daniel/agent-claw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

agent-claw: automated task changes

Browse Source
This commit is contained in:
daniel
2026-05-06 18:55:16 -05:00
parent 38905bb1e9
commit 732b00fb66
8494 changed files with 2018127 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/.jsiirc.json generated vendored Normal file
View File

@@ -0,0 +1,13 @@
{
"targets": {
"java": {
"package": "software.amazon.awscdk.services.cloudfront.origins"
},
"dotnet": {
"namespace": "Amazon.CDK.AWS.CloudFront.Origins"
},
"python": {
"module": "aws_cdk.aws_cloudfront_origins"
}
}
}

929
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/README.md generated vendored Normal file
View File

@@ -0,0 +1,929 @@
# CloudFront Origins for the CDK CloudFront Library
This library contains convenience methods for defining origins for a CloudFront distribution. You can use this library to create origins from
S3 buckets, Elastic Load Balancing v2 load balancers, or any other domain name.
## S3 Bucket
An S3 bucket can be used as an origin. An S3 bucket origin can either be configured using a standard S3 bucket or using a S3 bucket that's configured as a website endpoint (see AWS docs for [Using an S3 Bucket](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.html#using-s3-as-origin)).
> Note: `S3Origin` has been deprecated. Use `S3BucketOrigin` for standard S3 origins and `S3StaticWebsiteOrigin` for static website S3 origins.
### Standard S3 Bucket
To set up an origin using a standard S3 bucket, use the `S3BucketOrigin` class. The bucket
is handled as a bucket origin and
CloudFront's redirect and error handling will be used. It is recommended to use `S3BucketOrigin.withOriginAccessControl()` to configure OAC for your origin.
```ts
const myBucket = new s3.Bucket(this, 'myBucket');
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: { origin: origins.S3BucketOrigin.withOriginAccessControl(myBucket) },
});
```
> Note: When you use CloudFront OAC with Amazon S3 bucket origins, you must set Amazon S3 Object Ownership to Bucket owner enforced (the default for new Amazon S3 buckets). If you require ACLs, use the Bucket owner preferred setting to maintain control over objects uploaded via CloudFront.
### S3 Bucket Configured as a Website Endpoint
To set up an origin using an S3 bucket configured as a website endpoint, use the `S3StaticWebsiteOrigin` class. When the bucket is configured as a
website endpoint, the bucket is treated as an HTTP origin,
and the distribution can use built-in S3 redirects and S3 custom error pages.
```ts
const myBucket = new s3.Bucket(this, 'myBucket');
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: { origin: new origins.S3StaticWebsiteOrigin(myBucket) },
});
```
### Restricting access to a standard S3 Origin
CloudFront provides two ways to send authenticated requests to a standard Amazon S3 origin:
* origin access control (OAC) and
* origin access identity (OAI)
OAI is considered legacy due to limited functionality and regional
limitations, whereas OAC is recommended because it supports all Amazon S3
buckets in all AWS Regions, Amazon S3 server-side encryption with AWS KMS (SSE-KMS), and dynamic requests (PUT and DELETE) to Amazon S3. Additionally,
OAC provides stronger security posture with short term credentials,
and more frequent credential rotations as compared to OAI. OAI and OAC can be used in conjunction with a bucket that is not public to
require that your users access your content using CloudFront URLs and not S3 URLs directly.
See AWS docs on [Restricting access to an Amazon S3 Origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) for more details.
> Note: OAC and OAI can only be used with an regular S3 bucket origin (not a bucket configured as a website endpoint).
The `S3BucketOrigin` class supports creating a standard S3 origin with OAC, OAI, and no access control (using your bucket access settings) via
the `withOriginAccessControl()`, `withOriginAccessIdentity()`, and `withBucketDefaults()` methods respectively.
#### Setting up a new origin access control (OAC)
Setup a standard S3 origin with origin access control as follows:
```ts
const myBucket = new s3.Bucket(this, 'myBucket');
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: {
origin: origins.S3BucketOrigin.withOriginAccessControl(myBucket) // Automatically creates a S3OriginAccessControl construct
},
});
```
When creating a standard S3 origin using `origins.S3BucketOrigin.withOriginAccessControl()`, an [Origin Access Control resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-originaccesscontrol-originaccesscontrolconfig.html) is automatically created with the origin type set to `s3` and signing behavior set to `always`.
You can grant read, read versioned, list, write or delete access to the OAC using the `originAccessLevels` property:
```ts
const myBucket = new s3.Bucket(this, 'myBucket');
const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(myBucket, { originAccessLevels: [cloudfront.AccessLevel.READ, cloudfront.AccessLevel.READ_VERSIONED, cloudfront.AccessLevel.WRITE, cloudfront.AccessLevel.DELETE],
});
```
The read versioned permission does contain the read permission, so it's required to set both `AccessLevel.READ` and
`AccessLevel.READ_VERSIONED`.
For details of list permission, see [Setting up OAC with LIST permission](#setting-up-oac-with-list-permission).
You can also pass in a custom S3 origin access control:
```ts
const myBucket = new s3.Bucket(this, 'myBucket');
const oac = new cloudfront.S3OriginAccessControl(this, 'MyOAC', {
signing: cloudfront.Signing.SIGV4_NO_OVERRIDE
});
const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(myBucket, {
originAccessControl: oac
}
)
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: {
origin: s3Origin
},
});
```
An existing S3 origin access control can be imported using the `fromOriginAccessControlId` method:
```ts
const importedOAC = cloudfront.S3OriginAccessControl.fromOriginAccessControlId(this, 'myImportedOAC', 'ABC123ABC123AB');
```
> [Note](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html): When you use OAC with S3
bucket origins, the bucket's object ownership must be either set to Bucket owner enforced (default for new S3 buckets) or Bucket owner preferred (only if you require ACLs).
#### Setting up OAC with a SSE-KMS encrypted S3 origin
If the objects in the S3 bucket origin are encrypted using server-side encryption with
AWS Key Management Service (SSE-KMS), the OAC must have permission to use the KMS key.
Setting up a standard S3 origin using `S3BucketOrigin.withOriginAccessControl()` will automatically add the statement to the KMS key policy
to give the OAC permission to use the KMS key.
```ts
import * as kms from 'aws-cdk-lib/aws-kms';
const myKmsKey = new kms.Key(this, 'myKMSKey');
const myBucket = new s3.Bucket(this, 'mySSEKMSEncryptedBucket', {
encryption: s3.BucketEncryption.KMS,
encryptionKey: myKmsKey,
objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,
});
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: {
origin: origins.S3BucketOrigin.withOriginAccessControl(myBucket) // Automatically grants Distribution access to `myKmsKey`
},
});
```
##### Scoping down the key policy
I saw this warning message during synth time. What do I do?
```text
To avoid a circular dependency between the KMS key, Bucket, and Distribution during the initial deployment, a wildcard is used in the Key policy condition to match all Distribution IDs.
After deploying once, it is strongly recommended to further scope down the policy for best security practices by following the guidance in the "Using OAC for a SSE-KMS encrypted S3 origin" section in the module README.
```
If the S3 bucket has an `encryptionKey` defined, `S3BucketOrigin.withOriginAccessControl()`
will automatically add the following policy statement to the KMS key policy to allow CloudFront read-only access (unless otherwise specified in the `originAccessLevels` property).
```json
{
"Statement": {
"Effect": "Allow",
"Principal": {
"Service": "cloudfront.amazonaws.com"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:cloudfront::<account ID>:distribution/*"
}
}
}
}
```
This policy uses a wildcard to match all distribution IDs in the account instead of referencing the specific distribution ID to resolve the circular dependency. The policy statement is not as scoped down as the example in the AWS CloudFront docs (see [SSE-KMS section](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#create-oac-overview-s3)).
After you have deployed the Distribution, you should follow these steps to only grant permissions to the specific distribution according to AWS best practices:
**Step 1.** Copy the key policy
**Step 2.** Use an escape hatch to update the policy statement condition so that
```json
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:cloudfront::<account ID>:distribution/*"
}
}
```
...becomes...
```json
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
}
}
```
> Note the change of condition operator from `ArnLike` to `StringEquals` in addition to replacing the wildcard (`*`) with the distribution ID.
To set the key policy using an escape hatch:
```ts
import * as kms from 'aws-cdk-lib/aws-kms';
const kmsKey = new kms.Key(this, 'myKMSKey');
const myBucket = new s3.Bucket(this, 'mySSEKMSEncryptedBucket', {
encryption: s3.BucketEncryption.KMS,
encryptionKey: kmsKey,
objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,
});
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: {
origin: origins.S3BucketOrigin.withOriginAccessControl(myBucket)
},
});
// Add the following to scope down the key policy
const scopedDownKeyPolicy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"Service": "cloudfront.amazonaws.com"
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
}
}
}
]
};
const cfnKey = (kmsKey.node.defaultChild as kms.CfnKey);
cfnKey.keyPolicy = scopedDownKeyPolicy;
```
**Step 3.** Deploy the stack
> Tip: Run `cdk diff` before deploying to verify the
changes to your stack.
**Step 4.** Verify your final key policy includes the following statement after deploying:
```json
{
"Effect": "Allow",
"Principal": {
"Service": [
"cloudfront.amazonaws.com"
]
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
}
}
}
```
##### Updating imported key policies
If you are using an imported KMS key to encrypt your S3 bucket and want to use OAC, you will need to update the
key policy manually to allow CloudFront to use the key. Like most imported resources, CDK apps cannot modify the configuration of imported keys.
After deploying the distribution, add the following policy statement to your key policy to allow CloudFront OAC to access your KMS key for SSE-KMS:
```json
{
"Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudfront.amazonaws.com"
]
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
}
}
}
```
See CloudFront docs on [SSE-KMS](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#create-oac-overview-s3) for more details.
#### Setting up OAC with imported S3 buckets
If you are using an imported bucket for your S3 Origin and want to use OAC,
you will need to update
the S3 bucket policy manually to allow the OAC to access the S3 origin. Like most imported resources, CDK apps cannot modify the configuration of imported buckets.
After deploying the distribution, add the following
policy statement to your
S3 bucket to allow CloudFront read-only access
(or additional S3 permissions as required):
```json
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {
"Service": "cloudfront.amazonaws.com"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<S3 bucket name>/*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
}
}
}
}
```
See CloudFront docs on [Giving the origin access control permission to access the S3 bucket](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#create-oac-overview-s3) for more details.
> Note: If your bucket previously used OAI, you will need to manually remove the policy statement
that gives the OAI access to your bucket after setting up OAC.
#### Setting up OAC with LIST permission
By default, S3 origin returns 403 Forbidden HTTP response when the requested object does not exist.
When you want to receive 404 Not Found, specify `AccessLevel.LIST` in `originAccessLevels` to add `s3:ListBucket` permission in the bucket policy.
This is useful to distinguish between responses blocked by WAF (403) and responses where the file does not exist (404).
``` ts
const myBucket = new s3.Bucket(this, 'myBucket');
const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(myBucket, {
originAccessLevels: [cloudfront.AccessLevel.READ, cloudfront.AccessLevel.LIST],
});
new cloudfront.Distribution(this, 'distribution', {
defaultBehavior: {
origin: s3Origin,
},
defaultRootObject: 'index.html', // recommended to specify
});
```
When the origin is associated to the default behavior, it is highly recommended to specify `defaultRootObject` distribution property.
Without it, the root path `https://xxxx.cloudfront.net/` will return the list of the S3 object keys.
#### Setting up an OAI (legacy)
Setup an S3 origin with origin access identity (legacy) as follows:
```ts
const myBucket = new s3.Bucket(this, 'myBucket');
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: {
origin: origins.S3BucketOrigin.withOriginAccessIdentity(myBucket) // Automatically creates an OAI
},
});
```
You can also pass in a custom S3 origin access identity:
```ts
const myBucket = new s3.Bucket(this, 'myBucket');
const myOai = new cloudfront.OriginAccessIdentity(this, 'myOAI', {
comment: 'My custom OAI'
});
const s3Origin = origins.S3BucketOrigin.withOriginAccessIdentity(myBucket, {
originAccessIdentity: myOai
});
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: {
origin: s3Origin
},
});
```
#### Setting up OAI with imported S3 buckets (legacy)
If you are using an imported bucket for your S3 Origin and want to use OAI,
you will need to update
the S3 bucket policy manually to allow the OAI to access the S3 origin. Like most imported resources, CDK apps cannot modify the configuration of imported buckets.
Add the following
policy statement to your
S3 bucket to allow the OAI read access:
```json
{
"Version": "2012-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <origin access identity ID>"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<S3 bucket name>/*"
}
]
}
```
See AWS docs on [Giving an origin access identity permission to read files in the Amazon S3 bucket](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-restricting-access-to-s3-oai) for more details.
### Setting up a S3 origin with no origin access control
To setup a standard S3 origin with no access control (no OAI nor OAC), use `origins.S3BucketOrigin.withBucketDefaults()`:
```ts
const myBucket = new s3.Bucket(this, 'myBucket');
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: {
origin: origins.S3BucketOrigin.withBucketDefaults(myBucket)
},
});
```
### Migrating from OAI to OAC
If you are currently using OAI for your S3 origin and wish to migrate to OAC,
replace the `S3Origin` construct (deprecated) with `S3BucketOrigin.withOriginAccessControl()` which automatically
creates and sets up an OAC for you.
Existing setup using OAI and `S3Origin`:
```ts
const myBucket = new s3.Bucket(this, 'myBucket');
const s3Origin = new origins.S3Origin(myBucket);
const distribution = new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: { origin: s3Origin },
});
```
**Step 1:**
To ensure CloudFront doesn't lose access to the bucket during the transition, add a statement to bucket policy to grant OAC access to the S3 origin. Deploy the stack. If you are okay with downtime during the transition, you can skip this step.
> Tip: Run `cdk diff` before deploying to verify the
changes to your stack.
```ts
import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
const stack = new Stack();
const myBucket = new s3.Bucket(this, 'myBucket');
const s3Origin = new origins.S3Origin(myBucket);
const distribution = new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: { origin: s3Origin },
});
// Construct the bucket policy statement
const distributionArn = stack.formatArn(
{
service: 'cloudfront',
region: '',
resource: 'distribution',
resourceName: distribution.distributionId,
arnFormat: cdk.ArnFormat.SLASH_RESOURCE_NAME
}
);
const cloudfrontSP = new iam.ServicePrincipal('cloudfront.amazonaws.com');
const oacBucketPolicyStatement = new iam.PolicyStatement(
{
effect: iam.Effect.ALLOW,
principals: [cloudfrontSP],
actions: ['s3:GetObject'],
resources: [myBucket.arnForObjects('*')],
conditions: {
"StringEquals": {
"AWS:SourceArn": distributionArn
}
}
}
)
// Add statement to bucket policy
myBucket.addToResourcePolicy(oacBucketPolicyStatement);
```
The following changes will take place:
1. The bucket policy will be modified to grant the CloudFront distribution access. At this point the bucket policy allows both an OAI and an OAC to access the S3 origin.
**Step 2:**
Replace `S3Origin` with `S3BucketOrigin.withOriginAccessControl()`, which creates an OAC and attaches it to the distribution. You can remove the code from Step 1 which updated the bucket policy, as `S3BucketOrigin.withOriginAccessControl()` updates the bucket policy automatically with the same statement when defined in the `Distribution` (no net difference).
Run `cdk diff` before deploying to verify the changes to your stack.
```ts
const bucket = new s3.Bucket(this, 'Bucket');
const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(bucket);
const distribution = new cloudfront.Distribution(this, 'Distribution', {
defaultBehavior: { origin: s3Origin },
});
```
The following changes will take place:
1. A `AWS::CloudFront::OriginAccessControl` resource will be created.
2. The `Origin` property of the `AWS::CloudFront::Distribution` will set [`OriginAccessControlId`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-origin.html#cfn-cloudfront-distribution-origin-originaccesscontrolid) to the OAC ID after it is created. It will also set [`S3OriginConfig`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-s3originconfig.html#aws-properties-cloudfront-distribution-s3originconfig-properties) to `{"OriginAccessIdentity": ""}`, which deletes the origin access identity from the existing distribution.
3. The `AWS::CloudFront::CloudFrontOriginAccessIdentity` resource will be deleted.
**Will migrating from OAI to OAC cause any resource replacement?**
No, following the migration steps does not cause any replacement of the existing `AWS::CloudFront::Distribution`, `AWS::S3::Bucket` nor `AWS::S3::BucketPolicy` resources. It will modify the bucket policy, create a `AWS::CloudFront::OriginAccessControl` resource, and delete the existing `AWS::CloudFront::CloudFrontOriginAccessIdentity`.
**Will migrating from OAI to OAC have any availability implications for my application?**
Updates to bucket policies are eventually consistent. Therefore, removing OAI permissions and setting up OAC in the same CloudFormation stack deployment is not recommended as it may cause downtime where CloudFront loses access to the bucket. Following the steps outlined above lowers the risk of downtime as the bucket policy is updated to have both OAI and OAC permissions, then in a subsequent deployment, the OAI permissions are removed.
For more information, see [Migrating from origin access identity (OAI) to origin access control (OAC)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#migrate-from-oai-to-oac).
### Adding Custom Headers
You can configure CloudFront to add custom headers to the requests that it sends to your origin. These custom headers enable you to send and gather information from your origin that you dont get with typical viewer requests. These headers can even be customized for each origin. CloudFront supports custom headers for both for custom and Amazon S3 origins.
```ts
const myBucket = new s3.Bucket(this, 'myBucket');
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: { origin: origins.S3BucketOrigin.withOriginAccessControl(myBucket, {
customHeaders: {
Foo: 'bar',
},
})},
});
```
## ELBv2 Load Balancer
An Elastic Load Balancing (ELB) v2 load balancer may be used as an origin. In order for a load balancer to serve as an origin, it must be publicly
accessible (`internetFacing` is true). Both Application and Network load balancers are supported.
```ts
declare const vpc: ec2.Vpc;
// Create an application load balancer in a VPC. 'internetFacing' must be 'true'
// for CloudFront to access the load balancer and use it as an origin.
const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', {
vpc,
internetFacing: true,
});
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: { origin: new origins.LoadBalancerV2Origin(lb) },
});
```
The origin can also be customized to respond on different ports, have different connection properties, etc.
```ts
declare const loadBalancer: elbv2.ApplicationLoadBalancer;
const origin = new origins.LoadBalancerV2Origin(loadBalancer, {
connectionAttempts: 3,
connectionTimeout: Duration.seconds(5),
readTimeout: Duration.seconds(45),
responseCompletionTimeout: Duration.seconds(120),
keepaliveTimeout: Duration.seconds(45),
protocolPolicy: cloudfront.OriginProtocolPolicy.MATCH_VIEWER,
});
```
Note that the `readTimeout` and `keepaliveTimeout` properties can extend their values over 60 seconds only if a limit increase request for CloudFront origin response timeout
quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Consider that this value is
still limited to a maximum value of 180 seconds, which is a hard limit for that quota.
## From an HTTP endpoint
Origins can also be created from any other HTTP endpoint, given the domain name, and optionally, other origin properties.
```ts
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: { origin: new origins.HttpOrigin('www.example.com') },
});
```
You can specify the IP address type for connecting to the origin:
```ts
const origin = new origins.HttpOrigin('www.example.com', {
ipAddressType: cloudfront.OriginIpAddressType.IPV6, // IPv4, IPv6, or DUALSTACK
});
new cloudfront.Distribution(this, 'Distribution', {
defaultBehavior: { origin },
});
```
The `ipAddressType` property allows you to specify whether CloudFront should use IPv4, IPv6, or both (dual-stack) when connecting to your origin.
The origin can be customized with timeout settings to handle different response scenarios:
```ts
new cloudfront.Distribution(this, 'Distribution', {
defaultBehavior: {
origin: new origins.HttpOrigin('api.example.com', {
readTimeout: Duration.seconds(60),
responseCompletionTimeout: Duration.seconds(120),
keepaliveTimeout: Duration.seconds(45),
}),
},
});
```
The `responseCompletionTimeout` property specifies the time that a request from CloudFront to the origin can stay open and wait for a response. If the complete response isn't received from the origin by this time, CloudFront ends the connection. Valid values are 1-3600 seconds, and if set, the value must be equal to or greater than the `readTimeout` value.
See the documentation of `aws-cdk-lib/aws-cloudfront` for more information.
## VPC origins
You can use CloudFront to deliver content from applications that are hosted in your virtual private cloud (VPC) private subnets.
You can use Application Load Balancers (ALBs), Network Load Balancers (NLBs), and EC2 instances in private subnets as VPC origins.
Learn more about [Restrict access with VPC origins](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html).
### From an Application Load Balancer
An Application Load Balancer (ALB) can be used as a VPC origin.
It is not needed to be publicly accessible.
``` ts
// Creates a distribution from an Application Load Balancer
declare const vpc: ec2.Vpc;
// Create an application load balancer in a VPC. 'internetFacing' can be 'false'.
const alb = new elbv2.ApplicationLoadBalancer(this, 'ALB', {
vpc,
internetFacing: false,
vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
});
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: { origin: origins.VpcOrigin.withApplicationLoadBalancer(alb) },
});
```
### From a Network Load Balancer
A Network Load Balancer (NLB) can also be use as a VPC origin.
It is not needed to be publicly accessible.
- A Network Load Balancer must have a security group attached to it.
- Dual-stack Network Load Balancers and Network Load Balancers with TLS listeners can't be added as origins.
``` ts
// Creates a distribution from a Network Load Balancer
declare const vpc: ec2.Vpc;
// Create a network load balancer in a VPC. 'internetFacing' can be 'false'.
const nlb = new elbv2.NetworkLoadBalancer(this, 'NLB', {
vpc,
internetFacing: false,
vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
securityGroups: [new ec2.SecurityGroup(this, 'NLB-SG', { vpc })],
});
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: { origin: origins.VpcOrigin.withNetworkLoadBalancer(nlb) },
});
```
### From an EC2 instance
An EC2 instance can also be used directly as a VPC origin.
It can be in a private subnet.
``` ts
// Creates a distribution from an EC2 instance
declare const vpc: ec2.Vpc;
// Create an EC2 instance in a VPC. 'subnetType' can be private.
const instance = new ec2.Instance(this, 'Instance', {
vpc,
instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.MICRO),
machineImage: ec2.MachineImage.latestAmazonLinux2023(),
vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
});
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: { origin: origins.VpcOrigin.withEc2Instance(instance) },
});
```
### Restrict traffic coming to the VPC origin
You may need to update the security group for your VPC private origin (Application Load Balancer, Network Load Balancer, or EC2 instance) to explicitly allow the traffic from your VPC origins.
#### The CloudFront managed prefix list
You can allow the traffic from the CloudFront managed prefix list named **com.amazonaws.global.cloudfront.origin-facing**. For more information, see [Use an AWS-managed prefix list](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html#use-aws-managed-prefix-list).
``` ts
declare const alb: elbv2.ApplicationLoadBalancer;
const cfOriginFacing = ec2.PrefixList.fromLookup(this, 'CloudFrontOriginFacing', {
prefixListName: 'com.amazonaws.global.cloudfront.origin-facing',
});
alb.connections.allowFrom(cfOriginFacing, ec2.Port.HTTP);
```
#### The VPC origin service security group
VPC origin will create a security group named `CloudFront-VPCOrigins-Service-SG`.
It can be further restricted to allow only traffic from your VPC origins.
The id of the security group is not provided by CloudFormation currently.
You can retrieve it dynamically using a custom resource.
``` ts
import * as cr from 'aws-cdk-lib/custom-resources';
declare const vpc: ec2.Vpc;
declare const distribution: cloudfront.Distribution;
declare const alb: elbv2.ApplicationLoadBalancer;
// Call ec2:DescribeSecurityGroups API to retrieve the VPC origins security group.
const getSg = new cr.AwsCustomResource(this, 'GetSecurityGroup', {
onCreate: {
service: 'ec2',
action: 'describeSecurityGroups',
parameters: {
Filters: [
{ Name: 'vpc-id', Values: [vpc.vpcId] },
{ Name: 'group-name', Values: ['CloudFront-VPCOrigins-Service-SG'] },
],
},
physicalResourceId: cr.PhysicalResourceId.of('CloudFront-VPCOrigins-Service-SG'),
},
policy: cr.AwsCustomResourcePolicy.fromSdkCalls({ resources: ['*'] }),
});
// The security group may be available after the distributon is deployed
getSg.node.addDependency(distribution);
const sgVpcOrigins = ec2.SecurityGroup.fromSecurityGroupId(
this,
'VpcOriginsSecurityGroup',
getSg.getResponseField('SecurityGroups.0.GroupId'),
);
// Allow connections from the security group
alb.connections.allowFrom(sgVpcOrigins, ec2.Port.HTTP);
```
## Failover Origins (Origin Groups)
You can set up CloudFront with origin failover for scenarios that require high availability.
To get started, you create an origin group with two origins: a primary and a secondary.
If the primary origin is unavailable, or returns specific HTTP response status codes that indicate a failure,
CloudFront automatically switches to the secondary origin.
You achieve that behavior in the CDK using the `OriginGroup` class:
```ts
const myBucket = new s3.Bucket(this, 'myBucket');
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: {
origin: new origins.OriginGroup({
primaryOrigin: origins.S3BucketOrigin.withOriginAccessControl(myBucket),
fallbackOrigin: new origins.HttpOrigin('www.example.com'),
// optional, defaults to: 500, 502, 503 and 504
fallbackStatusCodes: [404],
}),
},
});
```
### Selection Criteria: Media Quality Based with AWS Elemental MediaPackageV2
You can setup your origin group to be configured for media quality based failover with your AWS Elemental MediaPackageV2 endpoints.
You can achieve this behavior in the CDK, again using the `OriginGroup` class:
```ts
new cloudfront.Distribution(this, 'myDist', {
defaultBehavior: {
origin: new origins.OriginGroup({
primaryOrigin: new origins.HttpOrigin("<AWS Elemental MediaPackageV2 origin 1>"),
fallbackOrigin: new origins.HttpOrigin("<AWS Elemental MediaPackageV2 origin 2>"),
fallbackStatusCodes: [404],
selectionCriteria: cloudfront.OriginSelectionCriteria.MEDIA_QUALITY_BASED,
}),
},
});
```
## From an API Gateway REST API
Origins can be created from an API Gateway REST API. It is recommended to use a
[regional API](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-endpoint-types.html) in this case. The origin path will automatically be set as the stage name.
```ts
declare const api: apigateway.RestApi;
new cloudfront.Distribution(this, 'Distribution', {
defaultBehavior: { origin: new origins.RestApiOrigin(api) },
});
```
If you want to use a different origin path, you can specify it in the `originPath` property.
```ts
declare const api: apigateway.RestApi;
new cloudfront.Distribution(this, 'Distribution', {
defaultBehavior: { origin: new origins.RestApiOrigin(api, { originPath: '/custom-origin-path' }) },
});
```
## From a Lambda Function URL
Lambda Function URLs enable direct invocation of Lambda functions via HTTP(S), without intermediaries. They can be set as CloudFront origins for streamlined function execution behind a CDN, leveraging caching and custom domains.
```ts
import * as lambda from 'aws-cdk-lib/aws-lambda';
declare const fn: lambda.Function;
const fnUrl = fn.addFunctionUrl({ authType: lambda.FunctionUrlAuthType.NONE });
new cloudfront.Distribution(this, 'Distribution', {
defaultBehavior: { origin: new origins.FunctionUrlOrigin(fnUrl) },
});
```
You can also configure timeout settings for Lambda Function URL origins:
```ts
import * as lambda from 'aws-cdk-lib/aws-lambda';
declare const fn: lambda.Function;
const fnUrl = fn.addFunctionUrl({ authType: lambda.FunctionUrlAuthType.NONE });
new cloudfront.Distribution(this, 'Distribution', {
defaultBehavior: {
origin: new origins.FunctionUrlOrigin(fnUrl, {
readTimeout: Duration.seconds(30),
responseCompletionTimeout: Duration.seconds(90),
keepaliveTimeout: Duration.seconds(45),
}),
},
});
```
### Configuring IP Address Type
You can specify which IP protocol CloudFront uses when connecting to your Lambda Function URL origin. By default, CloudFront uses IPv4 only.
```ts
import * as lambda from 'aws-cdk-lib/aws-lambda';
import { OriginIpAddressType } from 'aws-cdk-lib/aws-cloudfront';
declare const fn: lambda.Function;
const fnUrl = fn.addFunctionUrl({ authType: lambda.FunctionUrlAuthType.NONE });
// Uses default IPv4 only
new cloudfront.Distribution(this, 'Distribution', {
defaultBehavior: {
origin: new origins.FunctionUrlOrigin(fnUrl)
},
});
// Explicitly specify IP address type
new cloudfront.Distribution(this, 'Distribution', {
defaultBehavior: {
origin: new origins.FunctionUrlOrigin(fnUrl, {
ipAddressType: OriginIpAddressType.DUALSTACK, // Use both IPv4 and IPv6
})
},
});
```
Supported values for `ipAddressType`:
- `OriginIpAddressType.IPV4` - CloudFront uses IPv4 only to connect to the origin (default)
- `OriginIpAddressType.IPV6` - CloudFront uses IPv6 only to connect to the origin
- `OriginIpAddressType.DUALSTACK` - CloudFront uses both IPv4 and IPv6 to connect to the origin
### Lambda Function URL with Origin Access Control (OAC)
You can configure the Lambda Function URL with Origin Access Control (OAC) for enhanced security. When using OAC with Signing SIGV4_ALWAYS, it is recommended to set the Lambda Function URL authType to AWS_IAM to ensure proper authorization.
```ts
import * as lambda from 'aws-cdk-lib/aws-lambda';
declare const fn: lambda.Function;
const fnUrl = fn.addFunctionUrl({
authType: lambda.FunctionUrlAuthType.AWS_IAM,
});
new cloudfront.Distribution(this, 'MyDistribution', {
defaultBehavior: {
origin: origins.FunctionUrlOrigin.withOriginAccessControl(fnUrl),
},
});
```
If you want to explicitly add OAC for more customized access control, you can use the originAccessControl option as shown below.
```ts
import * as lambda from 'aws-cdk-lib/aws-lambda';
declare const fn: lambda.Function;
const fnUrl = fn.addFunctionUrl({
authType: lambda.FunctionUrlAuthType.AWS_IAM,
});
// Define a custom OAC
const oac = new cloudfront.FunctionUrlOriginAccessControl(this, 'MyOAC', {
originAccessControlName: 'CustomLambdaOAC',
signing: cloudfront.Signing.SIGV4_ALWAYS,
});
// Set up Lambda Function URL with OAC in CloudFront Distribution
new cloudfront.Distribution(this, 'MyDistribution', {
defaultBehavior: {
origin: origins.FunctionUrlOrigin.withOriginAccessControl(fnUrl, {
originAccessControl: oac,
}),
},
});
```

1
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1 @@
export * from './lib';

1
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/index.js generated vendored Normal file
View File

@@ -0,0 +1 @@
"use strict";var __createBinding=exports&&exports.__createBinding||(Object.create?(function(o,m,k,k2){k2===void 0&&(k2=k);var desc=Object.getOwnPropertyDescriptor(m,k);(!desc||("get"in desc?!m.__esModule:desc.writable||desc.configurable))&&(desc={enumerable:!0,get:function(){return m[k]}}),Object.defineProperty(o,k2,desc)}):(function(o,m,k,k2){k2===void 0&&(k2=k),o[k2]=m[k]})),__exportStar=exports&&exports.__exportStar||function(m,exports2){for(var p in m)p!=="default"&&!Object.prototype.hasOwnProperty.call(exports2,p)&&__createBinding(exports2,m,p)};Object.defineProperty(exports,"__esModule",{value:!0});var _noFold;exports.FunctionUrlOrigin=void 0,Object.defineProperty(exports,_noFold="FunctionUrlOrigin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./lib").FunctionUrlOrigin;return Object.defineProperty(exports,_noFold="FunctionUrlOrigin",{enumerable:!0,configurable:!0,value}),value}}),exports.HttpOrigin=void 0,Object.defineProperty(exports,_noFold="HttpOrigin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./lib").HttpOrigin;return Object.defineProperty(exports,_noFold="HttpOrigin",{enumerable:!0,configurable:!0,value}),value}}),exports.LoadBalancerV2Origin=void 0,Object.defineProperty(exports,_noFold="LoadBalancerV2Origin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./lib").LoadBalancerV2Origin;return Object.defineProperty(exports,_noFold="LoadBalancerV2Origin",{enumerable:!0,configurable:!0,value}),value}}),exports.S3Origin=void 0,Object.defineProperty(exports,_noFold="S3Origin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./lib").S3Origin;return Object.defineProperty(exports,_noFold="S3Origin",{enumerable:!0,configurable:!0,value}),value}}),exports.OriginGroup=void 0,Object.defineProperty(exports,_noFold="OriginGroup",{enumerable:!0,configurable:!0,get:()=>{var value=require("./lib").OriginGroup;return Object.defineProperty(exports,_noFold="OriginGroup",{enumerable:!0,configurable:!0,value}),value}}),exports.RestApiOrigin=void 0,Object.defineProperty(exports,_noFold="RestApiOrigin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./lib").RestApiOrigin;return Object.defineProperty(exports,_noFold="RestApiOrigin",{enumerable:!0,configurable:!0,value}),value}}),exports.S3StaticWebsiteOrigin=void 0,Object.defineProperty(exports,_noFold="S3StaticWebsiteOrigin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./lib").S3StaticWebsiteOrigin;return Object.defineProperty(exports,_noFold="S3StaticWebsiteOrigin",{enumerable:!0,configurable:!0,value}),value}}),exports.S3BucketOrigin=void 0,Object.defineProperty(exports,_noFold="S3BucketOrigin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./lib").S3BucketOrigin;return Object.defineProperty(exports,_noFold="S3BucketOrigin",{enumerable:!0,configurable:!0,value}),value}}),exports.VpcOrigin=void 0,Object.defineProperty(exports,_noFold="VpcOrigin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./lib").VpcOrigin;return Object.defineProperty(exports,_noFold="VpcOrigin",{enumerable:!0,configurable:!0,value}),value}});

65
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/function-url-origin.d.ts generated vendored Normal file
View File

@@ -0,0 +1,65 @@
import * as cloudfront from '../../aws-cloudfront';
import type { OriginIpAddressType } from '../../aws-cloudfront';
import * as lambda from '../../aws-lambda';
import * as cdk from '../../core';
/**
* Properties for a Lambda Function URL Origin.
*/
export interface FunctionUrlOriginProps extends cloudfront.OriginProps {
/**
* Specifies how long, in seconds, CloudFront waits for a response from the origin.
* The valid range is from 1 to 180 seconds, inclusive.
*
* Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
* has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
*
* @default Duration.seconds(30)
*/
readonly readTimeout?: cdk.Duration;
/**
* Specifies how long, in seconds, CloudFront persists its connection to the origin.
* The valid range is from 1 to 180 seconds, inclusive.
*
* Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
* has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
*
* @default Duration.seconds(5)
*/
readonly keepaliveTimeout?: cdk.Duration;
/**
* Specifies which IP protocol CloudFront uses when connecting to your origin.
*
* If your origin uses both IPv4 and IPv6 protocols, you can choose dualstack to help optimize reliability.
*
* @default OriginIpAddressType.IPV4
*/
readonly ipAddressType?: OriginIpAddressType;
}
/**
* Properties for configuring a origin using a standard Lambda Functions URLs.
*/
export interface FunctionUrlOriginBaseProps extends cloudfront.OriginProps {
}
/**
* Properties for configuring a Lambda Functions URLs with OAC.
*/
export interface FunctionUrlOriginWithOACProps extends FunctionUrlOriginProps {
/**
* An optional Origin Access Control
*
* @default - an Origin Access Control will be created.
*/
readonly originAccessControl?: cloudfront.IOriginAccessControlRef;
}
/**
* An Origin for a Lambda Function URL.
*/
export declare class FunctionUrlOrigin extends cloudfront.OriginBase {
private readonly props;
/**
* Create a Lambda Function URL Origin with Origin Access Control (OAC) configured
*/
static withOriginAccessControl(lambdaFunctionUrl: lambda.IFunctionUrl, props?: FunctionUrlOriginWithOACProps): cloudfront.IOrigin;
constructor(lambdaFunctionUrl: lambda.IFunctionUrl, props?: FunctionUrlOriginProps);
protected renderCustomOriginConfig(): cloudfront.CfnDistribution.CustomOriginConfigProperty | undefined;
}

1
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/function-url-origin.js generated vendored Normal file
View File

@@ -0,0 +1 @@
"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.FunctionUrlOrigin=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var utils_1=()=>{var tmp=require("./private/utils");return utils_1=()=>tmp,tmp},cloudfront=()=>{var tmp=require("../../aws-cloudfront");return cloudfront=()=>tmp,tmp},lambda=()=>{var tmp=require("../../aws-lambda");return lambda=()=>tmp,tmp},cdk=()=>{var tmp=require("../../core");return cdk=()=>tmp,tmp},literal_string_1=()=>{var tmp=require("../../core/lib/private/literal-string");return literal_string_1=()=>tmp,tmp};class FunctionUrlOrigin extends cloudfront().OriginBase{props;static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_cloudfront_origins.FunctionUrlOrigin",version:"2.252.0"};static withOriginAccessControl(lambdaFunctionUrl,props){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_lambda_IFunctionUrl(lambdaFunctionUrl),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_FunctionUrlOriginWithOACProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.withOriginAccessControl),error}return new FunctionUrlOriginWithOAC(lambdaFunctionUrl,props)}constructor(lambdaFunctionUrl,props={}){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_lambda_IFunctionUrl(lambdaFunctionUrl),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_FunctionUrlOriginProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,FunctionUrlOrigin),error}const domainName=cdk().Fn.select(2,cdk().Fn.split("/",lambdaFunctionUrl.url));super(domainName,props),this.props=props,(0,utils_1().validateSecondsInRangeOrUndefined)("readTimeout",1,180,props.readTimeout),(0,utils_1().validateSecondsInRangeOrUndefined)("keepaliveTimeout",1,180,props.keepaliveTimeout),this.validateResponseCompletionTimeoutWithReadTimeout(props.responseCompletionTimeout,props.readTimeout)}renderCustomOriginConfig(){return{originSslProtocols:[cloudfront().OriginSslPolicy.TLS_V1_2],originProtocolPolicy:cloudfront().OriginProtocolPolicy.HTTPS_ONLY,originReadTimeout:this.props.readTimeout?.toSeconds(),originKeepaliveTimeout:this.props.keepaliveTimeout?.toSeconds(),ipAddressType:this.props.ipAddressType}}}exports.FunctionUrlOrigin=FunctionUrlOrigin;class FunctionUrlOriginWithOAC extends cloudfront().OriginBase{originAccessControl;functionUrl;props;constructor(lambdaFunctionUrl,props={}){const domainName=cdk().Fn.select(2,cdk().Fn.split("/",lambdaFunctionUrl.url));super(domainName,props),this.functionUrl=lambdaFunctionUrl,this.originAccessControl=props?.originAccessControl,this.props=props,(0,utils_1().validateSecondsInRangeOrUndefined)("readTimeout",1,180,props.readTimeout),(0,utils_1().validateSecondsInRangeOrUndefined)("keepaliveTimeout",1,180,props.keepaliveTimeout)}renderCustomOriginConfig(){return{originSslProtocols:[cloudfront().OriginSslPolicy.TLS_V1_2],originProtocolPolicy:cloudfront().OriginProtocolPolicy.HTTPS_ONLY,originReadTimeout:this.props.readTimeout?.toSeconds(),originKeepaliveTimeout:this.props.keepaliveTimeout?.toSeconds(),ipAddressType:this.props.ipAddressType}}bind(scope,options){const originBindConfig=super.bind(scope,options);return this.originAccessControl||(this.originAccessControl=new(cloudfront()).FunctionUrlOriginAccessControl(scope,"FunctionUrlOriginAccessControl")),this.validateAuthType(scope),this.addInvokePermission(scope,options),{...originBindConfig,originProperty:{...originBindConfig.originProperty,originAccessControlId:this.originAccessControl?.originAccessControlRef.originAccessControlId}}}addInvokePermission(scope,options){const distributionId=options.distributionId;new(lambda()).CfnPermission(scope,`InvokeFromApiFor${options.originId}`,{principal:"cloudfront.amazonaws.com",action:"lambda:InvokeFunctionUrl",functionName:this.functionUrl.functionArn,sourceArn:`arn:${cdk().Aws.PARTITION}:cloudfront::${cdk().Aws.ACCOUNT_ID}:distribution/${distributionId}`})}validateAuthType(scope){const originAccessControlConfig=(this.originAccessControl?.node.children.find(child=>child instanceof cloudfront().CfnOriginAccessControl)).originAccessControlConfig,isAlwaysSigning=originAccessControlConfig.signingBehavior===cloudfront().SigningBehavior.ALWAYS&&originAccessControlConfig.signingProtocol===cloudfront().SigningProtocol.SIGV4,isAuthTypeIsNone=this.functionUrl.authType!==lambda().FunctionUrlAuthType.AWS_IAM;if(isAlwaysSigning&&isAuthTypeIsNone)throw new(cdk()).ValidationError((0,literal_string_1().lit)`FunctionUrlAuthTypeMustBeAwsIam`,"The authType of the Function URL must be set to AWS_IAM when origin access control signing method is SIGV4_ALWAYS.",scope)}}

67
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/http-origin.d.ts generated vendored Normal file
View File

@@ -0,0 +1,67 @@
import * as cloudfront from '../../aws-cloudfront';
import type * as cdk from '../../core';
/**
* Properties for an Origin backed by an S3 website-configured bucket, load balancer, or custom HTTP server.
*/
export interface HttpOriginProps extends cloudfront.OriginProps {
/**
* Specifies the protocol (HTTP or HTTPS) that CloudFront uses to connect to the origin.
*
* @default OriginProtocolPolicy.HTTPS_ONLY
*/
readonly protocolPolicy?: cloudfront.OriginProtocolPolicy;
/**
* The SSL versions to use when interacting with the origin.
*
* @default OriginSslPolicy.TLS_V1_2
*/
readonly originSslProtocols?: cloudfront.OriginSslPolicy[];
/**
* The HTTP port that CloudFront uses to connect to the origin.
*
* @default 80
*/
readonly httpPort?: number;
/**
* The HTTPS port that CloudFront uses to connect to the origin.
*
* @default 443
*/
readonly httpsPort?: number;
/**
* Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout.
* The valid range is from 1 to 180 seconds, inclusive.
*
* Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
* has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
*
* @default Duration.seconds(30)
*/
readonly readTimeout?: cdk.Duration;
/**
* Specifies how long, in seconds, CloudFront persists its connection to the origin.
* The valid range is from 1 to 180 seconds, inclusive.
*
* Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
* has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
*
* @default Duration.seconds(5)
*/
readonly keepaliveTimeout?: cdk.Duration;
/**
* Specifies which IP protocol CloudFront uses when connecting to your origin.
*
* If your origin uses both IPv4 and IPv6 protocols, you can choose dualstack to help optimize reliability.
*
* @default undefined - AWS Cloudfront default is IPv4
*/
readonly ipAddressType?: cloudfront.OriginIpAddressType;
}
/**
* An Origin for an HTTP server or S3 bucket configured for website hosting.
*/
export declare class HttpOrigin extends cloudfront.OriginBase {
private readonly props;
constructor(domainName: string, props?: HttpOriginProps);
protected renderCustomOriginConfig(): cloudfront.CfnDistribution.CustomOriginConfigProperty | undefined;
}

1
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/http-origin.js generated vendored Normal file
View File

@@ -0,0 +1 @@
"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.HttpOrigin=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var utils_1=()=>{var tmp=require("./private/utils");return utils_1=()=>tmp,tmp},cloudfront=()=>{var tmp=require("../../aws-cloudfront");return cloudfront=()=>tmp,tmp};class HttpOrigin extends cloudfront().OriginBase{props;static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_cloudfront_origins.HttpOrigin",version:"2.252.0"};constructor(domainName,props={}){super(domainName,props),this.props=props;try{jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_HttpOriginProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,HttpOrigin),error}(0,utils_1().validateSecondsInRangeOrUndefined)("readTimeout",1,180,props.readTimeout),(0,utils_1().validateSecondsInRangeOrUndefined)("keepaliveTimeout",1,180,props.keepaliveTimeout),this.validateResponseCompletionTimeoutWithReadTimeout(props.responseCompletionTimeout,props.readTimeout)}renderCustomOriginConfig(){return{originSslProtocols:this.props.originSslProtocols??[cloudfront().OriginSslPolicy.TLS_V1_2],originProtocolPolicy:this.props.protocolPolicy??cloudfront().OriginProtocolPolicy.HTTPS_ONLY,httpPort:this.props.httpPort,httpsPort:this.props.httpsPort,originReadTimeout:this.props.readTimeout?.toSeconds(),originKeepaliveTimeout:this.props.keepaliveTimeout?.toSeconds(),ipAddressType:this.props.ipAddressType}}}exports.HttpOrigin=HttpOrigin;

9
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,9 @@
export * from './function-url-origin';
export * from './http-origin';
export * from './load-balancer-origin';
export * from './s3-origin';
export * from './origin-group';
export * from './rest-api-origin';
export * from './s3-static-website-origin';
export * from './s3-bucket-origin';
export * from './vpc-origin';

1
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/index.js generated vendored Normal file
View File

@@ -0,0 +1 @@
"use strict";var __createBinding=exports&&exports.__createBinding||(Object.create?(function(o,m,k,k2){k2===void 0&&(k2=k);var desc=Object.getOwnPropertyDescriptor(m,k);(!desc||("get"in desc?!m.__esModule:desc.writable||desc.configurable))&&(desc={enumerable:!0,get:function(){return m[k]}}),Object.defineProperty(o,k2,desc)}):(function(o,m,k,k2){k2===void 0&&(k2=k),o[k2]=m[k]})),__exportStar=exports&&exports.__exportStar||function(m,exports2){for(var p in m)p!=="default"&&!Object.prototype.hasOwnProperty.call(exports2,p)&&__createBinding(exports2,m,p)};Object.defineProperty(exports,"__esModule",{value:!0});var _noFold;exports.FunctionUrlOrigin=void 0,Object.defineProperty(exports,_noFold="FunctionUrlOrigin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./function-url-origin").FunctionUrlOrigin;return Object.defineProperty(exports,_noFold="FunctionUrlOrigin",{enumerable:!0,configurable:!0,value}),value}}),exports.HttpOrigin=void 0,Object.defineProperty(exports,_noFold="HttpOrigin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./http-origin").HttpOrigin;return Object.defineProperty(exports,_noFold="HttpOrigin",{enumerable:!0,configurable:!0,value}),value}}),exports.LoadBalancerV2Origin=void 0,Object.defineProperty(exports,_noFold="LoadBalancerV2Origin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./load-balancer-origin").LoadBalancerV2Origin;return Object.defineProperty(exports,_noFold="LoadBalancerV2Origin",{enumerable:!0,configurable:!0,value}),value}}),exports.S3Origin=void 0,Object.defineProperty(exports,_noFold="S3Origin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./s3-origin").S3Origin;return Object.defineProperty(exports,_noFold="S3Origin",{enumerable:!0,configurable:!0,value}),value}}),exports.OriginGroup=void 0,Object.defineProperty(exports,_noFold="OriginGroup",{enumerable:!0,configurable:!0,get:()=>{var value=require("./origin-group").OriginGroup;return Object.defineProperty(exports,_noFold="OriginGroup",{enumerable:!0,configurable:!0,value}),value}}),exports.RestApiOrigin=void 0,Object.defineProperty(exports,_noFold="RestApiOrigin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./rest-api-origin").RestApiOrigin;return Object.defineProperty(exports,_noFold="RestApiOrigin",{enumerable:!0,configurable:!0,value}),value}}),exports.S3StaticWebsiteOrigin=void 0,Object.defineProperty(exports,_noFold="S3StaticWebsiteOrigin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./s3-static-website-origin").S3StaticWebsiteOrigin;return Object.defineProperty(exports,_noFold="S3StaticWebsiteOrigin",{enumerable:!0,configurable:!0,value}),value}}),exports.S3BucketOrigin=void 0,Object.defineProperty(exports,_noFold="S3BucketOrigin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./s3-bucket-origin").S3BucketOrigin;return Object.defineProperty(exports,_noFold="S3BucketOrigin",{enumerable:!0,configurable:!0,value}),value}}),exports.VpcOrigin=void 0,Object.defineProperty(exports,_noFold="VpcOrigin",{enumerable:!0,configurable:!0,get:()=>{var value=require("./vpc-origin").VpcOrigin;return Object.defineProperty(exports,_noFold="VpcOrigin",{enumerable:!0,configurable:!0,value}),value}});

14
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/load-balancer-origin.d.ts generated vendored Normal file
View File

@@ -0,0 +1,14 @@
import type { HttpOriginProps } from './http-origin';
import { HttpOrigin } from './http-origin';
import type * as elbv2 from '../../aws-elasticloadbalancingv2';
/**
* Properties for an Origin backed by a v2 load balancer.
*/
export interface LoadBalancerV2OriginProps extends HttpOriginProps {
}
/**
* An Origin for a v2 load balancer.
*/
export declare class LoadBalancerV2Origin extends HttpOrigin {
constructor(loadBalancer: elbv2.ILoadBalancerV2, props?: LoadBalancerV2OriginProps);
}

1
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/load-balancer-origin.js generated vendored Normal file
View File

@@ -0,0 +1 @@
"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.LoadBalancerV2Origin=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var http_origin_1=()=>{var tmp=require("./http-origin");return http_origin_1=()=>tmp,tmp};class LoadBalancerV2Origin extends http_origin_1().HttpOrigin{static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_cloudfront_origins.LoadBalancerV2Origin",version:"2.252.0"};constructor(loadBalancer,props={}){super(loadBalancer.loadBalancerDnsName,{...props});try{jsiiDeprecationWarnings().aws_cdk_lib_aws_elasticloadbalancingv2_ILoadBalancerV2(loadBalancer),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_LoadBalancerV2OriginProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,LoadBalancerV2Origin),error}}}exports.LoadBalancerV2Origin=LoadBalancerV2Origin;

39
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/origin-group.d.ts generated vendored Normal file
View File

@@ -0,0 +1,39 @@
import type { Construct } from 'constructs';
import type * as cloudfront from '../../aws-cloudfront';
/** Construction properties for `OriginGroup`. */
export interface OriginGroupProps {
/**
* The primary origin that should serve requests for this group.
*/
readonly primaryOrigin: cloudfront.IOrigin;
/**
* The fallback origin that should serve requests when the primary fails.
*/
readonly fallbackOrigin: cloudfront.IOrigin;
/**
* The list of HTTP status codes that,
* when returned from the primary origin,
* would cause querying the fallback origin.
*
* @default - 500, 502, 503 and 504
*/
readonly fallbackStatusCodes?: number[];
/**
* The selection criteria for the origin group.
*
* @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/high_availability_origin_failover.html#concept_origin_groups.creating
*
* @default - OriginSelectionCriteria.DEFAULT
*/
readonly selectionCriteria?: cloudfront.OriginSelectionCriteria;
}
/**
* An Origin that represents a group.
* Consists of a primary Origin,
* and a fallback Origin called when the primary returns one of the provided HTTP status codes.
*/
export declare class OriginGroup implements cloudfront.IOrigin {
private readonly props;
constructor(props: OriginGroupProps);
bind(scope: Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig;
}

1
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/origin-group.js generated vendored Normal file
View File

@@ -0,0 +1 @@
"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.OriginGroup=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var core_1=()=>{var tmp=require("../../core");return core_1=()=>tmp,tmp},literal_string_1=()=>{var tmp=require("../../core/lib/private/literal-string");return literal_string_1=()=>tmp,tmp};class OriginGroup{props;static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_cloudfront_origins.OriginGroup",version:"2.252.0"};constructor(props){this.props=props;try{jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_OriginGroupProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,OriginGroup),error}}bind(scope,options){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_OriginBindOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.bind),error}const primaryOriginConfig=this.props.primaryOrigin.bind(scope,options);if(primaryOriginConfig.failoverConfig)throw new(core_1()).ValidationError((0,literal_string_1().lit)`OriginGroupCannotUseOriginWithFailover`,"An OriginGroup cannot use an Origin with its own failover configuration as its primary origin!",scope);return{originProperty:primaryOriginConfig.originProperty,failoverConfig:{failoverOrigin:this.props.fallbackOrigin,statusCodes:this.props.fallbackStatusCodes},selectionCriteria:this.props.selectionCriteria}}}exports.OriginGroup=OriginGroup;

5
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/private/utils.d.ts generated vendored Normal file
View File

@@ -0,0 +1,5 @@
import * as cdk from '../../../core';
/**
* Throws an error if a duration is defined and not an integer number of seconds within a range.
*/
export declare function validateSecondsInRangeOrUndefined(name: string, min: number, max: number, duration?: cdk.Duration): void;

1
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/private/utils.js generated vendored Normal file
View File

@@ -0,0 +1 @@
"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.validateSecondsInRangeOrUndefined=validateSecondsInRangeOrUndefined;var cdk=()=>{var tmp=require("../../../core");return cdk=()=>tmp,tmp},literal_string_1=()=>{var tmp=require("../../../core/lib/private/literal-string");return literal_string_1=()=>tmp,tmp};function validateSecondsInRangeOrUndefined(name,min,max,duration){if(duration===void 0)return;const value=duration.toSeconds();if(!Number.isInteger(value)||value<min||value>max)throw new(cdk()).UnscopedValidationError((0,literal_string_1().lit)`InvalidDurationRange`,`${name}: Must be an int between ${min} and ${max} seconds (inclusive); received ${value}.`)}

36
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/rest-api-origin.d.ts generated vendored Normal file
View File

@@ -0,0 +1,36 @@
import type * as apigateway from '../../aws-apigateway';
import * as cloudfront from '../../aws-cloudfront';
import * as cdk from '../../core';
/**
* Properties for an Origin for an API Gateway REST API.
*/
export interface RestApiOriginProps extends cloudfront.OriginProps {
/**
* Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout.
* The valid range is from 1 to 180 seconds, inclusive.
*
* Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
* has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
*
* @default Duration.seconds(30)
*/
readonly readTimeout?: cdk.Duration;
/**
* Specifies how long, in seconds, CloudFront persists its connection to the origin.
* The valid range is from 1 to 180 seconds, inclusive.
*
* Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
* has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
*
* @default Duration.seconds(5)
*/
readonly keepaliveTimeout?: cdk.Duration;
}
/**
* An Origin for an API Gateway REST API.
*/
export declare class RestApiOrigin extends cloudfront.OriginBase {
private readonly props;
constructor(restApi: apigateway.RestApiBase, props?: RestApiOriginProps);
protected renderCustomOriginConfig(): cloudfront.CfnDistribution.CustomOriginConfigProperty | undefined;
}

1
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/rest-api-origin.js generated vendored Normal file
View File

@@ -0,0 +1 @@
"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.RestApiOrigin=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var utils_1=()=>{var tmp=require("./private/utils");return utils_1=()=>tmp,tmp},cloudfront=()=>{var tmp=require("../../aws-cloudfront");return cloudfront=()=>tmp,tmp},cdk=()=>{var tmp=require("../../core");return cdk=()=>tmp,tmp};class RestApiOrigin extends cloudfront().OriginBase{props;static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_cloudfront_origins.RestApiOrigin",version:"2.252.0"};constructor(restApi,props={}){super(cdk().Fn.select(2,cdk().Fn.split("/",restApi.url)),{originPath:props.originPath??`/${cdk().Fn.select(3,cdk().Fn.split("/",restApi.url))}`,...props}),this.props=props;try{jsiiDeprecationWarnings().aws_cdk_lib_aws_apigateway_RestApiBase(restApi),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_RestApiOriginProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,RestApiOrigin),error}(0,utils_1().validateSecondsInRangeOrUndefined)("readTimeout",1,180,props.readTimeout),(0,utils_1().validateSecondsInRangeOrUndefined)("keepaliveTimeout",1,180,props.keepaliveTimeout),this.validateResponseCompletionTimeoutWithReadTimeout(props.responseCompletionTimeout,props.readTimeout)}renderCustomOriginConfig(){return{originSslProtocols:[cloudfront().OriginSslPolicy.TLS_V1_2],originProtocolPolicy:cloudfront().OriginProtocolPolicy.HTTPS_ONLY,originReadTimeout:this.props.readTimeout?.toSeconds(),originKeepaliveTimeout:this.props.keepaliveTimeout?.toSeconds()}}}exports.RestApiOrigin=RestApiOrigin;

63
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.d.ts generated vendored Normal file
View File

@@ -0,0 +1,63 @@
import type { Construct } from 'constructs';
import * as cloudfront from '../../aws-cloudfront';
import { AccessLevel } from '../../aws-cloudfront';
import * as iam from '../../aws-iam';
import type { IBucket } from '../../aws-s3';
import type { IOriginAccessControlRef } from '../../interfaces/generated/aws-cloudfront-interfaces.generated';
/**
* Properties for configuring a origin using a standard S3 bucket
*/
export interface S3BucketOriginBaseProps extends cloudfront.OriginProps {
}
/**
* Properties for configuring a S3 origin with OAC
*/
export interface S3BucketOriginWithOACProps extends S3BucketOriginBaseProps {
/**
* An optional Origin Access Control
*
* @default - an Origin Access Control will be created.
*/
readonly originAccessControl?: IOriginAccessControlRef;
/**
* The level of permissions granted in the bucket policy and key policy (if applicable)
* to the CloudFront distribution.
*
* @default [AccessLevel.READ]
*/
readonly originAccessLevels?: AccessLevel[];
}
/**
* Properties for configuring a S3 origin with OAI
*/
export interface S3BucketOriginWithOAIProps extends S3BucketOriginBaseProps {
/**
* An optional Origin Access Identity
*
* @default - an Origin Access Identity will be created.
*/
readonly originAccessIdentity?: cloudfront.ICloudFrontOriginAccessIdentityRef & iam.IGrantable;
}
/**
* A S3 Bucket Origin
*/
export declare abstract class S3BucketOrigin extends cloudfront.OriginBase {
/**
* Create a S3 Origin with Origin Access Control (OAC) configured
*/
static withOriginAccessControl(bucket: IBucket, props?: S3BucketOriginWithOACProps): cloudfront.IOrigin;
/**
* Create a S3 Origin with Origin Access Identity (OAI) configured
* OAI is a legacy feature and we **strongly** recommend you to use OAC via `withOriginAccessControl()`
* unless it is not supported in your required region (e.g. China regions).
*/
static withOriginAccessIdentity(bucket: IBucket, props?: S3BucketOriginWithOAIProps): cloudfront.IOrigin;
/**
* Create a S3 Origin with default S3 bucket settings (no origin access control)
*/
static withBucketDefaults(bucket: IBucket, props?: cloudfront.OriginProps): cloudfront.IOrigin;
constructor(bucket: IBucket, props?: S3BucketOriginBaseProps);
/** @internal */
protected _bind(scope: Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig;
protected renderS3OriginConfig(): cloudfront.CfnDistribution.S3OriginConfigProperty | undefined;
}

6
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.js generated vendored Normal file
View File

@@ -0,0 +1,6 @@
"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.S3BucketOrigin=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var cloudfront=()=>{var tmp=require("../../aws-cloudfront");return cloudfront=()=>tmp,tmp},aws_cloudfront_1=()=>{var tmp=require("../../aws-cloudfront");return aws_cloudfront_1=()=>tmp,tmp},iam=()=>{var tmp=require("../../aws-iam");return iam=()=>tmp,tmp},core_1=()=>{var tmp=require("../../core");return core_1=()=>tmp,tmp},literal_string_1=()=>{var tmp=require("../../core/lib/private/literal-string");return literal_string_1=()=>tmp,tmp};const BUCKET_ACTIONS={READ:[{action:"s3:GetObject"}],READ_VERSIONED:[{action:"s3:GetObjectVersion"}],LIST:[{action:"s3:ListBucket",needsBucketArn:!0}],WRITE:[{action:"s3:PutObject"}],DELETE:[{action:"s3:DeleteObject"}]},KEY_ACTIONS={READ:["kms:Decrypt"],WRITE:["kms:Encrypt","kms:GenerateDataKey*"]};class S3BucketOrigin extends cloudfront().OriginBase{static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_cloudfront_origins.S3BucketOrigin",version:"2.252.0"};static withOriginAccessControl(bucket,props){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_s3_IBucket(bucket),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_S3BucketOriginWithOACProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.withOriginAccessControl),error}return new S3BucketOriginWithOAC(bucket,props)}static withOriginAccessIdentity(bucket,props){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_s3_IBucket(bucket),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_S3BucketOriginWithOAIProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.withOriginAccessIdentity),error}return new S3BucketOriginWithOAI(bucket,props)}static withBucketDefaults(bucket,props){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_s3_IBucket(bucket),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_OriginProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.withBucketDefaults),error}return new class extends S3BucketOrigin{constructor(){super(bucket,{...props})}}}constructor(bucket,props){super(bucket.bucketRegionalDomainName,props);try{jsiiDeprecationWarnings().aws_cdk_lib_aws_s3_IBucket(bucket),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_S3BucketOriginBaseProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,S3BucketOrigin),error}}_bind(scope,options){return super.bind(scope,options)}renderS3OriginConfig(){return{originAccessIdentity:""}}}exports.S3BucketOrigin=S3BucketOrigin;class S3BucketOriginWithOAC extends S3BucketOrigin{bucket;originAccessControl;originAccessLevels;constructor(bucket,props){super(bucket,{...props}),this.bucket=bucket,this.originAccessControl=props?.originAccessControl,this.originAccessLevels=props?.originAccessLevels}bind(scope,options){this.originAccessControl||(this.originAccessControl=new(cloudfront()).S3OriginAccessControl(scope,"S3OriginAccessControl"));const distributionId=options.distributionId,accessLevels=new Set(this.originAccessLevels??[cloudfront().AccessLevel.READ]);accessLevels.has(aws_cloudfront_1().AccessLevel.LIST)&&core_1().Annotations.of(scope).addWarningV2("@aws-cdk/aws-cloudfront-origins:listBucketSecurityRisk",`When the origin with AccessLevel.LIST is associated to the default behavior, it is strongly recommended to ensure the distribution's defaultRootObject is specified,
See the "Setting up OAC with LIST permission" section of module's README for more info.`);const bucketPolicyActions=this.getBucketPolicyActions(accessLevels);if(this.grantDistributionAccessToBucket(distributionId,bucketPolicyActions).statementAdded||core_1().Annotations.of(scope).addWarningV2("@aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOac",`Cannot update bucket policy of an imported bucket. You will need to update the policy manually instead.
See the "Setting up OAC with imported S3 buckets" section of module's README for more info.`),this.bucket.encryptionKey){const keyPolicyActions=this.getKeyPolicyActions(accessLevels);this.grantDistributionAccessToKey(keyPolicyActions,this.bucket.encryptionKey).statementAdded||core_1().Annotations.of(scope).addWarningV2("@aws-cdk/aws-cloudfront-origins:updateImportedKeyPolicyOac",`Cannot update key policy of an imported key. You will need to update the policy manually instead.
See the "Updating imported key policies" section of the module's README for more info.`)}const originBindConfig=this._bind(scope,options);return{...originBindConfig,originProperty:{...originBindConfig.originProperty,originAccessControlId:this.originAccessControl.originAccessControlRef.originAccessControlId}}}getBucketPolicyActions(accessLevels){return[...accessLevels].flatMap(accessLevel=>BUCKET_ACTIONS[accessLevel]??[])}getKeyPolicyActions(accessLevels){return[...accessLevels].flatMap(accessLevel=>KEY_ACTIONS[accessLevel]??[])}grantDistributionAccessToBucket(distributionId,policyActions){const resources=[this.bucket.arnForObjects("*")];policyActions.some(pa=>pa.needsBucketArn)&&resources.push(this.bucket.bucketArn);const oacBucketPolicyStatement=new(iam()).PolicyStatement({effect:iam().Effect.ALLOW,principals:[new(iam()).ServicePrincipal("cloudfront.amazonaws.com")],actions:policyActions.map(pa=>pa.action),resources,conditions:{StringEquals:{"AWS:SourceArn":`arn:${core_1().Aws.PARTITION}:cloudfront::${core_1().Aws.ACCOUNT_ID}:distribution/${distributionId}`}}});return this.bucket.addToResourcePolicy(oacBucketPolicyStatement)}grantDistributionAccessToKey(actions,key){const oacKeyPolicyStatement=new(iam()).PolicyStatement({effect:iam().Effect.ALLOW,principals:[new(iam()).ServicePrincipal("cloudfront.amazonaws.com")],actions,resources:["*"],conditions:{ArnLike:{"AWS:SourceArn":`arn:${core_1().Aws.PARTITION}:cloudfront::${core_1().Aws.ACCOUNT_ID}:distribution/*`}}});return core_1().Annotations.of(key.node.scope).addWarningV2("@aws-cdk/aws-cloudfront-origins:wildcardKeyPolicyForOac",`To avoid a circular dependency between the KMS key, Bucket, and Distribution during the initial deployment, a wildcard is used in the Key policy condition to match all Distribution IDs.
After deploying once, it is strongly recommended to further scope down the policy for best security practices by following the guidance in the "Using OAC for a SSE-KMS encrypted S3 origin" section in the module README.`),key.addToResourcePolicy(oacKeyPolicyStatement)}}class S3BucketOriginWithOAI extends S3BucketOrigin{bucket;originAccessIdentity;constructor(bucket,props){super(bucket,{...props}),this.bucket=bucket,this.originAccessIdentity=props?.originAccessIdentity}bind(scope,options){if(!this.originAccessIdentity){const bucketStack=core_1().Stack.of(this.bucket),bucketInDifferentStack=bucketStack!==core_1().Stack.of(scope),oaiScope=bucketInDifferentStack?bucketStack:scope,oaiId=bucketInDifferentStack?`${core_1().Names.uniqueId(scope)}S3Origin`:"S3Origin";this.originAccessIdentity=new(cloudfront()).OriginAccessIdentity(oaiScope,oaiId,{comment:`Identity for ${options.originId}`})}return this.bucket.addToResourcePolicy(new(iam()).PolicyStatement({resources:[this.bucket.arnForObjects("*")],actions:["s3:GetObject"],principals:[this.originAccessIdentity.grantPrincipal]})).statementAdded||core_1().Annotations.of(scope).addWarningV2("@aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOai",`Cannot update bucket policy of an imported bucket. You will need to update the policy manually instead.
See the "Setting up OAI with imported S3 buckets (legacy)" section of module's README for more info.`),this._bind(scope,options)}renderS3OriginConfig(){if(!this.originAccessIdentity)throw new(core_1()).UnscopedValidationError((0,literal_string_1().lit)`OriginAccessIdentityCannotBeUndefined`,"Origin access identity cannot be undefined");return{originAccessIdentity:`origin-access-identity/cloudfront/${this.originAccessIdentity.cloudFrontOriginAccessIdentityRef.cloudFrontOriginAccessIdentityId}`}}}

29
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/s3-origin.d.ts generated vendored Normal file
View File

@@ -0,0 +1,29 @@
import type { Construct } from 'constructs';
import * as cloudfront from '../../aws-cloudfront';
import * as iam from '../../aws-iam';
import type * as s3 from '../../aws-s3';
/**
* Properties to use to customize an S3 Origin.
*/
export interface S3OriginProps extends cloudfront.OriginProps {
/**
* An optional Origin Access Identity of the origin identity cloudfront will use when calling your s3 bucket.
*
* @default - An Origin Access Identity will be created.
*/
readonly originAccessIdentity?: cloudfront.ICloudFrontOriginAccessIdentityRef & iam.IGrantable;
}
/**
* An Origin that is backed by an S3 bucket.
*
* If the bucket is configured for website hosting, this origin will be configured to use the bucket as an
* HTTP server origin and will use the bucket's configured website redirects and error handling. Otherwise,
* the origin is created as a bucket origin and will use CloudFront's redirect and error handling.
*
* @deprecated Use `S3BucketOrigin` or `S3StaticWebsiteOrigin` instead.
*/
export declare class S3Origin implements cloudfront.IOrigin {
private readonly origin;
constructor(bucket: s3.IBucket, props?: S3OriginProps);
bind(scope: Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig;
}

1
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/s3-origin.js generated vendored Normal file
View File

@@ -0,0 +1 @@
"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.S3Origin=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var http_origin_1=()=>{var tmp=require("./http-origin");return http_origin_1=()=>tmp,tmp},cloudfront=()=>{var tmp=require("../../aws-cloudfront");return cloudfront=()=>tmp,tmp},iam=()=>{var tmp=require("../../aws-iam");return iam=()=>tmp,tmp},cdk=()=>{var tmp=require("../../core");return cdk=()=>tmp,tmp};class S3Origin{static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_cloudfront_origins.S3Origin",version:"2.252.0"};origin;constructor(bucket,props={}){try{jsiiDeprecationWarnings().print("aws-cdk-lib.aws_cloudfront_origins.S3Origin","Use `S3BucketOrigin` or `S3StaticWebsiteOrigin` instead."),jsiiDeprecationWarnings().aws_cdk_lib_aws_s3_IBucket(bucket),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_S3OriginProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,S3Origin),error}this.origin=bucket.isWebsite?new(http_origin_1()).HttpOrigin(bucket.bucketWebsiteDomainName,{protocolPolicy:cloudfront().OriginProtocolPolicy.HTTP_ONLY,...props}):new S3BucketOrigin(bucket,props)}bind(scope,options){try{jsiiDeprecationWarnings().print("aws-cdk-lib.aws_cloudfront_origins.S3Origin#bind","Use `S3BucketOrigin` or `S3StaticWebsiteOrigin` instead."),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_OriginBindOptions(options)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.bind),error}return this.origin.bind(scope,options)}}exports.S3Origin=S3Origin;class S3BucketOrigin extends cloudfront().OriginBase{bucket;originAccessIdentity;constructor(bucket,{originAccessIdentity,...props}){super(bucket.bucketRegionalDomainName,props),this.bucket=bucket,originAccessIdentity&&(this.originAccessIdentity=originAccessIdentity)}bind(scope,options){if(!this.originAccessIdentity){const bucketStack=cdk().Stack.of(this.bucket),bucketInDifferentStack=bucketStack!==cdk().Stack.of(scope),oaiScope=bucketInDifferentStack?bucketStack:scope,oaiId=bucketInDifferentStack?`${cdk().Names.uniqueId(scope)}S3Origin`:"S3Origin";this.originAccessIdentity=new(cloudfront()).OriginAccessIdentity(oaiScope,oaiId,{comment:`Identity for ${options.originId}`})}return this.bucket.addToResourcePolicy(new(iam()).PolicyStatement({resources:[this.bucket.arnForObjects("*")],actions:["s3:GetObject"],principals:[this.originAccessIdentity.grantPrincipal]})),super.bind(scope,options)}renderS3OriginConfig(){return{originAccessIdentity:`origin-access-identity/cloudfront/${this.originAccessIdentity.cloudFrontOriginAccessIdentityRef.cloudFrontOriginAccessIdentityId}`}}}

14
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/s3-static-website-origin.d.ts generated vendored Normal file
View File

@@ -0,0 +1,14 @@
import type { HttpOriginProps } from './http-origin';
import { HttpOrigin } from './http-origin';
import type { IBucket } from '../../aws-s3';
/**
* Properties for configuring a origin using a S3 bucket configured as a website endpoint
*/
export interface S3StaticWebsiteOriginProps extends HttpOriginProps {
}
/**
* An Origin for a S3 bucket configured as a website endpoint
*/
export declare class S3StaticWebsiteOrigin extends HttpOrigin {
constructor(bucket: IBucket, props?: S3StaticWebsiteOriginProps);
}

1
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/s3-static-website-origin.js generated vendored Normal file
View File

@@ -0,0 +1 @@
"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.S3StaticWebsiteOrigin=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var http_origin_1=()=>{var tmp=require("./http-origin");return http_origin_1=()=>tmp,tmp},cloudfront=()=>{var tmp=require("../../aws-cloudfront");return cloudfront=()=>tmp,tmp};class S3StaticWebsiteOrigin extends http_origin_1().HttpOrigin{static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_cloudfront_origins.S3StaticWebsiteOrigin",version:"2.252.0"};constructor(bucket,props){super(bucket.bucketWebsiteDomainName,{protocolPolicy:cloudfront().OriginProtocolPolicy.HTTP_ONLY,...props});try{jsiiDeprecationWarnings().aws_cdk_lib_aws_s3_IBucket(bucket),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_S3StaticWebsiteOriginProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,S3StaticWebsiteOrigin),error}}}exports.S3StaticWebsiteOrigin=S3StaticWebsiteOrigin;

65
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/vpc-origin.d.ts generated vendored Normal file
View File

@@ -0,0 +1,65 @@
import * as cloudfront from '../../aws-cloudfront';
import type { IInstance } from '../../aws-ec2';
import type { IApplicationLoadBalancer, INetworkLoadBalancer } from '../../aws-elasticloadbalancingv2';
import * as cdk from '../../core';
/**
* Properties to define a VPC origin.
*/
export interface VpcOriginProps extends cloudfront.OriginProps {
/**
* The domain name associated with your VPC origin.
* @default - The default domain name of the endpoint.
*/
readonly domainName?: string;
/**
* Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout.
* The valid range is from 1 to 180 seconds, inclusive.
*
* Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
* has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
*
* @default Duration.seconds(30)
*/
readonly readTimeout?: cdk.Duration;
/**
* Specifies how long, in seconds, CloudFront persists its connection to the origin.
* The valid range is from 1 to 180 seconds, inclusive.
*
* Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
* has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
*
* @default Duration.seconds(5)
*/
readonly keepaliveTimeout?: cdk.Duration;
}
/**
* Properties to define a VPC origin with endpoint.
*/
export interface VpcOriginWithEndpointProps extends VpcOriginProps, cloudfront.VpcOriginOptions {
}
/**
* Represents a distribution's VPC origin.
*/
export declare abstract class VpcOrigin extends cloudfront.OriginBase {
protected readonly props: VpcOriginProps;
/**
* Create a VPC origin with an existing VPC origin resource.
*/
static withVpcOrigin(origin: cloudfront.IVpcOrigin, props?: VpcOriginProps): VpcOrigin;
/**
* Create a VPC origin with an EC2 instance.
*/
static withEc2Instance(instance: IInstance, props?: VpcOriginWithEndpointProps): VpcOrigin;
/**
* Create a VPC origin with an Application Load Balancer.
*/
static withApplicationLoadBalancer(alb: IApplicationLoadBalancer, props?: VpcOriginWithEndpointProps): VpcOrigin;
/**
* Create a VPC origin with a Network Load Balancer.
*/
static withNetworkLoadBalancer(nlb: INetworkLoadBalancer, props?: VpcOriginWithEndpointProps): VpcOrigin;
/** @jsii suppress JSII5019 For historic reasons */
protected vpcOrigin?: cloudfront.IVpcOrigin;
protected constructor(domainName: string, props: VpcOriginProps);
protected renderVpcOriginConfig(): cloudfront.CfnDistribution.VpcOriginConfigProperty | undefined;
}

1
cdk/node_modules/aws-cdk-lib/aws-cloudfront-origins/lib/vpc-origin.js generated vendored Normal file
View File

@@ -0,0 +1 @@
"use strict";Object.defineProperty(exports,"__esModule",{value:!0}),exports.VpcOrigin=void 0;var jsiiDeprecationWarnings=()=>{var tmp=require("../../.warnings.jsii.js");return jsiiDeprecationWarnings=()=>tmp,tmp};const JSII_RTTI_SYMBOL_1=Symbol.for("jsii.rtti");var cloudfront=()=>{var tmp=require("../../aws-cloudfront");return cloudfront=()=>tmp,tmp},cdk=()=>{var tmp=require("../../core");return cdk=()=>tmp,tmp},utils_1=()=>{var tmp=require("./private/utils");return utils_1=()=>tmp,tmp},literal_string_1=()=>{var tmp=require("../../core/lib/private/literal-string");return literal_string_1=()=>tmp,tmp};class VpcOrigin extends cloudfront().OriginBase{props;static[JSII_RTTI_SYMBOL_1]={fqn:"aws-cdk-lib.aws_cloudfront_origins.VpcOrigin",version:"2.252.0"};static withVpcOrigin(origin,props){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_IVpcOrigin(origin),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_VpcOriginProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.withVpcOrigin),error}return new VpcOriginWithVpcOrigin(origin,props)}static withEc2Instance(instance,props){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_ec2_IInstance(instance),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_VpcOriginWithEndpointProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.withEc2Instance),error}return new VpcOriginWithEndpoint(cloudfront().VpcOriginEndpoint.ec2Instance(instance),props)}static withApplicationLoadBalancer(alb,props){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_elasticloadbalancingv2_IApplicationLoadBalancer(alb),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_VpcOriginWithEndpointProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.withApplicationLoadBalancer),error}return new VpcOriginWithEndpoint(cloudfront().VpcOriginEndpoint.applicationLoadBalancer(alb),props)}static withNetworkLoadBalancer(nlb,props){try{jsiiDeprecationWarnings().aws_cdk_lib_aws_elasticloadbalancingv2_INetworkLoadBalancer(nlb),jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_VpcOriginWithEndpointProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,this.withNetworkLoadBalancer),error}return new VpcOriginWithEndpoint(cloudfront().VpcOriginEndpoint.networkLoadBalancer(nlb),props)}vpcOrigin;constructor(domainName,props){super(domainName,props),this.props=props;try{jsiiDeprecationWarnings().aws_cdk_lib_aws_cloudfront_origins_VpcOriginProps(props)}catch(error){throw process.env.JSII_DEBUG!=="1"&&error.name==="DeprecationError"&&Error.captureStackTrace(error,VpcOrigin),error}(0,utils_1().validateSecondsInRangeOrUndefined)("readTimeout",1,180,props.readTimeout),(0,utils_1().validateSecondsInRangeOrUndefined)("keepaliveTimeout",1,180,props.keepaliveTimeout)}renderVpcOriginConfig(){if(!this.vpcOrigin)throw new(cdk()).UnscopedValidationError((0,literal_string_1().lit)`VpcOriginCannotBeUndefined`,"VPC origin cannot be undefined.");return{vpcOriginId:this.vpcOrigin.vpcOriginId,originReadTimeout:this.props.readTimeout?.toSeconds(),originKeepaliveTimeout:this.props.keepaliveTimeout?.toSeconds()}}}exports.VpcOrigin=VpcOrigin;class VpcOriginWithVpcOrigin extends VpcOrigin{vpcOrigin;constructor(vpcOrigin,props={}){const domainName=props.domainName??vpcOrigin.domainName;if(!domainName)throw new(cdk()).UnscopedValidationError((0,literal_string_1().lit)`DomainNameMustBeSpecified`,"'domainName' must be specified when no default domain name is defined.");super(domainName,props),this.vpcOrigin=vpcOrigin}}class VpcOriginWithEndpoint extends VpcOrigin{vpcOriginEndpoint;props;constructor(vpcOriginEndpoint,props={}){const domainName=props.domainName??vpcOriginEndpoint.domainName;if(!domainName)throw new(cdk()).UnscopedValidationError((0,literal_string_1().lit)`DomainNameMustBeSpecifiedForEndpoint`,"'domainName' must be specified when no default domain name is defined.");super(domainName,props),this.vpcOriginEndpoint=vpcOriginEndpoint,this.props=props}bind(_scope,options){return this.vpcOrigin??=new(cloudfront()).VpcOrigin(_scope,"VpcOrigin",{endpoint:this.vpcOriginEndpoint,vpcOriginName:this.props.vpcOriginName,httpPort:this.props.httpPort,httpsPort:this.props.httpsPort,protocolPolicy:this.props.protocolPolicy,originSslProtocols:this.props.originSslProtocols}),super.bind(_scope,options)}}