@studion/infra-code-blocks 0.8.0-next.1 → 2.0.0-alpha.0

package/README.md

@@ -103,11 +103,11 @@ type ProjectArgs = {
 };
 ```
 
-| Argument         |                                                                         Description                                                                          |
-| :--------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------: |
-| services \*      |                                                                        Service list.                                                                         |
-| enableSSMConnect | Set up ec2 instance and SSM in order to connect to the database in the private subnet. Please refer to the [SSM Connect](#ssm-connect) section for more info. |
-| numberOfAvailabilityZones | Default is 2 which is recommended. If building a dev server, we can reduce to 1 availability zone to reduce hosting cost. |
+| Argument                  |                                                                          Description                                                                          |
+| :------------------------ | :-----------------------------------------------------------------------------------------------------------------------------------------------------------: |
+| services \*               |                                                                         Service list.                                                                         |
+| enableSSMConnect          | Set up ec2 instance and SSM in order to connect to the database in the private subnet. Please refer to the [SSM Connect](#ssm-connect) section for more info. |
+| numberOfAvailabilityZones |                   Default is 2 which is recommended. If building a dev server, we can reduce to 1 availability zone to reduce hosting cost.                   |
 
 ```ts
 type DatabaseServiceOptions = {
@@ -481,9 +481,11 @@ type DatabaseReplicaArgs = {
   }>;
 };
 ```
+
 Database replica requires primary DB instance to exist. If the replica is in the same
 region as primary instance, we should not set `dbSubnetGroupNameParam`.
 The `replicateSourceDb` param is referenced like this:
+
 ```javascript
   const primaryDb = new studion.Database(...);
   const replica = new studion.DatabaseReplica('replica', {

package/dist/components/acm-certificate/index.d.ts

@@ -0,0 +1,20 @@
+import * as pulumi from '@pulumi/pulumi';
+import * as aws from '@pulumi/aws-v7';
+export declare namespace AcmCertificate {
+    type Args = {
+        domain: pulumi.Input<string>;
+        /**
+         * Additional domains/subdomains to be included in this certificate.
+         */
+        subjectAlternativeNames?: pulumi.Input<string>[];
+        hostedZoneId: pulumi.Input<string>;
+        region?: pulumi.Input<string>;
+    };
+}
+export declare class AcmCertificate extends pulumi.ComponentResource {
+    certificate: aws.acm.Certificate;
+    certificateValidation: pulumi.Output<aws.acm.CertificateValidation>;
+    constructor(name: string, args: AcmCertificate.Args, opts?: pulumi.ComponentResourceOptions);
+    private createCertValidationRecords;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/components/acm-certificate/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/components/acm-certificate/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,gBAAgB,CAAC;AACzC,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAC;AAGtC,yBAAiB,cAAc,CAAC;IAC9B,KAAY,IAAI,GAAG;QACjB,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAC7B;;WAEG;QACH,uBAAuB,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;QACjD,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACnC,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;KAC/B,CAAC;CACH;AAED,qBAAa,cAAe,SAAQ,MAAM,CAAC,iBAAiB;IAC1D,WAAW,EAAE,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC;IACjC,qBAAqB,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;gBAGlE,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,cAAc,CAAC,IAAI,EACzB,IAAI,GAAE,MAAM,CAAC,wBAA6B;IAgC5C,OAAO,CAAC,2BAA2B;CAmCpC"}

package/dist/components/acm-certificate/index.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AcmCertificate = void 0;
+const pulumi = require("@pulumi/pulumi");
+const aws = require("@pulumi/aws-v7");
+const common_tags_1 = require("../../shared/common-tags");
+class AcmCertificate extends pulumi.ComponentResource {
+    constructor(name, args, opts = {}) {
+        super('studion:acm-certificate:AcmCertificate', name, {}, Object.assign(Object.assign({}, opts), { aliases: [...(opts.aliases || []), { type: 'studion:acm:Certificate' }] }));
+        this.certificate = new aws.acm.Certificate(`${args.domain}-certificate`, {
+            domainName: args.domain,
+            subjectAlternativeNames: args.subjectAlternativeNames,
+            validationMethod: 'DNS',
+            region: args.region,
+            tags: common_tags_1.commonTags,
+        }, { parent: this });
+        this.certificateValidation = this.createCertValidationRecords(args.domain, args.hostedZoneId, args.region);
+        this.registerOutputs();
+    }
+    createCertValidationRecords(domainName, hostedZoneId, region) {
+        return this.certificate.domainValidationOptions.apply(domains => {
+            const validationRecords = domains.map(domain => new aws.route53.Record(`${domain.domainName}-cert-validation-domain`, {
+                name: domain.resourceRecordName,
+                type: domain.resourceRecordType,
+                zoneId: hostedZoneId,
+                records: [domain.resourceRecordValue],
+                ttl: 600,
+            }, {
+                parent: this,
+                deleteBeforeReplace: true,
+            }));
+            return new aws.acm.CertificateValidation(`${domainName}-cert-validation`, {
+                certificateArn: this.certificate.arn,
+                validationRecordFqdns: validationRecords.map(record => record.fqdn),
+                region,
+            }, { parent: this });
+        });
+    }
+}
+exports.AcmCertificate = AcmCertificate;

package/dist/components/cloudfront/index.d.ts

@@ -0,0 +1,92 @@
+import * as aws from '@pulumi/aws-v7';
+import * as pulumi from '@pulumi/pulumi';
+import { AcmCertificate } from '../acm-certificate';
+export declare class CloudFront extends pulumi.ComponentResource {
+    name: string;
+    distribution: aws.cloudfront.Distribution;
+    acmCertificate?: AcmCertificate;
+    constructor(name: string, args: CloudFront.Args, opts?: pulumi.ComponentResourceOptions);
+    private createDistributionOrigins;
+    private getCacheBehavior;
+    private createCertificate;
+    private createDistribution;
+    private createAliasRecord;
+}
+export declare namespace CloudFront {
+    export enum BehaviorType {
+        S3 = "s3",
+        LB = "lb",
+        CUSTOM = "custom"
+    }
+    export type S3Behavior = BehaviorBase & {
+        type: BehaviorType.S3;
+        bucket: pulumi.Input<aws.s3.Bucket>;
+        websiteConfig: pulumi.Input<aws.s3.BucketWebsiteConfiguration>;
+    };
+    export type LbBehavior = BehaviorBase & {
+        type: BehaviorType.LB;
+        loadBalancer: pulumi.Input<aws.lb.LoadBalancer>;
+        dnsName?: pulumi.Input<string>;
+    };
+    export type CustomBehavior = BehaviorBase & {
+        type: BehaviorType.CUSTOM;
+        originId: pulumi.Input<string>;
+        domainName: pulumi.Input<string>;
+        originProtocolPolicy?: pulumi.Input<string>;
+        allowedMethods?: pulumi.Input<pulumi.Input<string>[]>;
+        cachedMethods?: pulumi.Input<pulumi.Input<string>[]>;
+        compress?: pulumi.Input<boolean>;
+        defaultRootObject?: pulumi.Input<string>;
+        cachePolicyId?: pulumi.Input<string>;
+        originRequestPolicyId?: pulumi.Input<string>;
+        responseHeadersPolicyId?: pulumi.Input<string>;
+    };
+    export type Behavior = S3Behavior | LbBehavior | CustomBehavior;
+    export type Args = {
+        /**
+         * Behavior is a combination of distribution's origin and cache behavior.
+         * Ordering is important since first encountered behavior is applied,
+         * matched by path.
+         * The default behavior, i.e. path pattern `*` or `/*`, must always be last.
+         * Mapping between behavior and cache is one to one, while origin is mapped
+         * by ID to filter out duplicates while keeping the last occurrence.
+         */
+        behaviors: Behavior[];
+        /**
+         * Domain name for CloudFront distribution. Implies creation of certificate
+         * and alias record. Must belong to the provided hosted zone.
+         * Providing the `certificate` argument has following effects:
+         * - Certificate creation is skipped
+         * - Provided certificate must cover the domain name
+         * Responsibility to ensure mentioned requirements in on the consumer, and
+         * falling to do so will result in unexpected behavior.
+         */
+        domain?: pulumi.Input<string>;
+        /**
+         * Certificate for CloudFront distribution. Domain and alternative domains
+         * are automatically pulled from the certificate and translated into alias
+         * records. Domains covered by the certificate, must belong to the provided
+         * hosted zone. The certificate must be in `us-east-1` region. In a case
+         * of wildcard certificate the `domain` argument is required.
+         * Providing the `domain` argument has following effects:
+         * - Alias records creation, from automatically pulled domains, is skipped
+         * - Certificate must cover the provided domain name
+         * Responsibility to ensure mentioned requirements in on the consumer, and
+         * falling to do so will result in unexpected behavior.
+         */
+        certificate?: pulumi.Input<aws.acm.Certificate>;
+        /**
+         * ID of hosted zone is needed when the `domain` or the `certificate`
+         * arguments are provided.
+         */
+        hostedZoneId?: pulumi.Input<string>;
+        tags?: pulumi.Input<{
+            [key: string]: pulumi.Input<string>;
+        }>;
+    };
+    type BehaviorBase = {
+        pathPattern: string;
+    };
+    export {};
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/components/cloudfront/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/components/cloudfront/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAC;AACtC,OAAO,KAAK,MAAM,MAAM,gBAAgB,CAAC;AAEzC,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAIpD,qBAAa,UAAW,SAAQ,MAAM,CAAC,iBAAiB;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,GAAG,CAAC,UAAU,CAAC,YAAY,CAAC;IAC1C,cAAc,CAAC,EAAE,cAAc,CAAC;gBAG9B,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,UAAU,CAAC,IAAI,EACrB,IAAI,GAAE,MAAM,CAAC,wBAA6B;IA4D5C,OAAO,CAAC,yBAAyB;IAwCjC,OAAO,CAAC,gBAAgB;IAoExB,OAAO,CAAC,iBAAiB;IAiBzB,OAAO,CAAC,kBAAkB;IA0D1B,OAAO,CAAC,iBAAiB;CA4B1B;AAED,yBAAiB,UAAU,CAAC;IAC1B,MAAM,MAAM,YAAY;QACtB,EAAE,OAAO;QACT,EAAE,OAAO;QACT,MAAM,WAAW;KAClB;IAED,MAAM,MAAM,UAAU,GAAG,YAAY,GAAG;QACtC,IAAI,EAAE,YAAY,CAAC,EAAE,CAAC;QACtB,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC;QACpC,aAAa,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,0BAA0B,CAAC,CAAC;KAChE,CAAC;IAEF,MAAM,MAAM,UAAU,GAAG,YAAY,GAAG;QACtC,IAAI,EAAE,YAAY,CAAC,EAAE,CAAC;QACtB,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC;QAKhD,OAAO,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;KAChC,CAAC;IAEF,MAAM,MAAM,cAAc,GAAG,YAAY,GAAG;QAC1C,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC;QAC1B,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/B,UAAU,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACjC,oBAAoB,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAC5C,cAAc,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACtD,aAAa,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACrD,QAAQ,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACjC,iBAAiB,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACzC,aAAa,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACrC,qBAAqB,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAC7C,uBAAuB,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;KAChD,CAAC;IAEF,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,UAAU,GAAG,cAAc,CAAC;IAEhE,MAAM,MAAM,IAAI,GAAG;QACjB;;;;;;;WAOG;QACH,SAAS,EAAE,QAAQ,EAAE,CAAC;QACtB;;;;;;;;WAQG;QACH,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAC9B;;;;;;;;;;;WAWG;QACH,WAAW,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAChD;;;WAGG;QACH,YAAY,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACpC,IAAI,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC;YAClB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;SACrC,CAAC,CAAC;KACJ,CAAC;IAEF,KAAK,YAAY,GAAG;QAClB,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC;;CACH"}

package/dist/components/cloudfront/index.js

@@ -0,0 +1,208 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CloudFront = void 0;
+const aws = require("@pulumi/aws-v7");
+const pulumi = require("@pulumi/pulumi");
+const common_tags_1 = require("../../shared/common-tags");
+const acm_certificate_1 = require("../acm-certificate");
+const s3_cache_strategy_1 = require("./s3-cache-strategy");
+const lb_cache_strategy_1 = require("./lb-cache-strategy");
+class CloudFront extends pulumi.ComponentResource {
+    constructor(name, args, opts = {}) {
+        super('studion:cloudfront:CloudFront', name, args, opts);
+        this.name = name;
+        const { behaviors, domain, certificate, hostedZoneId, tags } = args;
+        const hasCustomDomain = !!domain || !!certificate;
+        if (hasCustomDomain && !hostedZoneId) {
+            throw new Error('Provide `hostedZoneId` alongside `domain` and/or `certificate`.');
+        }
+        const defaultBehavior = behaviors.at(-1);
+        const orderedBehaviors = behaviors.slice(0, -1);
+        if (!defaultBehavior || !isDefaultBehavior(defaultBehavior)) {
+            throw new Error('Default behavior must be placed last.');
+        }
+        if (domain && hostedZoneId && !certificate) {
+            this.acmCertificate = this.createCertificate({ domain, hostedZoneId });
+        }
+        const defaultRootObject = isS3BehaviorType(defaultBehavior)
+            ? 'index.html'
+            : isCustomBehaviorType(defaultBehavior)
+                ? defaultBehavior.defaultRootObject
+                : undefined;
+        this.distribution = this.createDistribution({
+            origins: this.createDistributionOrigins(behaviors),
+            defaultCache: this.getCacheBehavior(defaultBehavior),
+            orderedCaches: orderedBehaviors.length
+                ? orderedBehaviors.map(it => (Object.assign({ pathPattern: it.pathPattern }, this.getCacheBehavior(it))))
+                : undefined,
+            domain,
+            certificate: certificate || this.acmCertificate
+                ? pulumi.output(certificate !== null && certificate !== void 0 ? certificate : this.acmCertificate.certificate)
+                : undefined,
+            certificateValidation: this.acmCertificate
+                ? this.acmCertificate.certificateValidation
+                : undefined,
+            defaultRootObject,
+            tags,
+        });
+        if (hasCustomDomain && hostedZoneId) {
+            this.createAliasRecord({ hostedZoneId });
+        }
+        this.registerOutputs();
+    }
+    createDistributionOrigins(behaviors) {
+        return pulumi.output(behaviors).apply(entries => {
+            const origins = entries.map(it => {
+                var _a;
+                if (isS3BehaviorType(it)) {
+                    return getOriginWithDefaults({
+                        originId: it.bucket.arn,
+                        domainName: it.websiteConfig.websiteEndpoint,
+                        customOriginConfig: {
+                            originProtocolPolicy: 'http-only',
+                        },
+                    });
+                }
+                else if (isLbBehaviorType(it)) {
+                    return getOriginWithDefaults({
+                        originId: it.loadBalancer.arn,
+                        domainName: (_a = it.dnsName) !== null && _a !== void 0 ? _a : it.loadBalancer.dnsName,
+                    });
+                }
+                else if (isCustomBehaviorType(it)) {
+                    return getOriginWithDefaults({
+                        originId: it.originId,
+                        domainName: it.domainName,
+                        customOriginConfig: Object.assign({}, (it.originProtocolPolicy
+                            ? { originProtocolPolicy: it.originProtocolPolicy }
+                            : undefined)),
+                    });
+                }
+                else {
+                    throw new Error('Unknown CloudFront behavior encountered during mapping to distribution origins.');
+                }
+            });
+            // Remove duplicates, keeps the last occurrence of the origin
+            return [...new Map(origins.map(it => [it.originId, it])).values()];
+        });
+    }
+    getCacheBehavior(behavior) {
+        var _a, _b, _c, _d, _e;
+        const isDefault = isDefaultBehavior(behavior);
+        const getStrategyName = (backend) => `${this.name}-${backend}-${isDefault ? 'default' : 'ordered'}-cache-strategy`;
+        if (isS3BehaviorType(behavior)) {
+            const strategy = new s3_cache_strategy_1.S3CacheStrategy(getStrategyName('s3'), { pathPattern: behavior.pathPattern, bucket: behavior.bucket }, { parent: this });
+            return strategy.config;
+        }
+        else if (isLbBehaviorType(behavior)) {
+            const strategy = new lb_cache_strategy_1.LbCacheStrategy(getStrategyName('lb'), {
+                pathPattern: behavior.pathPattern,
+                loadBalancer: behavior.loadBalancer,
+            }, { parent: this });
+            return strategy.config;
+        }
+        else if (isCustomBehaviorType(behavior)) {
+            return Object.assign(Object.assign({ targetOriginId: behavior.originId, allowedMethods: (_a = behavior.allowedMethods) !== null && _a !== void 0 ? _a : [
+                    'GET',
+                    'HEAD',
+                    'OPTIONS',
+                    'PUT',
+                    'POST',
+                    'PATCH',
+                    'DELETE',
+                ], cachedMethods: (_b = behavior.cachedMethods) !== null && _b !== void 0 ? _b : ['GET', 'HEAD'] }, (behavior.compress != null && { compress: behavior.compress })), { viewerProtocolPolicy: 'redirect-to-https', cachePolicyId: (_c = behavior.cachePolicyId) !== null && _c !== void 0 ? _c : aws.cloudfront
+                    .getCachePolicyOutput({ name: 'Managed-CachingDisabled' })
+                    .apply(p => p.id), originRequestPolicyId: (_d = behavior.originRequestPolicyId) !== null && _d !== void 0 ? _d : aws.cloudfront
+                    .getOriginRequestPolicyOutput({
+                    name: 'Managed-AllViewerExceptHostHeader',
+                })
+                    .apply(p => p.id), responseHeadersPolicyId: (_e = behavior.responseHeadersPolicyId) !== null && _e !== void 0 ? _e : aws.cloudfront
+                    .getResponseHeadersPolicyOutput({
+                    name: 'Managed-SecurityHeadersPolicy',
+                })
+                    .apply(p => p.id) });
+        }
+        else {
+            throw new Error('Unknown CloudFront behavior encountered during mapping to distribution cache behaviors.');
+        }
+    }
+    createCertificate({ domain, hostedZoneId, }) {
+        return new acm_certificate_1.AcmCertificate(`${domain}-acm-certificate`, {
+            domain,
+            hostedZoneId,
+            region: 'us-east-1', // CF requires certificates to be in this region
+        }, { parent: this });
+    }
+    createDistribution({ origins, defaultCache, orderedCaches, domain, certificate, certificateValidation, defaultRootObject, tags, }) {
+        return new aws.cloudfront.Distribution(`${this.name}-distribution`, Object.assign(Object.assign(Object.assign(Object.assign(Object.assign({ enabled: true, isIpv6Enabled: true, waitForDeployment: true, httpVersion: 'http2and3' }, (defaultRootObject && { defaultRootObject })), (certificate
+            ? {
+                aliases: domain
+                    ? [domain]
+                    : pulumi
+                        .all([
+                        certificate.domainName,
+                        certificate.subjectAlternativeNames,
+                    ])
+                        .apply(([dn, sans = []]) => [...new Set([dn, ...sans])]),
+                viewerCertificate: {
+                    acmCertificateArn: certificate.arn,
+                    sslSupportMethod: 'sni-only',
+                    minimumProtocolVersion: 'TLSv1.2_2021',
+                },
+            }
+            : {
+                viewerCertificate: {
+                    cloudfrontDefaultCertificate: true,
+                },
+            })), { origins, defaultCacheBehavior: defaultCache }), (orderedCaches && { orderedCacheBehaviors: orderedCaches })), { priceClass: 'PriceClass_100', restrictions: {
+                geoRestriction: { restrictionType: 'none' },
+            }, tags: Object.assign(Object.assign({}, common_tags_1.commonTags), tags) }), Object.assign({ parent: this, aliases: [{ name: `${this.name}-cloudfront` }] }, (certificateValidation
+            ? { dependsOn: [certificateValidation] }
+            : undefined)));
+    }
+    createAliasRecord({ hostedZoneId, }) {
+        return this.distribution.aliases.apply(aliases => aliases === null || aliases === void 0 ? void 0 : aliases.map((alias, index) => new aws.route53.Record(`${this.name}-cloudfront-alias-record-${index}`, {
+            type: 'A',
+            name: alias,
+            zoneId: hostedZoneId,
+            aliases: [
+                {
+                    name: this.distribution.domainName,
+                    zoneId: this.distribution.hostedZoneId,
+                    evaluateTargetHealth: true,
+                },
+            ],
+        }, {
+            parent: this,
+            aliases: [{ name: `${this.name}-cdn-route53-record` }],
+        })));
+    }
+}
+exports.CloudFront = CloudFront;
+(function (CloudFront) {
+    let BehaviorType;
+    (function (BehaviorType) {
+        BehaviorType["S3"] = "s3";
+        BehaviorType["LB"] = "lb";
+        BehaviorType["CUSTOM"] = "custom";
+    })(BehaviorType = CloudFront.BehaviorType || (CloudFront.BehaviorType = {}));
+})(CloudFront || (exports.CloudFront = CloudFront = {}));
+function isDefaultBehavior(value) {
+    return value.pathPattern === '*' || value.pathPattern === '/*';
+}
+function isS3BehaviorType(value) {
+    return value.type === CloudFront.BehaviorType.S3;
+}
+function isLbBehaviorType(value) {
+    return value.type === CloudFront.BehaviorType.LB;
+}
+function isCustomBehaviorType(value) {
+    return value.type === CloudFront.BehaviorType.CUSTOM;
+}
+function getOriginWithDefaults({ originId, domainName, customOriginConfig, }) {
+    return {
+        originId,
+        domainName,
+        customOriginConfig: Object.assign({ originProtocolPolicy: 'https-only', httpPort: 80, httpsPort: 443, originSslProtocols: ['TLSv1.2'] }, customOriginConfig),
+    };
+}

package/dist/components/cloudfront/lb-cache-strategy.d.ts

@@ -0,0 +1,21 @@
+import * as aws from '@pulumi/aws-v7';
+import * as pulumi from '@pulumi/pulumi';
+import { CacheStrategy } from './types';
+export declare namespace LbCacheStrategy {
+    type Args = {
+        pathPattern: string;
+        loadBalancer: pulumi.Input<aws.lb.LoadBalancer>;
+    };
+}
+export declare class LbCacheStrategy extends pulumi.ComponentResource implements CacheStrategy {
+    name: string;
+    pathPattern: string;
+    config: aws.types.input.cloudfront.DistributionDefaultCacheBehavior;
+    cachePolicy: aws.cloudfront.CachePolicy;
+    responseHeadersPolicy: aws.cloudfront.ResponseHeadersPolicy;
+    constructor(name: string, args: LbCacheStrategy.Args, opts?: pulumi.ComponentResourceOptions);
+    private createCachePolicy;
+    private createResponseHeadersPolicy;
+    getPathConfig(): aws.types.input.cloudfront.DistributionOrderedCacheBehavior;
+}
+//# sourceMappingURL=lb-cache-strategy.d.ts.map

package/dist/components/cloudfront/lb-cache-strategy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lb-cache-strategy.d.ts","sourceRoot":"","sources":["../../../src/components/cloudfront/lb-cache-strategy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAC;AACtC,OAAO,KAAK,MAAM,MAAM,gBAAgB,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAExC,yBAAiB,eAAe,CAAC;IAC/B,KAAY,IAAI,GAAG;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC;KACjD,CAAC;CACH;AAED,qBAAa,eACX,SAAQ,MAAM,CAAC,iBACf,YAAW,aAAa;IAExB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,gCAAgC,CAAC;IACpE,WAAW,EAAE,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC;IACxC,qBAAqB,EAAE,GAAG,CAAC,UAAU,CAAC,qBAAqB,CAAC;gBAG1D,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,eAAe,CAAC,IAAI,EAC1B,IAAI,GAAE,MAAM,CAAC,wBAA6B;IAoC5C,OAAO,CAAC,iBAAiB;IAyBzB,OAAO,CAAC,2BAA2B;IAsC5B,aAAa,IAAI,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,gCAAgC;CAMpF"}

package/dist/components/cloudfront/lb-cache-strategy.js

@@ -0,0 +1,93 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LbCacheStrategy = void 0;
+const aws = require("@pulumi/aws-v7");
+const pulumi = require("@pulumi/pulumi");
+class LbCacheStrategy extends pulumi.ComponentResource {
+    constructor(name, args, opts = {}) {
+        super('studion:cloudfront:LbCacheStrategy', name, args, opts);
+        this.name = name;
+        const { pathPattern, loadBalancer } = args;
+        this.pathPattern = pathPattern;
+        this.cachePolicy = this.createCachePolicy();
+        this.responseHeadersPolicy = this.createResponseHeadersPolicy();
+        this.config = {
+            targetOriginId: pulumi.output(loadBalancer).apply(lb => lb.arn),
+            viewerProtocolPolicy: 'redirect-to-https',
+            allowedMethods: [
+                'GET',
+                'HEAD',
+                'OPTIONS',
+                'PUT',
+                'POST',
+                'PATCH',
+                'DELETE',
+            ],
+            cachedMethods: ['GET', 'HEAD', 'OPTIONS'],
+            compress: true,
+            cachePolicyId: this.cachePolicy.id,
+            originRequestPolicyId: aws.cloudfront
+                .getOriginRequestPolicyOutput({ name: 'Managed-AllViewer' })
+                .apply(policy => policy.id),
+            responseHeadersPolicyId: this.responseHeadersPolicy.id,
+        };
+        this.registerOutputs();
+    }
+    createCachePolicy() {
+        return new aws.cloudfront.CachePolicy(`${this.name}-cache-policy`, {
+            defaultTtl: 0,
+            minTtl: 0,
+            maxTtl: 3600, // 1 hour
+            parametersInCacheKeyAndForwardedToOrigin: {
+                cookiesConfig: {
+                    cookieBehavior: 'none',
+                },
+                headersConfig: {
+                    headerBehavior: 'none',
+                },
+                queryStringsConfig: {
+                    queryStringBehavior: 'all',
+                },
+                enableAcceptEncodingGzip: true,
+                enableAcceptEncodingBrotli: true,
+            },
+        }, { parent: this });
+    }
+    createResponseHeadersPolicy() {
+        return new aws.cloudfront.ResponseHeadersPolicy(`${this.name}-res-headers-policy`, {
+            customHeadersConfig: {
+                items: [
+                    {
+                        header: 'Cache-Control',
+                        value: 'no-store',
+                        override: false,
+                    },
+                ],
+            },
+            securityHeadersConfig: {
+                contentTypeOptions: {
+                    override: true,
+                },
+                frameOptions: {
+                    frameOption: 'SAMEORIGIN',
+                    override: false,
+                },
+                referrerPolicy: {
+                    referrerPolicy: 'strict-origin-when-cross-origin',
+                    override: false,
+                },
+                // instruct browsers to only use HTTPS
+                strictTransportSecurity: {
+                    accessControlMaxAgeSec: 31536000, // 1 year
+                    includeSubdomains: true,
+                    preload: true,
+                    override: true,
+                },
+            },
+        }, { parent: this });
+    }
+    getPathConfig() {
+        return Object.assign({ pathPattern: this.pathPattern }, this.config);
+    }
+}
+exports.LbCacheStrategy = LbCacheStrategy;

package/dist/components/cloudfront/s3-cache-strategy.d.ts

@@ -0,0 +1,21 @@
+import * as aws from '@pulumi/aws-v7';
+import * as pulumi from '@pulumi/pulumi';
+import { CacheStrategy } from './types';
+export declare namespace S3CacheStrategy {
+    type Args = {
+        pathPattern: string;
+        bucket: pulumi.Input<aws.s3.Bucket>;
+    };
+}
+export declare class S3CacheStrategy extends pulumi.ComponentResource implements CacheStrategy {
+    name: string;
+    pathPattern: string;
+    config: aws.types.input.cloudfront.DistributionDefaultCacheBehavior;
+    cachePolicy: aws.cloudfront.CachePolicy;
+    responseHeadersPolicy: aws.cloudfront.ResponseHeadersPolicy;
+    constructor(name: string, args: S3CacheStrategy.Args, opts?: pulumi.ComponentResourceOptions);
+    private createCachePolicy;
+    private createResponseHeadersPolicy;
+    getPathConfig(): aws.types.input.cloudfront.DistributionOrderedCacheBehavior;
+}
+//# sourceMappingURL=s3-cache-strategy.d.ts.map

package/dist/components/cloudfront/s3-cache-strategy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"s3-cache-strategy.d.ts","sourceRoot":"","sources":["../../../src/components/cloudfront/s3-cache-strategy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAC;AACtC,OAAO,KAAK,MAAM,MAAM,gBAAgB,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAExC,yBAAiB,eAAe,CAAC;IAC/B,KAAY,IAAI,GAAG;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC;KACrC,CAAC;CACH;AAED,qBAAa,eACX,SAAQ,MAAM,CAAC,iBACf,YAAW,aAAa;IAExB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,gCAAgC,CAAC;IACpE,WAAW,EAAE,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC;IACxC,qBAAqB,EAAE,GAAG,CAAC,UAAU,CAAC,qBAAqB,CAAC;gBAG1D,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,eAAe,CAAC,IAAI,EAC1B,IAAI,GAAE,MAAM,CAAC,wBAA6B;IAyB5C,OAAO,CAAC,iBAAiB;IAyBzB,OAAO,CAAC,2BAA2B;IAkCnC,aAAa,IAAI,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,gCAAgC;CAM7E"}

package/dist/components/cloudfront/s3-cache-strategy.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.S3CacheStrategy = void 0;
+const aws = require("@pulumi/aws-v7");
+const pulumi = require("@pulumi/pulumi");
+class S3CacheStrategy extends pulumi.ComponentResource {
+    constructor(name, args, opts = {}) {
+        super('studion:cloudfront:S3CacheStrategy', name, args, opts);
+        this.name = name;
+        const { pathPattern, bucket } = args;
+        this.pathPattern = pathPattern;
+        this.cachePolicy = this.createCachePolicy();
+        this.responseHeadersPolicy = this.createResponseHeadersPolicy();
+        this.config = {
+            targetOriginId: pulumi.output(bucket).apply(b => b.arn),
+            viewerProtocolPolicy: 'redirect-to-https',
+            allowedMethods: ['GET', 'HEAD'],
+            cachedMethods: ['GET', 'HEAD'],
+            compress: true,
+            cachePolicyId: this.cachePolicy.id,
+            responseHeadersPolicyId: this.responseHeadersPolicy.id,
+        };
+        this.registerOutputs();
+    }
+    createCachePolicy() {
+        return new aws.cloudfront.CachePolicy(`${this.name}-cache-policy`, {
+            defaultTtl: 86400, // 1 day
+            minTtl: 60, // 1 minute
+            maxTtl: 31536000, // 1 year
+            parametersInCacheKeyAndForwardedToOrigin: {
+                cookiesConfig: {
+                    cookieBehavior: 'none',
+                },
+                headersConfig: {
+                    headerBehavior: 'none',
+                },
+                queryStringsConfig: {
+                    queryStringBehavior: 'none',
+                },
+                enableAcceptEncodingGzip: true,
+                enableAcceptEncodingBrotli: true,
+            },
+        }, { parent: this });
+    }
+    createResponseHeadersPolicy() {
+        return new aws.cloudfront.ResponseHeadersPolicy(`${this.name}-res-headers-policy`, {
+            customHeadersConfig: {
+                items: [
+                    {
+                        header: 'Cache-Control',
+                        value: 'no-cache',
+                        override: false,
+                    },
+                ],
+            },
+            securityHeadersConfig: {
+                contentTypeOptions: {
+                    override: true,
+                },
+                frameOptions: {
+                    frameOption: 'DENY',
+                    override: true,
+                },
+                // instruct browsers to only use HTTPS
+                strictTransportSecurity: {
+                    accessControlMaxAgeSec: 31536000, // 1 year
+                    includeSubdomains: true,
+                    preload: true,
+                    override: true,
+                },
+            },
+        }, { parent: this });
+    }
+    getPathConfig() {
+        return Object.assign({ pathPattern: this.pathPattern }, this.config);
+    }
+}
+exports.S3CacheStrategy = S3CacheStrategy;

package/dist/components/cloudfront/types.d.ts

@@ -0,0 +1,10 @@
+import * as aws from '@pulumi/aws-v7';
+export interface CacheStrategy {
+    pathPattern: string;
+    config: aws.types.input.cloudfront.DistributionDefaultCacheBehavior;
+    cachePolicy: aws.cloudfront.CachePolicy;
+    originRequestPolicy?: aws.cloudfront.OriginRequestPolicy;
+    responseHeadersPolicy?: aws.cloudfront.ResponseHeadersPolicy;
+    getPathConfig: () => aws.types.input.cloudfront.DistributionOrderedCacheBehavior;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/components/cloudfront/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/components/cloudfront/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAC;AAEtC,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,gCAAgC,CAAC;IACpE,WAAW,EAAE,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC;IACxC,mBAAmB,CAAC,EAAE,GAAG,CAAC,UAAU,CAAC,mBAAmB,CAAC;IACzD,qBAAqB,CAAC,EAAE,GAAG,CAAC,UAAU,CAAC,qBAAqB,CAAC;IAC7D,aAAa,EAAE,MAAM,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,gCAAgC,CAAC;CAClF"}