cdk-nuxt 2.14.0 → 2.18.1

package/LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2025 Ferdinand Frank
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

package/README.md

@@ -9,358 +9,196 @@
 
 Easily deploy Nuxt applications (Nuxt 3 and Nuxt 4) via CDK on AWS, including the following features:
 
-- Fast responses via [AWS Lambda](https://aws.amazon.com/lambda/)
-- Publicly available by a custom domain (or subdomain) via [Route53](https://aws.amazon.com/route53/) and [API Gateway](https://aws.amazon.com/api-gateway/)
-- Automatic redirects from HTTP to HTTPS via [CloudFront](https://aws.amazon.com/cloudfront/)
-- Automatic upload of the build files for CSR and static assets to [S3](https://aws.amazon.com/s3/) with optimized caching rules
-- Scheduled pings of the Nuxt app to keep the Lambda warm for fast responses via [EventBridge](https://aws.amazon.com/eventbridge/) rules
-- Automatic cleanup of outdated static assets and build files
-- Access logs analysis via [Athena](https://aws.amazon.com/athena/) for the Nuxt app's CloudFront distribution
+- ⚡ **Fast responses** via [AWS Lambda](https://aws.amazon.com/lambda/)
+- 🌐 **Custom domain** support via [Route53](https://aws.amazon.com/route53/) and [CloudFront](https://aws.amazon.com/cloudfront/)
+- 🔒 **Automatic HTTPS** with certificate management
+- 📦 **Optimized static asset** delivery via [S3](https://aws.amazon.com/s3/)
+- 🔥 **Lambda warming** via scheduled [EventBridge](https://aws.amazon.com/eventbridge/) pings
+- 🗑️ **Automatic cleanup** of outdated assets
+- 📊 **Access logs analysis** via [Athena](https://aws.amazon.com/athena/) ([docs](docs/ACCESS_LOGS.md))
+- 🛡️ **WAF integration** for security ([docs](docs/WAF.md))
+- ⚙️ **Flexible caching** configuration ([docs](docs/CACHING.md))
+
+## Quick Links
+
+- 📚 [Full Configuration Reference](docs/CONFIGURATION.md)
+- 🚀 [Deployment Guide](docs/DEPLOYMENT.md)
+- 🛡️ [WAF Documentation](docs/WAF.md)
+- 📊 [Access Logs Analysis](docs/ACCESS_LOGS.md)
+- 🔄 [Caching Configuration](docs/CACHING.md)
 
 ## Table of Contents
 
-- [Prerequisites](#prerequisites)
 - [Compatibility](#compatibility)
-- [Installation](#installation)
-- [Setup](#setup)
-- [Configuration](#configuration)
-- [Deployment](#deployment)
-- [Destroy the Stack](#destroy-the-stack)
-- [Reference: Created AWS Resources](#reference-created-aws-resources)
-- [Guidelines](#guidelines)
-
-## Prerequisites
-
-- You need an [AWS account](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/?nc1=h_ls) to create and deploy the required resources for the Nuxt app on AWS.
-- You can use your preferred package manager: pnpm, npm, or Yarn. The examples below show commands for each where relevant.
+- [Quick Start](#quick-start)
+- [AWS Resources Created](#aws-resources-created)
+- [Documentation](#documentation)
 
 ## Compatibility
 
-This package is compatible with the following Nuxt versions:
-- Nuxt 3 (latest stable)
-- Nuxt 4 (RC and stable)
+- ✅ Nuxt 3 (latest stable)
+- ✅ Nuxt 4 (RC and stable)
 
-Notes:
-- Make sure to set Nitro's preset to `aws-lambda` as shown below.
-- If you encounter any version-specific issues, please open an issue on GitHub.
+## Quick Start
 
-## Installation
+### 1. Installation
 
-This library ships compiled JS and small CLI helpers. To use it in your CDK app, install the following in your project by choosing your package manager:
+Install the package and its peer dependencies:
 
-Using pnpm:
 ```bash
-pnpm add -D cdk-nuxt aws-cdk@^2.214.0 aws-cdk-lib@^2.214.0 constructs@^10.4.2
-# If your CDK app is written in TypeScript:
-pnpm add -D typescript ts-node
-# Optional (only if you enable Access Logs Analysis):
-pnpm add -D @aws-cdk/aws-glue-alpha@2.214.0-alpha.0
-```
+# Using pnpm (recommended)
+pnpm add -D cdk-nuxt aws-cdk@^2.214.0 aws-cdk-lib@^2.214.0 constructs@^10.4.2 typescript ts-node
 
-Using npm:
-```bash
-npm install --save-dev cdk-nuxt aws-cdk@^2.214.0 aws-cdk-lib@^2.214.0 constructs@^10.4.2
-# If your CDK app is written in TypeScript:
-npm install --save-dev typescript ts-node
-# Optional (only if you enable Access Logs Analysis):
-npm install --save-dev @aws-cdk/aws-glue-alpha@2.214.0-alpha.0
+# Using npm
+npm install --save-dev cdk-nuxt aws-cdk@^2.214.0 aws-cdk-lib@^2.214.0 constructs@^10.4.2 typescript ts-node
+
+# Using yarn
+yarn add -D cdk-nuxt aws-cdk@^2.214.0 aws-cdk-lib@^2.214.0 constructs@^10.4.2 typescript ts-node
 ```
 
-Using Yarn:
+**Optional:** If you plan to enable Access Logs Analysis:
 ```bash
-yarn add -D cdk-nuxt aws-cdk@^2.214.0 aws-cdk-lib@^2.214.0 constructs@^10.4.2
-# If your CDK app is written in TypeScript:
-yarn add -D typescript ts-node
-# Optional (only if you enable Access Logs Analysis):
-yarn add -D @aws-cdk/aws-glue-alpha@2.214.0-alpha.0
+pnpm add -D @aws-cdk/aws-glue-alpha@2.214.0-alpha.0
 ```
 
-## Setup
-
-1. Set the Nitro preset on your Nuxt configuration file (`nuxt.config.js`) to `aws-lambda`:
-    ```js
-    export default defineNuxtConfig({
-        ...
-        nitro: {
-            preset: 'aws-lambda'
-        },
-        ...      
-    });
-    ```
-   See https://nitro.unjs.io/deploy/providers/aws for more details.
-2. Remove `"type": "module"` from your `package.json` file, if it exists.
-   This is required to make the CDK stack work. Click [here](https://github.com/ferdinandfrank/cdk-nuxt/issues/3) for details. 
-3. [Create an AWS account](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/?nc1=h_ls), if you don't have one yet. Then login into the AWS console and note the `Account ID`. You will need it in step 7.
-4. [Create a hosted zone in Route53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/AboutHZWorkingWith.html) for the desired domain, if you don't have one yet.<br/>This is required to create DNS records for the domain to make the Nuxt app publicly available on that domain.<br/>On the hosted zone details you should see the `Hosted zone ID` of the hosted zone. You will need it in step 7.
-5. [Request a public **regional** certificate in the AWS Certificate Manager (ACM)](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) for the desired domain in your desired region, e.g., `eu-central-1`, and validate it, if you don't have one yet.<br/>This is required to make the Nuxt app accessible via the custom domain and to provide the custom domain to the Nuxt app via the 'Host' header for server side rendering use cases.<br/>Take note of the displayed `ARN` for the certificate. You will need it in step 7.
-6. [Request a public **global** certificate in the AWS Certificate Manager (ACM)](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) for the desired domain in `us-east-1` (**global**) and validate it, if you don't have one yet.<br/>This is required to provide the Nuxt app via HTTPS on the public internet.<br/>Take note of the displayed `ARN` for the certificate. You will need it in step 7.<br/>**Important: The certificate must be issued in us-east-1 (global) regardless of the region used for the Nuxt app itself as it will be attached to the Cloudfront distribution which works globally.**
-7. Run the following command to automatically create the required CDK stack entrypoint at `stack/index.ts`. This file defines the config how the Nuxt app will be deployed via CDK. You should adapt the file to the project's needs, especially the props `env.account` (setup step 3), `hostedZoneId` (setup step 4), `regionalTlsCertificateArn` (setup step 5) and `globalTlsCertificateArn` (setup step 6).
-
-   ```bash
-   node_modules/.bin/cdk-nuxt-init-server
-   ```
-
-   > :warning: It's recommended using a `.env` file or another secrets file to import the sensitive secrets into the `stack/index.ts` file.
-
-## Configuration
-
-The `NuxtServerAppStack` construct can be configured via the following props:
-
-### project: string
-A string identifier for the project the Nuxt app is part of.
-A project might have multiple different services.
-
-### service: string
-A string identifier for the project's service the Nuxt app is created for.
-This can be seen as the name of the Nuxt app.
-
-### environment: string
-A string to identify the environment of the Nuxt app. This enables us
-to deploy multiple different environments of the same Nuxt app, e.g., production and development.
-
-### domain: string
-The domain (without the protocol) at which the Nuxt app shall be publicly available.
-A DNS record will be automatically created in Route53 for the domain.
-This also supports subdomains.
-Examples: "example.com", "sub.example.com"
-
-### hostedZoneId: string
-The id of the hosted zone to create a DNS record for the specified domain.
-
-### globalTlsCertificateArn: string
-The ARN of the certificate to use on CloudFront for the Nuxt app to make it accessible via HTTPS.
-The certificate must be issued for the specified domain in us-east-1 (global) regardless of the
-region specified via 'env.region' as CloudFront only works globally.
-
-### regionalTlsCertificateArn: string
-The ARN of the certificate to use at the ApiGateway for the Nuxt app to make it accessible via the custom domain
-and to provide the custom domain to the Nuxt app via the 'Host' header for server side rendering use cases.
-The certificate must be issued in the same region as specified via 'env.region' as ApiGateway works regionally.
-
-### rootDir?: string;
-The path to the root directory of the Nuxt app (at which the `nuxt.config.ts` file is located).
-Defaults to '.'.
-
-### entrypoint?: string
-The file name (without extension) of the Lambda entrypoint within the 'server' directory exporting a handler.
-Defaults to "index".
-
-### entrypointEnv?: string
-A JSON serialized string of environment variables to pass to the Lambda function.
-
-### memorySize?: number
-The memory size to apply to the Nuxt app's Lambda.
-Defaults to 1792MB (optimized for costs and performance for standard Nuxt apps).
-
-### enableTracing?: boolean
-Whether to enable AWS X-Ray for the Nuxt Lambda function.
-
-### enableApi?: boolean
-Whether to enable (HTTPS only) API access to the Nuxt app via the `/api` path which support all HTTP methods. 
-See https://nuxt.com/docs/guide/directory-structure/server#recipes for details.
-
-### enableSitemap?: boolean
-Whether to enable a global Sitemap bucket which is permanently accessible through multiple deployments.
-
-### enableAccessLogsAnalysis?: boolean
-Whether to enable access logs analysis for the Nuxt app's CloudFront distribution via Athena.
-
-### accessLogCookies?: string[]
-An array of cookies to include for reporting in the access logs analysis.
-Only has an effect when `enableAccessLogsAnalysis` is set to `true`.
-
-### outdatedAssetsRetentionDays?: number
-The number of days to retain static assets of outdated deployments in the S3 bucket.
-Useful to allow users to still access old assets after a new deployment when they are still browsing on an old version.
-Defaults to 30 days.
+### 2. Configure Nuxt
 
-### forwardHeaders?: string[]
-An array of HTTP headers to forward to the Nuxt app on origin requests without affecting the cache key at CloudFront edge locations.
-This should only be used for headers that do not affect the response.
+Set the Nitro preset in your `nuxt.config.ts`:
 
-No headers are forwarded by default.
-
-### cacheKeyHeaders?: string[]
-An array of HTTP headers to forward to the Nuxt app and to include in the cache key for objects that are cached at CloudFront edge locations.
-This should be used for headers that might affect the response, e.g., 'Authorization'.
-
-No headers are forwarded or included in the cache key by default.
-
-### forwardCookies?: string[]
-An array of cookies to forward to the Nuxt app on origin requests without affecting the cache key at CloudFront edge locations.
-This should only be used for cookies that do not affect the response.
+```typescript
+export default defineNuxtConfig({
+  nitro: {
+    preset: 'aws-lambda'
+  },
+});
+```
 
-No cookies are forwarded by default.
+**Important:** Remove `"type": "module"` from your `package.json` if present ([why?](https://github.com/ferdinandfrank/cdk-nuxt/issues/3)).
 
-### cacheKeyCookies?: string[]
-An array of cookies to forward to the Nuxt app and to include in the cache key for objects that are cached at CloudFront edge locations.
-This should be used for cookies that might affect the response, e.g., authentication cookies.
+### 3. AWS Prerequisites
 
-No cookies are forwarded or included in the cache key by default.
+Before deployment, you need:
 
-### forwardQueryParams?: string[]
-An array of query params to forward to the Nuxt app on origin requests without affecting the cache key at CloudFront edge locations.
-This should only be used for query params that do not affect the response and are required on SSR requests.
+1. **AWS Account** - [Create one](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/) if you don't have one
+2. **Route53 Hosted Zone** - For your domain ([guide](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/AboutHZWorkingWith.html))
+3. **SSL Certificates** - Two certificates for HTTPS:
+   - **Global certificate** (us-east-1) for CloudFront ([request](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html))
+   - **Regional certificate** (your region) for API Gateway ([request](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html))
 
-All query params are forwarded by default.
+### 4. Initialize CDK Stack
 
-### cacheKeyQueryParams?: string[]
-An array of query params to forward to the Nuxt app and to include in the cache key for objects that are cached at CloudFront edge locations.
-This should be used for query params that affect the response and are required on SSR requests, e.g., filters.
+Generate the CDK stack configuration:
 
-All query params are forwarded and included in the cache key by default.
+```bash
+node_modules/.bin/cdk-nuxt-init-server
+```
 
-### denyCacheKeyQueryParams?: string[]
-An array of query params to prevent forwarding to the Nuxt app and to not include in the cache key for objects that are cached at CloudFront edge locations.
-When set, all query params that are not specified in this array will be forwarded to the Nuxt app and included in the cache key.
-This should be used for query params that do not affect the response and are not required on SSR requests, e.g., 'fbclid' or 'utm_campaign'.
+This creates `stack/index.ts` with a complete template including all available configuration options with sensible defaults.
 
-If both `cacheKeyQueryParams` and `denyCacheKeyQueryParams` are specified, the `denyCacheKeyQueryParams` will be ignored.
-All query params are forwarded and included in the cache key by default.
+**Update the following required values:**
+- `env.account` and `env.region` - Your AWS account and region
+- `project`, `service`, `environment` - Identifiers for your app
+- `domain` - Your custom domain
+- `hostedZoneId` - Your Route53 hosted zone ID  
+- `globalTlsCertificateArn` - Certificate in us-east-1 for CloudFront
+- `regionalTlsCertificateArn` - Certificate in your region for API Gateway
 
+The full template can also be viewed here: [lib/templates/stack-index-server.ts](lib/templates/stack-index-server.ts)
 
-## Deployment
+For a complete list of all configuration options, see the [Configuration Reference](docs/CONFIGURATION.md).
 
-After the installation and the setup, you are already good to go to build the Nuxt app and to deploy it to AWS with this package
-by following the steps below:
+> 💡 **Tip:** Use environment variables or a `.env` file to store sensitive values like certificate ARNs and AWS account IDs.
 
-### 1. Bootstrap CDK
-Deploying stacks with the AWS CDK requires dedicated Amazon S3 buckets and other containers to be available to AWS CloudFormation during deployment. 
-Creating this is called bootstrapping and is **only required once** per account and region. 
-To bootstrap, run the following command:
+### 5. Bootstrap and Deploy
 
+First-time setup (once per AWS account/region):
 ```bash
-cdk bootstrap aws://ACCOUNT-NUMBER/REGION
+cdk bootstrap aws://YOUR_ACCOUNT_ID/YOUR_REGION
 ```
 
-See https://docs.aws.amazon.com/cdk/v2/guide/getting_started.html for details.
-
-### 2. Build and Deploy
-
-By running the following script, the Nuxt app will be built (using your package manager's `build` script)
-and the CDK stack will be deployed to AWS.
-
+Deploy your app:
 ```bash
 node_modules/.bin/cdk-nuxt-deploy-server
 ```
 
-Alternatively, you can run the following commands separately to customize the deployment process. Choose your package manager:
+That's it! Your Nuxt app is now live on AWS. 🎉
+
+For detailed deployment options and CI/CD setup, see the [Deployment Guide](docs/DEPLOYMENT.md).
+
+## AWS Resources Created
+
+When you deploy your Nuxt app, the following AWS resources are automatically created:
+
+- **Lambda Functions:**
+  - Main SSR function for rendering your Nuxt app
+  - Lambda Layer for node_modules
+  - Cleanup function for outdated assets
+
+- **S3 Buckets:**
+  - Static assets bucket (`.nuxt/dist/client`)
+  - Access logs bucket (if enabled)
+  
+- **CloudFront:**
+  - Global CDN distribution with HTTPS
+  - Optimized cache behaviors for static and dynamic content
+  
+- **API Gateway:**
+  - HTTP API for Lambda function access
+  - Custom domain configuration
+  
+- **Route53:**
+  - DNS records (A and AAAA) for your domain
+  
+- **EventBridge Rules:**
+  - Lambda warming (every 5 minutes)
+  - Asset cleanup (weekly, Tuesdays at 03:30 GMT)
+  
+- **Athena (optional):**
+  - Database and tables for access log analysis
+  - Automatic log partitioning
+
+- **WAF (optional):**
+  - Web Application Firewall for CloudFront distribution
+  - Protection against common web exploits, bots, and DDoS attacks
+  - Configurable managed rules and rate limiting
+
+For more details on each resource and their configuration, see the [Deployment Guide](docs/DEPLOYMENT.md).
+
+## Documentation
+
+### Getting Started
+- [Quick Start](#quick-start) - Get up and running quickly
+- [Deployment Guide](docs/DEPLOYMENT.md) - Detailed deployment instructions, CI/CD setup
+- [Configuration Reference](docs/CONFIGURATION.md) - Complete list of all configuration options
+
+### Features
+- [WAF Integration](docs/WAF.md) - Protect your app with AWS WAF
+- [Access Logs Analysis](docs/ACCESS_LOGS.md) - Analyze traffic with Athena
+- [Caching Configuration](docs/CACHING.md) - Optimize performance with CloudFront caching
+
+### Advanced
+- [Destroy the Stack](#destroy-the-stack) - Clean up resources
 
-Using pnpm:
-```bash
-pnpm build
-pnpm cdk deploy --require-approval never --all --app="pnpm ts-node stack/index.ts"
-```
+## Destroy the Stack
 
-Using npm:
-```bash
-npm run build
-npx cdk deploy --require-approval never --all --app="npx ts-node stack/index.ts"
-```
+To completely remove all AWS resources created by this package:
 
-Using Yarn:
 ```bash
-yarn build
-yarn cdk deploy --require-approval never --all --app="yarn ts-node stack/index.ts"
+node_modules/.bin/cdk-nuxt-destroy-server
 ```
 
-#### Deploy with a custom TypeScript configuration
-Depending on your Nuxt app's TypeScript configuration and the setup of your stack, you might need a different TypeScript configuration for the CDK stack.
-You can do so by creating a `tsconfig.cdk.json` file in the root directory of your project and adjust the deployment command accordingly (choose your package manager):
+⚠️ **Warning:** This permanently deletes all resources including S3 buckets and logs. This action cannot be undone.
 
-Using pnpm:
-```bash
-pnpm build
-pnpm cdk deploy --require-approval never --all --app="pnpm ts-node --project=tsconfig.cdk.json stack/index.ts"
-```
+## Contributing
 
-Using npm:
-```bash
-npm run build
-npx cdk deploy --require-approval never --all --app="npx ts-node --project=tsconfig.cdk.json stack/index.ts"
-```
+Contributions are welcome! Please feel free to submit a Pull Request.
 
-Using Yarn:
-```bash
-yarn build
-yarn cdk deploy --require-approval never --all --app="yarn ts-node --project=tsconfig.cdk.json stack/index.ts"
-```
+## License
 
-## Destroy the Stack
-
-If you want to destroy the stack and all its resources (including storage, e.g., access logs), run the following script:
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
 
-```bash
-node_modules/.bin/cdk-nuxt-destroy-server
-```
+## Support
 
-## Reference: Created AWS Resources
-
-In the following, you can find an overview of the AWS resources that will be created by this package for reference.
-
-### NuxtServerAppStack
-
-This stack is responsible for deploying dynamic Nuxt apps to AWS.
-This stack will create the following AWS resources:
-
-- [Lambda](https://aws.amazon.com/lambda/):
-    - A Lambda function to render the Nuxt app including a separated Lambda layer to provide the `node_modules` of the Nuxt app required for server-side rendering.
-    - A Lambda function that deletes the outdated static assets of the Nuxt app from S3.
-- [S3](https://aws.amazon.com/s3/):
-    - A bucket to store the client files and static assets of the Nuxt build (`.nuxt/dist/client`) with optimized cache settings.
-    - A bucket to store the CloudFront access logs for analysis via Athena. Only created if `enableAccessLogsAnalysis` is set to `true`.
-- [Route53](https://aws.amazon.com/route53/): Two DNS records (`A` for IPv4 and `AAAA` for IPv6) in the configured hosted zone to make the Nuxt app available on the internet via the configured custom domain.
-- [API Gateway](https://aws.amazon.com/api-gateway/): An HTTP API to make the Nuxt Lambda function publicly available.
-- [CloudFront](https://aws.amazon.com/cloudfront/): A distribution to route incoming requests to the Nuxt Lambda function (via the API Gateway) and the S3 bucket to serve the static assets for the Nuxt app.
-- [EventBridge](https://aws.amazon.com/eventbridge/):
-    - A scheduled rule to ping the Nuxt app's Lambda function every 5 minutes in order to keep it warm and to speed up initial SSR requests.
-    - A scheduled rule to trigger the cleanup Lambda function for deleting the outdated static assets of the Nuxt app from S3 every tuesday at 03:30 AM GMT.
-- [Athena](https://aws.amazon.com/athena/): A database and table to analyze the access logs of the Nuxt app's CloudFront distribution. Only created if `enableAccessLogsAnalysis` is set to `true`.
-
-## Guidelines
-
-In the following, you can find some guidelines for the deployment and usages of this package.
-
-### Automatically deploy on every push (CD) via [GitHub Actions](https://github.com/features/actions)
-
-Feel free to copy the following GitHub Actions YAML file content into a YAML file at `.github/workflows/deploy.yml` to automatically build and deploy the Nuxt app to AWS on every push to a specific branch.<br/>This only works if you're using GitHub for the project's VCS repository.
-
-```yaml
-name: Deploy
-
-on:
-  push:
-    branches:
-      - master # Feel free to use another branch name
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout source code
-        uses: actions/checkout@v4
-        
-      # Enable if using Yarn >= 2  
-      # - name: Enable Corepack for Yarn
-      #   run: corepack enable
-
-      - name: Configure Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-          cache: 'pnpm' # or 'yarn' or 'npm'
-
-      - name: Install dependencies
-        run: |
-          pnpm install --frozen-lockfile
-          # or: npm ci
-          # or: yarn install --frozen-lockfile # or `yarn install --immutable` for Yarn >= 2
-
-      - name: Build and deploy to AWS
-        run: node_modules/.bin/cdk-nuxt-deploy-server # Or run a customized deployment, see 'Build and Deploy' section
-        env:
-           # Create an IAM user on AWS for the deployment and create the appropriate secrets in the GitHub repository secrets
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
-```
+- 📖 [Documentation](docs/)
+- 🐛 [Issue Tracker](https://github.com/ferdinandfrank/cdk-nuxt/issues)
+- 💬 [Discussions](https://github.com/ferdinandfrank/cdk-nuxt/discussions)

package/index.d.ts

@@ -1,3 +1,6 @@
 export { NuxtServerAppStack } from "./lib/stack/server/NuxtServerAppStack";
 export { NuxtServerAppStackProps } from "./lib/stack/server/NuxtServerAppStackProps";
+export type { WafConfig } from "./lib/stack/waf/WafConfig";
+export { DEFAULT_NUXT_WAF_CONFIG } from "./lib/stack/waf/WafConfig";
+export { CloudFrontWebAcl } from "./lib/stack/waf/CloudFrontWebAcl";
 export { App } from "aws-cdk-lib";

package/index.js

@@ -1,8 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.App = exports.NuxtServerAppStack = void 0;
+exports.App = exports.CloudFrontWebAcl = exports.DEFAULT_NUXT_WAF_CONFIG = exports.NuxtServerAppStack = void 0;
 var NuxtServerAppStack_1 = require("./lib/stack/server/NuxtServerAppStack");
 Object.defineProperty(exports, "NuxtServerAppStack", { enumerable: true, get: function () { return NuxtServerAppStack_1.NuxtServerAppStack; } });
+var WafConfig_1 = require("./lib/stack/waf/WafConfig");
+Object.defineProperty(exports, "DEFAULT_NUXT_WAF_CONFIG", { enumerable: true, get: function () { return WafConfig_1.DEFAULT_NUXT_WAF_CONFIG; } });
+var CloudFrontWebAcl_1 = require("./lib/stack/waf/CloudFrontWebAcl");
+Object.defineProperty(exports, "CloudFrontWebAcl", { enumerable: true, get: function () { return CloudFrontWebAcl_1.CloudFrontWebAcl; } });
 var aws_cdk_lib_1 = require("aws-cdk-lib");
 Object.defineProperty(exports, "App", { enumerable: true, get: function () { return aws_cdk_lib_1.App; } });
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJpbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSw0RUFBd0U7QUFBaEUsd0hBQUEsa0JBQWtCLE9BQUE7QUFFMUIsMkNBQWdDO0FBQXhCLGtHQUFBLEdBQUcsT0FBQSIsInNvdXJjZXNDb250ZW50IjpbImV4cG9ydCB7TnV4dFNlcnZlckFwcFN0YWNrfSBmcm9tIFwiLi9saWIvc3RhY2svc2VydmVyL051eHRTZXJ2ZXJBcHBTdGFja1wiXG5leHBvcnQge051eHRTZXJ2ZXJBcHBTdGFja1Byb3BzfSBmcm9tIFwiLi9saWIvc3RhY2svc2VydmVyL051eHRTZXJ2ZXJBcHBTdGFja1Byb3BzXCJcbmV4cG9ydCB7QXBwfSBmcm9tIFwiYXdzLWNkay1saWJcIjsiXX0=
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyJpbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSw0RUFBd0U7QUFBaEUsd0hBQUEsa0JBQWtCLE9BQUE7QUFHMUIsdURBQWlFO0FBQXpELG9IQUFBLHVCQUF1QixPQUFBO0FBQy9CLHFFQUFpRTtBQUF6RCxvSEFBQSxnQkFBZ0IsT0FBQTtBQUN4QiwyQ0FBZ0M7QUFBeEIsa0dBQUEsR0FBRyxPQUFBIiwic291cmNlc0NvbnRlbnQiOlsiZXhwb3J0IHtOdXh0U2VydmVyQXBwU3RhY2t9IGZyb20gXCIuL2xpYi9zdGFjay9zZXJ2ZXIvTnV4dFNlcnZlckFwcFN0YWNrXCJcbmV4cG9ydCB7TnV4dFNlcnZlckFwcFN0YWNrUHJvcHN9IGZyb20gXCIuL2xpYi9zdGFjay9zZXJ2ZXIvTnV4dFNlcnZlckFwcFN0YWNrUHJvcHNcIlxuZXhwb3J0IHR5cGUge1dhZkNvbmZpZ30gZnJvbSBcIi4vbGliL3N0YWNrL3dhZi9XYWZDb25maWdcIlxuZXhwb3J0IHtERUZBVUxUX05VWFRfV0FGX0NPTkZJR30gZnJvbSBcIi4vbGliL3N0YWNrL3dhZi9XYWZDb25maWdcIlxuZXhwb3J0IHtDbG91ZEZyb250V2ViQWNsfSBmcm9tIFwiLi9saWIvc3RhY2svd2FmL0Nsb3VkRnJvbnRXZWJBY2xcIlxuZXhwb3J0IHtBcHB9IGZyb20gXCJhd3MtY2RrLWxpYlwiOyJdfQ==

package/lib/stack/server/NuxtServerAppStack.d.ts

@@ -87,6 +87,12 @@ export declare class NuxtServerAppStack extends Stack {
      * @private
      */
     private readonly cdn;
+    /**
+     * The AWS WAF Web ACL to protect the CloudFront distribution (optional).
+     *
+     * @private
+     */
+    private webAcl;
     constructor(scope: Construct, id: string, props: NuxtServerAppStackProps);
     /**
      * Creates the current deployment revision file in the public folder of the Nuxt app to be accessible
@@ -161,6 +167,12 @@ export declare class NuxtServerAppStack extends Stack {
      * Creates a behavior for the CloudFront distribution to route matching Nuxt app API requests to the API gateway.
      */
     private createApiRouteBehavior;
+    /**
+     * Creates behaviors for the CloudFront distribution to route specified path patterns to the SSR origin.
+     * This allows server endpoints that use file-like URLs (e.g., /sitemap.xml from @nuxtjs/sitemap)
+     * to be handled by the Lambda function for dynamic content generation.
+     */
+    private createServerRouteBehavior;
     /**
      * Creates a behavior for the CloudFront distribution to route matching incoming requests for the static assets
      * to the S3 bucket that holds these static assets.