fix(cloudfront): Use regional endpoint for S3 bucket origins

RomainMuller · RomainMuller · commit 64c3c6b782e4 · 2019-05-21T12:58:14.000+02:00
The regional endpoint has to be used for S3 bucket origins, otherwise
CloudFront will receive an HTTP 302 response (redirecting to the
regional endpoint), which it will cache. This will lead to users seeing
the actual bucket endpoint, instead of it being hidden behind the
CloudFront distribution.
diff --git a/packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts b/packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts
@@ -566,7 +566,7 @@ export class CloudFrontWebDistribution extends cdk.Construct implements route53.
       const originProperty: CfnDistribution.OriginProperty = {
         id: originId,
         domainName: originConfig.s3OriginSource
-          ? originConfig.s3OriginSource.s3BucketSource.bucketDomainName
+          ? originConfig.s3OriginSource.s3BucketSource.bucketRegionalDomainName
           : originConfig.customOriginSource!.domainName,
         originPath: originConfig.originPath,
         originCustomHeaders: originHeaders.length > 0 ? originHeaders : undefined,
@@ -660,7 +660,7 @@ export class CloudFrontWebDistribution extends cdk.Construct implements route53.
       distributionConfig = {
         ...distributionConfig,
         logging: {
-          bucket: this.loggingBucket.bucketDomainName,
+          bucket: this.loggingBucket.bucketRegionalDomainName,
           includeCookies: props.loggingConfig.includeCookies || false,
           prefix: props.loggingConfig.prefix
         }
diff --git a/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-alias-target.expected.json b/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-alias-target.expected.json
@@ -1,78 +1,78 @@
 {
-    "Resources": {
-      "HostedZoneDB99F866": {
-        "Type": "AWS::Route53::HostedZone",
-        "Properties": {
-          "Name": "test.public."
-        }
-      },
-      "HostedZoneAlias40D2E006": {
-        "Type": "AWS::Route53::RecordSet",
-        "Properties": {
-          "Name": "_foo.test.public.",
-          "Type": "A",
-          "AliasTarget": {
-            "DNSName": {
-              "Fn::GetAtt": [
-                "MyDistributionCFDistributionDE147309",
-                "DomainName"
-              ]
-            },
-            "HostedZoneId": "Z2FDTNDATAQYW2"
+  "Resources": {
+    "HostedZoneDB99F866": {
+      "Type": "AWS::Route53::HostedZone",
+      "Properties": {
+        "Name": "test.public."
+      }
+    },
+    "HostedZoneAlias40D2E006": {
+      "Type": "AWS::Route53::RecordSet",
+      "Properties": {
+        "Name": "_foo.test.public.",
+        "Type": "A",
+        "AliasTarget": {
+          "DNSName": {
+            "Fn::GetAtt": [
+              "MyDistributionCFDistributionDE147309",
+              "DomainName"
+            ]
           },
-          "HostedZoneId": {
-            "Ref": "HostedZoneDB99F866"
-          }
+          "HostedZoneId": "Z2FDTNDATAQYW2"
+        },
+        "HostedZoneId": {
+          "Ref": "HostedZoneDB99F866"
         }
-      },
-      "Bucket83908E77": {
-        "Type": "AWS::S3::Bucket"
-      },
-      "MyDistributionCFDistributionDE147309": {
-        "Type": "AWS::CloudFront::Distribution",
-        "Properties": {
-          "DistributionConfig": {
-            "CacheBehaviors": [],
-            "DefaultCacheBehavior": {
-              "AllowedMethods": [
-                "GET",
-                "HEAD"
-              ],
-              "CachedMethods": [
-                "GET",
-                "HEAD"
-              ],
-              "ForwardedValues": {
-                "Cookies": {
-                  "Forward": "none"
-                },
-                "QueryString": false
+      }
+    },
+    "Bucket83908E77": {
+      "Type": "AWS::S3::Bucket"
+    },
+    "MyDistributionCFDistributionDE147309": {
+      "Type": "AWS::CloudFront::Distribution",
+      "Properties": {
+        "DistributionConfig": {
+          "CacheBehaviors": [],
+          "DefaultCacheBehavior": {
+            "AllowedMethods": [
+              "GET",
+              "HEAD"
+            ],
+            "CachedMethods": [
+              "GET",
+              "HEAD"
+            ],
+            "ForwardedValues": {
+              "Cookies": {
+                "Forward": "none"
               },
-              "TargetOriginId": "origin1",
-              "ViewerProtocolPolicy": "redirect-to-https"
+              "QueryString": false
             },
-            "DefaultRootObject": "index.html",
-            "Enabled": true,
-            "HttpVersion": "http2",
-            "IPV6Enabled": true,
-            "Origins": [
-              {
-                "DomainName": {
-                  "Fn::GetAtt": [
-                    "Bucket83908E77",
-                    "DomainName"
-                  ]
-                },
-                "Id": "origin1",
-                "S3OriginConfig": {}
-              }
-            ],
-            "PriceClass": "PriceClass_100",
-            "ViewerCertificate": {
-              "CloudFrontDefaultCertificate": true
+            "TargetOriginId": "origin1",
+            "ViewerProtocolPolicy": "redirect-to-https"
+          },
+          "DefaultRootObject": "index.html",
+          "Enabled": true,
+          "HttpVersion": "http2",
+          "IPV6Enabled": true,
+          "Origins": [
+            {
+              "DomainName": {
+                "Fn::GetAtt": [
+                  "Bucket83908E77",
+                  "RegionalDomainName"
+                ]
+              },
+              "Id": "origin1",
+              "S3OriginConfig": {}
             }
+          ],
+          "PriceClass": "PriceClass_100",
+          "ViewerCertificate": {
+            "CloudFrontDefaultCertificate": true
           }
         }
       }
     }
   }
+}
diff --git a/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-bucket-logging.expected.json b/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-bucket-logging.expected.json
@@ -34,7 +34,7 @@
             "Bucket": {
               "Fn::GetAtt": [
                 "Bucket83908E77",
-                "DomainName"
+                "RegionalDomainName"
               ]
             },
             "IncludeCookies": true,
@@ -104,7 +104,7 @@
             "Bucket": {
               "Fn::GetAtt": [
                 "AnAmazingWebsiteProbably2LoggingBucket222F7CE9",
-                "DomainName"
+                "RegionalDomainName"
               ]
             },
             "IncludeCookies": false
diff --git a/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-ipv6-disabled.expected.json b/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-ipv6-disabled.expected.json
@@ -35,7 +35,7 @@
               "DomainName": {
                 "Fn::GetAtt": [
                   "Bucket83908E77",
-                  "DomainName"
+                  "RegionalDomainName"
                 ]
               },
               "Id": "origin1",
diff --git a/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-s3.expected.json b/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-s3.expected.json
@@ -0,0 +1,133 @@
+{
+  "Resources": {
+    "Bucket83908E77": {
+      "Type": "AWS::S3::Bucket"
+    },
+    "BucketPolicyE9A3008A": {
+      "Type": "AWS::S3::BucketPolicy",
+      "Properties": {
+        "Bucket": {
+          "Ref": "Bucket83908E77"
+        },
+        "PolicyDocument": {
+          "Statement": [
+            {
+              "Action": [
+                "s3:Get*",
+                "s3:List*"
+              ],
+              "Effect": "Allow",
+              "Principal": {
+                "CanonicalUser": {
+                  "Fn::GetAtt": [
+                    "OAI",
+                    "S3CanonicalUserId"
+                  ]
+                }
+              },
+              "Resource": [
+                {
+                  "Fn::GetAtt": [
+                    "Bucket83908E77",
+                    "Arn"
+                  ]
+                },
+                {
+                  "Fn::Join": [
+                    "",
+                    [
+                      {
+                        "Fn::GetAtt": [
+                          "Bucket83908E77",
+                          "Arn"
+                        ]
+                      },
+                      "/*"
+                    ]
+                  ]
+                }
+              ]
+            }
+          ],
+          "Version": "2012-10-17"
+        }
+      }
+    },
+    "OAI": {
+      "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
+      "Properties": {
+        "CloudFrontOriginAccessIdentityConfig": {
+          "Comment": "Allows CloudFront to reach to the bucket!"
+        }
+      }
+    },
+    "DistributionCFDistribution882A7313": {
+      "Type": "AWS::CloudFront::Distribution",
+      "Properties": {
+        "DistributionConfig": {
+          "CacheBehaviors": [],
+          "DefaultCacheBehavior": {
+            "AllowedMethods": [
+              "GET",
+              "HEAD"
+            ],
+            "CachedMethods": [
+              "GET",
+              "HEAD"
+            ],
+            "ForwardedValues": {
+              "Cookies": {
+                "Forward": "none"
+              },
+              "QueryString": false
+            },
+            "TargetOriginId": "origin1",
+            "ViewerProtocolPolicy": "redirect-to-https"
+          },
+          "DefaultRootObject": "index.html",
+          "Enabled": true,
+          "HttpVersion": "http2",
+          "IPV6Enabled": true,
+          "Origins": [
+            {
+              "DomainName": {
+                "Fn::GetAtt": [
+                  "Bucket83908E77",
+                  "RegionalDomainName"
+                ]
+              },
+              "Id": "origin1",
+              "S3OriginConfig": {
+                "OriginAccessIdentity": {
+                  "Fn::Join": [
+                    "",
+                    [
+                      "origin-access-identity/cloudfront/",
+                      {
+                        "Ref": "OAI"
+                      }
+                    ]
+                  ]
+                }
+              }
+            }
+          ],
+          "PriceClass": "PriceClass_100",
+          "ViewerCertificate": {
+            "CloudFrontDefaultCertificate": true
+          }
+        }
+      }
+    }
+  },
+  "Outputs": {
+    "DistributionDomainName": {
+      "Value": {
+        "Fn::GetAtt": [
+          "DistributionCFDistribution882A7313",
+          "DomainName"
+        ]
+      }
+    }
+  }
+}
diff --git a/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-s3.ts b/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-s3.ts
@@ -0,0 +1,30 @@
+import iam = require('@aws-cdk/aws-iam');
+import s3 = require('@aws-cdk/aws-s3');
+import cdk = require('@aws-cdk/cdk');
+import cloudfront = require('../lib');
+
+const app = new cdk.App();
+const stack = new cdk.Stack(app, 'integ-cloudfront-s3');
+
+const bucket = new s3.Bucket(stack, 'Bucket', { removalPolicy: cdk.RemovalPolicy.Destroy });
+const oai = new cloudfront.CfnCloudFrontOriginAccessIdentity(stack, 'OAI', {
+  cloudFrontOriginAccessIdentityConfig: {
+    comment: 'Allows CloudFront to reach to the bucket!',
+  }
+});
+const dist = new cloudfront.CloudFrontWebDistribution(stack, 'Distribution', {
+  originConfigs: [{
+    behaviors: [{ isDefaultBehavior: true }],
+    s3OriginSource: {
+      s3BucketSource: bucket,
+      originAccessIdentityId: oai.cloudFrontOriginAccessIdentityId,
+    },
+  }]
+});
+bucket.addToResourcePolicy(new iam.PolicyStatement()
+  .allow()
+  .addActions('s3:Get*', 's3:List*')
+  .addResources(bucket.bucketArn, bucket.arnForObjects('*'))
+  .addCanonicalUserPrincipal(oai.cloudFrontOriginAccessIdentityS3CanonicalUserId));
+
+new cdk.CfnOutput(stack, 'DistributionDomainName', { value: dist.domainName });
diff --git a/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront.expected.json b/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront.expected.json
@@ -35,7 +35,7 @@
               "DomainName": {
                 "Fn::GetAtt": [
                   "Bucket83908E77",
-                  "DomainName"
+                  "RegionalDomainName"
                 ]
               },
               "Id": "origin1",
@@ -50,4 +50,4 @@
       }
     }
   }
-}
+}
diff --git a/packages/@aws-cdk/aws-cloudfront/test/test.basic.ts b/packages/@aws-cdk/aws-cloudfront/test/test.basic.ts
@@ -130,7 +130,7 @@ export = {
                   "DomainName": {
                     "Fn::GetAtt": [
                       "Bucket83908E77",
-                      "DomainName"
+                      "RegionalDomainName"
                     ]
                   },
                   "Id": "origin1",
@@ -205,7 +205,7 @@ export = {
                   "DomainName": {
                     "Fn::GetAtt": [
                       "Bucket83908E77",
-                      "DomainName"
+                      "RegionalDomainName"
                     ]
                   },
                   "Id": "origin1",
@@ -283,7 +283,7 @@ export = {
                   "DomainName": {
                     "Fn::GetAtt": [
                       "Bucket83908E77",
-                      "DomainName"
+                      "RegionalDomainName"
                     ]
                   },
                   "Id": "origin1",

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@`
`35`	`35`	`"DomainName": {`
`36`	`36`	`"Fn::GetAtt": [`
`37`	`37`	`"Bucket83908E77",`
`38`		`- "DomainName"`
	`38`	`+ "RegionalDomainName"`
`39`	`39`	`]`
`40`	`40`	`},`
`41`	`41`	`"Id": "origin1",`