sst 2.0.14 → 2.0.16
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/constructs/Auth.js +18 -12
- package/constructs/EdgeFunction.d.ts +2 -2
- package/constructs/EdgeFunction.js +21 -15
- package/constructs/SsrFunction.js +12 -6
- package/constructs/SsrSite.js +18 -13
- package/constructs/StaticSite.js +17 -11
- package/package.json +1 -1
- package/support/bridge/bridge.mjs +1 -1
package/constructs/Auth.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import * as ssm from "aws-cdk-lib/aws-ssm";
|
|
2
|
-
import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
|
|
2
|
+
import { Effect, Policy, PolicyStatement } from "aws-cdk-lib/aws-iam";
|
|
3
3
|
import { Construct } from "constructs";
|
|
4
4
|
import { Stack } from "./Stack.js";
|
|
5
5
|
import { ENVIRONMENT_PLACEHOLDER, getEnvironmentKey, getParameterPath, } from "./util/functionBinding.js";
|
|
@@ -37,7 +37,22 @@ export class Auth extends Construct {
|
|
|
37
37
|
this.id = id;
|
|
38
38
|
const stack = Stack.of(scope);
|
|
39
39
|
this.authenticator = props.authenticator;
|
|
40
|
-
new
|
|
40
|
+
const policy = new Policy(this, "CloudFrontInvalidatorPolicy", {
|
|
41
|
+
statements: [
|
|
42
|
+
new PolicyStatement({
|
|
43
|
+
actions: [
|
|
44
|
+
"ssm:GetParameter",
|
|
45
|
+
"ssm:PutParameter",
|
|
46
|
+
"ssm:DeleteParameter",
|
|
47
|
+
],
|
|
48
|
+
resources: [
|
|
49
|
+
`arn:${stack.partition}:ssm:${stack.region}:${stack.account}:parameter/*`,
|
|
50
|
+
],
|
|
51
|
+
}),
|
|
52
|
+
],
|
|
53
|
+
});
|
|
54
|
+
stack.customResourceHandler.role?.attachInlinePolicy(policy);
|
|
55
|
+
const resource = new CustomResource(this, "StackMetadata", {
|
|
41
56
|
serviceToken: stack.customResourceHandler.functionArn,
|
|
42
57
|
resourceType: "Custom::AuthKeys",
|
|
43
58
|
properties: {
|
|
@@ -45,16 +60,7 @@ export class Auth extends Construct {
|
|
|
45
60
|
privatePath: getParameterPath(this, PRIVATE_KEY_PROP),
|
|
46
61
|
},
|
|
47
62
|
});
|
|
48
|
-
|
|
49
|
-
actions: [
|
|
50
|
-
"ssm:GetParameter",
|
|
51
|
-
"ssm:PutParameter",
|
|
52
|
-
"ssm:DeleteParameter",
|
|
53
|
-
],
|
|
54
|
-
resources: [
|
|
55
|
-
`arn:${stack.partition}:ssm:${stack.region}:${stack.account}:parameter/*`,
|
|
56
|
-
],
|
|
57
|
-
}));
|
|
63
|
+
resource.node.addDependency(policy);
|
|
58
64
|
}
|
|
59
65
|
/** @internal */
|
|
60
66
|
getConstructMetadata() {
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { Construct, IConstruct } from "constructs";
|
|
2
|
-
import
|
|
2
|
+
import { Role } from "aws-cdk-lib/aws-iam";
|
|
3
3
|
import * as lambda from "aws-cdk-lib/aws-lambda";
|
|
4
4
|
import { Size } from "./util/size.js";
|
|
5
5
|
import { Duration } from "./util/duration.js";
|
|
@@ -23,7 +23,7 @@ export interface EdgeFunctionProps {
|
|
|
23
23
|
scopeOverride?: IConstruct;
|
|
24
24
|
}
|
|
25
25
|
export declare class EdgeFunction extends Construct {
|
|
26
|
-
role:
|
|
26
|
+
role: Role;
|
|
27
27
|
functionArn: string;
|
|
28
28
|
private scope;
|
|
29
29
|
private versionId;
|
|
@@ -3,7 +3,7 @@ import url from "url";
|
|
|
3
3
|
import path from "path";
|
|
4
4
|
import crypto from "crypto";
|
|
5
5
|
import { Construct } from "constructs";
|
|
6
|
-
import
|
|
6
|
+
import { Effect, Role, Policy, PolicyStatement, CompositePrincipal, ServicePrincipal, ManagedPolicy, } from "aws-cdk-lib/aws-iam";
|
|
7
7
|
import * as lambda from "aws-cdk-lib/aws-lambda";
|
|
8
8
|
import * as s3Assets from "aws-cdk-lib/aws-s3-assets";
|
|
9
9
|
import { Lazy, Duration as CdkDuration, CustomResource, } from "aws-cdk-lib";
|
|
@@ -95,10 +95,10 @@ ${exports}
|
|
|
95
95
|
createRole() {
|
|
96
96
|
const { permissions } = this.props;
|
|
97
97
|
// Create function role
|
|
98
|
-
const role = new
|
|
99
|
-
assumedBy: new
|
|
98
|
+
const role = new Role(this.scope, `ServerLambdaRole`, {
|
|
99
|
+
assumedBy: new CompositePrincipal(new ServicePrincipal("lambda.amazonaws.com"), new ServicePrincipal("edgelambda.amazonaws.com")),
|
|
100
100
|
managedPolicies: [
|
|
101
|
-
|
|
101
|
+
ManagedPolicy.fromManagedPolicyArn(this, "EdgeLambdaPolicy", `arn:${Stack.of(this).partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole`),
|
|
102
102
|
],
|
|
103
103
|
});
|
|
104
104
|
// Attach permission
|
|
@@ -150,6 +150,16 @@ ${exports}
|
|
|
150
150
|
// They need to be replaced with real values before the Lambda
|
|
151
151
|
// functions get deployed.
|
|
152
152
|
const stack = Stack.of(this);
|
|
153
|
+
const policy = new Policy(this, "AssetReplacerPolicy", {
|
|
154
|
+
statements: [
|
|
155
|
+
new PolicyStatement({
|
|
156
|
+
effect: Effect.ALLOW,
|
|
157
|
+
actions: ["s3:GetObject", "s3:PutObject"],
|
|
158
|
+
resources: [`arn:${stack.partition}:s3:::${asset.s3BucketName}/*`],
|
|
159
|
+
}),
|
|
160
|
+
],
|
|
161
|
+
});
|
|
162
|
+
stack.customResourceHandler.role?.attachInlinePolicy(policy);
|
|
153
163
|
const resource = new CustomResource(this.scope, "AssetReplacer", {
|
|
154
164
|
serviceToken: stack.customResourceHandler.functionArn,
|
|
155
165
|
resourceType: "Custom::AssetReplacer",
|
|
@@ -159,11 +169,7 @@ ${exports}
|
|
|
159
169
|
replacements: this.getLambdaContentReplaceValues(),
|
|
160
170
|
},
|
|
161
171
|
});
|
|
162
|
-
|
|
163
|
-
effect: iam.Effect.ALLOW,
|
|
164
|
-
actions: ["s3:GetObject", "s3:PutObject"],
|
|
165
|
-
resources: [`arn:${stack.partition}:s3:::${asset.s3BucketName}/*`],
|
|
166
|
-
}));
|
|
172
|
+
resource.node.addDependency(policy);
|
|
167
173
|
return resource;
|
|
168
174
|
}
|
|
169
175
|
createSingletonBucketCR() {
|
|
@@ -183,8 +189,8 @@ ${exports}
|
|
|
183
189
|
timeout: CdkDuration.minutes(15),
|
|
184
190
|
memorySize: 1024,
|
|
185
191
|
initialPolicy: [
|
|
186
|
-
new
|
|
187
|
-
effect:
|
|
192
|
+
new PolicyStatement({
|
|
193
|
+
effect: Effect.ALLOW,
|
|
188
194
|
actions: ["s3:*"],
|
|
189
195
|
resources: ["*"],
|
|
190
196
|
}),
|
|
@@ -215,8 +221,8 @@ ${exports}
|
|
|
215
221
|
timeout: CdkDuration.minutes(15),
|
|
216
222
|
memorySize: 1024,
|
|
217
223
|
initialPolicy: [
|
|
218
|
-
new
|
|
219
|
-
effect:
|
|
224
|
+
new PolicyStatement({
|
|
225
|
+
effect: Effect.ALLOW,
|
|
220
226
|
actions: ["lambda:*", "s3:*"],
|
|
221
227
|
resources: ["*"],
|
|
222
228
|
}),
|
|
@@ -253,8 +259,8 @@ ${exports}
|
|
|
253
259
|
timeout: CdkDuration.minutes(15),
|
|
254
260
|
memorySize: 1024,
|
|
255
261
|
initialPolicy: [
|
|
256
|
-
new
|
|
257
|
-
effect:
|
|
262
|
+
new PolicyStatement({
|
|
263
|
+
effect: Effect.ALLOW,
|
|
258
264
|
actions: ["lambda:*"],
|
|
259
265
|
resources: ["*"],
|
|
260
266
|
}),
|
|
@@ -2,7 +2,7 @@ import url from "url";
|
|
|
2
2
|
import path from "path";
|
|
3
3
|
import spawn from "cross-spawn";
|
|
4
4
|
import { Construct } from "constructs";
|
|
5
|
-
import
|
|
5
|
+
import { Effect, Policy, PolicyStatement } from "aws-cdk-lib/aws-iam";
|
|
6
6
|
import * as logs from "aws-cdk-lib/aws-logs";
|
|
7
7
|
import * as lambda from "aws-cdk-lib/aws-lambda";
|
|
8
8
|
import * as s3Assets from "aws-cdk-lib/aws-s3-assets";
|
|
@@ -78,6 +78,16 @@ export class SsrFunction extends Construct {
|
|
|
78
78
|
// They need to be replaced with real values before the Lambda
|
|
79
79
|
// functions get deployed.
|
|
80
80
|
const stack = Stack.of(this);
|
|
81
|
+
const policy = new Policy(this, "AssetReplacerPolicy", {
|
|
82
|
+
statements: [
|
|
83
|
+
new PolicyStatement({
|
|
84
|
+
effect: Effect.ALLOW,
|
|
85
|
+
actions: ["s3:GetObject", "s3:PutObject"],
|
|
86
|
+
resources: [`arn:${stack.partition}:s3:::${asset.s3BucketName}/*`],
|
|
87
|
+
}),
|
|
88
|
+
],
|
|
89
|
+
});
|
|
90
|
+
stack.customResourceHandler.role?.attachInlinePolicy(policy);
|
|
81
91
|
const resource = new CustomResource(this, "AssetReplacer", {
|
|
82
92
|
serviceToken: stack.customResourceHandler.functionArn,
|
|
83
93
|
resourceType: "Custom::AssetReplacer",
|
|
@@ -87,11 +97,7 @@ export class SsrFunction extends Construct {
|
|
|
87
97
|
replacements: this.getLambdaContentReplaceValues(),
|
|
88
98
|
},
|
|
89
99
|
});
|
|
90
|
-
|
|
91
|
-
effect: iam.Effect.ALLOW,
|
|
92
|
-
actions: ["s3:GetObject", "s3:PutObject"],
|
|
93
|
-
resources: [`arn:${stack.partition}:s3:::${asset.s3BucketName}/*`],
|
|
94
|
-
}));
|
|
100
|
+
resource.node.addDependency(policy);
|
|
95
101
|
return resource;
|
|
96
102
|
}
|
|
97
103
|
getLambdaContentReplaceValues() {
|
package/constructs/SsrSite.js
CHANGED
|
@@ -8,7 +8,7 @@ import { execSync } from "child_process";
|
|
|
8
8
|
import { Construct } from "constructs";
|
|
9
9
|
import { Fn, Token, Duration as CdkDuration, CfnOutput, RemovalPolicy, CustomResource, } from "aws-cdk-lib";
|
|
10
10
|
import { Bucket } from "aws-cdk-lib/aws-s3";
|
|
11
|
-
import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
|
|
11
|
+
import { Effect, Policy, PolicyStatement } from "aws-cdk-lib/aws-iam";
|
|
12
12
|
import { Function, Code, Runtime, FunctionUrlAuthType, } from "aws-cdk-lib/aws-lambda";
|
|
13
13
|
import { HostedZone, ARecord, AaaaRecord, RecordTarget, } from "aws-cdk-lib/aws-route53";
|
|
14
14
|
import { Asset } from "aws-cdk-lib/aws-s3-assets";
|
|
@@ -100,8 +100,7 @@ export class SsrSite extends Construct {
|
|
|
100
100
|
: this.createCloudFrontDistributionForRegional();
|
|
101
101
|
this.distribution.node.addDependency(s3deployCR);
|
|
102
102
|
// Invalidate CloudFront
|
|
103
|
-
|
|
104
|
-
invalidationCR.node.addDependency(this.distribution);
|
|
103
|
+
this.createCloudFrontInvalidation();
|
|
105
104
|
// Connect Custom Domain to CloudFront Distribution
|
|
106
105
|
this.createRoute53Records();
|
|
107
106
|
}
|
|
@@ -553,6 +552,21 @@ export class SsrSite extends Construct {
|
|
|
553
552
|
}
|
|
554
553
|
createCloudFrontInvalidation() {
|
|
555
554
|
const stack = Stack.of(this);
|
|
555
|
+
const policy = new Policy(this, "CloudFrontInvalidatorPolicy", {
|
|
556
|
+
statements: [
|
|
557
|
+
new PolicyStatement({
|
|
558
|
+
effect: Effect.ALLOW,
|
|
559
|
+
actions: [
|
|
560
|
+
"cloudfront:GetInvalidation",
|
|
561
|
+
"cloudfront:CreateInvalidation",
|
|
562
|
+
],
|
|
563
|
+
resources: [
|
|
564
|
+
`arn:${stack.partition}:cloudfront::${stack.account}:distribution/${this.distribution.distributionId}`,
|
|
565
|
+
],
|
|
566
|
+
}),
|
|
567
|
+
],
|
|
568
|
+
});
|
|
569
|
+
stack.customResourceHandler.role?.attachInlinePolicy(policy);
|
|
556
570
|
const resource = new CustomResource(this, "CloudFrontInvalidator", {
|
|
557
571
|
serviceToken: stack.customResourceHandler.functionArn,
|
|
558
572
|
resourceType: "Custom::CloudFrontInvalidator",
|
|
@@ -563,16 +577,7 @@ export class SsrSite extends Construct {
|
|
|
563
577
|
waitForInvalidation: this.props.waitForInvalidation,
|
|
564
578
|
},
|
|
565
579
|
});
|
|
566
|
-
|
|
567
|
-
effect: Effect.ALLOW,
|
|
568
|
-
actions: [
|
|
569
|
-
"cloudfront:GetInvalidation",
|
|
570
|
-
"cloudfront:CreateInvalidation",
|
|
571
|
-
],
|
|
572
|
-
resources: [
|
|
573
|
-
`arn:${stack.partition}:cloudfront::${stack.account}:distribution/${this.distribution.distributionId}`,
|
|
574
|
-
],
|
|
575
|
-
}));
|
|
580
|
+
resource.node.addDependency(policy);
|
|
576
581
|
return resource;
|
|
577
582
|
}
|
|
578
583
|
/////////////////////
|
package/constructs/StaticSite.js
CHANGED
|
@@ -7,7 +7,7 @@ import { Construct } from "constructs";
|
|
|
7
7
|
import { Token, Duration, CfnOutput, RemovalPolicy, CustomResource, } from "aws-cdk-lib";
|
|
8
8
|
import * as s3 from "aws-cdk-lib/aws-s3";
|
|
9
9
|
import * as s3Assets from "aws-cdk-lib/aws-s3-assets";
|
|
10
|
-
import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
|
|
10
|
+
import { Effect, Policy, PolicyStatement } from "aws-cdk-lib/aws-iam";
|
|
11
11
|
import * as lambda from "aws-cdk-lib/aws-lambda";
|
|
12
12
|
import * as route53 from "aws-cdk-lib/aws-route53";
|
|
13
13
|
import * as route53Targets from "aws-cdk-lib/aws-route53-targets";
|
|
@@ -427,6 +427,21 @@ interface ImportMeta {
|
|
|
427
427
|
.createHash("md5")
|
|
428
428
|
.update(assets.map(({ assetHash }) => assetHash).join(""))
|
|
429
429
|
.digest("hex");
|
|
430
|
+
const policy = new Policy(this, "CloudFrontInvalidatorPolicy", {
|
|
431
|
+
statements: [
|
|
432
|
+
new PolicyStatement({
|
|
433
|
+
effect: Effect.ALLOW,
|
|
434
|
+
actions: [
|
|
435
|
+
"cloudfront:GetInvalidation",
|
|
436
|
+
"cloudfront:CreateInvalidation",
|
|
437
|
+
],
|
|
438
|
+
resources: [
|
|
439
|
+
`arn:${stack.partition}:cloudfront::${stack.account}:distribution/${this.distribution.distributionId}`,
|
|
440
|
+
],
|
|
441
|
+
}),
|
|
442
|
+
],
|
|
443
|
+
});
|
|
444
|
+
stack.customResourceHandler.role?.attachInlinePolicy(policy);
|
|
430
445
|
const resource = new CustomResource(this, "CloudFrontInvalidator", {
|
|
431
446
|
serviceToken: stack.customResourceHandler.functionArn,
|
|
432
447
|
resourceType: "Custom::CloudFrontInvalidator",
|
|
@@ -437,16 +452,7 @@ interface ImportMeta {
|
|
|
437
452
|
waitForInvalidation: this.props.waitForInvalidation,
|
|
438
453
|
},
|
|
439
454
|
});
|
|
440
|
-
|
|
441
|
-
effect: Effect.ALLOW,
|
|
442
|
-
actions: [
|
|
443
|
-
"cloudfront:GetInvalidation",
|
|
444
|
-
"cloudfront:CreateInvalidation",
|
|
445
|
-
],
|
|
446
|
-
resources: [
|
|
447
|
-
`arn:${stack.partition}:cloudfront::${stack.account}:distribution/${this.distribution.distributionId}`,
|
|
448
|
-
],
|
|
449
|
-
}));
|
|
455
|
+
resource.node.addDependency(policy);
|
|
450
456
|
return resource;
|
|
451
457
|
}
|
|
452
458
|
/////////////////////
|