@liflig/cdk-cloudfront-auth 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Henrik Steen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,63 @@
+# CloudFront authorization with Cognito for CDK
+
+Easily add Cognito-based authorization to your CloudFront distribution,
+to place static files behind authorization.
+
+This is based on https://github.com/aws-samples/cloudfront-authorization-at-edge.
+
+## Usage
+
+```bash
+npm install @liflig/cdk-cloudfront-auth
+```
+
+Deploy the Lambda@Edge functions to us-east-1:
+
+```ts
+// In a stack deployed to us-east-1.
+const authLambdas = new AuthLambdas(this, "AuthLambdas", {
+  regions: ["eu-west-1"], // Regions to make Lambda version params available.
+})
+```
+
+Deploy the Cognito and CloudFront setup in whatever region
+of your choice:
+
+```ts
+const auth = new CloudFrontAuth(this, "Auth", {
+  cognitoAuthDomain: `${domain.domainName}.auth.${region}.amazoncognito.com`,
+  authLambdas, // AuthLambdas from above
+  userPool, // Cognito User Pool
+})
+const distribution = new cloudfront.Distribution(this, "Distribution", {
+  defaultBehavior: auth.createProtectedBehavior(origin),
+  additionalBehaviors: auth.createAuthPagesBehaviors(origin),
+})
+auth.updateClient("ClientUpdate", {
+  signOutUrl: `https://${distribution.distributionDomainName}${auth.signOutRedirectTo}`,
+  callbackUrl: `https://${distribution.distributionDomainName}${auth.callbackPath}`,
+})
+```
+
+If using `CloudFrontWebDistribution` instead of `Distribution`:
+
+```ts
+const distribution = new cloudfront.CloudFrontWebDistribution(this, "Distribution", {
+  originConfigs: [
+    {
+      behaviors: [
+        ...auth.authPages,
+        {
+          isDefaultBehavior: true,
+          lambdaFunctionAssociations: auth.authFilters,
+        },
+      ],
+    },
+  ],
+})
+```
+
+## Customizing authorization
+
+The `CloudFrontAuth` construct accepts a `requireGroupAnyOf` property
+that causes access to be restricted to only users in specific groups.