@infoxchange/make-it-so 2.11.0-internal-testing-vdt-199-add-auth-token-verify-function.4 → 2.11.0-internal-testing-vdt-199-add-auth-token-verify-function-2.2

package/src/lib/site/support.ts

@@ -15,6 +15,21 @@ import { CloudFrontTarget } from "aws-cdk-lib/aws-route53-targets";
 import { convertToBase62Hash } from "../utils/hash.js";
 import { type DistributionDomainProps } from "sst/constructs/Distribution.js";
 import type { Plan as SSTPlan } from "sst/constructs/SsrSite.js";
+import {
+  SiteOidcAuth,
+  type AddToSiteProps as SiteOidcAuthAddToSiteProps,
+} from "../../cdk-constructs/SiteOidcAuth/index.js";
+
+type SharedExtendedSiteProps = {
+  customDomain?: string | ExtendedCustomDomains;
+  auth?: {
+    oidc: {
+      issuerUrl: string;
+      clientId: string;
+      scope: string;
+    };
+  } & SiteOidcAuthAddToSiteProps;
+};
 
 export type ExtendedCustomDomains = DistributionDomainProps & {
   isIxManagedDomain?: boolean;
@@ -23,36 +38,35 @@ export type ExtendedCustomDomains = DistributionDomainProps & {
 export type ExtendedNextjsSiteProps = Omit<
   NextjsSiteProps,
   "customDomain" | "environment"
-> & {
-  customDomain?: string | ExtendedCustomDomains;
-  /**
-   * An object with the key being the environment variable name. The value can either be the environment variable value
-   * as a string or as an object with `buildtime` and/or `runtime` properties where the values of `buildtime` and
-   * `runtime` is the environment variable value that will be used during that step.
-   *
-   * @example
-   * ```js
-   * environment: {
-   *   USER_POOL_CLIENT: auth.cognitoUserPoolClient.userPoolClientId,
-   *   NODE_OPTIONS: {
-   *     buildtime: "--max-old-space-size=4096",
-   *   },
-   *   API_URL: {
-   *     buildtime: "https://external.domain",
-   *     runtime: "https://internal.domain",
-   *   },
-   * },
-   * ```
-   */
-  environment?: Record<
-    string,
-    string | { buildtime?: string; runtime?: string }
-  >;
-};
+> &
+  SharedExtendedSiteProps & {
+    /**
+     * An object with the key being the environment variable name. The value can either be the environment variable value
+     * as a string or as an object with `buildtime` and/or `runtime` properties where the values of `buildtime` and
+     * `runtime` is the environment variable value that will be used during that step.
+     *
+     * @example
+     * ```js
+     * environment: {
+     *   USER_POOL_CLIENT: auth.cognitoUserPoolClient.userPoolClientId,
+     *   NODE_OPTIONS: {
+     *     buildtime: "--max-old-space-size=4096",
+     *   },
+     *   API_URL: {
+     *     buildtime: "https://external.domain",
+     *     runtime: "https://internal.domain",
+     *   },
+     * },
+     * ```
+     */
+    environment?: Record<
+      string,
+      string | { buildtime?: string; runtime?: string }
+    >;
+  };
 
-export type ExtendedStaticSiteProps = Omit<StaticSiteProps, "customDomain"> & {
-  customDomain?: string | ExtendedCustomDomains;
-};
+export type ExtendedStaticSiteProps = Omit<StaticSiteProps, "customDomain"> &
+  SharedExtendedSiteProps;
 
 export function setupCustomDomain<
   Props extends ExtendedStaticSiteProps | ExtendedNextjsSiteProps,
@@ -386,3 +400,40 @@ export function getAlternativeDomains<
   }
   return [];
 }
+
+export function processAuthProps<
+  SiteType extends "StaticSite" | "SsrSite",
+  Props extends SiteType extends "StaticSite"
+    ? ExtendedStaticSiteProps
+    : ExtendedNextjsSiteProps,
+>(
+  scope: Construct,
+  id: string,
+  siteType: SiteType,
+  props: Readonly<Props>,
+): Props {
+  if (!props.auth) return props;
+  const { oidc, ...otherAuthProps } = props.auth;
+  const auth = new SiteOidcAuth(scope, `${id}-SiteOidcAuth`, {
+    oidcIssuerUrl: oidc.issuerUrl,
+    oidcClientId: oidc.clientId,
+    oidcScope: oidc.scope,
+  });
+  if (siteType === "StaticSite") {
+    return auth.addToStaticSiteProps(
+      scope,
+      props as ExtendedStaticSiteProps,
+      otherAuthProps,
+    ) as Props;
+  } else if (siteType === "SsrSite") {
+    return auth.addToSsrSiteProps(
+      scope,
+      props as ExtendedNextjsSiteProps,
+      otherAuthProps,
+    ) as Props;
+  }
+  siteType satisfies never;
+  throw new Error(
+    `Unsupported site type ${siteType} when processing auth prop.`,
+  );
+}

package/dist/cdk-constructs/CloudFrontOidcAuth/auth-check.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=auth-check.d.ts.map

package/dist/cdk-constructs/CloudFrontOidcAuth/auth-check.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-check.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudFrontOidcAuth/auth-check.ts"],"names":[],"mappings":""}

package/dist/cdk-constructs/CloudFrontOidcAuth/auth-route.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-route.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudFrontOidcAuth/auth-route.ts"],"names":[],"mappings":"AAyBA,eAAO,MAAM,OAAO,4CAiCnB,CAAC"}

package/dist/cdk-constructs/CloudFrontOidcAuth/index.d.ts

@@ -1,27 +0,0 @@
-import { Construct } from "constructs";
-import { BaseSiteCdkDistributionProps } from "sst/constructs/BaseSite.js";
-type ConstructScope = ConstructorParameters<typeof Construct>[0];
-type ConstructId = ConstructorParameters<typeof Construct>[1];
-type Mutable<T> = {
-    -readonly [P in keyof T]: T[P];
-};
-type Props = {
-    oidcIssuerUrl: string;
-    oidcClientId: string;
-    oidcScope: string;
-};
-export declare class CloudFrontOidcAuth extends Construct {
-    readonly oidcIssuerUrl: string;
-    readonly oidcClientId: string;
-    readonly oidcScope: string;
-    readonly id: string;
-    constructor(scope: ConstructScope, id: ConstructId, props: Props);
-    addToDistributionDefinition<DistributionProps extends BaseSiteCdkDistributionProps>(scope: ConstructScope, { distributionDefinition, prefix, }: {
-        distributionDefinition: Mutable<DistributionProps>;
-        prefix?: string;
-    }): Mutable<DistributionProps>;
-    private getFunctionAssociation;
-    private getAuthBehaviorOptions;
-}
-export {};
-//# sourceMappingURL=index.d.ts.map

package/dist/cdk-constructs/CloudFrontOidcAuth/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cdk-constructs/CloudFrontOidcAuth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AASvC,OAAO,EAAE,4BAA4B,EAAE,MAAM,4BAA4B,CAAC;AAI1E,KAAK,cAAc,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACjE,KAAK,WAAW,GAAG,qBAAqB,CAAC,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9D,KAAK,OAAO,CAAC,CAAC,IAAI;IAChB,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAC/B,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,qBAAa,kBAAmB,SAAQ,SAAS;IAC/C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAER,KAAK,EAAE,cAAc,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK;IAQhE,2BAA2B,CACzB,iBAAiB,SAAS,4BAA4B,EAEtD,KAAK,EAAE,cAAc,EACrB,EACE,sBAAsB,EACtB,MAAgB,GACjB,EAAE;QAAE,sBAAsB,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAwC5E,OAAO,CAAC,sBAAsB;IAgI9B,OAAO,CAAC,sBAAsB;CA8E/B"}

package/dist/cdk-constructs/CloudFrontOidcAuth/index.js

@@ -1,198 +0,0 @@
-import { Construct } from "constructs";
-import SecretsManager from "aws-cdk-lib/aws-secretsmanager";
-import CloudFront from "aws-cdk-lib/aws-cloudfront";
-import CDK from "aws-cdk-lib";
-import CdkCustomResources from "aws-cdk-lib/custom-resources";
-import Lambda from "aws-cdk-lib/aws-lambda";
-import * as SST from "sst/constructs";
-import { Config as SSTInternalConfig } from "sst/config.js";
-import CloudFrontOrigins from "aws-cdk-lib/aws-cloudfront-origins";
-import path from "node:path";
-import fs from "node:fs";
-export class CloudFrontOidcAuth extends Construct {
-    oidcIssuerUrl;
-    oidcClientId;
-    oidcScope;
-    id;
-    constructor(scope, id, props) {
-        super(scope, id);
-        this.oidcIssuerUrl = props.oidcIssuerUrl;
-        this.oidcClientId = props.oidcClientId;
-        this.oidcScope = props.oidcScope;
-        this.id = id;
-    }
-    addToDistributionDefinition(scope, { distributionDefinition, prefix = "/auth", }) {
-        prefix = prefix.replace(/\/$/, ""); // Remove trailing slash from prefix if it has one
-        const updatedDistributionDefinition = { ...distributionDefinition };
-        const behaviourName = `${prefix.replace(/^\//g, "")}/*`;
-        updatedDistributionDefinition.additionalBehaviors =
-            updatedDistributionDefinition.additionalBehaviors
-                ? { ...updatedDistributionDefinition.additionalBehaviors }
-                : {};
-        if (updatedDistributionDefinition.additionalBehaviors[behaviourName]) {
-            throw new Error(`Behavior for prefix ${prefix} already exists in distribution definition`);
-        }
-        const jwtSecret = new SecretsManager.Secret(this, `${this.id}JwtSecret`, {
-            description: "JWT Signing Secret",
-            generateSecretString: {
-                passwordLength: 32,
-                excludePunctuation: true,
-                includeSpace: false,
-                requireEachIncludedType: true,
-            },
-            // Secret is only used for sessions so it's safe to delete on stack removal
-            removalPolicy: CDK.RemovalPolicy.DESTROY,
-        });
-        updatedDistributionDefinition.defaultBehavior = {
-            ...updatedDistributionDefinition.defaultBehavior,
-            functionAssociations: [
-                ...(updatedDistributionDefinition.defaultBehavior
-                    ?.functionAssociations || []),
-                this.getFunctionAssociation(scope, jwtSecret, prefix),
-            ],
-        };
-        updatedDistributionDefinition.additionalBehaviors[behaviourName] =
-            this.getAuthBehaviorOptions(scope, jwtSecret, prefix);
-        return updatedDistributionDefinition;
-    }
-    getFunctionAssociation(scope, jwtSecret, authRoutePrefix) {
-        const cfKeyValueStore = new CloudFront.KeyValueStore(scope, `${this.id}CFKeyValueStore`);
-        const kvStoreId = cfKeyValueStore.keyValueStoreId; // Your KV store ID
-        const key = "jwt-secret";
-        const kvsArn = `arn:aws:cloudfront::${CDK.Stack.of(this).account}:key-value-store/${kvStoreId}`;
-        // Updating the KVM requires a valid ETag to be provided in the IfMatch parameter so we first must fetch the ETag
-        const getEtag = new CdkCustomResources.AwsCustomResource(this, `${this.id}GetKVStoreEtag`, {
-            installLatestAwsSdk: false, // No real benefit in our case for the cost of a longer execution time
-            onUpdate: {
-                // Since there's no onCreate, onUpdate will be called for CREATE events
-                service: "@aws-sdk/client-cloudfront-keyvaluestore",
-                action: "describeKeyValueStore",
-                parameters: { KvsARN: kvsArn },
-                // We include a timestamp in the physicalResourceId to ensure we fetch the latest etag on every update
-                physicalResourceId: CdkCustomResources.PhysicalResourceId.of(`${kvStoreId}-etag-${Date.now()}`),
-            },
-            policy: CdkCustomResources.AwsCustomResourcePolicy.fromSdkCalls({
-                resources: [kvsArn],
-            }),
-        });
-        const etag = getEtag.getResponseField("ETag");
-        // An annoying limitation of CloudFormation is that it won't resolve dynamic references for secrets when
-        // used as a parameter to a custom resource. To get around this we manually resolve it with another custom
-        // resource. Note this won't result in the secret being exposed in CloudFormation templates but it will
-        // be visible in the CloudWatch logs of the custom resource lambda. In our case that is acceptable.
-        // https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/341
-        const secretValue = new CdkCustomResources.AwsCustomResource(this, `${this.id}GetSecret`, {
-            // There's no real benefit of fetching the latest sdk our case for the cost of a longer execution time
-            installLatestAwsSdk: false,
-            // Since there's no onCreate, onUpdate will be called for CREATE events
-            onUpdate: {
-                service: "@aws-sdk/client-secrets-manager",
-                action: "getSecretValue",
-                parameters: {
-                    SecretId: jwtSecret.secretArn,
-                },
-                // We include a timestamp in the physicalResourceId to ensure we fetch the latest secret value on every update
-                physicalResourceId: CdkCustomResources.PhysicalResourceId.of(`${this.id}GetSecret-${Date.now()}`),
-            },
-            policy: CdkCustomResources.AwsCustomResourcePolicy.fromSdkCalls({
-                resources: [jwtSecret.secretArn],
-            }),
-        });
-        // Now we can actually update the KVS with the secret value
-        const putKeyValue = new CdkCustomResources.AwsCustomResource(this, `${this.id}PutKeyValue`, {
-            installLatestAwsSdk: false, // No real benefit in our case for the cost of a longer execution time
-            onUpdate: {
-                // Since there's no onCreate, onUpdate will be called for CREATE events
-                service: "@aws-sdk/client-cloudfront-keyvaluestore",
-                action: "putKey",
-                parameters: {
-                    KvsARN: kvsArn,
-                    Key: key,
-                    Value: secretValue.getResponseField("SecretString"),
-                    IfMatch: etag,
-                },
-                physicalResourceId: CdkCustomResources.PhysicalResourceId.of(`${kvStoreId}-${key}`),
-            },
-            policy: CdkCustomResources.AwsCustomResourcePolicy.fromSdkCalls({
-                resources: [kvsArn],
-            }),
-        });
-        // putKey in the @aws-sdk/client-cloudfront-keyvaluestore package requires @aws-sdk/signature-v4-crt to be imported
-        // as well. But AwsCustomResource doesn't give us direct access to the underlying Lambda function so we inject a
-        // NODE_OPTIONS env var to import on start. At some point AwsCustomResource will presumably switch to a later node
-        // version and we might need to update this to '--import=' instead of '--require='.
-        const fn = putKeyValue.node.findChild("Provider");
-        if (!(fn instanceof Lambda.SingletonFunction)) {
-            throw new Error("Could not find the underlying Lambda function of the AwsCustomResource");
-        }
-        fn.addEnvironment("NODE_OPTIONS", "--require=@aws-sdk/signature-v4-crt");
-        const authCheckFunction = new CloudFront.Function(scope, `${this.id}AuthCheckFunction`, {
-            code: CloudFront.FunctionCode.fromInline(fs
-                .readFileSync(path.join(import.meta.dirname, "auth-check.js"), "utf8")
-                .replace("__placeholder-for-jwt-secret-key__", key)
-                .replace("__placeholder-for-auth-route-prefix__", authRoutePrefix)),
-            runtime: CloudFront.FunctionRuntime.JS_2_0,
-            keyValueStore: cfKeyValueStore,
-        });
-        return {
-            function: authCheckFunction,
-            eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
-        };
-    }
-    getAuthBehaviorOptions(scope, jwtSecret, prefix) {
-        const authRouteFunction = new SST.Function(scope, `${this.id}AuthRouteFunction`, {
-            runtime: "nodejs20.x",
-            handler: path.join(import.meta.dirname, "auth-route.handler"),
-            environment: {
-                OIDC_ISSUER_URL: this.oidcIssuerUrl,
-                OIDC_CLIENT_ID: this.oidcClientId,
-                OIDC_SCOPE: this.oidcScope,
-                JWT_SECRET: jwtSecret.secretValue.toString(),
-            },
-        });
-        // authRouteFunction uses SST's AuthHandler construct which is normally run inside a lambda that's
-        // created by SST's Auth construct. AuthHandler expects certain environment variables to be set
-        // by the Auth construct so we have to set them ourselves here to keep it happy.
-        const envVarName = SSTInternalConfig.envFor({
-            type: "Auth",
-            id: "id", // It seems like the env var will still be found no matter what this value is
-            prop: "prefix",
-        });
-        authRouteFunction.addEnvironment(envVarName, prefix);
-        const authRouteFunctionUrl = authRouteFunction.addFunctionUrl({
-            authType: Lambda.FunctionUrlAuthType.NONE,
-        });
-        const forwardHostHeaderCfFunction = new CloudFront.Function(scope, `${this.id}ForwardHostHeaderFunction`, {
-            code: CloudFront.FunctionCode.fromInline(`
-        function handler(event) {
-          const request = event.request;
-          request.headers["x-forwarded-host"] = { value: request.headers.host.value };
-          return request;
-        }
-      `),
-            runtime: CloudFront.FunctionRuntime.JS_2_0,
-        });
-        return {
-            origin: new CloudFrontOrigins.HttpOrigin(CDK.Fn.parseDomainName(authRouteFunctionUrl.url)),
-            allowedMethods: CloudFront.AllowedMethods.ALLOW_ALL,
-            cachePolicy: new CloudFront.CachePolicy(scope, `${this.id}AllowAllCookiesPolicy`, {
-                cachePolicyName: `${this.id}-AllowAllCookiesPolicy`,
-                comment: "Cache policy that forwards all cookies",
-                defaultTtl: CDK.Duration.seconds(1),
-                minTtl: CDK.Duration.seconds(1),
-                maxTtl: CDK.Duration.seconds(1),
-                cookieBehavior: CloudFront.CacheCookieBehavior.all(),
-                headerBehavior: CloudFront.CacheHeaderBehavior.allowList("X-Forwarded-Host"),
-                queryStringBehavior: CloudFront.CacheQueryStringBehavior.all(),
-                enableAcceptEncodingGzip: true,
-                enableAcceptEncodingBrotli: true,
-            }),
-            functionAssociations: [
-                {
-                    function: forwardHostHeaderCfFunction,
-                    eventType: CloudFront.FunctionEventType.VIEWER_REQUEST,
-                },
-            ],
-        };
-    }
-}

package/src/cdk-constructs/CloudFrontOidcAuth/cloudfront.d.ts

@@ -1,245 +0,0 @@
-// NOTE: once this is no longer needed we can remove typeRoots from tsconfig.json as well
-
-// This is a copy of @types/aws-cloudfront-function but with optional kvsId in kvs() function. We can't just modify the
-// kvs type since we can't modify the default export without messing up the rest of the types. Which is why we
-// unfortunately have to duplicate the whole file here.
-// But once https://github.com/DefinitelyTyped/DefinitelyTyped/issues/73959 is sorted we can get rid of this.
-
-declare namespace AWSCloudFrontFunction {
-  interface Event {
-    version: "1.0";
-    context: Context;
-    viewer: Viewer;
-    request: Request;
-    response: Response;
-  }
-
-  interface Context {
-    distributionDomainName: string;
-    distributionId: string;
-    eventType: "viewer-request" | "viewer-response";
-    requestId: string;
-  }
-
-  interface Viewer {
-    ip: string;
-  }
-
-  interface Request {
-    method: string;
-    uri: string;
-    querystring: ValueObject;
-    headers: ValueObject;
-    cookies: ValueObject;
-  }
-
-  interface Response {
-    statusCode: number;
-    statusDescription?: string;
-    headers?: ValueObject;
-    cookies?: ResponseCookie;
-    body?: string | ResponseBody;
-  }
-
-  interface ResponseBody {
-    data: string;
-    encoding: "text" | "base64";
-  }
-
-  interface ValueObject {
-    [name: string]: {
-      value: string;
-      multiValue?: Array<{
-        value: string;
-      }>;
-    };
-  }
-
-  interface ResponseCookie {
-    [name: string]: {
-      value: string;
-      attributes: string;
-      multiValue?: Array<{
-        value: string;
-        attributes: string;
-      }>;
-    };
-  }
-}
-
-declare module "cloudfront" {
-  /**
-   * Retrieves a reference to a CloudFront Key-Value Store (KVS) by its ID.
-   * @param kvsId The identifier of the KVS to use.
-   * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/functions-custom-methods.html
-   */
-  function kvs(kvsId?: string): KVStore;
-
-  interface KVStore {
-    /**
-     * Retrieve a value from the store.
-     * @param key Key to retrieve.
-     * @throws If key does not exist.
-     */
-    get(key: string): Promise<string>;
-    get(key: string, options: { format: "string" }): Promise<string>;
-    get(key: string, options: { format: "bytes" }): Promise<Uint8Array>;
-    get(key: string, options: { format: "json" }): Promise<unknown>;
-
-    /**
-     * Check if the key exists in the store.
-     * @param key Key to check.
-     */
-    exists(key: string): Promise<boolean>;
-
-    /**
-     * Retrieve metadata about the key-value store.
-     */
-    meta(): Promise<{
-      creationDateTime: string;
-      lastUpdatedDateTime: string;
-      keyCount: number;
-    }>;
-  }
-
-  interface OriginAccessControlConfig {
-    enabled: boolean;
-    signingBehavior: "always" | "never" | "no-override";
-    signingProtocol: "sigv4";
-    originType: "s3" | "mediapackagev2" | "mediastore" | "lambda";
-  }
-
-  interface OriginShield {
-    enabled: boolean;
-    region: string;
-  }
-
-  interface Timeouts {
-    /**
-     * Max time (seconds) to wait for a response or next packet. (1–60)
-     */
-    readTimeout?: number;
-
-    /**
-     * Max time (seconds) to keep the connection alive after response. (1–60)
-     */
-    keepAliveTimeout?: number;
-
-    /**
-     * Max time (seconds) to wait for connection establishment. (1–10)
-     */
-    connectionTimeout?: number;
-  }
-
-  interface CustomOriginConfig {
-    /**
-     * Port number of the origin. e.g., 80 or 443
-     */
-    port: number;
-
-    /**
-     * Protocol used to connect. Must be "http" or "https"
-     */
-    protocol: "http" | "https";
-
-    /**
-     * Minimum TLS/SSL version to use for HTTPS connections.
-     */
-    sslProtocols: Array<"SSLv3" | "TLSv1" | "TLSv1.1" | "TLSv1.2">;
-  }
-
-  interface UpdateRequestOriginParams {
-    /**
-     * New origin's domain name. Optional if reusing existing origin's domain.
-     */
-    domainName?: string;
-
-    /**
-     * Path prefix to append when forwarding request to origin.
-     */
-    originPath?: string;
-
-    /**
-     * Override or clear custom headers for the origin request.
-     */
-    customHeaders?: Record<string, string>;
-
-    /**
-     * Number of connection attempts (1–3).
-     */
-    connectionAttempts?: number;
-
-    /**
-     * Origin Shield configuration. Enables shield layer if specified.
-     */
-    originShield?: OriginShield;
-
-    /**
-     * Origin Access Control (OAC) configuration.
-     */
-    originAccessControlConfig?: OriginAccessControlConfig;
-
-    /**
-     * Response and connection timeout configurations.
-     */
-    timeouts?: Timeouts;
-
-    /**
-     * Settings for non-S3 origins or S3 with static website hosting.
-     */
-    customOriginConfig?: CustomOriginConfig;
-  }
-
-  /**
-   * Mutates the current request’s origin.
-   * You can specify a new origin (e.g., S3 or ALB), change custom headers, enable OAC, or enable Origin Shield.
-   * Missing fields will inherit values from the assigned origin.
-   * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.html#update-request-origin-helper-function
-   */
-  function updateRequestOrigin(params: UpdateRequestOriginParams): void;
-
-  /**
-   * Switches to another origin already defined in the distribution by origin ID.
-   * This is more efficient than defining a new one via `updateRequestOrigin()`.
-   * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.html#select-request-origin-id-helper-function
-   */
-  function selectRequestOriginById(originId: string): void;
-
-  interface CreateRequestOriginGroupParams {
-    /**
-     * Two origin IDs to form an origin group.
-     * The first is primary; the second is used for failover.
-     */
-    originIds: [string, string];
-
-    /**
-     * Failover selection strategy: default or media-quality-score.
-     */
-    selectionCriteria?: "default" | "media-quality-score";
-
-    /**
-     * List of status codes that trigger failover to the secondary origin.
-     */
-    failoverCriteria: {
-      statusCodes: number[];
-    };
-  }
-
-  /**
-   * Creates a new origin group for failover logic.
-   * The origin group can be referenced later via origin ID.
-   * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/helper-functions-origin-modification.html#create-request-origin-group-helper-function
-   */
-  function createRequestOriginGroup(
-    params: CreateRequestOriginGroupParams,
-  ): void;
-
-  const cf: {
-    kvs: typeof kvs;
-    updateRequestOrigin: typeof updateRequestOrigin;
-    selectRequestOriginById: typeof selectRequestOriginById;
-    createRequestOriginGroup: typeof createRequestOriginGroup;
-  };
-
-  export default cf;
-}