RFC 617: CloudFront Origin Access Control L2 #619
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 3 commits
May 29, 2024 14:11
colifran
reviewed
Jun 13, 2024
colifran
reviewed
Jun 13, 2024
colifran
reviewed
Jun 13, 2024
colifran
reviewed
Jun 13, 2024
colifran
reviewed
Jun 13, 2024
colifran
reviewed
Jun 13, 2024
colifran
reviewed
Jun 13, 2024
colifran
reviewed
Jun 13, 2024
colifran
reviewed
Jun 13, 2024
colifran
reviewed
Jun 13, 2024
colifran
reviewed
Jun 13, 2024
text/0617-cloudfront-oac-l2.md
Outdated
| distribution has been created via the `GetKeyPolicy()` and `PutKeyPolicy()` API calls. | ||
|
|
||
| ```ts | ||
| class S3BucketOacOrigin extends cloudfront.OriginBase { |
There was a problem hiding this comment.
I think at this point we shouldn't add a new origin class. Instead, what if we use S3BucketOrigin as an abstract class that defines a contract for an origin identity class (for existing behavior) and a origin access class using your implementation. This could look like this:
abstract class S3BucketOrigin extends cloudfront.OriginBase {
public static withAccessIdentity(bucket: s3.IBucket, props: S3OriginProps = {}): S3BucketOrigin {
return new (class OriginAccessIdentity extends S3BucketOrigin {
private originAccessIdentity?: cloudfront.IOriginAccessIdentity;
public constructor() {
super(bucket, props);
this.originAccessIdentity = props.originAccessIdentity;
}
public bind(scope: Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig {
if (!this.originAccessIdentity) {
// Using a bucket from another stack creates a cyclic reference with
// the bucket taking a dependency on the generated S3CanonicalUserId for the grant principal,
// and the distribution having a dependency on the bucket's domain name.
// Fix this by parenting the OAI in the bucket's stack when cross-stack usage is detected.
const bucketStack = cdk.Stack.of(this.bucket);
const bucketInDifferentStack = bucketStack !== cdk.Stack.of(scope);
const oaiScope = bucketInDifferentStack ? bucketStack : scope;
const oaiId = bucketInDifferentStack ? `${cdk.Names.uniqueId(scope)}S3Origin` : 'S3Origin';
this.originAccessIdentity = new cloudfront.OriginAccessIdentity(oaiScope, oaiId, {
comment: `Identity for ${options.originId}`,
});
}
// Used rather than `grantRead` because `grantRead` will grant overly-permissive policies.
// Only GetObject is needed to retrieve objects for the distribution.
// This also excludes KMS permissions; currently, OAI only supports SSE-S3 for buckets.
// Source: https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/
this.bucket.addToResourcePolicy(new iam.PolicyStatement({
resources: [this.bucket.arnForObjects('*')],
actions: ['s3:GetObject'],
principals: [this.originAccessIdentity.grantPrincipal],
}));
return this._bind(scope, options);
}
protected renderS3OriginConfig(): cloudfront.CfnDistribution.S3OriginConfigProperty | undefined {
if (!this.originAccessIdentity) {
throw new Error('Origin access identity cannot be undefined');
}
return { originAccessIdentity: `origin-access-identity/cloudfront/${this.originAccessIdentity.originAccessIdentityId}` };
}
})();
}
public static withAccessControl(bucket: s3.IBucket, props: S3OriginProps = {}): S3BucketOrigin {
return new (class OriginAccessControl extends S3BucketOrigin {
private originAccessControl?: cloudfront.IOriginAccessControl;
public constructor() {
super(bucket, props);
this.originAccessControl = props.originAccessControl;
}
// Add your origin access control implementation here ...
})();
}
protected constructor(protected readonly bucket: s3.IBucket, props: S3OriginProps = {}) {
super(bucket.bucketRegionalDomainName, props);
}
public abstract bind(scope: Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig;
protected abstract renderS3OriginConfig(): cloudfront.CfnDistribution.S3OriginConfigProperty | undefined;
protected _bind(scope: Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig {
return super.bind(scope, options);
}
}
colifran
reviewed
Jun 13, 2024
gracelu0
force-pushed
the
0617-cloudfront-oac
branch
from
ed84f7b
to
ad1d43f
Compare
colifran
reviewed
Jun 24, 2024
colifran
approved these changes
Jun 24, 2024
1 task
gracelu0
added a commit
that referenced
this pull request
Jun 26, 2024
Reverts #619 Reverting to re-open for final comment period
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a request for comments about CloudFront Origin Access Control. See #617 for
additional details.
APIs are signed off by @colifran .
By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache-2.0 license