konokenj.cdk-api-mcp-server 0.31.0__py3-none-any.whl → 0.33.0__py3-none-any.whl

cdk_api_mcp_server/__about__.py

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: 2025-present Kenji Kono <konoken@amazon.co.jp>
 #
 # SPDX-License-Identifier: MIT
-__version__ = "0.31.0"
+__version__ = "0.33.0"

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-apigatewayv2/integ.api-dualstack.ts

@@ -4,14 +4,13 @@ import * as cdk from 'aws-cdk-lib';
 import * as apigw from 'aws-cdk-lib/aws-apigatewayv2';
 
 const app = new cdk.App();
-const stack = new cdk.Stack(app, 'DualStackHttpApiStack');
+const stack = new cdk.Stack(app, 'DualStackWebsocketApiStack');
 
-new apigw.HttpApi(stack, 'HttpApi', {
-  routeSelectionExpression: true,
+new apigw.WebSocketApi(stack, 'WebSocketApi', {
   ipAddressType: apigw.IpAddressType.DUAL_STACK,
 });
 
-new IntegTest(app, 'DualStackHttpApiInteg', {
+new IntegTest(app, 'DualStackWebsocketApiInteg', {
   testCases: [stack],
 });
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-apigatewayv2/integ.api.ts

@@ -6,11 +6,9 @@ import * as apigw from 'aws-cdk-lib/aws-apigatewayv2';
 const app = new cdk.App();
 const stack = new cdk.Stack(app, 'aws-cdk-aws-apigatewayv2');
 
-new apigw.HttpApi(stack, 'HttpApi', {
-  routeSelectionExpression: true,
-});
+new apigw.WebSocketApi(stack, 'WebSocketApi');
 
-new IntegTest(app, 'http-api', {
+new IntegTest(app, 'web-socket-api', {
   testCases: [stack],
 });
 

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-apigatewayv2/integ.stage.ts

@@ -1,33 +1,20 @@
 #!/usr/bin/env node
-import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 import * as cdk from 'aws-cdk-lib';
-import * as apigwv2 from 'aws-cdk-lib/aws-apigatewayv2';
-import * as apigw from 'aws-cdk-lib/aws-apigateway';
-import * as logs from 'aws-cdk-lib/aws-logs';
+import * as apigw from 'aws-cdk-lib/aws-apigatewayv2';
 
 const app = new cdk.App();
-const stack = new cdk.Stack(app, 'aws-cdk-aws-apigatewayv2-http-stage');
+const stack = new cdk.Stack(app, 'aws-cdk-aws-apigatewayv2-websocket-stage');
 
-const testLogGroup = new logs.LogGroup(stack, 'MyLogGroup');
-
-const httpApi = new apigwv2.HttpApi(stack, 'HttpApi', { createDefaultStage: false });
-new apigwv2.HttpStage(stack, 'HttpStageWithProperties', {
-  httpApi,
+const webSocketApi = new apigw.WebSocketApi(stack, 'WebSocketApi');
+new apigw.WebSocketStage(stack, 'WebSocketStage', {
+  webSocketApi,
+  stageName: 'dev',
   throttle: {
     rateLimit: 1000,
     burstLimit: 1000,
   },
   detailedMetricsEnabled: true,
   description: 'My Stage',
-  accessLogSettings: {
-    destination: new apigwv2.LogGroupLogDestination(testLogGroup),
-    format: apigw.AccessLogFormat.custom(JSON.stringify({
-      extendedRequestId: apigw.AccessLogField.contextExtendedRequestId(),
-      requestTime: apigw.AccessLogField.contextRequestTime(),
-    })),
-  },
 });
 
-new IntegTest(app, 'aws-cdk-aws-apigatewayv2-http-stage-test', {
-  testCases: [stack],
-});
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-apigatewayv2-authorizers/integ.iam.ts

@@ -1,46 +1,53 @@
 import * as apigatewayv2 from 'aws-cdk-lib/aws-apigatewayv2';
+import { WebSocketLambdaIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';
 import * as iam from 'aws-cdk-lib/aws-iam';
+import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
 import * as cdk from 'aws-cdk-lib';
-import { HttpIamAuthorizer } from 'aws-cdk-lib/aws-apigatewayv2-authorizers';
+import { Stack } from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { WebSocketIamAuthorizer } from 'aws-cdk-lib/aws-apigatewayv2-authorizers';
 
-class ExampleComIntegration extends apigatewayv2.HttpRouteIntegration {
-  public bind(): apigatewayv2.HttpRouteIntegrationConfig {
-    return {
-      type: apigatewayv2.HttpIntegrationType.HTTP_PROXY,
-      payloadFormatVersion: apigatewayv2.PayloadFormatVersion.VERSION_1_0,
-      method: apigatewayv2.HttpMethod.GET,
-      uri: 'https://www.example.com/',
-    };
-  }
-}
-
-const app = new cdk.App();
+const app = new cdk.App({
+  postCliContext: {
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+  },
+});
 const stack = new cdk.Stack(app, 'IntegApiGatewayV2Iam');
 const user = new iam.User(stack, 'User');
 const userAccessKey = new iam.AccessKey(stack, 'UserAccess', {
   user,
 });
 
-const httpApi = new apigatewayv2.HttpApi(stack, 'HttpApi', {
-  defaultAuthorizer: new HttpIamAuthorizer(),
+const handler = new Function(stack, 'auth-function', {
+  runtime: Runtime.NODEJS_18_X,
+  code: Code.fromInline('exports.handler = () => {return true}'),
+  handler: 'index.handler',
 });
 
-const [fooRoute] = httpApi.addRoutes({
-  integration: new ExampleComIntegration('examplecom'),
-  path: '/foo',
+const webSocketApi = new apigatewayv2.WebSocketApi(stack, 'WebSocketApi', {
+  connectRouteOptions: {
+    integration: new WebSocketLambdaIntegration('WebSocketLambdaIntegration', handler),
+    authorizer: new WebSocketIamAuthorizer(),
+  },
 });
 
-fooRoute.grantInvoke(user);
-
-const [booksRoute] = httpApi.addRoutes({
-  integration: new ExampleComIntegration('examplecom'),
-  path: '/books/{book}',
+const arn = Stack.of(stack).formatArn({
+  service: 'execute-api',
+  resource: webSocketApi.apiId,
 });
 
-booksRoute.grantInvoke(user);
+user.attachInlinePolicy(new iam.Policy(stack, 'AllowInvoke', {
+  statements: [
+    new iam.PolicyStatement({
+      actions: ['execute-api:Invoke'],
+      effect: iam.Effect.ALLOW,
+      resources: [arn],
+    }),
+  ],
+}));
 
-new cdk.CfnOutput(stack, 'API', {
-  value: httpApi.url!,
+new integ.IntegTest(app, 'ApiGatewayV2WebSocketIamTest', {
+  testCases: [stack],
 });
 
 new cdk.CfnOutput(stack, 'TESTACCESSKEYID', {
@@ -55,15 +62,4 @@ new cdk.CfnOutput(stack, 'TESTREGION', {
   value: stack.region,
 });
 
-/*
- * Stack verification steps:
- * * Get cURL version 7.75.0 or later so you can use the --aws-sigv4 option
- * * Curl <url>/foo without sigv4 and expect a 403
- * * Curl <url>/books/something without sigv4 and expect a 403
- * * Curl <url>/foo with sigv4 from the authorized user and expect 200
- * * Curl <url>/books/something with sigv4 from the authorized user and expect 200
- *
- * Reference:
- * * Using cURL 7.75.0 or later via the official docker image: docker run --rm curlimages/curl -s -o/dev/null -w"%{http_code}" <url>
- * * Args to enable sigv4 with authorized credentials: --user "$TESTACCESSKEYID:$TESTSECRETACCESSKEY" --aws-sigv4 "aws:amz:$TESTREGION:execute-api"
- */
+app.synth();

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-apigatewayv2-integrations/integ.sqs.ts

@@ -1,85 +1,72 @@
-import * as apigwv2 from 'aws-cdk-lib/aws-apigatewayv2';
+import { HttpMethod, PassthroughBehavior, WebSocketApi, WebSocketStage } from 'aws-cdk-lib/aws-apigatewayv2';
 import * as sqs from 'aws-cdk-lib/aws-sqs';
-import { App, Stack } from 'aws-cdk-lib';
-import { HttpSqsIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';
-import * as integ from '@aws-cdk/integ-tests-alpha';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import { App, Stack, Aws } from 'aws-cdk-lib';
+import { WebSocketAwsIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
 
-const app = new App();
-const stack = new Stack(app, 'sqs-integration');
+/*
+ * Stack verification steps:
+ * 1. Verify manually that the integration has type "AWS"
+ */
 
-const queue = new sqs.Queue(stack, 'Queue');
+const app = new App();
+const stack = new Stack(app, 'integ-aws-websocket-sqs-integration');
 
-const httpApi = new apigwv2.HttpApi(stack, 'Api');
-httpApi.addRoutes({
-  path: '/default',
-  methods: [apigwv2.HttpMethod.POST],
-  integration: new HttpSqsIntegration('defaultIntegration', {
-    queue,
-  }),
-});
-httpApi.addRoutes({
-  path: '/send-message',
-  methods: [apigwv2.HttpMethod.POST],
-  integration: new HttpSqsIntegration('sendMessageIntegration', {
-    queue,
-    subtype: apigwv2.HttpIntegrationSubtype.SQS_SEND_MESSAGE,
-  }),
-});
-httpApi.addRoutes({
-  path: '/receive-message',
-  methods: [apigwv2.HttpMethod.POST],
-  integration: new HttpSqsIntegration('receiveMessageIntegration', {
-    queue,
-    subtype: apigwv2.HttpIntegrationSubtype.SQS_RECEIVE_MESSAGE,
-  }),
-});
-httpApi.addRoutes({
-  path: '/delete-message',
-  methods: [apigwv2.HttpMethod.POST],
-  integration: new HttpSqsIntegration('deleteMessageIntegration', {
-    queue,
-    subtype: apigwv2.HttpIntegrationSubtype.SQS_DELETE_MESSAGE,
-  }),
+const sqsMessageQueue = new sqs.Queue(stack, 'MessageSQSQueue', {
+  fifo: true,
+  queueName: 'MessageSQSQueue.fifo',
 });
-httpApi.addRoutes({
-  path: '/purge-queue',
-  methods: [apigwv2.HttpMethod.POST],
-  integration: new HttpSqsIntegration('purgeQueueIntegration', {
-    queue,
-    subtype: apigwv2.HttpIntegrationSubtype.SQS_PURGE_QUEUE,
-  }),
+
+// API Gateway WebSocket API
+const webSocketApi = new WebSocketApi(stack, 'webSocketApi', {
+  description: 'Send websocket data to SQS which is then processed by a Lambda 2',
+  routeSelectionExpression: '$request.body.action',
 });
 
-const integTest = new integ.IntegTest(app, 'SqsIntegrationIntegTest', {
-  testCases: [stack],
+// Optionally, create a WebSocket stage
+new WebSocketStage(stack, 'DevStage', {
+  webSocketApi: webSocketApi,
+  stageName: 'dev',
+  autoDeploy: true,
 });
 
-const defaultAssertion = integTest.assertions.httpApiCall(
-  `${httpApi.apiEndpoint}/default`, {
-    body: JSON.stringify({ MessageBody: 'Hello World!' }),
-    method: 'POST',
-  },
-);
-defaultAssertion.expect(integ.ExpectedResult.objectLike({ status: 200, statusText: 'OK' }));
+// IAM Role for API Gateway
+const webSocketApiRole = new iam.Role(stack, 'webSocketApiRole', {
+  assumedBy: new iam.ServicePrincipal('apigateway.amazonaws.com'),
+});
 
-const sendMessageAssertion = integTest.assertions.httpApiCall(
-  `${httpApi.apiEndpoint}/send-message`, {
-    body: JSON.stringify({ MessageBody: 'Hello World!' }),
-    method: 'POST',
-  },
+webSocketApiRole.addToPolicy(
+  new iam.PolicyStatement({
+    actions: ['sqs:SendMessage'],
+    effect: iam.Effect.ALLOW,
+    resources: [sqsMessageQueue.queueArn],
+  }),
 );
-sendMessageAssertion.expect(integ.ExpectedResult.objectLike({ status: 200, statusText: 'OK' }));
 
-const receiveMessageAssertion = integTest.assertions.httpApiCall(
-  `${httpApi.apiEndpoint}/receive-message`, {
-    method: 'POST',
-  },
-);
-receiveMessageAssertion.expect(integ.ExpectedResult.objectLike({ status: 200, statusText: 'OK' }));
+webSocketApi.addRoute('$default', {
+  integration: new WebSocketAwsIntegration('SQSSendMessage', {
+    integrationUri: `arn:aws:apigateway:${Aws.REGION}:sqs:path/${Aws.ACCOUNT_ID}/${sqsMessageQueue.queueName}`,
+    integrationMethod: HttpMethod.POST,
+    credentialsRole: webSocketApiRole,
+    passthroughBehavior: PassthroughBehavior.NEVER,
+    templateSelectionExpression: '\\$default',
+    requestTemplates: {
+      $default: 'Action=SendMessage&MessageGroupId=$input.path(\'$.MessageGroupId\')&MessageDeduplicationId=$context.requestId&MessageAttribute.1.Name=connectionId&MessageAttribute.1.Value.StringValue=$context.connectionId&MessageAttribute.1.Value.DataType=String&MessageAttribute.2.Name=requestId&MessageAttribute.2.Value.StringValue=$context.requestId&MessageAttribute.2.Value.DataType=String&MessageBody=$input.json(\'$\')',
+    },
+    requestParameters: {
+      'integration.request.header.Content-Type': '\'application/x-www-form-urlencoded\'',
+    },
+  }),
+});
 
-const purgeQueueAssertion = integTest.assertions.httpApiCall(
-  `${httpApi.apiEndpoint}/purge-queue`, {
-    method: 'POST',
+new IntegTest(app, 'apigatewayv2-aws-integration-sqs-integ-test', {
+  testCases: [stack],
+  cdkCommandOptions: {
+    deploy: {
+      args: {
+        rollback: true,
+      },
+    },
   },
-);
-purgeQueueAssertion.expect(integ.ExpectedResult.objectLike({ status: 200, statusText: 'OK' }));
+});

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/aws-cloudfront/README.md

@@ -67,6 +67,297 @@ new cloudfront.Distribution(this, 'myDist', {
   defaultBehavior: { origin: new origins.HttpOrigin('www.example.com') },
 });
 ```
+### CloudFront SaaS Manager resources
+
+#### Multi-tenant distribution and tenant providing ACM certificates
+You can use Cloudfront to build multi-tenant distributions to house applications.
+
+To create a multi-tenant distribution w/parameters, create a Distribution construct, and then update DistributionConfig in the CfnDistribution to use connectionMode: "tenant-only"
+
+Then create a tenant
+```ts
+// Create the simple Origin
+const myBucket = new s3.Bucket(this, 'myBucket');
+const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(myBucket, {
+    originAccessLevels: [cloudfront.AccessLevel.READ, cloudfront.AccessLevel.LIST],
+});
+
+// Create the Distribution construct
+const myMultiTenantDistribution = new cloudfront.Distribution(this, 'distribution', {
+    defaultBehavior: {
+        origin: s3Origin,
+    },
+    defaultRootObject: 'index.html', // recommended to specify
+});
+
+// Access the underlying L1 CfnDistribution to configure SaaS Manager properties which are not yet available in the L2 Distribution construct
+const cfnDistribution = myMultiTenantDistribution.node.defaultChild as cloudfront.CfnDistribution;
+
+const defaultCacheBehavior: cloudfront.CfnDistribution.DefaultCacheBehaviorProperty = {
+    targetOriginId: myBucket.bucketArn,
+    viewerProtocolPolicy: 'allow-all',
+    compress: false,
+    allowedMethods: ['GET', 'HEAD'],
+    cachePolicyId: cloudfront.CachePolicy.CACHING_OPTIMIZED.cachePolicyId
+};
+// Create the updated distributionConfig
+const distributionConfig: cloudfront.CfnDistribution.DistributionConfigProperty = {
+    defaultCacheBehavior: defaultCacheBehavior,
+    enabled: true,
+    // the properties below are optional
+    connectionMode: 'tenant-only',
+    origins: [
+        {
+            id: myBucket.bucketArn,
+            domainName: myBucket.bucketDomainName,
+            s3OriginConfig: {},
+            originPath: "/{{tenantName}}"
+        },
+    ],
+    tenantConfig: {
+        parameterDefinitions: [
+            {
+                definition: {
+                    stringSchema: {
+                        required: false,
+                        // the properties below are optional
+                        comment: 'tenantName',
+                        defaultValue: 'root',
+                    },
+                },
+                name: 'tenantName',
+            },
+        ],
+    },
+};
+
+// Override the distribution configuration to enable multi-tenancy.
+cfnDistribution.distributionConfig = distributionConfig;
+
+// Create a distribution tenant using an existing ACM certificate
+const cfnDistributionTenant = new cloudfront.CfnDistributionTenant(this, 'distribution-tenant', {
+    distributionId: myMultiTenantDistribution.distributionId,
+    domains: ['my-tenant.my.domain.com'],
+    name: 'my-tenant',
+    enabled: true,
+    parameters: [ // Override the default 'tenantName' parameter (root) defined in the multi-tenant distribution. 
+        {
+            name: 'tenantName',
+            value: 'app',
+        },
+    ],
+    customizations: {
+        certificate: {
+            arn: 'REPLACE_WITH_ARN', // Certificate must be in us-east-1 region and cover 'my-tenant.my.domain.com'
+        },
+    },
+});
+```
+
+#### Multi-tenant distribution and tenant with CloudFront-hosted certificate
+A distribution tenant with CloudFront-hosted domain validation is useful if you don't currently have traffic to the domain.
+
+Start by creating a parent multi-tenant distribution, then create the distribution tenant.
+```ts
+import * as route53 from 'aws-cdk-lib/aws-route53';
+
+// Create the simple Origin
+const myBucket = new s3.Bucket(this, 'myBucket');
+const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(myBucket, {
+    originAccessLevels: [cloudfront.AccessLevel.READ, cloudfront.AccessLevel.LIST],
+});
+
+// Create the Distribution construct
+const myMultiTenantDistribution = new cloudfront.Distribution(this, 'cf-hosted-distribution', {
+    defaultBehavior: {
+        origin: s3Origin,
+    },
+    defaultRootObject: 'index.html', // recommended to specify
+});
+
+// Access the underlying L1 CfnDistribution to configure SaaS Manager properties which are not yet available in the L2 Distribution construct
+const cfnDistribution = myMultiTenantDistribution.node.defaultChild as cloudfront.CfnDistribution;
+
+const defaultCacheBehavior: cloudfront.CfnDistribution.DefaultCacheBehaviorProperty = {
+    targetOriginId: myBucket.bucketArn,
+    viewerProtocolPolicy: 'allow-all',
+    compress: false,
+    allowedMethods: ['GET', 'HEAD'],
+    cachePolicyId: cloudfront.CachePolicy.CACHING_OPTIMIZED.cachePolicyId
+};
+// Create the updated distributionConfig
+const distributionConfig: cloudfront.CfnDistribution.DistributionConfigProperty = {
+    defaultCacheBehavior: defaultCacheBehavior,
+    enabled: true,
+    // the properties below are optional
+    connectionMode: 'tenant-only',
+    origins: [
+        {
+            id: myBucket.bucketArn,
+            domainName: myBucket.bucketDomainName,
+            s3OriginConfig: {},
+            originPath: "/{{tenantName}}"
+        },
+    ],
+    tenantConfig: {
+        parameterDefinitions: [
+            {
+                definition: {
+                    stringSchema: {
+                        required: false,
+                        // the properties below are optional
+                        comment: 'tenantName',
+                        defaultValue: 'root',
+                    },
+                },
+                name: 'tenantName',
+            },
+        ],
+    },
+};
+
+// Override the distribution configuration to enable multi-tenancy.
+cfnDistribution.distributionConfig = distributionConfig;
+
+// Create a connection group and a cname record in an existing hosted zone to validate domain ownership
+const connectionGroup = new cloudfront.CfnConnectionGroup(this, 'cf-hosted-connection-group', {
+    enabled: true,
+    ipv6Enabled: true,
+    name: 'my-connection-group',
+});
+
+// Import the existing hosted zone info, replacing with your hostedZoneId and zoneName
+const hostedZoneId = 'YOUR_HOSTED_ZONE_ID';
+const zoneName = 'my.domain.com';
+const hostedZone = route53.HostedZone.fromHostedZoneAttributes(this, 'hosted-zone', {
+    hostedZoneId,
+    zoneName,
+});
+
+const record = new route53.CnameRecord(this, 'cname-record', {
+    domainName: connectionGroup.attrRoutingEndpoint,
+    zone: hostedZone,
+    recordName: 'cf-hosted-tenant.my.domain.com',
+});
+
+// Create the cloudfront-hosted tenant, passing in the previously created connection group
+const cloudfrontHostedTenant = new cloudfront.CfnDistributionTenant(this, 'cf-hosted-tenant', {
+    distributionId: myMultiTenantDistribution.distributionId,
+    name: 'cf-hosted-tenant',
+    domains: ['cf-hosted-tenant.my.domain.com'],
+    connectionGroupId: connectionGroup.attrId,
+    enabled: true,
+    managedCertificateRequest: {
+        validationTokenHost: 'cloudfront'
+    },
+});
+```
+
+#### Multi-tenant distribution and tenant with self-hosted certificate
+A tenant with self-hosted domain validation is useful if you already have traffic to the domain and can't tolerate downtime during migration to multi-tenant architecture.
+
+The tenant will be created, and the managed certificate will be awaiting validation of domain ownership.  You can then validate domain ownership via http redirect or token file upload.  [More details here](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.html#complete-domain-ownership)
+
+Traffic won't be migrated until you update your hosted zone to point the tenant domain to the CloudFront RoutingEndpoint.
+
+Start by creating a parent multi-tenant distribution
+```ts
+// Create the simple Origin
+const myBucket = new s3.Bucket(this, 'myBucket');
+const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(myBucket, {
+    originAccessLevels: [cloudfront.AccessLevel.READ, cloudfront.AccessLevel.LIST],
+});
+
+// Create the Distribution construct
+const myMultiTenantDistribution = new cloudfront.Distribution(this, 'cf-hosted-distribution', {
+    defaultBehavior: {
+        origin: s3Origin,
+    },
+    defaultRootObject: 'index.html', // recommended to specify
+});
+
+// Access the underlying L1 CfnDistribution to configure SaaS Manager properties which are not yet available in the L2 Distribution construct
+const cfnDistribution = myMultiTenantDistribution.node.defaultChild as cloudfront.CfnDistribution;
+
+const defaultCacheBehavior: cloudfront.CfnDistribution.DefaultCacheBehaviorProperty = {
+    targetOriginId: myBucket.bucketArn,
+    viewerProtocolPolicy: 'allow-all',
+    compress: false,
+    allowedMethods: ['GET', 'HEAD'],
+    cachePolicyId: cloudfront.CachePolicy.CACHING_OPTIMIZED.cachePolicyId
+};
+// Create the updated distributionConfig
+const distributionConfig: cloudfront.CfnDistribution.DistributionConfigProperty = {
+    defaultCacheBehavior: defaultCacheBehavior,
+    enabled: true,
+    // the properties below are optional
+    connectionMode: 'tenant-only',
+    origins: [
+        {
+            id: myBucket.bucketArn,
+            domainName: myBucket.bucketDomainName,
+            s3OriginConfig: {},
+            originPath: "/{{tenantName}}"
+        },
+    ],
+    tenantConfig: {
+        parameterDefinitions: [
+            {
+                definition: {
+                    stringSchema: {
+                        required: false,
+                        // the properties below are optional
+                        comment: 'tenantName',
+                        defaultValue: 'root',
+                    },
+                },
+                name: 'tenantName',
+            },
+        ],
+    },
+};
+
+// Override the distribution configuration to enable multi-tenancy.
+cfnDistribution.distributionConfig = distributionConfig;
+
+// Create a connection group so we have access to the RoutingEndpoint associated with the tenant we are about to create
+const connectionGroup = new cloudfront.CfnConnectionGroup(this, 'self-hosted-connection-group', {
+    enabled: true,
+    ipv6Enabled: true,
+    name: 'self-hosted-connection-group',
+});
+
+// Export the RoutingEndpoint, skip this step if you'd prefer to fetch it from the CloudFront console or via Cloudfront.ListConnectionGroups API 
+new CfnOutput(this, 'RoutingEndpoint', {
+    value: connectionGroup.attrRoutingEndpoint,
+    description: 'CloudFront Routing Endpoint to be added to my hosted zone CNAME records',
+});
+
+// Create a distribution tenant with a self-hosted domain.
+const selfHostedTenant = new cloudfront.CfnDistributionTenant(this, 'self-hosted-tenant', {
+    distributionId: myMultiTenantDistribution.distributionId,
+    connectionGroupId: connectionGroup.attrId,
+    name: 'self-hosted-tenant',
+    domains: ['self-hosted-tenant.my.domain.com'],
+    enabled: true,
+    managedCertificateRequest: {
+        primaryDomainName: 'self-hosted-tenant.my.domain.com',
+        validationTokenHost: 'self-hosted',
+    },
+});
+```
+While CDK is deploying, it will attempt to validate domain ownership by confirming that a validation token is served directly from your domain, or via http redirect.
+
+[follow the steps here](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.html#complete-domain-ownership) to complete domain setup before deploying this CDK stack, or while CDK is in the waiting state during tenant creation. Refer to the section "I have existing traffic"
+
+A simple option for validating via http redirect, would be to add a rewrite rule like so to your server (Apache in this example)
+```
+RewriteEngine On
+RewriteCond %{REQUEST_URI} ^/\.well-known/pki-validation/(.+)$ [NC]
+RewriteRule ^(.*)$ https://validation.us-east-1.acm-validations.aws/%{ENV:AWS_ACCOUNT_ID}/.well-known/pki-validation/%1 [R=301,L]
+```
+
+Then, when you are ready to accept traffic, follow the steps [here](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.html#point-domains-to-cloudfront) using the RoutingEndpoint from above to configure DNS to point to CloudFront.
 
 ### VPC origins
 
@@ -548,7 +839,7 @@ const functionVersion = lambda.Version.fromVersionArn(this, 'Version', 'arn:aws:
 
 new cloudfront.Distribution(this, 'distro', {
   defaultBehavior: {
-    origin: new origins.S3Origin(s3Bucket),
+    origin: origins.S3BucketOrigin.withOriginAccessControl(s3Bucket),
     edgeLambdas: [
       {
         functionVersion,