
Used the newest CloudFront to S3 construct to fix the bucket ACL that…
… causes a launch error in the Ohio region.
eggoynes committed Apr 17, 2023
1 parent c61714d commit 7a66ec8
Showing 2 changed files with 56 additions and 11 deletions.
63 changes: 54 additions & 9 deletions source/constructs/lib/live-streaming.ts
Expand Up @@ -576,6 +576,50 @@ export class LiveStreaming extends cdk.Stack {
mediaPackageCmafEndpoint.node.addDependency(mediaPackagePolicy);


/**
* S3: Logs bucket for CloudFront
*/
const logsBucket = new s3.Bucket(this, 'LogsBucket', {
enforceSSL: true,
versioned: true,
removalPolicy: cdk.RemovalPolicy.RETAIN,
encryption: s3.BucketEncryption.S3_MANAGED,
objectOwnership: s3.ObjectOwnership.OBJECT_WRITER,
blockPublicAccess: {
blockPublicAcls: true,
blockPublicPolicy: true,
ignorePublicAcls: true,
restrictPublicBuckets: true
}
});
/** get the cfn resource and attach cfn_nag rule */
(logsBucket.node.defaultChild as cdk.CfnResource).cfnOptions.metadata = {
cfn_nag: {
rules_to_suppress: [
{
id: 'W35',
reason: 'Used to store access logs for other buckets'
}, {
id: 'W51',
reason: 'Bucket is private and does not need a bucket policy'
}
]
}
};
//cdk_nag
NagSuppressions.addResourceSuppressions(
logsBucket,
[
{
id: 'AwsSolutions-S1', //same as cfn_nag rule W35
reason: 'Used to store access logs for other buckets'
}, {
id: 'AwsSolutions-S10',
reason: 'Bucket is private and is not using HTTP'
}
]
);

/**
* CloudFront Distribution
*/
Expand Down Expand Up @@ -653,6 +697,7 @@ export class LiveStreaming extends cdk.Stack {
cachedMethods: cloudfront.CachedMethods.CACHE_GET_HEAD_OPTIONS
},
enabled: true,
logBucket: logsBucket,
logFilePrefix: 'cloudfront-logs/',
errorResponses: [
errorResponse400,
Expand Down Expand Up @@ -689,9 +734,6 @@ export class LiveStreaming extends cdk.Stack {
}, {
id: 'AwsSolutions-CFR2',
reason: 'Use case does not warrant CloudFront integration with AWS WAF'
}, {
id: 'AwsSolutions-CFR3',
reason: 'S3 changing ownership have to remove since it is causing solution not to deploy'
}, {
id: 'AwsSolutions-CFR4', //same as cfn_nag rule W70
reason: 'CloudFront automatically sets the security policy to TLSv1 when the distribution uses the CloudFront domain name'
Expand Down Expand Up @@ -737,16 +779,13 @@ export class LiveStreaming extends cdk.Stack {
]
},
bucketProps: {
versioned: false,
objectOwnership: s3.ObjectOwnership.OBJECT_WRITER
versioned: false
},
loggingBucketProps: {
versioned: false,
objectOwnership: s3.ObjectOwnership.OBJECT_WRITER
versioned: false
},
cloudFrontLoggingBucketProps: {
versioned: false,
objectOwnership: s3.ObjectOwnership.OBJECT_WRITER
versioned: false
},
insertHttpSecurityHeaders: false
});
Expand Down Expand Up @@ -972,6 +1011,12 @@ export class LiveStreaming extends cdk.Stack {
exportName: `${cdk.Aws.STACK_NAME}-DemoBucket`
});

new cdk.CfnOutput(this, 'LogsBucketConsole', { // NOSONAR
description: 'Logs bucket',
value: `https://${cdk.Aws.REGION}.console.aws.amazon.com/s3/buckets/${logsBucket.bucketName}?region=${cdk.Aws.REGION}`,
exportName: `${cdk.Aws.STACK_NAME}-LogsBucket`
});

new cdk.CfnOutput(this, 'AppRegistryConsole', { // NOSONAR
description: 'AppRegistry',
value: `https://${cdk.Aws.REGION}.console.aws.amazon.com/servicecatalog/home?#applications/${appRegistry.applicationId}`,
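Review bot: In the first hunk the cdk_nag `AwsSolutions-S10` and cfn_nag `W51` suppressions on `LogsBucket` contradict `enforceSSL: true` on the same resource: that option generates a bucket policy denying non-TLS requests, which is exactly what S10 checks, so the suppression is unnecessary and its reason ("is not using HTTP") and W51's ("does not need a bucket policy") misdescribe what the bucket actually has. Dropping both entries, or if a rule still fires with the pinned construct versions, rewording the reasons to state that the deny-non-TLS policy is added by `enforceSSL`, keeps the suppression list accurate for the next audit. The bucket is also `versioned: true` with `RemovalPolicy.RETAIN` and no lifecycle rule, so CloudFront logs and their noncurrent versions accumulate indefinitely; if a retention period exists, a `lifecycleRules` entry with an expiration and noncurrent-version expiration is worth adding. The enclosing `LiveStreaming` constructor starts and ends outside the hunk.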
4 changes: 2 additions & 2 deletions source/constructs/package.json
Expand Up @@ -31,8 +31,8 @@
},
"dependencies": {
"@aws-cdk/aws-servicecatalogappregistry-alpha": "2.35.0-alpha.0",
"@aws-solutions-constructs/aws-cloudfront-s3": "2.35.0",
"aws-cdk-lib": "2.68.0",
"@aws-solutions-constructs/aws-cloudfront-s3": "2.38.0",
"aws-cdk-lib": "2.74.0",
"cdk-nag": "^2.21.52",
"constructs": "10.1.283",
"source-map-support": "0.5.19"
