib");
17
+ const lib_1 = require("../lib");
18
+ const core_1 = require("@aws-solutions-constructs/core");
19
+ const aws_s3_1 = require("aws-cdk-lib/aws-s3");
20
+ // Setup
21
+ const app = new aws_cdk_lib_1.App();
22
+ const stack = new aws_cdk_lib_1.Stack(app, core_1.generateIntegStackName(__filename));
23
+ stack.node.setContext("@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy", true);
24
+ stack.templateOptions.description = 'Integration Test for aws-cloudfront-s3';
25
+ // Definitions
26
+ const encryptionKey = new aws_cdk_lib_1.aws_kms.Key(stack, 'cmkKey', {
27
+ enableKeyRotation: true,
28
+ removalPolicy: aws_cdk_lib_1.RemovalPolicy.DESTROY
29
+ });
30
+ const existingBucketObj = core_1.buildS3Bucket(stack, {
31
+ bucketProps: {
32
+ encryption: aws_s3_1.BucketEncryption.KMS,
33
+ encryptionKey
34
+ }
35
+ }, 'existing-s3-bucket-encrypted-with-cmk').bucket;
36
+ const props = {
37
+ existingBucketObj,
38
+ insertHttpSecurityHeaders: false
39
+ };
40
+ new lib_1.CloudFrontToS3(stack, 'test-cloudfront-s3-cmk-encryption-key', props);
41
+ core_1.suppressAutoDeleteHandlerWarnings(stack);
42
+ // Synth
43
+ app.synth();
44
+ //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW50ZWcuY2Z0czMtYnVja2V0LWVuY3J5cHRlZC13aXRoLWNtay1wcm92aWRlZC1hcy1leGlzdGluZ2J1Y2tldC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbImludGVnLmNmdHMzLWJ1Y2tldC1lbmNyeXB0ZWQtd2l0aC1jbWstcHJvdmlkZWQtYXMtZXhpc3RpbmdidWNrZXQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IjtBQUFBOzs7Ozs7Ozs7OztHQVdHOztBQUVILFVBQVU7QUFDViw2Q0FBaUU7QUFDakUsZ0NBQTZEO0FBQzdELHlEQUEwSDtBQUMxSCwrQ0FBc0Q7QUFFdEQsUUFBUTtBQUNSLE1BQU0sR0FBRyxHQUFHLElBQUksaUJBQUcsRUFBRSxDQUFDO0FBQ3RCLE1BQU0sS0FBSyxHQUFHLElBQUksbUJBQUssQ0FBQyxHQUFHLEVBQUUsNkJBQXNCLENBQUMsVUFBVSxDQUFDLENBQUMsQ0FBQztBQUNqRSxLQUFLLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxpREFBaUQsRUFBRSxJQUFJLENBQUMsQ0FBQztBQUMvRSxLQUFLLENBQUMsZUFBZSxDQUFDLFdBQVcsR0FBRyx3Q0FBd0MsQ0FBQztBQUU3RSxjQUFjO0FBQ2QsTUFBTSxhQUFhLEdBQUcsSUFBSSxxQkFBTyxDQUFDLEdBQUcsQ0FBQyxLQUFLLEVBQUUsUUFBUSxFQUFFO0lBQ3JELGlCQUFpQixFQUFFLElBQUk7SUFDdkIsYUFBYSxFQUFFLDJCQUFhLENBQUMsT0FBTztDQUNyQyxDQUFDLENBQUM7QUFFSCxNQUFNLGlCQUFpQixHQUFHLG9CQUFhLENBQUMsS0FBSyxFQUFFO0lBQzdDLFdBQVcsRUFBRTtRQUNYLFVBQVUsRUFBRSx5QkFBZ0IsQ0FBQyxHQUFHO1FBQ2hDLGFBQWE7S0FDZDtDQUNGLEVBQUUsdUNBQXVDLENBQUMsQ0FBQyxNQUFNLENBQUM7QUFFbkQsTUFBTSxLQUFLLEdBQXdCO0lBQ2pDLGlCQUFpQjtJQUNqQix5QkFBeUIsRUFBRSxLQUFLO0NBQ2pDLENBQUM7QUFFRixJQUFJLG9CQUFjLENBQUMsS0FBSyxFQUFFLHVDQUF1QyxFQUFFLEtBQUssQ0FBQyxDQUFDO0FBRTFFLHdDQUFpQyxDQUFDLEtBQUssQ0FBQyxDQUFDO0FBRXpDLFFBQVE7QUFDUixHQUFHLENBQUMsS0FBSyxFQUFFLENBQUMiLCJzb3VyY2VzQ29udGVudCI6WyIvKipcbiAqICBDb3B5cmlnaHQgQW1hem9uLmNvbSwgSW5jLiBvciBpdHMgYWZmaWxpYXRlcy4gQWxsIFJpZ2h0cyBSZXNlcnZlZC5cbiAqXG4gKiAgTGljZW5zZWQgdW5kZXIgdGhlIEFwYWNoZSBMaWNlbnNlLCBWZXJzaW9uIDIuMCAodGhlIFwiTGljZW5zZVwiKS4gWW91IG1heSBub3QgdXNlIHRoaXMgZmlsZSBleGNlcHQgaW4gY29tcGxpYW5jZVxuICogIHdpdGggdGhlIExpY2Vuc2UuIEEgY29weSBvZiB0aGUgTGljZW5zZSBpcyBsb2NhdGVkIGF0XG4gKlxuICogICAgICBodHRwOi8vd3d3LmFwYWNoZS5vcmcvbGljZW5zZXMvTElDRU5TRS0yLjBcbiAqXG4gKiAgb3IgaW4gdGhlICdsaWNlbnNlJyBmaWxlIGFjY29tcGFueWluZyB0aGlzIGZpbGUuIFRoaXMgZmlsZSBpcyBkaXN0cmlidXRlZCBvbiBhbiAnQVMgSVMnIEJB
U0lTLCBXSVRIT1VUIFdBUlJBTlRJRVNcbiAqICBPUiBDT05ESVRJT05TIE9GIEFOWSBLSU5ELCBleHByZXNzIG9yIGltcGxpZWQuIFNlZSB0aGUgTGljZW5zZSBmb3IgdGhlIHNwZWNpZmljIGxhbmd1YWdlIGdvdmVybmluZyBwZXJtaXNzaW9uc1xuICogIGFuZCBsaW1pdGF0aW9ucyB1bmRlciB0aGUgTGljZW5zZS5cbiAqL1xuXG4vLyBJbXBvcnRzXG5pbXBvcnQgeyBBcHAsIFN0YWNrLCBSZW1vdmFsUG9saWN5LCBhd3Nfa21zIH0gZnJvbSBcImF3cy1jZGstbGliXCI7XG5pbXBvcnQgeyBDbG91ZEZyb250VG9TMywgQ2xvdWRGcm9udFRvUzNQcm9wcyB9IGZyb20gXCIuLi9saWJcIjtcbmltcG9ydCB7IGJ1aWxkUzNCdWNrZXQsIGdlbmVyYXRlSW50ZWdTdGFja05hbWUsIHN1cHByZXNzQXV0b0RlbGV0ZUhhbmRsZXJXYXJuaW5ncyB9IGZyb20gJ0Bhd3Mtc29sdXRpb25zLWNvbnN0cnVjdHMvY29yZSc7XG5pbXBvcnQgeyBCdWNrZXRFbmNyeXB0aW9uIH0gZnJvbSBcImF3cy1jZGstbGliL2F3cy1zM1wiO1xuXG4vLyBTZXR1cFxuY29uc3QgYXBwID0gbmV3IEFwcCgpO1xuY29uc3Qgc3RhY2sgPSBuZXcgU3RhY2soYXBwLCBnZW5lcmF0ZUludGVnU3RhY2tOYW1lKF9fZmlsZW5hbWUpKTtcbnN0YWNrLm5vZGUuc2V0Q29udGV4dChcIkBhd3MtY2RrL2F3cy1zMzpzZXJ2ZXJBY2Nlc3NMb2dzVXNlQnVja2V0UG9saWN5XCIsIHRydWUpO1xuc3RhY2sudGVtcGxhdGVPcHRpb25zLmRlc2NyaXB0aW9uID0gJ0ludGVncmF0aW9uIFRlc3QgZm9yIGF3cy1jbG91ZGZyb250LXMzJztcblxuLy8gRGVmaW5pdGlvbnNcbmNvbnN0IGVuY3J5cHRpb25LZXkgPSBuZXcgYXdzX2ttcy5LZXkoc3RhY2ssICdjbWtLZXknLCB7XG4gIGVuYWJsZUtleVJvdGF0aW9uOiB0cnVlLFxuICByZW1vdmFsUG9saWN5OiBSZW1vdmFsUG9saWN5LkRFU1RST1lcbn0pO1xuXG5jb25zdCBleGlzdGluZ0J1Y2tldE9iaiA9IGJ1aWxkUzNCdWNrZXQoc3RhY2ssIHtcbiAgYnVja2V0UHJvcHM6IHtcbiAgICBlbmNyeXB0aW9uOiBCdWNrZXRFbmNyeXB0aW9uLktNUyxcbiAgICBlbmNyeXB0aW9uS2V5XG4gIH1cbn0sICdleGlzdGluZy1zMy1idWNrZXQtZW5jcnlwdGVkLXdpdGgtY21rJykuYnVja2V0O1xuXG5jb25zdCBwcm9wczogQ2xvdWRGcm9udFRvUzNQcm9wcyA9IHtcbiAgZXhpc3RpbmdCdWNrZXRPYmosXG4gIGluc2VydEh0dHBTZWN1cml0eUhlYWRlcnM6IGZhbHNlXG59O1xuXG5uZXcgQ2xvdWRGcm9udFRvUzMoc3RhY2ssICd0ZXN0LWNsb3VkZnJvbnQtczMtY21rLWVuY3J5cHRpb24ta2V5JywgcHJvcHMpO1xuXG5zdXBwcmVzc0F1dG9EZWxldGVIYW5kbGVyV2FybmluZ3Moc3RhY2spO1xuXG4vLyBTeW50aFxuYXBwLnN5bnRoKCk7XG4iXX0=
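Review bot: The `cmkKey` is created with `removalPolicy: aws_cdk_lib_1.RemovalPolicy.DESTROY`, while the bucket built by `core_1.buildS3Bucket` just below it sets no removal policy in `bucketProps`. The managed-key expected template on this page shows `"DeletionPolicy": "Retain"` for a bucket built by the same helper, so this bucket is presumably retained too, and any objects left in it after teardown stay encrypted under a key that has been scheduled for deletion. Either give the bucket a matching lifecycle, e.g. `removalPolicy: aws_cdk_lib_1.RemovalPolicy.DESTROY, autoDeleteObjects: true` in `bucketProps`, or put a comment above the key such as `// Test-only: the key is destroyed with the stack; do not copy this into a stack whose bucket is retained`. The fix belongs in the `.ts` source this file is compiled from.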
@@ -0,0 +1,592 @@
1
+ {
2
+ "Description": "Integration Test for aws-cloudfront-s3",
3
+ "Resources": {
4
+ "existings3bucketencryptedwiths3managedkeyS3LoggingBucketF861F6B7": {
5
+ "Type": "AWS::S3::Bucket",
6
+ "Properties": {
7
+ "BucketEncryption": {
8
+ "ServerSideEncryptionConfiguration": [
9
+ {
10
+ "ServerSideEncryptionByDefault": {
11
+ "SSEAlgorithm": "AES256"
12
+ }
13
+ }
14
+ ]
15
+ },
16
+ "PublicAccessBlockConfiguration": {
17
+ "BlockPublicAcls": true,
18
+ "BlockPublicPolicy": true,
19
+ "IgnorePublicAcls": true,
20
+ "RestrictPublicBuckets": true
21
+ },
22
+ "VersioningConfiguration": {
23
+ "Status": "Enabled"
24
+ }
25
+ },
26
+ "UpdateReplacePolicy": "Retain",
27
+ "DeletionPolicy": "Retain",
28
+ "Metadata": {
29
+ "cfn_nag": {
30
+ "rules_to_suppress": [
31
+ {
32
+ "id": "W35",
33
+ "reason": "This S3 bucket is used as the access logging bucket for another bucket"
34
+ }
35
+ ]
36
+ }
37
+ }
38
+ },
39
+ "existings3bucketencryptedwiths3managedkeyS3LoggingBucketPolicy4358229C": {
40
+ "Type": "AWS::S3::BucketPolicy",
41
+ "Properties": {
42
+ "Bucket": {
43
+ "Ref": "existings3bucketencryptedwiths3managedkeyS3LoggingBucketF861F6B7"
44
+ },
45
+ "PolicyDocument": {
46
+ "Statement": [
47
+ {
48
+ "Action": "s3:*",
49
+ "Condition": {
50
+ "Bool": {
51
+ "aws:SecureTransport": "false"
52
+ }
53
+ },
54
+ "Effect": "Deny",
55
+ "Principal": {
56
+ "AWS": "*"
57
+ },
58
+ "Resource": [
59
+ {
60
+ "Fn::GetAtt": [
61
+ "existings3bucketencryptedwiths3managedkeyS3LoggingBucketF861F6B7",
62
+ "Arn"
63
+ ]
64
+ },
65
+ {
66
+ "Fn::Join": [
67
+ "",
68
+ [
69
+ {
70
+ "Fn::GetAtt": [
71
+ "existings3bucketencryptedwiths3managedkeyS3LoggingBucketF861F6B7",
72
+ "Arn"
73
+ ]
74
+ },
75
+ "/*"
76
+ ]
77
+ ]
78
+ }
79
+ ]
80
+ },
81
+ {
82
+ "Action": "s3:PutObject",
83
+ "Condition": {
84
+ "ArnLike": {
85
+ "aws:SourceArn": {
86
+ "Fn::GetAtt": [
87
+ "existings3bucketencryptedwiths3managedkeyS3BucketA8C4BE9A",
88
+ "Arn"
89
+ ]
90
+ }
91
+ },
92
+ "StringEquals": {
93
+ "aws:SourceAccount": {
94
+ "Ref": "AWS::AccountId"
95
+ }
96
+ }
97
+ },
98
+ "Effect": "Allow",
99
+ "Principal": {
100
+ "Service": "logging.s3.amazonaws.com"
101
+ },
102
+ "Resource": {
103
+ "Fn::Join": [
104
+ "",
105
+ [
106
+ {
107
+ "Fn::GetAtt": [
108
+ "existings3bucketencryptedwiths3managedkeyS3LoggingBucketF861F6B7",
109
+ "Arn"
110
+ ]
111
+ },
112
+ "/*"
113
+ ]
114
+ ]
115
+ }
116
+ }
117
+ ],
118
+ "Version": "2012-10-17"
119
+ }
120
+ }
121
+ },
122
+ "existings3bucketencryptedwiths3managedkeyS3BucketA8C4BE9A": {
123
+ "Type": "AWS::S3::Bucket",
124
+ "Properties": {
125
+ "BucketEncryption": {
126
+ "ServerSideEncryptionConfiguration": [
127
+ {
128
+ "ServerSideEncryptionByDefault": {
129
+ "SSEAlgorithm": "AES256"
130
+ }
131
+ }
132
+ ]
133
+ },
134
+ "LifecycleConfiguration": {
135
+ "Rules": [
136
+ {
137
+ "NoncurrentVersionTransitions": [
138
+ {
139
+ "StorageClass": "GLACIER",
140
+ "TransitionInDays": 90
141
+ }
142
+ ],
143
+ "Status": "Enabled"
144
+ }
145
+ ]
146
+ },
147
+ "LoggingConfiguration": {
148
+ "DestinationBucketName": {
149
+ "Ref": "existings3bucketencryptedwiths3managedkeyS3LoggingBucketF861F6B7"
150
+ }
151
+ },
152
+ "PublicAccessBlockConfiguration": {
153
+ "BlockPublicAcls": true,
154
+ "BlockPublicPolicy": true,
155
+ "IgnorePublicAcls": true,
156
+ "RestrictPublicBuckets": true
157
+ },
158
+ "VersioningConfiguration": {
159
+ "Status": "Enabled"
160
+ }
161
+ },
162
+ "UpdateReplacePolicy": "Retain",
163
+ "DeletionPolicy": "Retain"
164
+ },
165
+ "existings3bucketencryptedwiths3managedkeyS3BucketPolicyFDA85248": {
166
+ "Type": "AWS::S3::BucketPolicy",
167
+ "Properties": {
168
+ "Bucket": {
169
+ "Ref": "existings3bucketencryptedwiths3managedkeyS3BucketA8C4BE9A"
170
+ },
171
+ "PolicyDocument": {
172
+ "Statement": [
173
+ {
174
+ "Action": "s3:*",
175
+ "Condition": {
176
+ "Bool": {
177
+ "aws:SecureTransport": "false"
178
+ }
179
+ },
180
+ "Effect": "Deny",
181
+ "Principal": {
182
+ "AWS": "*"
183
+ },
184
+ "Resource": [
185
+ {
186
+ "Fn::GetAtt": [
187
+ "existings3bucketencryptedwiths3managedkeyS3BucketA8C4BE9A",
188
+ "Arn"
189
+ ]
190
+ },
191
+ {
192
+ "Fn::Join": [
193
+ "",
194
+ [
195
+ {
196
+ "Fn::GetAtt": [
197
+ "existings3bucketencryptedwiths3managedkeyS3BucketA8C4BE9A",
198
+ "Arn"
199
+ ]
200
+ },
201
+ "/*"
202
+ ]
203
+ ]
204
+ }
205
+ ]
206
+ },
207
+ {
208
+ "Action": "s3:GetObject",
209
+ "Condition": {
210
+ "StringEquals": {
211
+ "AWS:SourceArn": {
212
+ "Fn::Join": [
213
+ "",
214
+ [
215
+ "arn:aws:cloudfront::",
216
+ {
217
+ "Ref": "AWS::AccountId"
218
+ },
219
+ ":distribution/",
220
+ {
221
+ "Ref": "testcloudfronts3managedkeyCloudFrontDistributionE6431C62"
222
+ }
223
+ ]
224
+ ]
225
+ }
226
+ }
227
+ },
228
+ "Effect": "Allow",
229
+ "Principal": {
230
+ "Service": "cloudfront.amazonaws.com"
231
+ },
232
+ "Resource": {
233
+ "Fn::Join": [
234
+ "",
235
+ [
236
+ {
237
+ "Fn::GetAtt": [
238
+ "existings3bucketencryptedwiths3managedkeyS3BucketA8C4BE9A",
239
+ "Arn"
240
+ ]
241
+ },
242
+ "/*"
243
+ ]
244
+ ]
245
+ }
246
+ }
247
+ ],
248
+ "Version": "2012-10-17"
249
+ }
250
+ },
251
+ "Metadata": {
252
+ "cfn_nag": {
253
+ "rules_to_suppress": [
254
+ {
255
+ "id": "F16",
256
+ "reason": "Public website bucket policy requires a wildcard principal"
257
+ }
258
+ ]
259
+ }
260
+ }
261
+ },
262
+ "testcloudfronts3managedkeyCloudfrontLoggingBucketAccessLog09A44955": {
263
+ "Type": "AWS::S3::Bucket",
264
+ "Properties": {
265
+ "BucketEncryption": {
266
+ "ServerSideEncryptionConfiguration": [
267
+ {
268
+ "ServerSideEncryptionByDefault": {
269
+ "SSEAlgorithm": "AES256"
270
+ }
271
+ }
272
+ ]
273
+ },
274
+ "OwnershipControls": {
275
+ "Rules": [
276
+ {
277
+ "ObjectOwnership": "ObjectWriter"
278
+ }
279
+ ]
280
+ },
281
+ "PublicAccessBlockConfiguration": {
282
+ "BlockPublicAcls": true,
283
+ "BlockPublicPolicy": true,
284
+ "IgnorePublicAcls": true,
285
+ "RestrictPublicBuckets": true
286
+ },
287
+ "VersioningConfiguration": {
288
+ "Status": "Enabled"
289
+ }
290
+ },
291
+ "UpdateReplacePolicy": "Retain",
292
+ "DeletionPolicy": "Retain",
293
+ "Metadata": {
294
+ "cfn_nag": {
295
+ "rules_to_suppress": [
296
+ {
297
+ "id": "W35",
298
+ "reason": "This S3 bucket is used as the access logging bucket for another bucket"
299
+ }
300
+ ]
301
+ }
302
+ }
303
+ },
304
+ "testcloudfronts3managedkeyCloudfrontLoggingBucketAccessLogPolicy08C15592": {
305
+ "Type": "AWS::S3::BucketPolicy",
306
+ "Properties": {
307
+ "Bucket": {
308
+ "Ref": "testcloudfronts3managedkeyCloudfrontLoggingBucketAccessLog09A44955"
309
+ },
310
+ "PolicyDocument": {
311
+ "Statement": [
312
+ {
313
+ "Action": "s3:*",
314
+ "Condition": {
315
+ "Bool": {
316
+ "aws:SecureTransport": "false"
317
+ }
318
+ },
319
+ "Effect": "Deny",
320
+ "Principal": {
321
+ "AWS": "*"
322
+ },
323
+ "Resource": [
324
+ {
325
+ "Fn::GetAtt": [
326
+ "testcloudfronts3managedkeyCloudfrontLoggingBucketAccessLog09A44955",
327
+ "Arn"
328
+ ]
329
+ },
330
+ {
331
+ "Fn::Join": [
332
+ "",
333
+ [
334
+ {
335
+ "Fn::GetAtt": [
336
+ "testcloudfronts3managedkeyCloudfrontLoggingBucketAccessLog09A44955",
337
+ "Arn"
338
+ ]
339
+ },
340
+ "/*"
341
+ ]
342
+ ]
343
+ }
344
+ ]
345
+ },
346
+ {
347
+ "Action": "s3:PutObject",
348
+ "Condition": {
349
+ "ArnLike": {
350
+ "aws:SourceArn": {
351
+ "Fn::GetAtt": [
352
+ "testcloudfronts3managedkeyCloudfrontLoggingBucket4F6525D7",
353
+ "Arn"
354
+ ]
355
+ }
356
+ },
357
+ "StringEquals": {
358
+ "aws:SourceAccount": {
359
+ "Ref": "AWS::AccountId"
360
+ }
361
+ }
362
+ },
363
+ "Effect": "Allow",
364
+ "Principal": {
365
+ "Service": "logging.s3.amazonaws.com"
366
+ },
367
+ "Resource": {
368
+ "Fn::Join": [
369
+ "",
370
+ [
371
+ {
372
+ "Fn::GetAtt": [
373
+ "testcloudfronts3managedkeyCloudfrontLoggingBucketAccessLog09A44955",
374
+ "Arn"
375
+ ]
376
+ },
377
+ "/*"
378
+ ]
379
+ ]
380
+ }
381
+ }
382
+ ],
383
+ "Version": "2012-10-17"
384
+ }
385
+ }
386
+ },
387
+ "testcloudfronts3managedkeyCloudfrontLoggingBucket4F6525D7": {
388
+ "Type": "AWS::S3::Bucket",
389
+ "Properties": {
390
+ "AccessControl": "LogDeliveryWrite",
391
+ "BucketEncryption": {
392
+ "ServerSideEncryptionConfiguration": [
393
+ {
394
+ "ServerSideEncryptionByDefault": {
395
+ "SSEAlgorithm": "AES256"
396
+ }
397
+ }
398
+ ]
399
+ },
400
+ "LoggingConfiguration": {
401
+ "DestinationBucketName": {
402
+ "Ref": "testcloudfronts3managedkeyCloudfrontLoggingBucketAccessLog09A44955"
403
+ }
404
+ },
405
+ "OwnershipControls": {
406
+ "Rules": [
407
+ {
408
+ "ObjectOwnership": "ObjectWriter"
409
+ }
410
+ ]
411
+ },
412
+ "PublicAccessBlockConfiguration": {
413
+ "BlockPublicAcls": true,
414
+ "BlockPublicPolicy": true,
415
+ "IgnorePublicAcls": true,
416
+ "RestrictPublicBuckets": true
417
+ },
418
+ "VersioningConfiguration": {
419
+ "Status": "Enabled"
420
+ }
421
+ },
422
+ "UpdateReplacePolicy": "Retain",
423
+ "DeletionPolicy": "Retain"
424
+ },
425
+ "testcloudfronts3managedkeyCloudfrontLoggingBucketPolicy8952C83B": {
426
+ "Type": "AWS::S3::BucketPolicy",
427
+ "Properties": {
428
+ "Bucket": {
429
+ "Ref": "testcloudfronts3managedkeyCloudfrontLoggingBucket4F6525D7"
430
+ },
431
+ "PolicyDocument": {
432
+ "Statement": [
433
+ {
434
+ "Action": "s3:*",
435
+ "Condition": {
436
+ "Bool": {
437
+ "aws:SecureTransport": "false"
438
+ }
439
+ },
440
+ "Effect": "Deny",
441
+ "Principal": {
442
+ "AWS": "*"
443
+ },
444
+ "Resource": [
445
+ {
446
+ "Fn::GetAtt": [
447
+ "testcloudfronts3managedkeyCloudfrontLoggingBucket4F6525D7",
448
+ "Arn"
449
+ ]
450
+ },
451
+ {
452
+ "Fn::Join": [
453
+ "",
454
+ [
455
+ {
456
+ "Fn::GetAtt": [
457
+ "testcloudfronts3managedkeyCloudfrontLoggingBucket4F6525D7",
458
+ "Arn"
459
+ ]
460
+ },
461
+ "/*"
462
+ ]
463
+ ]
464
+ }
465
+ ]
466
+ }
467
+ ],
468
+ "Version": "2012-10-17"
469
+ }
470
+ }
471
+ },
472
+ "testcloudfronts3managedkeyCloudFrontOac1422B0A1": {
473
+ "Type": "AWS::CloudFront::OriginAccessControl",
474
+ "Properties": {
475
+ "OriginAccessControlConfig": {
476
+ "Description": "Origin access control provisioned by aws-cloudfront-s3",
477
+ "Name": {
478
+ "Fn::Join": [
479
+ "",
480
+ [
481
+ "aws-cloudfront-s3-testd-key-",
482
+ {
483
+ "Fn::Select": [
484
+ 2,
485
+ {
486
+ "Fn::Split": [
487
+ "/",
488
+ {
489
+ "Ref": "AWS::StackId"
490
+ }
491
+ ]
492
+ }
493
+ ]
494
+ }
495
+ ]
496
+ ]
497
+ },
498
+ "OriginAccessControlOriginType": "s3",
499
+ "SigningBehavior": "always",
500
+ "SigningProtocol": "sigv4"
501
+ }
502
+ }
503
+ },
504
+ "testcloudfronts3managedkeyCloudFrontDistributionE6431C62": {
505
+ "Type": "AWS::CloudFront::Distribution",
506
+ "Properties": {
507
+ "DistributionConfig": {
508
+ "DefaultCacheBehavior": {
509
+ "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
510
+ "Compress": true,
511
+ "TargetOriginId": "cfts3bucketencryptedwithmanagedkeyprovidedasexistingbuckettestcloudfronts3managedkeyCloudFrontDistributionOrigin17C5092B4",
512
+ "ViewerProtocolPolicy": "redirect-to-https"
513
+ },
514
+ "DefaultRootObject": "index.html",
515
+ "Enabled": true,
516
+ "HttpVersion": "http2",
517
+ "IPV6Enabled": true,
518
+ "Logging": {
519
+ "Bucket": {
520
+ "Fn::GetAtt": [
521
+ "testcloudfronts3managedkeyCloudfrontLoggingBucket4F6525D7",
522
+ "RegionalDomainName"
523
+ ]
524
+ }
525
+ },
526
+ "Origins": [
527
+ {
528
+ "DomainName": {
529
+ "Fn::GetAtt": [
530
+ "existings3bucketencryptedwiths3managedkeyS3BucketA8C4BE9A",
531
+ "RegionalDomainName"
532
+ ]
533
+ },
534
+ "Id": "cfts3bucketencryptedwithmanagedkeyprovidedasexistingbuckettestcloudfronts3managedkeyCloudFrontDistributionOrigin17C5092B4",
535
+ "OriginAccessControlId": {
536
+ "Fn::GetAtt": [
537
+ "testcloudfronts3managedkeyCloudFrontOac1422B0A1",
538
+ "Id"
539
+ ]
540
+ },
541
+ "S3OriginConfig": {}
542
+ }
543
+ ]
544
+ }
545
+ },
546
+ "Metadata": {
547
+ "cfn_nag": {
548
+ "rules_to_suppress": [
549
+ {
550
+ "id": "W70",
551
+ "reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion"
552
+ }
553
+ ]
554
+ }
555
+ }
556
+ }
557
+ },
558
+ "Parameters": {
559
+ "BootstrapVersion": {
560
+ "Type": "AWS::SSM::Parameter::Value<String>",
561
+ "Default": "/cdk-bootstrap/hnb659fds/version",
562
+ "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
563
+ }
564
+ },
565
+ "Rules": {
566
+ "CheckBootstrapVersion": {
567
+ "Assertions": [
568
+ {
569
+ "Assert": {
570
+ "Fn::Not": [
571
+ {
572
+ "Fn::Contains": [
573
+ [
574
+ "1",
575
+ "2",
576
+ "3",
577
+ "4",
578
+ "5"
579
+ ],
580
+ {
581
+ "Ref": "BootstrapVersion"
582
+ }
583
+ ]
584
+ }
585
+ ]
586
+ },
587
+ "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
588
+ }
589
+ ]
590
+ }
591
+ }
592
+ }
@@ -0,0 +1,39 @@
1
+ "use strict";
2
+ /**
3
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
4
+ *
5
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
6
+ * with the License. A copy of the License is located at
7
+ *
8
+ * http://www.apache.org/licenses/LICENSE-2.0
9
+ *
10
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
11
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
12
+ * and limitations under the License.
13
+ */
14
+ Object.defineProperty(exports, "__esModule", { value: true });
15
+ // Imports
16
+ const aws_cdk_lib_1 = require("aws-cdk-lib");
17
+ const lib_1 = require("../lib");
18
+ const core_1 = require("@aws-solutions-constructs/core");
19
+ const aws_s3_1 = require("aws-cdk-lib/aws-s3");
20
+ // Setup
21
+ const app = new aws_cdk_lib_1.App();
22
+ const stack = new aws_cdk_lib_1.Stack(app, core_1.generateIntegStackName(__filename));
23
+ stack.node.setContext("@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy", true);
24
+ stack.templateOptions.description = 'Integration Test for aws-cloudfront-s3';
25
+ // Definitions
26
+ const existingBucketObj = core_1.buildS3Bucket(stack, {
27
+ bucketProps: {
28
+ encryption: aws_s3_1.BucketEncryption.S3_MANAGED
29
+ }
30
+ }, 'existing-s3-bucket-encrypted-with-s3-managed-key').bucket;
31
+ const props = {
32
+ existingBucketObj,
33
+ insertHttpSecurityHeaders: false
34
+ };
35
+ new lib_1.CloudFrontToS3(stack, 'test-cloudfront-s3-managed-key', props);
36
+ core_1.suppressAutoDeleteHandlerWarnings(stack);
37
+ // Synth
38
+ app.synth();
39
+ //# sourceMappingURL=data:application/json;base64,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
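Review bot: `core_1.suppressAutoDeleteHandlerWarnings(stack)` looks like a no-op in this test. No bucket here enables auto-delete, and the expected template for this stack earlier on the page contains no Lambda or custom resource, only buckets, bucket policies, the origin access control and the distribution. Consider dropping the call, or, if the integration run is meant to clean up after itself, passing `removalPolicy: aws_cdk_lib_1.RemovalPolicy.DESTROY, autoDeleteObjects: true` in `bucketProps` so the call has something to act on; as emitted, all four buckets carry `"DeletionPolicy": "Retain"`. The same call appears in the CMK test above. A one-line comment on `insertHttpSecurityHeaders: false` saying why the security-headers function is left out of this test would also help.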