UNPKG

23 kBTypeScriptView Raw
1import * as certificatemanager from '@aws-cdk/aws-certificatemanager';
2import * as lambda from '@aws-cdk/aws-lambda';
3import * as s3 from '@aws-cdk/aws-s3';
4import * as cdk from '@aws-cdk/core';
5import { Construct } from 'constructs';
6import { CfnDistribution } from './cloudfront.generated';
7import { HttpVersion, IDistribution, LambdaEdgeEventType, OriginProtocolPolicy, PriceClass, ViewerProtocolPolicy, SSLMethod, SecurityPolicyProtocol } from './distribution';
8import { FunctionAssociation } from './function';
9import { GeoRestriction } from './geo-restriction';
10import { IKeyGroup } from './key-group';
11import { IOriginAccessIdentity } from './origin-access-identity';
12/**
13 * HTTP status code to failover to second origin
14 */
15export declare enum FailoverStatusCode {
16 /**
17 * Forbidden (403)
18 */
19 FORBIDDEN = 403,
20 /**
21 * Not found (404)
22 */
23 NOT_FOUND = 404,
24 /**
25 * Internal Server Error (500)
26 */
27 INTERNAL_SERVER_ERROR = 500,
28 /**
29 * Bad Gateway (502)
30 */
31 BAD_GATEWAY = 502,
32 /**
33 * Service Unavailable (503)
34 */
35 SERVICE_UNAVAILABLE = 503,
36 /**
37 * Gateway Timeout (504)
38 */
39 GATEWAY_TIMEOUT = 504
40}
41/**
42 * Configuration for custom domain names
43 *
44 * CloudFront can use a custom domain that you provide instead of a
45 * "cloudfront.net" domain. To use this feature you must provide the list of
46 * additional domains, and the ACM Certificate that CloudFront should use for
47 * these additional domains.
48 * @deprecated see {@link CloudFrontWebDistributionProps#viewerCertificate} with {@link ViewerCertificate#acmCertificate}
49 */
50export interface AliasConfiguration {
51 /**
52 * ARN of an AWS Certificate Manager (ACM) certificate.
53 */
54 readonly acmCertRef: string;
55 /**
56 * Domain names on the certificate
57 *
58 * Both main domain name and Subject Alternative Names.
59 */
60 readonly names: string[];
61 /**
62 * How CloudFront should serve HTTPS requests.
63 *
64 * See the notes on SSLMethod if you wish to use other SSL termination types.
65 *
66 * @default SSLMethod.SNI
67 * @see https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ViewerCertificate.html
68 */
69 readonly sslMethod?: SSLMethod;
70 /**
71 * The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections.
72 *
73 * CloudFront serves your objects only to browsers or devices that support at
74 * least the SSL version that you specify.
75 *
76 * @default - SSLv3 if sslMethod VIP, TLSv1 if sslMethod SNI
77 */
78 readonly securityPolicy?: SecurityPolicyProtocol;
79}
80/**
81 * Logging configuration for incoming requests
82 */
83export interface LoggingConfiguration {
84 /**
85 * Bucket to log requests to
86 *
87 * @default - A logging bucket is automatically created.
88 */
89 readonly bucket?: s3.IBucket;
90 /**
91 * Whether to include the cookies in the logs
92 *
93 * @default false
94 */
95 readonly includeCookies?: boolean;
96 /**
97 * Where in the bucket to store logs
98 *
99 * @default - No prefix.
100 */
101 readonly prefix?: string;
102}
103/**
104 * A source configuration is a wrapper for CloudFront origins and behaviors.
105 * An origin is what CloudFront will "be in front of" - that is, CloudFront will pull it's assets from an origin.
106 *
107 * If you're using s3 as a source - pass the `s3Origin` property, otherwise, pass the `customOriginSource` property.
108 *
109 * One or the other must be passed, and it is invalid to pass both in the same SourceConfiguration.
110 */
111export interface SourceConfiguration {
112 /**
113 * The number of times that CloudFront attempts to connect to the origin.
114 * You can specify 1, 2, or 3 as the number of attempts.
115 *
116 * @default 3
117 */
118 readonly connectionAttempts?: number;
119 /**
120 * The number of seconds that CloudFront waits when trying to establish a connection to the origin.
121 * You can specify a number of seconds between 1 and 10 (inclusive).
122 *
123 * @default cdk.Duration.seconds(10)
124 */
125 readonly connectionTimeout?: cdk.Duration;
126 /**
127 * An s3 origin source - if you're using s3 for your assets
128 */
129 readonly s3OriginSource?: S3OriginConfig;
130 /**
131 * A custom origin source - for all non-s3 sources.
132 */
133 readonly customOriginSource?: CustomOriginConfig;
134 /**
135 * An s3 origin source for failover in case the s3OriginSource returns invalid status code
136 *
137 * @default - no failover configuration
138 */
139 readonly failoverS3OriginSource?: S3OriginConfig;
140 /**
141 * A custom origin source for failover in case the s3OriginSource returns invalid status code
142 *
143 * @default - no failover configuration
144 */
145 readonly failoverCustomOriginSource?: CustomOriginConfig;
146 /**
147 * HTTP status code to failover to second origin
148 *
149 * @default [500, 502, 503, 504]
150 */
151 readonly failoverCriteriaStatusCodes?: FailoverStatusCode[];
152 /**
153 * The behaviors associated with this source.
154 * At least one (default) behavior must be included.
155 */
156 readonly behaviors: Behavior[];
157 /**
158 * The relative path to the origin root to use for sources.
159 *
160 * @default /
161 * @deprecated Use originPath on s3OriginSource or customOriginSource
162 */
163 readonly originPath?: string;
164 /**
165 * Any additional headers to pass to the origin
166 *
167 * @default - No additional headers are passed.
168 * @deprecated Use originHeaders on s3OriginSource or customOriginSource
169 */
170 readonly originHeaders?: {
171 [key: string]: string;
172 };
173 /**
174 * When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance
175 *
176 * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
177 *
178 * @default - origin shield not enabled
179 */
180 readonly originShieldRegion?: string;
181}
182/**
183 * A custom origin configuration
184 */
185export interface CustomOriginConfig {
186 /**
187 * The domain name of the custom origin. Should not include the path - that should be in the parent SourceConfiguration
188 */
189 readonly domainName: string;
190 /**
191 * The origin HTTP port
192 *
193 * @default 80
194 */
195 readonly httpPort?: number;
196 /**
197 * The origin HTTPS port
198 *
199 * @default 443
200 */
201 readonly httpsPort?: number;
202 /**
203 * The keep alive timeout when making calls in seconds.
204 *
205 * @default Duration.seconds(5)
206 */
207 readonly originKeepaliveTimeout?: cdk.Duration;
208 /**
209 * The protocol (http or https) policy to use when interacting with the origin.
210 *
211 * @default OriginProtocolPolicy.HttpsOnly
212 */
213 readonly originProtocolPolicy?: OriginProtocolPolicy;
214 /**
215 * The read timeout when calling the origin in seconds
216 *
217 * @default Duration.seconds(30)
218 */
219 readonly originReadTimeout?: cdk.Duration;
220 /**
221 * The SSL versions to use when interacting with the origin.
222 *
223 * @default OriginSslPolicy.TLS_V1_2
224 */
225 readonly allowedOriginSSLVersions?: OriginSslPolicy[];
226 /**
227 * The relative path to the origin root to use for sources.
228 *
229 * @default /
230 */
231 readonly originPath?: string;
232 /**
233 * Any additional headers to pass to the origin
234 *
235 * @default - No additional headers are passed.
236 */
237 readonly originHeaders?: {
238 [key: string]: string;
239 };
240 /**
241 * When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance
242 *
243 * @default - origin shield not enabled
244 */
245 readonly originShieldRegion?: string;
246}
247export declare enum OriginSslPolicy {
248 SSL_V3 = "SSLv3",
249 TLS_V1 = "TLSv1",
250 TLS_V1_1 = "TLSv1.1",
251 TLS_V1_2 = "TLSv1.2"
252}
253/**
254 * S3 origin configuration for CloudFront
255 */
256export interface S3OriginConfig {
257 /**
258 * The source bucket to serve content from
259 */
260 readonly s3BucketSource: s3.IBucket;
261 /**
262 * The optional Origin Access Identity of the origin identity cloudfront will use when calling your s3 bucket.
263 *
264 * @default No Origin Access Identity which requires the S3 bucket to be public accessible
265 */
266 readonly originAccessIdentity?: IOriginAccessIdentity;
267 /**
268 * The relative path to the origin root to use for sources.
269 *
270 * @default /
271 */
272 readonly originPath?: string;
273 /**
274 * Any additional headers to pass to the origin
275 *
276 * @default - No additional headers are passed.
277 */
278 readonly originHeaders?: {
279 [key: string]: string;
280 };
281 /**
282 * When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance
283 *
284 * @default - origin shield not enabled
285 */
286 readonly originShieldRegion?: string;
287}
288/**
289 * An enum for the supported methods to a CloudFront distribution.
290 */
291export declare enum CloudFrontAllowedMethods {
292 GET_HEAD = "GH",
293 GET_HEAD_OPTIONS = "GHO",
294 ALL = "ALL"
295}
296/**
297 * Enums for the methods CloudFront can cache.
298 */
299export declare enum CloudFrontAllowedCachedMethods {
300 GET_HEAD = "GH",
301 GET_HEAD_OPTIONS = "GHO"
302}
303/**
304 * A CloudFront behavior wrapper.
305 */
306export interface Behavior {
307 /**
308 * If CloudFront should automatically compress some content types.
309 *
310 * @default true
311 */
312 readonly compress?: boolean;
313 /**
314 * If this behavior is the default behavior for the distribution.
315 *
316 * You must specify exactly one default distribution per CloudFront distribution.
317 * The default behavior is allowed to omit the "path" property.
318 */
319 readonly isDefaultBehavior?: boolean;
320 /**
321 * Trusted signers is how CloudFront allows you to serve private content.
322 * The signers are the account IDs that are allowed to sign cookies/presigned URLs for this distribution.
323 *
324 * If you pass a non empty value, all requests for this behavior must be signed (no public access will be allowed)
325 * @deprecated - We recommend using trustedKeyGroups instead of trustedSigners.
326 */
327 readonly trustedSigners?: string[];
328 /**
329 * A list of Key Groups that CloudFront can use to validate signed URLs or signed cookies.
330 *
331 * @default - no KeyGroups are associated with cache behavior
332 * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
333 */
334 readonly trustedKeyGroups?: IKeyGroup[];
335 /**
336 *
337 * The default amount of time CloudFront will cache an object.
338 *
339 * This value applies only when your custom origin does not add HTTP headers,
340 * such as Cache-Control max-age, Cache-Control s-maxage, and Expires to objects.
341 * @default 86400 (1 day)
342 *
343 */
344 readonly defaultTtl?: cdk.Duration;
345 /**
346 * The method this CloudFront distribution responds do.
347 *
348 * @default GET_HEAD
349 */
350 readonly allowedMethods?: CloudFrontAllowedMethods;
351 /**
352 * The path this behavior responds to.
353 * Required for all non-default behaviors. (The default behavior implicitly has "*" as the path pattern. )
354 *
355 */
356 readonly pathPattern?: string;
357 /**
358 * Which methods are cached by CloudFront by default.
359 *
360 * @default GET_HEAD
361 */
362 readonly cachedMethods?: CloudFrontAllowedCachedMethods;
363 /**
364 * The values CloudFront will forward to the origin when making a request.
365 *
366 * @default none (no cookies - no headers)
367 *
368 */
369 readonly forwardedValues?: CfnDistribution.ForwardedValuesProperty;
370 /**
371 * The minimum amount of time that you want objects to stay in the cache
372 * before CloudFront queries your origin.
373 */
374 readonly minTtl?: cdk.Duration;
375 /**
376 * The max amount of time you want objects to stay in the cache
377 * before CloudFront queries your origin.
378 *
379 * @default Duration.seconds(31536000) (one year)
380 */
381 readonly maxTtl?: cdk.Duration;
382 /**
383 * Declares associated lambda@edge functions for this distribution behaviour.
384 *
385 * @default No lambda function associated
386 */
387 readonly lambdaFunctionAssociations?: LambdaFunctionAssociation[];
388 /**
389 * The CloudFront functions to invoke before serving the contents.
390 *
391 * @default - no functions will be invoked
392 */
393 readonly functionAssociations?: FunctionAssociation[];
394 /**
395 * The viewer policy for this behavior.
396 *
397 * @default - the distribution wide viewer protocol policy will be used
398 */
399 readonly viewerProtocolPolicy?: ViewerProtocolPolicy;
400}
401export interface LambdaFunctionAssociation {
402 /**
403 * The lambda event type defines at which event the lambda
404 * is called during the request lifecycle
405 */
406 readonly eventType: LambdaEdgeEventType;
407 /**
408 * A version of the lambda to associate
409 */
410 readonly lambdaFunction: lambda.IVersion;
411 /**
412 * Allows a Lambda function to have read access to the body content.
413 * Only valid for "request" event types (`ORIGIN_REQUEST` or `VIEWER_REQUEST`).
414 * See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-include-body-access.html
415 *
416 * @default false
417 */
418 readonly includeBody?: boolean;
419}
420export interface ViewerCertificateOptions {
421 /**
422 * How CloudFront should serve HTTPS requests.
423 *
424 * See the notes on SSLMethod if you wish to use other SSL termination types.
425 *
426 * @default SSLMethod.SNI
427 * @see https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_ViewerCertificate.html
428 */
429 readonly sslMethod?: SSLMethod;
430 /**
431 * The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections.
432 *
433 * CloudFront serves your objects only to browsers or devices that support at
434 * least the SSL version that you specify.
435 *
436 * @default - SSLv3 if sslMethod VIP, TLSv1 if sslMethod SNI
437 */
438 readonly securityPolicy?: SecurityPolicyProtocol;
439 /**
440 * Domain names on the certificate (both main domain name and Subject Alternative names)
441 */
442 readonly aliases?: string[];
443}
444/**
445 * Viewer certificate configuration class
446 */
447export declare class ViewerCertificate {
448 readonly props: CfnDistribution.ViewerCertificateProperty;
449 readonly aliases: string[];
450 /**
451 * Generate an AWS Certificate Manager (ACM) viewer certificate configuration
452 *
453 * @param certificate AWS Certificate Manager (ACM) certificate.
454 * Your certificate must be located in the us-east-1 (US East (N. Virginia)) region to be accessed by CloudFront
455 * @param options certificate configuration options
456 */
457 static fromAcmCertificate(certificate: certificatemanager.ICertificate, options?: ViewerCertificateOptions): ViewerCertificate;
458 /**
459 * Generate an IAM viewer certificate configuration
460 *
461 * @param iamCertificateId Identifier of the IAM certificate
462 * @param options certificate configuration options
463 */
464 static fromIamCertificate(iamCertificateId: string, options?: ViewerCertificateOptions): ViewerCertificate;
465 /**
466 * Generate a viewer certifcate configuration using
467 * the CloudFront default certificate (e.g. d111111abcdef8.cloudfront.net)
468 * and a {@link SecurityPolicyProtocol.TLS_V1} security policy.
469 *
470 * @param aliases Alternative CNAME aliases
471 * You also must create a CNAME record with your DNS service to route queries
472 */
473 static fromCloudFrontDefaultCertificate(...aliases: string[]): ViewerCertificate;
474 private constructor();
475}
476export interface CloudFrontWebDistributionProps {
477 /**
478 * AliasConfiguration is used to configured CloudFront to respond to requests on custom domain names.
479 *
480 * @default - None.
481 * @deprecated see {@link CloudFrontWebDistributionProps#viewerCertificate} with {@link ViewerCertificate#acmCertificate}
482 */
483 readonly aliasConfiguration?: AliasConfiguration;
484 /**
485 * A comment for this distribution in the CloudFront console.
486 *
487 * @default - No comment is added to distribution.
488 */
489 readonly comment?: string;
490 /**
491 * Enable or disable the distribution.
492 *
493 * @default true
494 */
495 readonly enabled?: boolean;
496 /**
497 * The default object to serve.
498 *
499 * @default - "index.html" is served.
500 */
501 readonly defaultRootObject?: string;
502 /**
503 * If your distribution should have IPv6 enabled.
504 *
505 * @default true
506 */
507 readonly enableIpV6?: boolean;
508 /**
509 * The max supported HTTP Versions.
510 *
511 * @default HttpVersion.HTTP2
512 */
513 readonly httpVersion?: HttpVersion;
514 /**
515 * The price class for the distribution (this impacts how many locations CloudFront uses for your distribution, and billing)
516 *
517 * @default PriceClass.PRICE_CLASS_100 the cheapest option for CloudFront is picked by default.
518 */
519 readonly priceClass?: PriceClass;
520 /**
521 * The default viewer policy for incoming clients.
522 *
523 * @default RedirectToHTTPs
524 */
525 readonly viewerProtocolPolicy?: ViewerProtocolPolicy;
526 /**
527 * The origin configurations for this distribution. Behaviors are a part of the origin.
528 */
529 readonly originConfigs: SourceConfiguration[];
530 /**
531 * Optional - if we should enable logging.
532 * You can pass an empty object ({}) to have us auto create a bucket for logging.
533 * Omission of this property indicates no logging is to be enabled.
534 *
535 * @default - no logging is enabled by default.
536 */
537 readonly loggingConfig?: LoggingConfiguration;
538 /**
539 * How CloudFront should handle requests that are not successful (eg PageNotFound)
540 *
541 * By default, CloudFront does not replace HTTP status codes in the 4xx and 5xx range
542 * with custom error messages. CloudFront does not cache HTTP status codes.
543 *
544 * @default - No custom error configuration.
545 */
546 readonly errorConfigurations?: CfnDistribution.CustomErrorResponseProperty[];
547 /**
548 * Unique identifier that specifies the AWS WAF web ACL to associate with this CloudFront distribution.
549 *
550 * To specify a web ACL created using the latest version of AWS WAF, use the ACL ARN, for example
551 * `arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a`.
552 *
553 * To specify a web ACL created using AWS WAF Classic, use the ACL ID, for example `473e64fd-f30b-4765-81a0-62ad96dd167a`.
554 *
555 * @see https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html
556 * @see https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateDistribution.html#API_CreateDistribution_RequestParameters.
557 *
558 * @default - No AWS Web Application Firewall web access control list (web ACL).
559 */
560 readonly webACLId?: string;
561 /**
562 * Specifies whether you want viewers to use HTTP or HTTPS to request your objects,
563 * whether you're using an alternate domain name with HTTPS, and if so,
564 * if you're using AWS Certificate Manager (ACM) or a third-party certificate authority.
565 *
566 * @default ViewerCertificate.fromCloudFrontDefaultCertificate()
567 *
568 * @see https://aws.amazon.com/premiumsupport/knowledge-center/custom-ssl-certificate-cloudfront/
569 */
570 readonly viewerCertificate?: ViewerCertificate;
571 /**
572 * Controls the countries in which your content is distributed.
573 *
574 * @default No geo restriction
575 */
576 readonly geoRestriction?: GeoRestriction;
577}
578/**
579 * Attributes used to import a Distribution.
580 */
581export interface CloudFrontWebDistributionAttributes {
582 /**
583 * The generated domain name of the Distribution, such as d111111abcdef8.cloudfront.net.
584 *
585 * @attribute
586 */
587 readonly domainName: string;
588 /**
589 * The distribution ID for this distribution.
590 *
591 * @attribute
592 */
593 readonly distributionId: string;
594}
595/**
596 * Amazon CloudFront is a global content delivery network (CDN) service that securely delivers data, videos,
597 * applications, and APIs to your viewers with low latency and high transfer speeds.
598 * CloudFront fronts user provided content and caches it at edge locations across the world.
599 *
600 * Here's how you can use this construct:
601 *
602 * ```ts
603 * const sourceBucket = new s3.Bucket(this, 'Bucket');
604 *
605 * const distribution = new cloudfront.CloudFrontWebDistribution(this, 'MyDistribution', {
606 * originConfigs: [
607 * {
608 * s3OriginSource: {
609 * s3BucketSource: sourceBucket,
610 * },
611 * behaviors : [ {isDefaultBehavior: true}],
612 * },
613 * ],
614 * });
615 * ```
616 *
617 * This will create a CloudFront distribution that uses your S3Bucket as it's origin.
618 *
619 * You can customize the distribution using additional properties from the CloudFrontWebDistributionProps interface.
620 *
621 * @resource AWS::CloudFront::Distribution
622 */
623export declare class CloudFrontWebDistribution extends cdk.Resource implements IDistribution {
624 /**
625 * Creates a construct that represents an external (imported) distribution.
626 */
627 static fromDistributionAttributes(scope: Construct, id: string, attrs: CloudFrontWebDistributionAttributes): IDistribution;
628 /**
629 * The logging bucket for this CloudFront distribution.
630 * If logging is not enabled for this distribution - this property will be undefined.
631 */
632 readonly loggingBucket?: s3.IBucket;
633 /**
634 * The domain name created by CloudFront for this distribution.
635 * If you are using aliases for your distribution, this is the domainName your DNS records should point to.
636 * (In Route53, you could create an ALIAS record to this value, for example.)
637 *
638 * @deprecated - Use `distributionDomainName` instead.
639 */
640 readonly domainName: string;
641 /**
642 * The domain name created by CloudFront for this distribution.
643 * If you are using aliases for your distribution, this is the domainName your DNS records should point to.
644 * (In Route53, you could create an ALIAS record to this value, for example.)
645 */
646 readonly distributionDomainName: string;
647 /**
648 * The distribution ID for this distribution.
649 */
650 readonly distributionId: string;
651 /**
652 * Maps our methods to the string arrays they are
653 */
654 private readonly METHOD_LOOKUP_MAP;
655 /**
656 * Maps for which SecurityPolicyProtocol are available to which SSLMethods
657 */
658 private readonly VALID_SSL_PROTOCOLS;
659 constructor(scope: Construct, id: string, props: CloudFrontWebDistributionProps);
660 private toBehavior;
661 private toOriginProperty;
662 /**
663 * Takes origin shield region from props and converts to CfnDistribution.OriginShieldProperty
664 */
665 private toOriginShieldProperty;
666}