@aws-solutions-constructs/aws-cloudfront-s3 2.47.0 → 2.48.0

Files changed (36)
  1. package/.eslintignore +2 -2
  2. package/.jsii +60 -23
  3. package/README.md +7 -6
  4. package/lib/index.d.ts +1 -0
  5. package/lib/index.js +70 -8
  6. package/package.json +5 -3
  7. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.expected.json +958 -0
  8. package/test/integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.js +44 -0
  9. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.expected.json +592 -0
  10. package/test/integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.js +39 -0
  11. package/test/integ.cfts3-bucket-with-http-origin.d.ts +13 -0
  12. package/test/integ.cfts3-bucket-with-http-origin.expected.json +559 -0
  13. package/test/integ.cfts3-bucket-with-http-origin.js +44 -0
  14. package/test/integ.cfts3-cmk-encryption.expected.json +527 -0
  15. package/test/integ.cfts3-cmk-provided-as-bucket-prop.d.ts +13 -0
  16. package/test/integ.cfts3-cmk-provided-as-bucket-prop.expected.json +958 -0
  17. package/test/integ.cfts3-cmk-provided-as-bucket-prop.js +41 -0
  18. package/test/integ.cfts3-custom-headers.expected.json +307 -27
  19. package/test/integ.cfts3-custom-headers.js +6 -2
  20. package/test/integ.cfts3-custom-originPath.expected.json +307 -27
  21. package/test/integ.cfts3-custom-originPath.js +6 -2
  22. package/test/integ.cfts3-customCloudFrontLoggingBucket.expected.json +54 -23
  23. package/test/integ.cfts3-customLoggingBuckets.d.ts +13 -0
  24. package/test/{integ.cfts3-customLoggingBucket.expected.json → integ.cfts3-customLoggingBuckets.expected.json} +285 -31
  25. package/test/integ.cfts3-customLoggingBuckets.js +58 -0
  26. package/test/integ.cfts3-existing-bucket.expected.json +493 -80
  27. package/test/integ.cfts3-existing-bucket.js +2 -2
  28. package/test/integ.cfts3-no-arguments.expected.json +430 -27
  29. package/test/integ.cfts3-no-arguments.js +5 -2
  30. package/test/integ.cfts3-no-security-headers.expected.json +307 -27
  31. package/test/integ.cfts3-no-security-headers.js +5 -1
  32. package/test/test.cloudfront-s3.test.js +149 -28
  33. package/test/integ.cfts3-customCloudFrontLoggingBucket.js +0 -39
  34. package/test/integ.cfts3-customLoggingBucket.js +0 -42
  35. /package/test/{integ.cfts3-customCloudFrontLoggingBucket.d.ts → integ.cfts3-bucket-encrypted-with-cmk-provided-as-existingbucket.d.ts} +0 -0
  36. /package/test/{integ.cfts3-customLoggingBucket.d.ts → integ.cfts3-bucket-encrypted-with-managed-key-provided-as-existingbucket.d.ts} +0 -0
@@ -0,0 +1,527 @@
1
+ {
2
+ "Description": "Integration Test for aws-cloudfront-s3",
3
+ "Resources": {
4
+ "cmkKey598B20B2": {
5
+ "Type": "AWS::KMS::Key",
6
+ "Properties": {
7
+ "EnableKeyRotation": true,
8
+ "KeyPolicy": {
9
+ "Statement": [
10
+ {
11
+ "Action": "kms:*",
12
+ "Effect": "Allow",
13
+ "Principal": {
14
+ "AWS": {
15
+ "Fn::Join": [
16
+ "",
17
+ [
18
+ "arn:",
19
+ {
20
+ "Ref": "AWS::Partition"
21
+ },
22
+ ":iam::",
23
+ {
24
+ "Ref": "AWS::AccountId"
25
+ },
26
+ ":root"
27
+ ]
28
+ ]
29
+ }
30
+ },
31
+ "Resource": "*"
32
+ }
33
+ ],
34
+ "Version": "2012-10-17"
35
+ }
36
+ },
37
+ "UpdateReplacePolicy": "Delete",
38
+ "DeletionPolicy": "Delete"
39
+ },
40
+ "testcloudfronts3cmkencryptionkeyS3LoggingBucket5CE52209": {
41
+ "Type": "AWS::S3::Bucket",
42
+ "Properties": {
43
+ "BucketEncryption": {
44
+ "ServerSideEncryptionConfiguration": [
45
+ {
46
+ "ServerSideEncryptionByDefault": {
47
+ "SSEAlgorithm": "AES256"
48
+ }
49
+ }
50
+ ]
51
+ },
52
+ "PublicAccessBlockConfiguration": {
53
+ "BlockPublicAcls": true,
54
+ "BlockPublicPolicy": true,
55
+ "IgnorePublicAcls": true,
56
+ "RestrictPublicBuckets": true
57
+ },
58
+ "VersioningConfiguration": {
59
+ "Status": "Enabled"
60
+ }
61
+ },
62
+ "UpdateReplacePolicy": "Retain",
63
+ "DeletionPolicy": "Retain",
64
+ "Metadata": {
65
+ "cfn_nag": {
66
+ "rules_to_suppress": [
67
+ {
68
+ "id": "W35",
69
+ "reason": "This S3 bucket is used as the access logging bucket for another bucket"
70
+ }
71
+ ]
72
+ }
73
+ }
74
+ },
75
+ "testcloudfronts3cmkencryptionkeyS3LoggingBucketPolicyF38CB6DD": {
76
+ "Type": "AWS::S3::BucketPolicy",
77
+ "Properties": {
78
+ "Bucket": {
79
+ "Ref": "testcloudfronts3cmkencryptionkeyS3LoggingBucket5CE52209"
80
+ },
81
+ "PolicyDocument": {
82
+ "Statement": [
83
+ {
84
+ "Action": "s3:*",
85
+ "Condition": {
86
+ "Bool": {
87
+ "aws:SecureTransport": "false"
88
+ }
89
+ },
90
+ "Effect": "Deny",
91
+ "Principal": {
92
+ "AWS": "*"
93
+ },
94
+ "Resource": [
95
+ {
96
+ "Fn::GetAtt": [
97
+ "testcloudfronts3cmkencryptionkeyS3LoggingBucket5CE52209",
98
+ "Arn"
99
+ ]
100
+ },
101
+ {
102
+ "Fn::Join": [
103
+ "",
104
+ [
105
+ {
106
+ "Fn::GetAtt": [
107
+ "testcloudfronts3cmkencryptionkeyS3LoggingBucket5CE52209",
108
+ "Arn"
109
+ ]
110
+ },
111
+ "/*"
112
+ ]
113
+ ]
114
+ }
115
+ ]
116
+ },
117
+ {
118
+ "Action": "s3:PutObject",
119
+ "Condition": {
120
+ "ArnLike": {
121
+ "aws:SourceArn": {
122
+ "Fn::GetAtt": [
123
+ "testcloudfronts3cmkencryptionkeyS3Bucket0E74E5D2",
124
+ "Arn"
125
+ ]
126
+ }
127
+ },
128
+ "StringEquals": {
129
+ "aws:SourceAccount": {
130
+ "Ref": "AWS::AccountId"
131
+ }
132
+ }
133
+ },
134
+ "Effect": "Allow",
135
+ "Principal": {
136
+ "Service": "logging.s3.amazonaws.com"
137
+ },
138
+ "Resource": {
139
+ "Fn::Join": [
140
+ "",
141
+ [
142
+ {
143
+ "Fn::GetAtt": [
144
+ "testcloudfronts3cmkencryptionkeyS3LoggingBucket5CE52209",
145
+ "Arn"
146
+ ]
147
+ },
148
+ "/*"
149
+ ]
150
+ ]
151
+ }
152
+ }
153
+ ],
154
+ "Version": "2012-10-17"
155
+ }
156
+ }
157
+ },
158
+ "testcloudfronts3cmkencryptionkeyS3Bucket0E74E5D2": {
159
+ "Type": "AWS::S3::Bucket",
160
+ "Properties": {
161
+ "BucketEncryption": {
162
+ "ServerSideEncryptionConfiguration": [
163
+ {
164
+ "ServerSideEncryptionByDefault": {
165
+ "SSEAlgorithm": "AES256"
166
+ }
167
+ }
168
+ ]
169
+ },
170
+ "LifecycleConfiguration": {
171
+ "Rules": [
172
+ {
173
+ "NoncurrentVersionTransitions": [
174
+ {
175
+ "StorageClass": "GLACIER",
176
+ "TransitionInDays": 90
177
+ }
178
+ ],
179
+ "Status": "Enabled"
180
+ }
181
+ ]
182
+ },
183
+ "LoggingConfiguration": {
184
+ "DestinationBucketName": {
185
+ "Ref": "testcloudfronts3cmkencryptionkeyS3LoggingBucket5CE52209"
186
+ }
187
+ },
188
+ "PublicAccessBlockConfiguration": {
189
+ "BlockPublicAcls": true,
190
+ "BlockPublicPolicy": true,
191
+ "IgnorePublicAcls": true,
192
+ "RestrictPublicBuckets": true
193
+ },
194
+ "VersioningConfiguration": {
195
+ "Status": "Enabled"
196
+ }
197
+ },
198
+ "UpdateReplacePolicy": "Retain",
199
+ "DeletionPolicy": "Retain"
200
+ },
201
+ "testcloudfronts3cmkencryptionkeyS3BucketPolicy5DF57B01": {
202
+ "Type": "AWS::S3::BucketPolicy",
203
+ "Properties": {
204
+ "Bucket": {
205
+ "Ref": "testcloudfronts3cmkencryptionkeyS3Bucket0E74E5D2"
206
+ },
207
+ "PolicyDocument": {
208
+ "Statement": [
209
+ {
210
+ "Action": "s3:*",
211
+ "Condition": {
212
+ "Bool": {
213
+ "aws:SecureTransport": "false"
214
+ }
215
+ },
216
+ "Effect": "Deny",
217
+ "Principal": {
218
+ "AWS": "*"
219
+ },
220
+ "Resource": [
221
+ {
222
+ "Fn::GetAtt": [
223
+ "testcloudfronts3cmkencryptionkeyS3Bucket0E74E5D2",
224
+ "Arn"
225
+ ]
226
+ },
227
+ {
228
+ "Fn::Join": [
229
+ "",
230
+ [
231
+ {
232
+ "Fn::GetAtt": [
233
+ "testcloudfronts3cmkencryptionkeyS3Bucket0E74E5D2",
234
+ "Arn"
235
+ ]
236
+ },
237
+ "/*"
238
+ ]
239
+ ]
240
+ }
241
+ ]
242
+ },
243
+ {
244
+ "Action": "s3:GetObject",
245
+ "Effect": "Allow",
246
+ "Principal": {
247
+ "CanonicalUser": {
248
+ "Fn::GetAtt": [
249
+ "testcloudfronts3cmkencryptionkeyCloudFrontDistributionOrigin1S3OriginA6F11959",
250
+ "S3CanonicalUserId"
251
+ ]
252
+ }
253
+ },
254
+ "Resource": {
255
+ "Fn::Join": [
256
+ "",
257
+ [
258
+ {
259
+ "Fn::GetAtt": [
260
+ "testcloudfronts3cmkencryptionkeyS3Bucket0E74E5D2",
261
+ "Arn"
262
+ ]
263
+ },
264
+ "/*"
265
+ ]
266
+ ]
267
+ }
268
+ },
269
+ {
270
+ "Action": "s3:GetObject",
271
+ "Condition": {
272
+ "StringEquals": {
273
+ "AWS:SourceArn": {
274
+ "Fn::Join": [
275
+ "",
276
+ [
277
+ "arn:",
278
+ {
279
+ "Ref": "AWS::Partition"
280
+ },
281
+ ":cloudfront::",
282
+ {
283
+ "Ref": "AWS::AccountId"
284
+ },
285
+ ":distribution/",
286
+ {
287
+ "Ref": "testcloudfronts3cmkencryptionkeyCloudFrontDistribution57C8A907"
288
+ }
289
+ ]
290
+ ]
291
+ }
292
+ }
293
+ },
294
+ "Effect": "Allow",
295
+ "Principal": {
296
+ "Service": "cloudfront.amazonaws.com"
297
+ },
298
+ "Resource": {
299
+ "Fn::Join": [
300
+ "",
301
+ [
302
+ {
303
+ "Fn::GetAtt": [
304
+ "testcloudfronts3cmkencryptionkeyS3Bucket0E74E5D2",
305
+ "Arn"
306
+ ]
307
+ },
308
+ "/*"
309
+ ]
310
+ ]
311
+ }
312
+ }
313
+ ],
314
+ "Version": "2012-10-17"
315
+ }
316
+ },
317
+ "Metadata": {
318
+ "cfn_nag": {
319
+ "rules_to_suppress": [
320
+ {
321
+ "id": "F16",
322
+ "reason": "Public website bucket policy requires a wildcard principal"
323
+ }
324
+ ]
325
+ }
326
+ }
327
+ },
328
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD": {
329
+ "Type": "AWS::S3::Bucket",
330
+ "Properties": {
331
+ "AccessControl": "LogDeliveryWrite",
332
+ "BucketEncryption": {
333
+ "ServerSideEncryptionConfiguration": [
334
+ {
335
+ "ServerSideEncryptionByDefault": {
336
+ "SSEAlgorithm": "AES256"
337
+ }
338
+ }
339
+ ]
340
+ },
341
+ "OwnershipControls": {
342
+ "Rules": [
343
+ {
344
+ "ObjectOwnership": "ObjectWriter"
345
+ }
346
+ ]
347
+ },
348
+ "PublicAccessBlockConfiguration": {
349
+ "BlockPublicAcls": true,
350
+ "BlockPublicPolicy": true,
351
+ "IgnorePublicAcls": true,
352
+ "RestrictPublicBuckets": true
353
+ },
354
+ "VersioningConfiguration": {
355
+ "Status": "Enabled"
356
+ }
357
+ },
358
+ "UpdateReplacePolicy": "Retain",
359
+ "DeletionPolicy": "Retain",
360
+ "Metadata": {
361
+ "cfn_nag": {
362
+ "rules_to_suppress": [
363
+ {
364
+ "id": "W35",
365
+ "reason": "This S3 bucket is used as the access logging bucket for CloudFront Distribution"
366
+ }
367
+ ]
368
+ }
369
+ }
370
+ },
371
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucketPolicy5E737735": {
372
+ "Type": "AWS::S3::BucketPolicy",
373
+ "Properties": {
374
+ "Bucket": {
375
+ "Ref": "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD"
376
+ },
377
+ "PolicyDocument": {
378
+ "Statement": [
379
+ {
380
+ "Action": "s3:*",
381
+ "Condition": {
382
+ "Bool": {
383
+ "aws:SecureTransport": "false"
384
+ }
385
+ },
386
+ "Effect": "Deny",
387
+ "Principal": {
388
+ "AWS": "*"
389
+ },
390
+ "Resource": [
391
+ {
392
+ "Fn::GetAtt": [
393
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD",
394
+ "Arn"
395
+ ]
396
+ },
397
+ {
398
+ "Fn::Join": [
399
+ "",
400
+ [
401
+ {
402
+ "Fn::GetAtt": [
403
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD",
404
+ "Arn"
405
+ ]
406
+ },
407
+ "/*"
408
+ ]
409
+ ]
410
+ }
411
+ ]
412
+ }
413
+ ],
414
+ "Version": "2012-10-17"
415
+ }
416
+ }
417
+ },
418
+ "testcloudfronts3cmkencryptionkeyCloudFrontDistributionOrigin1S3OriginA6F11959": {
419
+ "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
420
+ "Properties": {
421
+ "CloudFrontOriginAccessIdentityConfig": {
422
+ "Comment": "Identity for cfts3cmkencryptiontestcloudfronts3cmkencryptionkeyCloudFrontDistributionOrigin10F84B155"
423
+ }
424
+ }
425
+ },
426
+ "testcloudfronts3cmkencryptionkeyCloudFrontDistribution57C8A907": {
427
+ "Type": "AWS::CloudFront::Distribution",
428
+ "Properties": {
429
+ "DistributionConfig": {
430
+ "DefaultCacheBehavior": {
431
+ "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
432
+ "Compress": true,
433
+ "TargetOriginId": "cfts3cmkencryptiontestcloudfronts3cmkencryptionkeyCloudFrontDistributionOrigin10F84B155",
434
+ "ViewerProtocolPolicy": "redirect-to-https"
435
+ },
436
+ "DefaultRootObject": "index.html",
437
+ "Enabled": true,
438
+ "HttpVersion": "http2",
439
+ "IPV6Enabled": true,
440
+ "Logging": {
441
+ "Bucket": {
442
+ "Fn::GetAtt": [
443
+ "testcloudfronts3cmkencryptionkeyCloudfrontLoggingBucket7C1787CD",
444
+ "RegionalDomainName"
445
+ ]
446
+ }
447
+ },
448
+ "Origins": [
449
+ {
450
+ "DomainName": {
451
+ "Fn::GetAtt": [
452
+ "testcloudfronts3cmkencryptionkeyS3Bucket0E74E5D2",
453
+ "RegionalDomainName"
454
+ ]
455
+ },
456
+ "Id": "cfts3cmkencryptiontestcloudfronts3cmkencryptionkeyCloudFrontDistributionOrigin10F84B155",
457
+ "OriginAccessControlId": {
458
+ "Fn::GetAtt": [
459
+ "testcloudfronts3cmkencryptionkeyCloudFrontOac4EFECBD9",
460
+ "Id"
461
+ ]
462
+ },
463
+ "S3OriginConfig": {
464
+ "OriginAccessIdentity": ""
465
+ }
466
+ }
467
+ ]
468
+ }
469
+ },
470
+ "Metadata": {
471
+ "cfn_nag": {
472
+ "rules_to_suppress": [
473
+ {
474
+ "id": "W70",
475
+ "reason": "Since the distribution uses the CloudFront domain name, CloudFront automatically sets the security policy to TLSv1 regardless of the value of MinimumProtocolVersion"
476
+ }
477
+ ]
478
+ }
479
+ }
480
+ },
481
+ "testcloudfronts3cmkencryptionkeyCloudFrontOac4EFECBD9": {
482
+ "Type": "AWS::CloudFront::OriginAccessControl",
483
+ "Properties": {
484
+ "OriginAccessControlConfig": {
485
+ "Name": "cloudfront-default-oac-18c3b751f02",
486
+ "OriginAccessControlOriginType": "s3",
487
+ "SigningBehavior": "always",
488
+ "SigningProtocol": "sigv4"
489
+ }
490
+ }
491
+ }
492
+ },
493
+ "Parameters": {
494
+ "BootstrapVersion": {
495
+ "Type": "AWS::SSM::Parameter::Value<String>",
496
+ "Default": "/cdk-bootstrap/hnb659fds/version",
497
+ "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
498
+ }
499
+ },
500
+ "Rules": {
501
+ "CheckBootstrapVersion": {
502
+ "Assertions": [
503
+ {
504
+ "Assert": {
505
+ "Fn::Not": [
506
+ {
507
+ "Fn::Contains": [
508
+ [
509
+ "1",
510
+ "2",
511
+ "3",
512
+ "4",
513
+ "5"
514
+ ],
515
+ {
516
+ "Ref": "BootstrapVersion"
517
+ }
518
+ ]
519
+ }
520
+ ]
521
+ },
522
+ "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
523
+ }
524
+ ]
525
+ }
526
+ }
527
+ }
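Review bot: The customer-managed key `cmkKey598B20B2` (new-file lines 4–39) is never referenced by any other resource in this template, and the content bucket `testcloudfronts3cmkencryptionkeyS3Bucket0E74E5D2` still declares `"SSEAlgorithm": "AES256"` at line 165, so this snapshot does not pin CMK encryption behind the distribution at all. For the test to cover what its name says, the bucket's `ServerSideEncryptionByDefault` should read `"SSEAlgorithm": "aws:kms"` with `"KMSMasterKeyID": { "Fn::GetAtt": ["cmkKey598B20B2", "Arn"] }`, and the key policy would then need a statement letting `cloudfront.amazonaws.com` decrypt, scoped by `AWS:SourceArn` to this distribution, because the only statement present grants `kms:*` to the account root. Separately, the bucket policy at lines 243–268 keeps an `s3:GetObject` grant for the origin access identity even though the origin sets `"OriginAccessIdentity": ""` and uses `OriginAccessControlId`; that leftover principal looks removable. This file is generated output, so the change presumably belongs in the integration-test stack that produces it, which is not shown here.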
@@ -0,0 +1,13 @@
1
+ /**
2
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3
+ *
4
+ * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
5
+ * with the License. A copy of the License is located at
6
+ *
7
+ * http://www.apache.org/licenses/LICENSE-2.0
8
+ *
9
+ * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
10
+ * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
11
+ * and limitations under the License.
12
+ */
13
+ export {};