@inizioevoke/evosynth 1.6.0

package/src/constructs/s3.ts

@@ -0,0 +1,25 @@
+import { RemovalPolicy } from "aws-cdk-lib";
+import { Construct } from 'constructs';
+import { Bucket } from 'aws-cdk-lib/aws-s3';
+import { tagResource } from '../lib/tags.js';
+import { ResourceProps } from "../lib/types.js";
+
+export interface S3BucketProps extends ResourceProps {
+  /** The name of the S3 bucket */
+  bucketName?: string;
+}
+
+export class S3Bucket extends Construct {
+  public readonly bucket: Bucket;
+
+  constructor(scope: Construct, id: string, props: S3BucketProps) {
+    super(scope, id);
+
+    this.bucket = new Bucket(this, 'S3Bucket', {
+      bucketName: props.bucketName,
+      removalPolicy: props.destroy !== undefined ? props.destroy ? RemovalPolicy.DESTROY : RemovalPolicy.RETAIN : undefined,
+      autoDeleteObjects: props.destroy === true ? true : undefined
+    });
+    tagResource(this.bucket, props.tags);
+  }
+}

package/src/constructs/ssm.ts

@@ -0,0 +1,24 @@
+
+import { Construct } from 'constructs';
+import { StringParameter } from 'aws-cdk-lib/aws-ssm';
+
+interface CreateStringParameterProps {
+  parameterName: string;
+  stringValue: string;
+  overwrite?: boolean;
+}
+export function createStringParameter(scope: Construct, id: string, { parameterName, stringValue, overwrite = false }: CreateStringParameterProps): StringParameter | undefined {
+  let param: StringParameter | undefined = undefined;
+  let flag = overwrite;
+  if (!flag) {
+    const existingValue = StringParameter.valueFromLookup(scope, parameterName, 'a8a79532-4163-46b9-a907-429dad04e93b');
+    flag = existingValue === 'a8a79532-4163-46b9-a907-429dad04e93b';
+  }
+  if (flag) {
+    param = new StringParameter(scope, id, {
+      parameterName,
+      stringValue
+    });
+  }
+  return param;
+}

package/src/constructs/waf.ts

@@ -0,0 +1,118 @@
+import { RemovalPolicy } from "aws-cdk-lib";
+import { Construct } from 'constructs';
+import { CfnWebACL } from 'aws-cdk-lib/aws-wafv2';
+import { tagResource } from '../lib/tags.js';
+import { cleanResourceName } from '../lib/utils.js';
+import type { ResourceProps } from '../lib/types.js';
+
+export type WebAclManagedRule = 
+  'AWSManagedRulesAmazonIpReputationList' |
+  'AWSManagedRulesAnonymousIpList' | 
+  'AWSManagedRulesAntiDDoSRuleSet' | 
+  'AWSManagedRulesBotControlRuleSet' |
+  'AWSManagedRulesCommonRuleSet' |
+  'AWSManagedRulesKnownBadInputsRuleSet' |
+  'AWSManagedRulesSQLiRuleSet';
+
+export interface CloudFrontWebAclProps extends ResourceProps {
+  name: string;
+  managedRules?: (WebAclManagedRule & string)[];
+}
+export class CloudFrontWebAcl extends Construct {
+  public readonly acl: CfnWebACL;
+
+  constructor(scope: Construct, id: string, props: CloudFrontWebAclProps) {
+    super(scope, id);
+
+    props.name = cleanResourceName(props.name);
+
+    if (!props.managedRules) {
+      props.managedRules = [
+        'AWSManagedRulesAmazonIpReputationList',
+        'AWSManagedRulesAnonymousIpList',
+        'AWSManagedRulesCommonRuleSet',
+        'AWSManagedRulesKnownBadInputsRuleSet',
+        'AWSManagedRulesBotControlRuleSet'
+      ];
+    }
+
+    this.acl = new CfnWebACL(this, 'CloudFrontWebAcl', {
+      scope: 'CLOUDFRONT',
+      name: props.name,
+      defaultAction: { allow: {} },
+      visibilityConfig: {
+        cloudWatchMetricsEnabled: true,
+        sampledRequestsEnabled: true,
+        metricName: `${props.name}-metrics`
+      },
+      rules: transformManagedRules(props.managedRules)
+    });
+    tagResource(this.acl, props.tags);
+    if (typeof props.destroy == 'boolean') {
+      this.acl.applyRemovalPolicy(props.destroy ? RemovalPolicy.DESTROY : RemovalPolicy.RETAIN);
+    } 
+  }
+}
+
+export interface ApiGatewayWebAclProps extends ResourceProps {
+  name: string;
+  aclScope?: 'CLOUDFRONT' | 'REGIONAL';
+  managedRules?: (WebAclManagedRule & string)[];
+}
+export class ApiGatewayWebAcl extends Construct {
+  public readonly acl: CfnWebACL;
+  constructor(scope: Construct, id: string, props: ApiGatewayWebAclProps) {
+    super(scope, id);
+
+    props.name = cleanResourceName(props.name);
+
+    if (!props.managedRules) {
+      props.managedRules = [
+        'AWSManagedRulesAmazonIpReputationList',
+        'AWSManagedRulesAnonymousIpList',
+        'AWSManagedRulesCommonRuleSet',
+        'AWSManagedRulesSQLiRuleSet',
+        'AWSManagedRulesKnownBadInputsRuleSet',
+        'AWSManagedRulesBotControlRuleSet'
+      ];
+    }
+
+    this.acl = new CfnWebACL(this, 'ApiGatewayWebAcl', {
+      scope: props.aclScope ?? 'REGIONAL',
+      name: props.name,
+      defaultAction: { allow: {} },
+      visibilityConfig: {
+        cloudWatchMetricsEnabled: true,
+        sampledRequestsEnabled: true,
+        metricName: `${props.name}-metrics`
+      },
+      rules: transformManagedRules(props.managedRules)
+    });
+    tagResource(this.acl, props.tags);
+    if (typeof props.destroy == 'boolean') {
+      this.acl.applyRemovalPolicy(props.destroy ? RemovalPolicy.DESTROY : RemovalPolicy.RETAIN);
+    } 
+  }
+}
+
+
+function transformManagedRules(rules: (WebAclManagedRule | string)[]): CfnWebACL.RuleProperty[] {
+  return rules.map((ruleName, i) => {
+    return {
+      name: `AWS-${ruleName}`,
+      priority: i,
+      statement: {
+        managedRuleGroupStatement: {
+          name: ruleName,
+          vendorName: 'AWS'
+        }
+      },
+      overrideAction: { none: {} },
+      visibilityConfig: { 
+        cloudWatchMetricsEnabled: true,
+        sampledRequestsEnabled: true,
+        metricName: `AWS-${ruleName}`
+      }
+    } as CfnWebACL.RuleProperty;
+  });
+}

package/src/index.ts

@@ -0,0 +1,35 @@
+import { Environment } from "aws-cdk-lib";
+
+export * from './lib/tags.ts';
+
+interface GetEnvParams { 
+  account?: number | string;
+  region?: string; 
+}
+export function getEnv(region?: string): Environment;
+export function getEnv(account?: string | number): Environment;
+export function getEnv({ account, region }: GetEnvParams): Environment;
+export function getEnv(env?: Environment): Environment;
+export function getEnv(env?: string | number | GetEnvParams | Environment) {
+  let account: string = process.env.CDK_DEFAULT_ACCOUNT || '';
+  let region: string = process.env.CDK_DEFAULT_REGION || 'us-east-1';
+  if (env) {
+    switch (typeof env) {
+      case 'number':
+        account = env.toString();
+        break;
+      case 'string':
+        if (/^\d+$/.test(env)) {
+          account = env;
+        } else {
+          region = env;
+        }
+        break;
+      default:
+        account = (env as Environment).account ?? '';
+        region = (env as Environment).region ?? region;
+        break;
+    }
+  }
+  return { account, region };
+}

package/src/lib/const.ts

@@ -0,0 +1 @@
+export const NPM_LIBRARY_NAME = '@inizioevoke/evosynth';

package/src/lib/csv-redirects.ts

@@ -0,0 +1,139 @@
+import { readFileSync } from 'node:fs';
+import { resolve, isAbsolute } from 'node:path';
+import type { CloudFrontFunctionRedirectPaths, HttpRedirectCode } from '../constructs/cloudfront.js';
+
+const VALID_HTTP_CODES: readonly number[] = [301, 302, 303, 307, 308];
+
+function parseCsvLine(line: string): string[] {
+  const fields: string[] = [];
+  let current = '';
+  let inQuotes = false;
+
+  for (let i = 0; i < line.length; i++) {
+    const ch = line[i];
+    if (inQuotes) {
+      if (ch === '"') {
+        if (i + 1 < line.length && line[i + 1] === '"') {
+          current += '"';
+          i++;
+        } else {
+          inQuotes = false;
+        }
+      } else {
+        current += ch;
+      }
+    } else {
+      if (ch === '"') {
+        inQuotes = true;
+      } else if (ch === ',') {
+        fields.push(current.trim());
+        current = '';
+      } else {
+        current += ch;
+      }
+    }
+  }
+  fields.push(current.trim());
+  return fields;
+}
+
+export function parseCsvRedirects(filePath: string): CloudFrontFunctionRedirectPaths {
+  const resolvedPath = isAbsolute(filePath) ? filePath : resolve(process.cwd(), filePath);
+  const content = readFileSync(resolvedPath, 'utf8');
+  const lines = content.split(/\r?\n/).filter(line => line.trim() !== '');
+
+  if (lines.length === 0) {
+    return {};
+  }
+
+  const headers = parseCsvLine(lines[0]).map(h => h.toLowerCase());
+  const sourceIdx = headers.indexOf('source');
+  const destIdx = headers.indexOf('destination');
+  const codeIdx = headers.indexOf('http_code');
+
+  if (sourceIdx === -1) {
+    throw new Error("redirects.csv: Required column 'source' is missing.");
+  }
+  if (destIdx === -1) {
+    throw new Error("redirects.csv: Required column 'destination' is missing.");
+  }
+
+  const result: CloudFrontFunctionRedirectPaths = {};
+
+  for (let i = 1; i < lines.length; i++) {
+    const rowNum = i + 1;
+    const fields = parseCsvLine(lines[i]);
+
+    const source = fields[sourceIdx] ?? '';
+    const destination = fields[destIdx] ?? '';
+
+    if (!source) {
+      throw new Error(`redirects.csv: Row ${rowNum} has an empty 'source' value.`);
+    }
+    if (!destination) {
+      throw new Error(`redirects.csv: Row ${rowNum} has an empty 'destination' value.`);
+    }
+
+    if (source === destination) {
+      throw new Error(`redirects.csv: Row ${rowNum} contains a circular redirect — source and destination are the same: '${source}'.`);
+    }
+
+    let httpCode: HttpRedirectCode = 302;
+    if (codeIdx !== -1) {
+      const rawCode = fields[codeIdx] ?? '';
+      if (rawCode !== '') {
+        const parsed = parseInt(rawCode, 10);
+        if (!VALID_HTTP_CODES.includes(parsed)) {
+          throw new Error(`redirects.csv: Row ${rowNum} has an invalid 'http_code' value: '${rawCode}'. Expected a redirect status code (e.g. 301, 302, 307, 308).`);
+        }
+        httpCode = parsed as HttpRedirectCode;
+      }
+    }
+
+    result[source] = httpCode === 302 ? destination : [destination, httpCode];
+  }
+
+  // Detect indirect circular chains
+  detectCircularChains(result);
+
+  return result;
+}
+
+function detectCircularChains(redirects: CloudFrontFunctionRedirectPaths): void {
+  const graph = new Map<string, string>();
+  for (const [source, value] of Object.entries(redirects)) {
+    const dest = Array.isArray(value) ? value[0] : value;
+    graph.set(source, dest);
+  }
+
+  for (const start of graph.keys()) {
+    const visited = new Set<string>();
+    let current: string | undefined = start;
+    while (current !== undefined && graph.has(current)) {
+      if (visited.has(current)) {
+        const chain = [...visited, current].join(' → ');
+        throw new Error(`redirects.csv: Circular redirect chain detected: ${chain}`);
+      }
+      visited.add(current);
+      current = graph.get(current);
+    }
+  }
+}
+
+export function mergeRedirects(
+  base: CloudFrontFunctionRedirectPaths | undefined,
+  override: CloudFrontFunctionRedirectPaths | undefined
+): CloudFrontFunctionRedirectPaths {
+  if (!base && !override) return {};
+  if (!base) return { ...override! };
+  if (!override) return { ...base };
+
+  const merged = { ...base };
+  for (const [key, value] of Object.entries(override)) {
+    if (key in merged) {
+      console.warn(`Redirect conflict for '${key}': override wins.`);
+    }
+    merged[key] = value;
+  }
+  return merged;
+}

package/src/lib/tags.ts

@@ -0,0 +1,55 @@
+import { IConstruct } from 'constructs';
+import { Tags } from 'aws-cdk-lib/core';
+import { NPM_LIBRARY_NAME } from './const.ts';
+import { TOOL_VERSION } from './version.ts';
+
+export const TAG_EVO_VERSION = 'EvoSynthToolVersion';
+export const TAG_EVO_STAGE = 'EvoSynthStageName';
+export const TAG_EVO_STACK = 'EvoSynthStackName';
+
+export function createEvoVersionTag(): { [TAG_EVO_VERSION]: string } {
+  return { [TAG_EVO_VERSION]: `${NPM_LIBRARY_NAME}@${TOOL_VERSION}` };
+}
+export function addEvoVersionTag(resource: IConstruct) {
+  tagResource(resource, createEvoVersionTag());
+}
+
+export function createEvoStackTag(value: string): { [TAG_EVO_STACK]: string } {
+  return { [TAG_EVO_STACK]: value };
+}
+export function addEvoStackTags(resource: IConstruct, value: string){
+  addEvoVersionTag(resource);
+  tagResource(resource, createEvoStackTag(value));
+}
+
+export function createEvoStageTag(value: string): { [TAG_EVO_STAGE]: string } {
+  return { [TAG_EVO_STAGE]: value };
+}
+export function addEvoStageTags(resource: IConstruct, value: string) {
+  addEvoVersionTag(resource);
+  tagResource(resource, createEvoStageTag(value));
+}
+
+export function mergeTags(...tags: (Record<string, string> | null | undefined)[]): Record<string, string> {
+  const _tags = tags.filter(t => t !== undefined && t !== null) ?? [];
+  return Object.assign({}, ..._tags);
+}
+
+export function tagResource(resource: IConstruct, tags?: Record<string, string>): void;
+export function tagResource(resource: IConstruct, tag: string, value: string): void;
+export function tagResource(resource: IConstruct, ...args: any[]): void {
+  let tags: Record<string, string> | undefined = undefined;
+  switch (args.length) {
+    case 1:
+      tags = tags || undefined;
+      break;
+    case 2:
+      tags = { [args[0]]: args[1] };
+      break;
+  }
+  if (tags) {
+    for (const [key, value] of Object.entries(tags)) {
+      Tags.of(resource).add(key, value);
+    }
+  }
+}

package/src/lib/types.ts

@@ -0,0 +1,17 @@
+export type DeepPartial<T> = T extends object ? {
+  [P in keyof T]?: DeepPartial<T[P]>;
+} : T;
+
+export type WithRequiredProperty<Type, Key extends keyof Type> = Omit<Type, Key> & {
+  [Property in Key]-?: Type[Property];
+};
+
+export interface ResourceProps {
+  destroy?: boolean;
+  tags?: Record<string, string>;
+}
+
+export interface SsmStringParameter {
+  path: string;
+  version?: number;
+}

package/src/lib/utils.ts

@@ -0,0 +1,7 @@
+export function domainAsId(domain: string) {
+  return domain.replace(/\./g, '-');
+}
+
+export function cleanResourceName(name: string) {
+  return name.replace(/[^0-9a-z_\-]/gi, '');
+}

package/src/lib/version.ts

@@ -0,0 +1,6 @@
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+
+const pkg = JSON.parse(readFileSync(resolve(import.meta.dirname, '../../package.json'), 'utf8'));
+
+export const TOOL_VERSION = pkg.version as string;

package/src/stacks/web-static-serverless/codepipeline-stack.ts

@@ -0,0 +1,42 @@
+import { Stack, StackProps } from 'aws-cdk-lib/core';
+import { Construct } from 'constructs';
+import { CodeBuildPipelineProject, CodeBuildPipelineProjectProps } from '../../constructs/codebuild.js';
+import { CodePipelineProject, AddSourceStageParams, AddBuildStageParams } from '../../constructs/codepipeline.js';
+import { addEvoStackTags } from '../../lib/tags.ts';
+
+export interface CodePipelineStackProps {
+  pipelineName?: string;
+  sourceStage: AddSourceStageParams;
+  buildStage?: Pick<AddBuildStageParams, 'stageName' | 'environmentVariables'>;
+  codeBuildProject?: Omit<CodeBuildPipelineProjectProps, 'destroy' | 'tags'>,
+  destroy?: boolean;
+  tags?: Record<string, string>;
+}
+export class CodePipelineStack extends Stack {
+  public readonly codeBuildPipelineProject: CodeBuildPipelineProject;
+  public readonly codePipelineProject: CodePipelineProject;
+
+  constructor(scope: Construct, id: string, props: CodePipelineStackProps & StackProps) {
+    super(scope, id, props);
+    addEvoStackTags(this, 'CodePipelineStack');
+
+    this.codeBuildPipelineProject = new CodeBuildPipelineProject(this, 'CodeBuildPipelineProject', {
+      ...(props.codeBuildProject ?? {}),
+      destroy: props.destroy
+    });
+
+    this.codePipelineProject = new CodePipelineProject(this, 'CodePipelineProject', {
+      pipelineName: props.pipelineName,
+      destroy: props.destroy
+    });
+
+    const sourceArtifact = this.codePipelineProject.addSourceStage(props.sourceStage);
+
+    this.codePipelineProject.addBuildStage({
+      stageName: props.buildStage?.stageName,
+      codeBuildProject: this.codeBuildPipelineProject.project,
+      sourceArtifact: sourceArtifact,
+      environmentVariables: props.buildStage?.environmentVariables
+    });
+  }
+}

package/src/stacks/web-static-serverless/web-global-stack.ts

@@ -0,0 +1,184 @@
+import { Stack, StackProps, PhysicalName } from 'aws-cdk-lib/core';
+import { Construct } from 'constructs';
+
+import { Certificate } from "aws-cdk-lib/aws-certificatemanager";
+import { Distribution, Function, FunctionEventType, IResponseHeadersPolicy, ResponseHeadersPolicyProps, BehaviorOptions, ResponseHeadersPolicy } from 'aws-cdk-lib/aws-cloudfront';
+import { ARecord, AaaaRecord } from "aws-cdk-lib/aws-route53";
+import { Bucket } from "aws-cdk-lib/aws-s3";
+import { StringParameter } from 'aws-cdk-lib/aws-ssm';
+import { CfnWebACL } from 'aws-cdk-lib/aws-wafv2';
+
+import { SSLCertificate } from '../../constructs/certificatemanager.js';
+import { CloudFrontFunctionRedirects, CloudFrontFunction, CloudFrontDistribution } from '../../constructs/cloudfront.js';
+import { getHostedZone, CloudFrontAlias } from '../../constructs/route53.js';
+import { S3Bucket } from '../../constructs/s3.js';
+import { CloudFrontWebAcl } from '../../constructs/waf.js';
+import { domainAsId } from '../../lib/utils.js';
+import { addEvoStackTags } from '../../lib/tags.ts';
+import { SsmStringParameter } from '../../lib/types.ts';
+import { S3BucketOrigin } from 'aws-cdk-lib/aws-cloudfront-origins';
+
+export interface BasicAuthCredentials {
+  user: string;
+  password: string;
+}
+
+type AWSManagedResponseHeadersPolicy = 
+  'CORS_ALLOW_ALL_ORIGINS' |
+  'CORS_ALLOW_ALL_ORIGINS_AND_SECURITY_HEADERS' |
+  'CORS_ALLOW_ALL_ORIGINS_WITH_PREFLIGHT' |
+  'CORS_ALLOW_ALL_ORIGINS_WITH_PREFLIGHT_AND_SECURITY_HEADERS' |
+  'SECURITY_HEADERS';
+
+type UUID = `${string}-${string}-${string}-${string}-${string}`;
+export interface WebGlobalStackProps {
+  envType: 'NOT_PROD' | 'PROD';
+  description?: string;
+  bucketName?: string;
+  hostedZone: string;
+  domainName: string;
+  basicAuth?: string | BasicAuthCredentials | SsmStringParameter;
+  viewerRequestResponse?: string;
+  redirects?: CloudFrontFunctionRedirects;
+  redirectsCsvPath?: string;
+  // attachWebAcl?: boolean | string;
+  webAcl?: boolean | string | SsmStringParameter;
+  responseHeadersPolicy?: false | AWSManagedResponseHeadersPolicy | UUID | SsmStringParameter;
+  responseHeadersPolicyProps?: ResponseHeadersPolicyProps;
+  destroy?: boolean;
+  tags?: Record<string, string>;
+}
+
+export class WebGlobalStack extends Stack {
+  public readonly sslCertificate: Certificate;
+  public readonly s3Bucket: Bucket;
+  public readonly cloudFrontFunction: Function;
+  public readonly cloudFrontDistribution: Distribution;
+  public readonly webAcl: CfnWebACL | undefined;
+  public readonly responseHeadersPolicy: IResponseHeadersPolicy | undefined;
+  public readonly aRecord: ARecord;
+  public readonly aaaaRecord: AaaaRecord;
+
+  constructor(scope: Construct, id: string, props: WebGlobalStackProps & StackProps) {
+    super(scope, id, props);
+    addEvoStackTags(this, 'WebGlobalStack');
+
+    const hostedZone = getHostedZone(this, 'getHostedZone', props.hostedZone);
+
+    const _sslCert = new SSLCertificate(this, 'SSLCertificate', {
+      hostedZone: hostedZone,
+      domainName: props.domainName,
+      destroy: props.destroy
+    });
+    this.sslCertificate = _sslCert.certificate;
+
+    const _s3Bucket = new S3Bucket(this, 'S3Bucket', {
+      bucketName: props.bucketName ?? PhysicalName.GENERATE_IF_NEEDED,
+      destroy: props.destroy
+    });
+    this.s3Bucket = _s3Bucket.bucket;
+
+    let responseHeadersPolicy: IResponseHeadersPolicy | undefined = undefined;
+    if (props.responseHeadersPolicy) {
+      if (typeof props.responseHeadersPolicy == 'string') {
+        if (/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(props.responseHeadersPolicy)) {
+          responseHeadersPolicy = ResponseHeadersPolicy.fromResponseHeadersPolicyId(this, 'response-headers-policy-by-id', props.responseHeadersPolicy);
+        } else {
+          responseHeadersPolicy = ResponseHeadersPolicy[props.responseHeadersPolicy as keyof typeof ResponseHeadersPolicy] as IResponseHeadersPolicy ?? ResponseHeadersPolicy.SECURITY_HEADERS;
+        }
+      } else if (props.responseHeadersPolicy.path) {
+        responseHeadersPolicy = ResponseHeadersPolicy.fromResponseHeadersPolicyId(this, 'response-headers-policy-by-id', StringParameter.valueForStringParameter(this, props.responseHeadersPolicy.path, props.responseHeadersPolicy.version));
+      }
+    }
+    if (!responseHeadersPolicy && props.responseHeadersPolicyProps) {
+      responseHeadersPolicy = new ResponseHeadersPolicy(this, 'response-headers-policy', {
+        ...props.responseHeadersPolicyProps,
+        responseHeadersPolicyName: props.responseHeadersPolicyProps.responseHeadersPolicyName || `${domainAsId(props.domainName)}-response-headers-policy`
+      });
+      this.responseHeadersPolicy = responseHeadersPolicy;
+    }
+
+    const defaultBehavior: BehaviorOptions = {
+      origin: S3BucketOrigin.withOriginAccessControl(this.s3Bucket),
+      functionAssociations: [],
+      responseHeadersPolicy: responseHeadersPolicy ?? props.responseHeadersPolicy !== false ? ResponseHeadersPolicy.SECURITY_HEADERS : undefined
+    };
+
+    let cffn: CloudFrontFunction;
+    if (props.basicAuth) {
+      if (typeof props.basicAuth != 'string') {
+        if ((props.basicAuth as BasicAuthCredentials).user && (props.basicAuth as BasicAuthCredentials).password) {
+          props.basicAuth = Buffer.from(`${(props.basicAuth as BasicAuthCredentials).user}:${(props.basicAuth as BasicAuthCredentials).password}`).toString('base64');
+        } else if ((props.basicAuth as SsmStringParameter).path) {
+          props.basicAuth = StringParameter.valueForStringParameter(this, (props.basicAuth as SsmStringParameter).path, (props.basicAuth as SsmStringParameter).version);
+        } else {
+          props.basicAuth = undefined;
+        }
+      }
+    }
+    if (props.viewerRequestResponse) {
+      cffn = CloudFrontFunction.createViewerRequestResponseFunction(this, null, {
+        credentials: props.basicAuth,
+        redirects: props.redirects,
+        redirectsCsvPath: props.redirectsCsvPath,
+        code: props.viewerRequestResponse,
+        destroy: props.destroy
+      });
+    } else if (props.basicAuth) {
+      cffn = CloudFrontFunction.createBasicAuthDefaultDoc(this, {
+        credentials: props.basicAuth,
+        redirects: props.redirects,
+        redirectsCsvPath: props.redirectsCsvPath,
+        destroy: props.destroy
+      });
+    } else {
+      cffn = CloudFrontFunction.createDefaultDoc(this, {
+        redirects: props.redirects,
+        redirectsCsvPath: props.redirectsCsvPath,
+        destroy: props.destroy
+      });
+    }
+    this.cloudFrontFunction = cffn.fn;
+    
+    defaultBehavior.functionAssociations!.push({
+      eventType: FunctionEventType.VIEWER_REQUEST,
+      function: this.cloudFrontFunction
+    });
+    defaultBehavior.functionAssociations!.push({
+      eventType: FunctionEventType.VIEWER_RESPONSE,
+      function: this.cloudFrontFunction
+    });
+    
+    let webAclId: string | undefined = undefined;
+    if (typeof props.webAcl == 'string' && props.webAcl.startsWith('arn:aws')) {
+      webAclId = props.webAcl;
+    } else if ((props.webAcl as SsmStringParameter).path) {
+      webAclId = StringParameter.valueForStringParameter(this, (props.webAcl as SsmStringParameter).path, (props.webAcl as SsmStringParameter).version);
+    } else if (props.webAcl === true) {
+      const waf = new CloudFrontWebAcl(this, 'CloudFrontWebAcl', {
+        name: `${domainAsId(props.domainName)}`,
+        destroy: props.destroy
+      });
+      this.webAcl = waf.acl;
+      webAclId = waf.acl.attrArn;
+    }
+
+    const cfDistribution = new CloudFrontDistribution(this, 'CloudFrontDistribution', {
+      domainName: props.domainName,
+      description: props.description ?? props.domainName,
+      priceClass: props.envType,
+      certificate: this.sslCertificate,
+      defaultBehavior,
+      webAclId
+    });
+    this.cloudFrontDistribution = cfDistribution.distribution;
+
+    const cfAlias = new CloudFrontAlias(this, 'CloudFrontAlias', {
+      distribution: cfDistribution.distribution,
+      domainName: props.domainName,
+      hostedZone: hostedZone
+    });
+    this.aRecord = cfAlias.aRecord;
+    this.aaaaRecord = cfAlias.aaaaRecord;
+  }
+}