aws-cdk-lib 2.176.0__py3-none-any.whl → 2.177.0__py3-none-any.whl

aws_cdk/aws_cloudfront/__init__.py

@@ -1347,6 +1347,8 @@ class AccessLevel(enum.Enum):
 
     READ = "READ"
     '''Grants read permissions to CloudFront Distribution.'''
+    LIST = "LIST"
+    '''Grants list permissions to CloudFront Distribution.'''
     WRITE = "WRITE"
     '''Grants write permission to CloudFront Distribution.'''
     DELETE = "DELETE"
@@ -2699,6 +2701,8 @@ class CfnAnycastIpList(
 ):
     '''An Anycast static IP list.
 
+    For more information, see `Request Anycast static IPs to use for allowlisting <https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/request-static-ips.html>`_ in the *Amazon CloudFront Developer Guide* .
+
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-anycastiplist.html
     :cloudformationResource: AWS::CloudFront::AnycastIpList
     :exampleMetadata: fixture=_generated
@@ -2880,6 +2884,8 @@ class CfnAnycastIpList(
         ) -> None:
             '''An Anycast static IP list.
 
+            For more information, see `Request Anycast static IPs to use for allowlisting <https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/request-static-ips.html>`_ in the *Amazon CloudFront Developer Guide* .
+
             :param anycast_ips: The static IP addresses that are allocated to the Anycast static IP list.
             :param arn: The Amazon Resource Name (ARN) of the Anycast static IP list.
             :param id: The ID of the Anycast static IP list.
@@ -21519,7 +21525,7 @@ class ResponseHeadersCorsBehavior:
 
         :param access_control_allow_credentials: A Boolean that CloudFront uses as the value for the Access-Control-Allow-Credentials HTTP response header.
         :param access_control_allow_headers: A list of HTTP header names that CloudFront includes as values for the Access-Control-Allow-Headers HTTP response header. You can specify ``['*']`` to allow all headers.
-        :param access_control_allow_methods: A list of HTTP methods that CloudFront includes as values for the Access-Control-Allow-Methods HTTP response header.
+        :param access_control_allow_methods: A list of HTTP methods that CloudFront includes as values for the Access-Control-Allow-Methods HTTP response header. Allowed methods: ``'GET'``, ``'DELETE'``, ``'HEAD'``, ``'OPTIONS'``, ``'PATCH'``, ``'POST'``, and ``'PUT'``. You can specify ``['ALL']`` to allow all methods.
         :param access_control_allow_origins: A list of origins (domain names) that CloudFront can use as the value for the Access-Control-Allow-Origin HTTP response header. You can specify ``['*']`` to allow all origins.
         :param origin_override: A Boolean that determines whether CloudFront overrides HTTP response headers received from the origin with the ones specified in this response headers policy.
         :param access_control_expose_headers: A list of HTTP headers that CloudFront includes as values for the Access-Control-Expose-Headers HTTP response header. You can specify ``['*']`` to expose all headers. Default: - no headers exposed
@@ -21614,7 +21620,11 @@ class ResponseHeadersCorsBehavior:
 
     @builtins.property
     def access_control_allow_methods(self) -> typing.List[builtins.str]:
-        '''A list of HTTP methods that CloudFront includes as values for the Access-Control-Allow-Methods HTTP response header.'''
+        '''A list of HTTP methods that CloudFront includes as values for the Access-Control-Allow-Methods HTTP response header.
+
+        Allowed methods: ``'GET'``, ``'DELETE'``, ``'HEAD'``, ``'OPTIONS'``, ``'PATCH'``, ``'POST'``, and ``'PUT'``.
+        You can specify ``['ALL']`` to allow all methods.
+        '''
         result = self._values.get("access_control_allow_methods")
         assert result is not None, "Required property 'access_control_allow_methods' is missing"
         return typing.cast(typing.List[builtins.str], result)

aws_cdk/aws_cloudfront_origins/__init__.py

@@ -74,7 +74,7 @@ cloudfront.Distribution(self, "myDist",
 
 When creating a standard S3 origin using `origins.S3BucketOrigin.withOriginAccessControl()`, an [Origin Access Control resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-originaccesscontrol-originaccesscontrolconfig.html) is automatically created with the origin type set to `s3` and signing behavior set to `always`.
 
-You can grant read, write or delete access to the OAC using the `originAccessLevels` property:
+You can grant read, list, write or delete access to the OAC using the `originAccessLevels` property:
 
 ```python
 my_bucket = s3.Bucket(self, "myBucket")
@@ -83,6 +83,8 @@ s3_origin = origins.S3BucketOrigin.with_origin_access_control(my_bucket,
 )
 ```
 
+For details of list permission, see [Setting up OAC with LIST permission](#setting-up-oac-with-list-permission).
+
 You can also pass in a custom S3 origin access control:
 
 ```python
@@ -336,6 +338,29 @@ See CloudFront docs on [Giving the origin access control permission to access th
 > Note: If your bucket previously used OAI, you will need to manually remove the policy statement
 > that gives the OAI access to your bucket after setting up OAC.
 
+#### Setting up OAC with LIST permission
+
+By default, S3 origin returns 403 Forbidden HTTP response when the requested object does not exist.
+When you want to receive 404 Not Found, specify `AccessLevel.LIST` in `originAccessLevels` to add `s3:ListBucket` permission in the bucket policy.
+
+This is useful to distinguish between responses blocked by WAF (403) and responses where the file does not exist (404).
+
+```python
+my_bucket = s3.Bucket(self, "myBucket")
+s3_origin = origins.S3BucketOrigin.with_origin_access_control(my_bucket,
+    origin_access_levels=[cloudfront.AccessLevel.READ, cloudfront.AccessLevel.LIST]
+)
+cloudfront.Distribution(self, "distribution",
+    default_behavior=cloudfront.BehaviorOptions(
+        origin=s3_origin
+    ),
+    default_root_object="index.html"
+)
+```
+
+When the origin is associated to the default behavior, it is highly recommended to specify `defaultRootObject` distribution property.
+Without it, the root path `https://xxxx.cloudfront.net/` will return the list of the S3 object keys.
+
 #### Setting up an OAI (legacy)
 
 Setup an S3 origin with origin access identity (legacy) as follows:
@@ -3171,7 +3196,13 @@ class S3BucketOriginWithOACProps(S3BucketOriginBaseProps):
 
             my_bucket = s3.Bucket(self, "myBucket")
             s3_origin = origins.S3BucketOrigin.with_origin_access_control(my_bucket,
-                origin_access_levels=[cloudfront.AccessLevel.READ, cloudfront.AccessLevel.WRITE, cloudfront.AccessLevel.DELETE]
+                origin_access_levels=[cloudfront.AccessLevel.READ, cloudfront.AccessLevel.LIST]
+            )
+            cloudfront.Distribution(self, "distribution",
+                default_behavior=cloudfront.BehaviorOptions(
+                    origin=s3_origin
+                ),
+                default_root_object="index.html"
             )
         '''
         if __debug__:

aws_cdk/aws_codepipeline/__init__.py

@@ -2499,6 +2499,7 @@ class CfnPipeline(
                     conditions=[codepipeline.CfnPipeline.ConditionProperty(
                         result="result",
                         rules=[codepipeline.CfnPipeline.RuleDeclarationProperty(
+                            commands=["commands"],
                             configuration=configuration,
                             input_artifacts=[codepipeline.CfnPipeline.InputArtifactProperty(
                                 name="name"
@@ -2523,6 +2524,7 @@ class CfnPipeline(
                     conditions=[codepipeline.CfnPipeline.ConditionProperty(
                         result="result",
                         rules=[codepipeline.CfnPipeline.RuleDeclarationProperty(
+                            commands=["commands"],
                             configuration=configuration,
                             input_artifacts=[codepipeline.CfnPipeline.InputArtifactProperty(
                                 name="name"
@@ -2547,6 +2549,7 @@ class CfnPipeline(
                     conditions=[codepipeline.CfnPipeline.ConditionProperty(
                         result="result",
                         rules=[codepipeline.CfnPipeline.RuleDeclarationProperty(
+                            commands=["commands"],
                             configuration=configuration,
                             input_artifacts=[codepipeline.CfnPipeline.InputArtifactProperty(
                                 name="name"
@@ -3574,6 +3577,7 @@ class CfnPipeline(
                     conditions=[codepipeline.CfnPipeline.ConditionProperty(
                         result="result",
                         rules=[codepipeline.CfnPipeline.RuleDeclarationProperty(
+                            commands=["commands"],
                             configuration=configuration,
                             input_artifacts=[codepipeline.CfnPipeline.InputArtifactProperty(
                                 name="name"
@@ -3719,6 +3723,7 @@ class CfnPipeline(
                 condition_property = codepipeline.CfnPipeline.ConditionProperty(
                     result="result",
                     rules=[codepipeline.CfnPipeline.RuleDeclarationProperty(
+                        commands=["commands"],
                         configuration=configuration,
                         input_artifacts=[codepipeline.CfnPipeline.InputArtifactProperty(
                             name="name"
@@ -3891,6 +3896,7 @@ class CfnPipeline(
                     conditions=[codepipeline.CfnPipeline.ConditionProperty(
                         result="result",
                         rules=[codepipeline.CfnPipeline.RuleDeclarationProperty(
+                            commands=["commands"],
                             configuration=configuration,
                             input_artifacts=[codepipeline.CfnPipeline.InputArtifactProperty(
                                 name="name"
@@ -4809,6 +4815,7 @@ class CfnPipeline(
         jsii_type="aws-cdk-lib.aws_codepipeline.CfnPipeline.RuleDeclarationProperty",
         jsii_struct_bases=[],
         name_mapping={
+            "commands": "commands",
             "configuration": "configuration",
             "input_artifacts": "inputArtifacts",
             "name": "name",
@@ -4821,6 +4828,7 @@ class CfnPipeline(
         def __init__(
             self,
             *,
+            commands: typing.Optional[typing.Sequence[builtins.str]] = None,
             configuration: typing.Any = None,
             input_artifacts: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnPipeline.InputArtifactProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
             name: typing.Optional[builtins.str] = None,
@@ -4832,6 +4840,7 @@ class CfnPipeline(
 
             An example would be creating a new rule for an entry condition, such as a rule that checks for a test result before allowing the run to enter the deployment stage. For more information about conditions, see `Stage conditions <https://docs.aws.amazon.com/codepipeline/latest/userguide/stage-conditions.html>`_ . For more information about rules, see the `AWS CodePipeline rule reference <https://docs.aws.amazon.com/codepipeline/latest/userguide/rule-reference.html>`_ .
 
+            :param commands: The shell commands to run with your commands rule in CodePipeline. All commands are supported except multi-line formats. While CodeBuild logs and permissions are used, you do not need to create any resources in CodeBuild. .. epigraph:: Using compute time for this action will incur separate charges in AWS CodeBuild .
             :param configuration: The action configuration fields for the rule.
             :param input_artifacts: The input artifacts fields for the rule, such as specifying an input file for the rule.
             :param name: The name of the rule that is created for the condition, such as ``VariableCheck`` .
@@ -4851,6 +4860,7 @@ class CfnPipeline(
                 # configuration: Any
                 
                 rule_declaration_property = codepipeline.CfnPipeline.RuleDeclarationProperty(
+                    commands=["commands"],
                     configuration=configuration,
                     input_artifacts=[codepipeline.CfnPipeline.InputArtifactProperty(
                         name="name"
@@ -4868,6 +4878,7 @@ class CfnPipeline(
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__8b4c62f005bd4f9080fa5e8c7f7671821e7ac1c9314d5d3b1130fbf53e40fa51)
+                check_type(argname="argument commands", value=commands, expected_type=type_hints["commands"])
                 check_type(argname="argument configuration", value=configuration, expected_type=type_hints["configuration"])
                 check_type(argname="argument input_artifacts", value=input_artifacts, expected_type=type_hints["input_artifacts"])
                 check_type(argname="argument name", value=name, expected_type=type_hints["name"])
@@ -4875,6 +4886,8 @@ class CfnPipeline(
                 check_type(argname="argument role_arn", value=role_arn, expected_type=type_hints["role_arn"])
                 check_type(argname="argument rule_type_id", value=rule_type_id, expected_type=type_hints["rule_type_id"])
             self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if commands is not None:
+                self._values["commands"] = commands
             if configuration is not None:
                 self._values["configuration"] = configuration
             if input_artifacts is not None:
@@ -4888,6 +4901,20 @@ class CfnPipeline(
             if rule_type_id is not None:
                 self._values["rule_type_id"] = rule_type_id
 
+        @builtins.property
+        def commands(self) -> typing.Optional[typing.List[builtins.str]]:
+            '''The shell commands to run with your commands rule in CodePipeline.
+
+            All commands are supported except multi-line formats. While CodeBuild logs and permissions are used, you do not need to create any resources in CodeBuild.
+            .. epigraph::
+
+               Using compute time for this action will incur separate charges in AWS CodeBuild .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-ruledeclaration.html#cfn-codepipeline-pipeline-ruledeclaration-commands
+            '''
+            result = self._values.get("commands")
+            return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
         @builtins.property
         def configuration(self) -> typing.Any:
             '''The action configuration fields for the rule.
@@ -5145,6 +5172,7 @@ class CfnPipeline(
                         conditions=[codepipeline.CfnPipeline.ConditionProperty(
                             result="result",
                             rules=[codepipeline.CfnPipeline.RuleDeclarationProperty(
+                                commands=["commands"],
                                 configuration=configuration,
                                 input_artifacts=[codepipeline.CfnPipeline.InputArtifactProperty(
                                     name="name"
@@ -5169,6 +5197,7 @@ class CfnPipeline(
                         conditions=[codepipeline.CfnPipeline.ConditionProperty(
                             result="result",
                             rules=[codepipeline.CfnPipeline.RuleDeclarationProperty(
+                                commands=["commands"],
                                 configuration=configuration,
                                 input_artifacts=[codepipeline.CfnPipeline.InputArtifactProperty(
                                     name="name"
@@ -5193,6 +5222,7 @@ class CfnPipeline(
                         conditions=[codepipeline.CfnPipeline.ConditionProperty(
                             result="result",
                             rules=[codepipeline.CfnPipeline.RuleDeclarationProperty(
+                                commands=["commands"],
                                 configuration=configuration,
                                 input_artifacts=[codepipeline.CfnPipeline.InputArtifactProperty(
                                     name="name"
@@ -5413,6 +5443,7 @@ class CfnPipeline(
                     conditions=[codepipeline.CfnPipeline.ConditionProperty(
                         result="result",
                         rules=[codepipeline.CfnPipeline.RuleDeclarationProperty(
+                            commands=["commands"],
                             configuration=configuration,
                             input_artifacts=[codepipeline.CfnPipeline.InputArtifactProperty(
                                 name="name"
@@ -5653,6 +5684,7 @@ class CfnPipelineProps:
                         conditions=[codepipeline.CfnPipeline.ConditionProperty(
                             result="result",
                             rules=[codepipeline.CfnPipeline.RuleDeclarationProperty(
+                                commands=["commands"],
                                 configuration=configuration,
                                 input_artifacts=[codepipeline.CfnPipeline.InputArtifactProperty(
                                     name="name"
@@ -5677,6 +5709,7 @@ class CfnPipelineProps:
                         conditions=[codepipeline.CfnPipeline.ConditionProperty(
                             result="result",
                             rules=[codepipeline.CfnPipeline.RuleDeclarationProperty(
+                                commands=["commands"],
                                 configuration=configuration,
                                 input_artifacts=[codepipeline.CfnPipeline.InputArtifactProperty(
                                     name="name"
@@ -5701,6 +5734,7 @@ class CfnPipelineProps:
                         conditions=[codepipeline.CfnPipeline.ConditionProperty(
                             result="result",
                             rules=[codepipeline.CfnPipeline.RuleDeclarationProperty(
+                                commands=["commands"],
                                 configuration=configuration,
                                 input_artifacts=[codepipeline.CfnPipeline.InputArtifactProperty(
                                     name="name"
@@ -10978,6 +11012,7 @@ def _typecheckingstub__ffc8deb7765afd70d3fe572ffa86634cd8936e44aafd092f3182c532d
 
 def _typecheckingstub__8b4c62f005bd4f9080fa5e8c7f7671821e7ac1c9314d5d3b1130fbf53e40fa51(
     *,
+    commands: typing.Optional[typing.Sequence[builtins.str]] = None,
     configuration: typing.Any = None,
     input_artifacts: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnPipeline.InputArtifactProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     name: typing.Optional[builtins.str] = None,