From 7aaae577be727625c1197c3d2c7d17e117577d04 Mon Sep 17 00:00:00 2001 From: Matthias Gubler Date: Tue, 21 Jan 2025 15:48:07 -0600 Subject: [PATCH] Add CloudFront AccessLevel.READ_VERSIONED This allows creating an S3 bucket origin OriginAccessControl for access of versioned objects Fixes aws/aws-cdk#33034 --- .../integ.s3-origin-oac-read-versioned.ts | 24 +++ .../aws-cloudfront-origins/README.md | 8 +- .../lib/s3-bucket-origin.ts | 72 +++++---- .../test/s3-bucket-origin.test.ts | 64 ++++++-- .../lib/origin-access-control.ts | 152 +++++++++--------- 5 files changed, 201 insertions(+), 119 deletions(-) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac-read-versioned.ts diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac-read-versioned.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac-read-versioned.ts new file mode 100644 index 0000000000000..3462187847e7b --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac-read-versioned.ts 
@@ -0,0 +1,24 @@
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as cdk from 'aws-cdk-lib';
+import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
+import { ExpectedResult, IntegTest } from '@aws-cdk/integ-tests-alpha';
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'cloudfront-s3-bucket-origin-oac-read-versioned-access');
+
+const bucket = new s3.Bucket(stack, 'Bucket', {
+ removalPolicy: cdk.RemovalPolicy.DESTROY,
+});
+origins.S3BucketOrigin.withOriginAccessControl(bucket, {
+ originAccessLevels: [cloudfront.AccessLevel.READ, cloudfront.AccessLevel.READ_VERSIONED],
+});
+
+const integ = new IntegTest(app, 's3-origin-oac-read-versioned-access', {
+ testCases: [stack],
+});
+
+integ.assertions.awsApiCall('S3', 'getBucketPolicy', {
+ Bucket: bucket.bucketName,
+}).expect(ExpectedResult.objectLike({ Statement: [{ Action: ['s3:GetObject', 's3:GetObjectVersion'] }] }));
diff --git a/packages/aws-cdk-lib/aws-cloudfront-origins/README.md b/packages/aws-cdk-lib/aws-cloudfront-origins/README.md
index bfb38e14a48f3..1ace2fba4d5ec 100644
--- a/packages/aws-cdk-lib/aws-cloudfront-origins/README.md
+++ b/packages/aws-cdk-lib/aws-cloudfront-origins/README.md
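Review bot: The origin returned by `origins.S3BucketOrigin.withOriginAccessControl(bucket, {...})` is discarded and never attached to a `cloudfront.Distribution`, so as far as I can tell from the `s3-bucket-origin.ts` hunk in this commit (the bucket policy statement is added when the origin is bound to a distribution) no bucket policy is ever written and the `getBucketPolicy` assertion has nothing to match; the unit test added in this same commit does create a Distribution. I would keep the origin and bind it: `const origin = origins.S3BucketOrigin.withOriginAccessControl(bucket, { ... });` followed by `new cloudfront.Distribution(stack, 'Distribution', { defaultBehavior: { origin } });`. Separately, the S3 `GetBucketPolicy` response carries the policy document as a JSON string under `Policy`, so `ExpectedResult.objectLike({ Statement: [...] })` presumably will not match the raw response unless the assertion helper parses it first. The bucket is also not created with `versioned: true`, so the test never exercises the versioned read that `READ_VERSIONED` exists to grant.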
@@ -73,15 +73,17 @@ new cloudfront.Distribution(this, 'myDist', { When creating a standard S3 origin using `origins.S3BucketOrigin.withOriginAccessControl()`, an [Origin Access Control resource](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-originaccesscontrol-originaccesscontrolconfig.html) is automatically created with the origin type set to `s3` and signing behavior set to `always`. -You can grant read, list, write or delete access to the OAC using the `originAccessLevels` property: +You can grant read, read versioned, list, write or delete access to the OAC using the `originAccessLevels` property: ```ts const myBucket = new s3.Bucket(this, 'myBucket'); -const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(myBucket, { - originAccessLevels: [cloudfront.AccessLevel.READ, cloudfront.AccessLevel.WRITE, cloudfront.AccessLevel.DELETE], +const s3Origin = origins.S3BucketOrigin.withOriginAccessControl(myBucket, { originAccessLevels: [cloudfront.AccessLevel.READ, cloudfront.AccessLevel.READ_VERSIONED, cloudfront.AccessLevel.WRITE, cloudfront.AccessLevel.DELETE], }); ``` +The read versioned permission does contain the read permission, so it's required to set both `AccessLevel.READ` and +`AccessLevel.READ_VERSIONED`. + For details of list permission, see [Setting up OAC with LIST permission](#setting-up-oac-with-list-permission). You can also pass in a custom S3 origin access control: diff --git a/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts b/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts index 092e94dce949b..cc0b86c45bd06 100644 --- a/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts +++ b/packages/aws-cdk-lib/aws-cloudfront-origins/lib/s3-bucket-origin.ts 
@@ -13,7 +13,11 @@ interface BucketPolicyAction {
 
 const BUCKET_ACTIONS: Record = {
 READ: [{ action: 's3:GetObject' }],
- LIST: [{ action: 's3:ListBucket', needsBucketArn: true }],
+ READ_VERSIONED: [{ action: 's3:GetObjectVersion' }],
+ LIST: [{
+ action: 's3:ListBucket',
+ needsBucketArn: true,
+ }],
 WRITE: [{ action: 's3:PutObject' }],
 DELETE: [{ action: 's3:DeleteObject' }],
 };
@@ -26,25 +30,26 @@ const KEY_ACTIONS: Record = {
 /**
 * Properties for configuring a origin using a standard S3 bucket
 */
-export interface S3BucketOriginBaseProps extends cloudfront.OriginProps { }
+export interface S3BucketOriginBaseProps extends cloudfront.OriginProps {
+}
 
 /**
 * Properties for configuring a S3 origin with OAC
 */
 export interface S3BucketOriginWithOACProps extends S3BucketOriginBaseProps {
 /**
- * An optional Origin Access Control
- *
- * @default - an Origin Access Control will be created.
- */
+ * An optional Origin Access Control
+ *
+ * @default - an Origin Access Control will be created.
+ */
 readonly originAccessControl?: cloudfront.IOriginAccessControl;
 
 /**
- * The level of permissions granted in the bucket policy and key policy (if applicable)
- * to the CloudFront distribution.
- *
- * @default [AccessLevel.READ]
- */
+ * The level of permissions granted in the bucket policy and key policy (if applicable)
+ * to the CloudFront distribution.
+ *
+ * @default [AccessLevel.READ]
+ */
 readonly originAccessLevels?: AccessLevel[];
 }
 
@@ -53,10 +58,10 @@ export interface S3BucketOriginWithOACProps extends S3BucketOriginBaseProps {
 */
 export interface S3BucketOriginWithOAIProps extends S3BucketOriginBaseProps {
 /**
- * An optional Origin Access Identity
- *
- * @default - an Origin Access Identity will be created.
- */
+ * An optional Origin Access Identity
+ *
+ * @default - an Origin Access Identity will be created.
+ */
 readonly originAccessIdentity?: cloudfront.IOriginAccessIdentity;
 }
 
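Review bot: `READ_VERSIONED` maps only to `s3:GetObjectVersion` in `BUCKET_ACTIONS`, so on its own it does not allow plain unversioned `GetObject` requests, yet the `originAccessLevels` doc comment rewritten in the second hunk does not tell callers to pass `AccessLevel.READ` alongside it; the README hunk in this commit even says the versioned permission "does contain" the read permission, which contradicts this mapping. I would add to that comment `* AccessLevel.READ_VERSIONED only grants s3:GetObjectVersion; combine it with AccessLevel.READ if unversioned reads are also required.` and change the README wording to "does not contain". Keeping the two levels separate is the right least-privilege choice, since a distribution that only serves current objects should not be able to retrieve earlier versions of an object, so the separation is worth documenting rather than merging.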
@@ -65,24 +70,24 @@ export interface S3BucketOriginWithOAIProps extends S3BucketOriginBaseProps { */ export abstract class S3BucketOrigin extends cloudfront.OriginBase { /** - * Create a S3 Origin with Origin Access Control (OAC) configured - */ + * Create a S3 Origin with Origin Access Control (OAC) configured + */ public static withOriginAccessControl(bucket: IBucket, props?: S3BucketOriginWithOACProps): cloudfront.IOrigin { return new S3BucketOriginWithOAC(bucket, props); } /** - * Create a S3 Origin with Origin Access Identity (OAI) configured - * OAI is a legacy feature and we **strongly** recommend you to use OAC via `withOriginAccessControl()` - * unless it is not supported in your required region (e.g. China regions). - */ + * Create a S3 Origin with Origin Access Identity (OAI) configured + * OAI is a legacy feature and we **strongly** recommend you to use OAC via `withOriginAccessControl()` + * unless it is not supported in your required region (e.g. China regions). + */ public static withOriginAccessIdentity(bucket: IBucket, props?: S3BucketOriginWithOAIProps): cloudfront.IOrigin { return new S3BucketOriginWithOAI(bucket, props); } /** - * Create a S3 Origin with default S3 bucket settings (no origin access control) - */ + * Create a S3 Origin with default S3 bucket settings (no origin access control) + */ public static withBucketDefaults(bucket: IBucket, props?: cloudfront.OriginProps): cloudfront.IOrigin { return new class extends S3BucketOrigin { constructor() { 
@@ -126,9 +131,9 @@ class S3BucketOriginWithOAC extends S3BucketOrigin { const accessLevels = new Set(this.originAccessLevels ?? [cloudfront.AccessLevel.READ]); if (accessLevels.has(AccessLevel.LIST)) { Annotations.of(scope).addWarningV2('@aws-cdk/aws-cloudfront-origins:listBucketSecurityRisk', - 'When the origin with AccessLevel.LIST is associated to the default behavior, '+ - 'it is strongly recommended to ensure the distribution\'s defaultRootObject is specified,\n'+ - 'See the "Setting up OAC with LIST permission" section of module\'s README for more info.'); + 'When the origin with AccessLevel.LIST is associated to the default behavior, ' + + 'it is strongly recommended to ensure the distribution\'s defaultRootObject is specified,\n' + + 'See the "Setting up OAC with LIST permission" section of module\'s README for more info.'); } const bucketPolicyActions = this.getBucketPolicyActions(accessLevels); @@ -138,7 +143,7 @@ class S3BucketOriginWithOAC extends S3BucketOrigin { if (!bucketPolicyResult.statementAdded) { Annotations.of(scope).addWarningV2('@aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOac', 'Cannot update bucket policy of an imported bucket. You will need to update the policy manually instead.\n' + - 'See the "Setting up OAC with imported S3 buckets" section of module\'s README for more info.'); + 'See the "Setting up OAC with imported S3 buckets" section of module\'s README for more info.'); } if (this.bucket.encryptionKey) { @@ -148,7 +153,7 @@ class S3BucketOriginWithOAC extends S3BucketOrigin { if (!keyPolicyResult.statementAdded) { Annotations.of(scope).addWarningV2('@aws-cdk/aws-cloudfront-origins:updateImportedKeyPolicyOac', 'Cannot update key policy of an imported key. You will need to update the policy manually instead.\n' + - 'See the "Updating imported key policies" section of the module\'s README for more info.'); + 'See the "Updating imported key policies" section of the module\'s README for more info.'); } } 
@@ -210,9 +215,9 @@ class S3BucketOriginWithOAC extends S3BucketOrigin { ); Annotations.of(key.node.scope!).addWarningV2('@aws-cdk/aws-cloudfront-origins:wildcardKeyPolicyForOac', 'To avoid a circular dependency between the KMS key, Bucket, and Distribution during the initial deployment, ' + - 'a wildcard is used in the Key policy condition to match all Distribution IDs.\n' + - 'After deploying once, it is strongly recommended to further scope down the policy for best security practices by ' + - 'following the guidance in the "Using OAC for a SSE-KMS encrypted S3 origin" section in the module README.'); + 'a wildcard is used in the Key policy condition to match all Distribution IDs.\n' + + 'After deploying once, it is strongly recommended to further scope down the policy for best security practices by ' + + 'following the guidance in the "Using OAC for a SSE-KMS encrypted S3 origin" section in the module README.'); const result = key.addToResourcePolicy(oacKeyPolicyStatement); return result; } @@ -242,7 +247,8 @@ class S3BucketOriginWithOAI extends S3BucketOrigin { this.originAccessIdentity = new cloudfront.OriginAccessIdentity(oaiScope, oaiId, { comment: `Identity for ${options.originId}`, }); - }; + } + ; // Used rather than `grantRead` because `grantRead` will grant overly-permissive policies. // Only GetObject is needed to retrieve objects for the distribution. // This also excludes KMS permissions; OAI only supports SSE-S3 for buckets. 
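Review bot: In the `@@ -242,7 +247,8 @@` hunk the trailing `};` after the `if` block is reformatted into `}` plus a bare `;` on its own line instead of being removed; that `;` is an empty statement and should simply be deleted, so the two added lines become the single line `}`. The enclosing method starts and ends outside the hunk.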
@@ -255,7 +261,7 @@ class S3BucketOriginWithOAI extends S3BucketOrigin { if (!result.statementAdded) { Annotations.of(scope).addWarningV2('@aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOai', 'Cannot update bucket policy of an imported bucket. You will need to update the policy manually instead.\n' + - 'See the "Setting up OAI with imported S3 buckets (legacy)" section of module\'s README for more info.'); + 'See the "Setting up OAI with imported S3 buckets (legacy)" section of module\'s README for more info.'); } return this._bind(scope, options); } diff --git a/packages/aws-cdk-lib/aws-cloudfront-origins/test/s3-bucket-origin.test.ts b/packages/aws-cdk-lib/aws-cloudfront-origins/test/s3-bucket-origin.test.ts index 19a8d95f4bf20..50bf5c0c82521 100644 --- a/packages/aws-cdk-lib/aws-cloudfront-origins/test/s3-bucket-origin.test.ts +++ b/packages/aws-cdk-lib/aws-cloudfront-origins/test/s3-bucket-origin.test.ts @@ -3,7 +3,7 @@ import * as cloudfront from '../../aws-cloudfront/index'; import * as origins from '../../aws-cloudfront-origins'; import * as kms from '../../aws-kms'; import * as s3 from '../../aws-s3/index'; -import { App, Duration, Fn, Stack } from '../../core'; +import { App, Duration, Stack } from '../../core'; describe('S3BucketOrigin', () => { describe('withOriginAccessControl', () => { 
@@ -380,9 +380,9 @@ describe('S3BucketOrigin', () => { }); Annotations.fromStack(stack).hasWarning('/Default', 'To avoid a circular dependency between the KMS key, Bucket, and Distribution during the initial deployment, ' + - 'a wildcard is used in the Key policy condition to match all Distribution IDs.\n' + - 'After deploying once, it is strongly recommended to further scope down the policy for best security practices by ' + - 'following the guidance in the "Using OAC for a SSE-KMS encrypted S3 origin" section in the module README. [ack: @aws-cdk/aws-cloudfront-origins:wildcardKeyPolicyForOac]'); + 'a wildcard is used in the Key policy condition to match all Distribution IDs.\n' + + 'After deploying once, it is strongly recommended to further scope down the policy for best security practices by ' + + 'following the guidance in the "Using OAC for a SSE-KMS encrypted S3 origin" section in the module README. [ack: @aws-cdk/aws-cloudfront-origins:wildcardKeyPolicyForOac]'); }); it('should allow users to use escape hatch to scope down KMS key policy to specific distribution id', () => { @@ -475,7 +475,7 @@ describe('S3BucketOrigin', () => { }); Annotations.fromStack(stack).hasWarning('/Default/MyDistributionA/Origin1', 'Cannot update key policy of an imported key. You will need to update the policy manually instead.\n' + - 'See the "Updating imported key policies" section of the module\'s README for more info. [ack: @aws-cdk/aws-cloudfront-origins:updateImportedKeyPolicyOac]'); + 'See the "Updating imported key policies" section of the module\'s README for more info. [ack: @aws-cdk/aws-cloudfront-origins:updateImportedKeyPolicyOac]'); }); }); 
@@ -716,7 +716,7 @@ describe('S3BucketOrigin', () => { it('should warn user bucket policy is not updated', () => { Annotations.fromStack(stack).hasWarning('/Default/MyDistributionA/Origin1', 'Cannot update bucket policy of an imported bucket. You will need to update the policy manually instead.\n' + - 'See the "Setting up OAC with imported S3 buckets" section of module\'s README for more info. [ack: @aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOac]'); + 'See the "Setting up OAC with imported S3 buckets" section of module\'s README for more info. [ack: @aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOac]'); }); it('should match expected template resources', () => { @@ -893,6 +893,48 @@ describe('S3BucketOrigin', () => { }); }); + describe('when specifying READ and READ_VERSIONED origin access levels', () => { + it('should add the correct permissions to bucket policy', () => { + const stack = new Stack(); + const bucket = new s3.Bucket(stack, 'MyBucket'); + const origin = origins.S3BucketOrigin.withOriginAccessControl(bucket, { + originAccessLevels: [cloudfront.AccessLevel.READ, cloudfront.AccessLevel.READ_VERSIONED], + }); + new cloudfront.Distribution(stack, 'MyDistribution', { + defaultBehavior: { origin }, + }); + + Template.fromStack(stack).hasResourceProperties('AWS::S3::BucketPolicy', { + PolicyDocument: { + Statement: [ + { + Action: ['s3:GetObject', 's3:GetObjectVersion'], + Effect: 'Allow', + Principal: { Service: 'cloudfront.amazonaws.com' }, + Condition: { + StringEquals: { + 'AWS:SourceArn': { + 'Fn::Join': [ + '', + [ + 'arn:', + { Ref: 'AWS::Partition' }, + ':cloudfront::', + { Ref: 'AWS::AccountId' }, + ':distribution/', + { Ref: 'MyDistribution6271DFB5' }, + ], + ], + }, + }, + }, + Resource: { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['MyBucketF68F3FF0', 'Arn'] }, '/*']] }, + }, + ], + }, + }); + }); + }); it('should add the warning annotation', () => { const stack = new Stack(); const bucket = new s3.Bucket(stack, 'MyBucket'); 
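Review bot: The new `describe('when specifying READ and READ_VERSIONED origin access levels'` block only covers the combined case; there is no test for `READ_VERSIONED` alone, which per the `BUCKET_ACTIONS` hunk in this commit produces a bucket policy carrying only `s3:GetObjectVersion` and leaves plain `GetObject` denied. A second `it` using `originAccessLevels: [cloudfront.AccessLevel.READ_VERSIONED]` and asserting the statement contains only `s3:GetObjectVersion` would pin that `READ_VERSIONED` does not imply `READ`. The block is also inserted between `});` and `it('should add the warning annotation'` with no blank line, apparently inside the LIST-related describe, so a blank line or moving it before that describe would keep the suite readable. The enclosing describe starts and ends outside the hunk.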
@@ -903,10 +945,10 @@ describe('S3BucketOrigin', () => { defaultBehavior: { origin }, }); Annotations.fromStack(stack).hasWarning('/Default/MyDistribution/Origin1', - 'When the origin with AccessLevel.LIST is associated to the default behavior, '+ - 'it is strongly recommended to ensure the distribution\'s defaultRootObject is specified,\n'+ - 'See the "Setting up OAC with LIST permission" section of module\'s README for more info.'+ - ' [ack: @aws-cdk/aws-cloudfront-origins:listBucketSecurityRisk]'); + 'When the origin with AccessLevel.LIST is associated to the default behavior, ' + + 'it is strongly recommended to ensure the distribution\'s defaultRootObject is specified,\n' + + 'See the "Setting up OAC with LIST permission" section of module\'s README for more info.' + + ' [ack: @aws-cdk/aws-cloudfront-origins:listBucketSecurityRisk]'); }); }); @@ -1229,7 +1271,7 @@ describe('S3BucketOrigin', () => { it('should warn user bucket policy is not updated', () => { Annotations.fromStack(distributionStack).hasWarning('/distributionStack/MyDistributionA/Origin1', 'Cannot update bucket policy of an imported bucket. You will need to update the policy manually instead.\n' + - 'See the "Setting up OAI with imported S3 buckets (legacy)" section of module\'s README for more info. [ack: @aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOai]'); + 'See the "Setting up OAI with imported S3 buckets (legacy)" section of module\'s README for more info. [ack: @aws-cdk/aws-cloudfront-origins:updateImportedBucketPolicyOai]'); }); it('should create OAI in bucket stack and output it, then reference the output in the distribution stack', () => { diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/origin-access-control.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/origin-access-control.ts index bda8bd24fc36a..6972b8ba71a78 100644 --- a/packages/aws-cdk-lib/aws-cloudfront/lib/origin-access-control.ts +++ b/packages/aws-cdk-lib/aws-cloudfront/lib/origin-access-control.ts 
@@ -1,15 +1,15 @@ import { Construct } from 'constructs'; import { CfnOriginAccessControl } from './cloudfront.generated'; -import { IResource, Resource, Names } from '../../core'; +import { IResource, Names, Resource } from '../../core'; /** * Represents a CloudFront Origin Access Control */ export interface IOriginAccessControl extends IResource { /** - * The unique identifier of the origin access control. - * @attribute - */ + * The unique identifier of the origin access control. + * @attribute + */ readonly originAccessControlId: string; } @@ -18,24 +18,24 @@ export interface IOriginAccessControl extends IResource { */ export interface OriginAccessControlBaseProps { /** - * A description of the origin access control. - * - * @default - no description - */ + * A description of the origin access control. + * + * @default - no description + */ readonly description?: string; /** - * A name to identify the origin access control, with a maximum length of 64 characters. - * - * @default - a generated name - */ + * A name to identify the origin access control, with a maximum length of 64 characters. + * + * @default - a generated name + */ readonly originAccessControlName?: string; /** - * Specifies which requests CloudFront signs and the signing protocol. - * - * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-originaccesscontrol-originaccesscontrolconfig.html#cfn-cloudfront-originaccesscontrol-originaccesscontrolconfig-signingbehavior - * - * @default SIGV4_ALWAYS - */ + * Specifies which requests CloudFront signs and the signing protocol. + * + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-originaccesscontrol-originaccesscontrolconfig.html#cfn-cloudfront-originaccesscontrol-originaccesscontrolconfig-signingbehavior + * + * @default SIGV4_ALWAYS + */ readonly signing?: Signing; } 
@@ -44,52 +44,58 @@ export interface OriginAccessControlBaseProps {
 */
 export enum AccessLevel {
 /**
- * Grants read permissions to CloudFront Distribution
- */
+ * Grants read permissions to CloudFront Distribution
+ */
 READ = 'READ',
 /**
- * Grants list permissions to CloudFront Distribution
- */
+ * Grants versioned read permissions to CloudFront Distribution
+ */
+ READ_VERSIONED = 'READ_VERSIONED',
+ /**
+ * Grants list permissions to CloudFront Distribution
+ */
 LIST = 'LIST',
 /**
- * Grants write permission to CloudFront Distribution
- */
+ * Grants write permission to CloudFront Distribution
+ */
 WRITE = 'WRITE',
 /**
- * Grants delete permission to CloudFront Distribution
- */
+ * Grants delete permission to CloudFront Distribution
+ */
 DELETE = 'DELETE',
 }
 
 /**
 * Properties for creating a S3 Origin Access Control resource.
 */
-export interface S3OriginAccessControlProps extends OriginAccessControlBaseProps { }
+export interface S3OriginAccessControlProps extends OriginAccessControlBaseProps {
+}
 
 /**
 * Properties for creating a Lambda Function URL Origin Access Control resource.
 */
-export interface FunctionUrlOriginAccessControlProps extends OriginAccessControlBaseProps { }
+export interface FunctionUrlOriginAccessControlProps extends OriginAccessControlBaseProps {
+}
 
 /**
 * Origin types supported by Origin Access Control.
 */
 export enum OriginAccessControlOriginType {
 /**
- * Uses an Amazon S3 bucket origin.
- */
+ * Uses an Amazon S3 bucket origin.
+ */
 S3 = 's3',
 /**
- * Uses a Lambda function URL origin.
- */
+ * Uses a Lambda function URL origin.
+ */
 LAMBDA = 'lambda',
 /**
- * Uses an AWS Elemental MediaStore origin.
- */
+ * Uses an AWS Elemental MediaStore origin.
+ */
 MEDIASTORE = 'mediastore',
 /**
- * Uses an AWS Elemental MediaPackage v2 origin.
- */
+ * Uses an AWS Elemental MediaPackage v2 origin.
+ */
 MEDIAPACKAGEV2 = 'mediapackagev2',
 }
 
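Review bot: The doc comment on the new `READ_VERSIONED` member only says "Grants versioned read permissions"; since the `BUCKET_ACTIONS` hunk in this commit maps it to `s3:GetObjectVersion` alone, the comment should state that it does not include `READ`, otherwise a caller can easily ship an origin that may fetch specific object versions but cannot serve the current object. Suggested comment: `* Grants permission to read specific object versions (s3:GetObjectVersion). Does not include READ; combine with AccessLevel.READ for unversioned reads.` The other members keep a one-line description, so one or two lines here matches the file's style.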
@@ -99,20 +105,20 @@ export enum OriginAccessControlOriginType { */ export enum SigningBehavior { /** - * Sign all origin requests, overwriting the Authorization header - * from the viewer request if one exists. - */ + * Sign all origin requests, overwriting the Authorization header + * from the viewer request if one exists. + */ ALWAYS = 'always', /** - * Do not sign any origin requests. - * This value turns off origin access control for all origins in all - * distributions that use this origin access control. - */ + * Do not sign any origin requests. + * This value turns off origin access control for all origins in all + * distributions that use this origin access control. + */ NEVER = 'never', /** - * Sign origin requests only if the viewer request - * doesn't contain the Authorization header. - */ + * Sign origin requests only if the viewer request + * doesn't contain the Authorization header. + */ NO_OVERRIDE = 'no-override', } @@ -121,8 +127,8 @@ export enum SigningBehavior { */ export enum SigningProtocol { /** - * The AWS Signature Version 4 signing protocol. - */ + * The AWS Signature Version 4 signing protocol. + */ SIGV4 = 'sigv4', } 
@@ -131,29 +137,29 @@ export enum SigningProtocol { */ export class Signing { /** - * Sign all origin requests using the AWS Signature Version 4 signing protocol. - */ + * Sign all origin requests using the AWS Signature Version 4 signing protocol. + */ public static readonly SIGV4_ALWAYS = new Signing(SigningProtocol.SIGV4, SigningBehavior.ALWAYS); /** - * Sign only if the viewer request doesn't contain the Authorization header - * using the AWS Signature Version 4 signing protocol. - */ + * Sign only if the viewer request doesn't contain the Authorization header + * using the AWS Signature Version 4 signing protocol. + */ public static readonly SIGV4_NO_OVERRIDE = new Signing(SigningProtocol.SIGV4, SigningBehavior.NO_OVERRIDE); /** - * Do not sign any origin requests. - */ + * Do not sign any origin requests. + */ public static readonly NEVER = new Signing(SigningProtocol.SIGV4, SigningBehavior.NEVER); /** - * The signing protocol - */ + * The signing protocol + */ public readonly protocol: SigningProtocol; /** - * Which requests CloudFront signs. - */ + * Which requests CloudFront signs. + */ public readonly behavior: SigningBehavior; public constructor(protocol: SigningProtocol, behavior: SigningBehavior) { @@ -168,9 +174,9 @@ export class Signing { */ export abstract class OriginAccessControlBase extends Resource implements IOriginAccessControl { /** - * The Id of the origin access control - * @attribute - */ + * The Id of the origin access control + * @attribute + */ public abstract readonly originAccessControlId: string; } 
@@ -181,20 +187,21 @@ export abstract class OriginAccessControlBase extends Resource implements IOrigi */ export class S3OriginAccessControl extends OriginAccessControlBase { /** - * Imports an S3 origin access control from its id. - */ + * Imports an S3 origin access control from its id. + */ public static fromOriginAccessControlId(scope: Construct, id: string, originAccessControlId: string): IOriginAccessControl { class Import extends Resource implements IOriginAccessControl { public readonly originAccessControlId = originAccessControlId; public readonly originAccessControlOriginType = OriginAccessControlOriginType.S3; } + return new Import(scope, id); } /** - * The unique identifier of this Origin Access Control. - * @attribute - */ + * The unique identifier of this Origin Access Control. + * @attribute + */ public readonly originAccessControlId: string; constructor(scope: Construct, id: string, props: S3OriginAccessControlProps = {}) { @@ -223,20 +230,21 @@ export class S3OriginAccessControl extends OriginAccessControlBase { */ export class FunctionUrlOriginAccessControl extends OriginAccessControlBase { /** - * Imports a Lambda Function URL origin access control from its id. - */ + * Imports a Lambda Function URL origin access control from its id. + */ public static fromOriginAccessControlId(scope: Construct, id: string, originAccessControlId: string): IOriginAccessControl { class Import extends Resource implements IOriginAccessControl { public readonly originAccessControlId = originAccessControlId; public readonly originAccessControlOriginType = OriginAccessControlOriginType.LAMBDA; } + return new Import(scope, id); } /** - * The unique identifier of this Origin Access Control. - * @attribute - */ + * The unique identifier of this Origin Access Control. + * @attribute + */ public readonly originAccessControlId: string; constructor(scope: Construct, id: string, props: FunctionUrlOriginAccessControlProps = {}) {