merge upstream

.doc_gen/metadata/cloudfront-functions_metadata.yaml

@@ -0,0 +1,204 @@
+cloudfront_functions_add_cache_control_header:
+  title: Add a cache control header to a &CF; Functions viewer response event
+  title_abbrev: Add a cache control header
+  synopsis: add a cache control header to a &CF; Functions viewer response event.
+
+  category: CloudFront Functions examples
+  languages:
+    JavaScript:
+      versions:
+        - sdk_version: 102
+          github: https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/add-cache-control-header
+          excerpts:
+            - description:
+              snippet_files:
+                - add-cache-control-header/index.js
+  services:
+    cloudfront:
+cloudfront_functions_add_cors_header:
+  title: Add a CORS header to a &CF; Functions viewer response event
+  title_abbrev: Add a CORS header
+  synopsis: add a CORS header to a &CF; Functions viewer response event.
+
+  category: CloudFront Functions examples
+  languages:
+    JavaScript:
+      versions:
+        - sdk_version: 102
+          github: https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/add-cors-header
+          excerpts:
+            - description:
+              snippet_files:
+                - add-cors-header/index.js
+  services:
+    cloudfront:
+cloudfront_functions_add_origin_header:
+  title: Add an origin header to a &CF; Functions viewer request event
+  title_abbrev: Add an origin header
+  synopsis: add an origin header to a &CF; Functions viewer request event.
+
+  category: CloudFront Functions examples
+  languages:
+    JavaScript:
+      versions:
+        - sdk_version: 102
+          github: https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/add-origin-header
+          excerpts:
+            - description:
+              snippet_files:
+                - add-origin-header/index.js
+  services:
+    cloudfront:
+cloudfront_functions_add_security_headers:
+  title: Add HTTP security headers to a &CF; Functions viewer response event
+  title_abbrev: Add HTTP security headers
+  synopsis: add HTTP security headers to a &CF; Functions viewer response event.
+
+  category: CloudFront Functions examples
+  languages:
+    JavaScript:
+      versions:
+        - sdk_version: 102
+          github: https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/add-security-headers
+          excerpts:
+            - description:
+              snippet_files:
+                - add-security-headers/index.js
+  services:
+    cloudfront:
+cloudfront_functions_add_true_client_ip_header:
+  title: Add a true client IP header to a &CF; Functions viewer request event
+  title_abbrev: Add a true client IP header
+  synopsis: add a true client IP header to a &CF; Functions viewer request event.
+
+  category: CloudFront Functions examples
+  languages:
+    JavaScript:
+      versions:
+        - sdk_version: 102
+          github: https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/add-true-client-ip-header
+          excerpts:
+            - description:
+              snippet_files:
+                - add-true-client-ip-header/index.js
+  services:
+    cloudfront:
+cloudfront_functions_kvs_conditional_read:
+  title: Rewrite a request URI based on KeyValueStore configuration for a &CF; Functions viewer request event
+  title_abbrev: Rewrite a request URI
+  synopsis: rewrite a request URI based on KeyValueStore configuration for a &CF; Functions viewer request event.
+
+  category: CloudFront Functions examples
+  languages:
+    JavaScript:
+      versions:
+        - sdk_version: 102
+          github: https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/kvs-conditional-read
+          excerpts:
+            - description:
+              snippet_files:
+                - kvs-conditional-read/ABUriMappingFunction.js
+  services:
+    cloudfront:
+cloudfront_functions_kvs_jwt_verify:
+  title: Validate a simple token in a &CF; Functions viewer request
+  title_abbrev: Validate a simple token
+  synopsis: validate a simple token in a &CF; Functions viewer request.
+
+  category: CloudFront Functions examples
+  languages:
+    JavaScript:
+      versions:
+        - sdk_version: 102
+          github: https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/kvs-jwt-verify
+          excerpts:
+            - description:
+              snippet_files:
+                - kvs-jwt-verify/verify-jwt.js
+  services:
+    cloudfront:
+cloudfront_functions_kvs_key_value_pairs:
+  title: Use key-value pairs in a &CF; Functions viewer request
+  title_abbrev: Use key-value pairs
+  synopsis: use key-value pairs in a &CF; Functions viewer request.
+
+  category: CloudFront Functions examples
+  languages:
+    JavaScript:
+      versions:
+        - sdk_version: 102
+          github: https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/kvs-key-value-pairs
+          excerpts:
+            - description:
+              snippet_files:
+                - kvs-key-value-pairs/kvs-key-value-pairs.js
+  services:
+    cloudfront:
+cloudfront_functions_normalize_query_string_parameters:
+  title: Normalize query string parameters in a &CF; Functions viewer request
+  title_abbrev: Normalize query string parameters
+  synopsis: normalize query string parameters in a &CF; Functions viewer request.
+
+  category: CloudFront Functions examples
+  languages:
+    JavaScript:
+      versions:
+        - sdk_version: 102
+          github: https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/normalize-query-string-parameters
+          excerpts:
+            - description:
+              snippet_files:
+                - normalize-query-string-parameters/normalize-query-string.js
+  services:
+    cloudfront:
+cloudfront_functions_redirect_based_on_country:
+  title: Redirect to a new URL in a &CF; Functions viewer request event
+  title_abbrev: Redirect to a new URL
+  synopsis: redirect to a new URL in a &CF; Functions viewer request event.
+
+  category: CloudFront Functions examples
+  languages:
+    JavaScript:
+      versions:
+        - sdk_version: 102
+          github: https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/redirect-based-on-country
+          excerpts:
+            - description:
+              snippet_files:
+                - redirect-based-on-country/index.js
+  services:
+    cloudfront:
+cloudfront_functions_url_rewrite_single_page_apps:
+  title: Add index.html to request URLs without a file name in a &CF; Functions viewer request event
+  title_abbrev: Add index.html to request URLs
+  synopsis: add index.html to request URLs without a file name in a &CF; Functions viewer request event.
+
+  category: CloudFront Functions examples
+  languages:
+    JavaScript:
+      versions:
+        - sdk_version: 102
+          github: https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/url-rewrite-single-page-apps
+          excerpts:
+            - description:
+              snippet_files:
+                - url-rewrite-single-page-apps/index.js
+  services:
+    cloudfront:
+cloudfront_functions_select_origin_based_on_country:
+  title: Route requests to an origin closer to the viewer in a &CF; Functions viewer request event
+  title_abbrev: Select origin closer to the viewer
+  synopsis: route requests to an origin closer to the viewer in a &CF; Functions viewer request event.
+
+  category: CloudFront Functions examples
+  languages:
+    JavaScript:
+      versions:
+        - sdk_version: 102
+          github: https://github.com/aws-samples/amazon-cloudfront-functions/tree/main/select-origin-based-on-country
+          excerpts:
+            - description:
+              snippet_files:
+                - select-origin-based-on-country/index.js
+  services:
+    cloudfront:

add-cache-control-header/index.js

@@ -1,9 +1,11 @@
-function handler(event) {
+async function handler(event) {
     var response = event.response;
     var headers = response.headers;
 
-    // Set the cache-control header
-     headers['cache-control'] = {value: 'public, max-age=63072000'};
+    if (response.statusCode >= 200 && response.statusCode < 400) {
+        // Set the cache-control header
+        headers['cache-control'] = {value: 'public, max-age=63072000'};
+    }
 
     // Return response to viewers
     return response;

add-cors-header/index.js

@@ -1,4 +1,4 @@
-function handler(event)  {
+async function handler(event)  {
     var request = event.request;
     var response  = event.response;
 

add-origin-header/index.js

@@ -1,4 +1,4 @@
-function handler(event) {
+async function handler(event) {
     var request = event.request;
     var headers = request.headers;
     var host = request.headers.host.value;
@@ -8,4 +8,4 @@ function handler(event) {
        headers.origin = {value:`https://${host}`};
 
    return request;
-}
+}

add-security-headers/index.js

@@ -1,4 +1,4 @@
-function handler(event) {
+async function handler(event) {
     var response = event.response;
     var headers = response.headers;
 

add-true-client-ip-header/index.js

@@ -1,9 +1,9 @@
-function handler(event) {
+async function handler(event) {
     var request = event.request;
     var clientIP = event.viewer.ip;
 
     //Add the true-client-ip header to the incoming request
     request.headers['true-client-ip'] = {value: clientIP};
 
     return request;
-}
+}

kvs-conditional-read/ABUriMappingFunction.js

@@ -1,6 +1,6 @@
 import cf from 'cloudfront'; 
 
-// Replace KVS_ID with actual KVS ID
+// (Optional) Replace KVS_ID with actual KVS ID
 const kvsId = "KVS_ID";
 // enable stickiness by setting a cookie from origin or using another edge function
 const stickinessCookieName = "appversion";
@@ -77,4 +77,4 @@ function log(message) {
     if (loggingEnabled) {
         console.log(message);
     }
-}
+}

kvs-conditional-read/README.md

@@ -0,0 +1,5 @@
+## Rewrite request URI
+
+**CloudFront Functions event type: viewer request**
+
+This example provides a dynamic request URI rewriting mechanism, allowing for A/B testing or gradual rollout of application versions, while also maintaining user stickiness to ensure a consistent experience. It rewrites the request URI based on a configuration stored in CloudFront KeyValueStore. To use this example, you [create a KeyValueStore](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions-create.html) for your secret and [associate the KeyValueStore with the CloudFront function](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions-associate.html).

kvs-jwt-verify/README.md

@@ -0,0 +1,60 @@
+## Verify a JSON Web Token (JWT) using SHA256 HMAC signature
+
+**CloudFront Functions event type: viewer request**
+
+This function validates a JSON Web Token (JWT) in the query string of the incoming request. It is compatible with the CloudFront Functions [JavaScript 2.0 runtime](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/functions-javascript-runtime-20.html) and uses [CloudFront KeyValueStore](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/kvs-with-functions.html) to store the secret. Using your CloudFront KeyValueStore ID is optional.
+
+JWT is an open, industry standard [RFC 7519](https://tools.ietf.org/html/rfc7519) method for representing claims securely between two parties. You can use JWTs to validate that a viewer has the right access to view the content being requested. You can use this type of tokenization to give a user of your site a URL that is timebound. After the predetermined expiry time is reached, the user no longer has access to the content on that URL.
+
+This function has two components. First, your origin or application must be able to generate a JWT and append that token as a query string to the URL. Second, you must use this sample function (or some variation of this function) on a viewer request event type to validate the JWT in the query string, ensuring that the URL hasn't been changed or tampered with and the expiry time hasn't passed. If the token is valid and the expiry time hasn't passed, the request passes through to CloudFront and the request is served. If the token is invalid or the expiry time has passed, the function generates and serves a 401 Unauthorized response to the viewer.
+
+In this example, your origin or application establishes a JWT. We have provided a simple bash script for building a JWT called `generate-jwt.sh`. There are many libraries across multiple different languages for signing and verifying JWTs available on [jwt.io](https://jwt.io/). 
+
+The output of `generate-jwt.sh` is the JWT that the function will validate. Append the output to the URL as a query string in the following format `token=<generated JWT>` (for example, `token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJuYmYiOjE1MTYyMzkwMjIsImV4cCI6MTcxNjIzOTAyMn0.jyu6HjS95wU8iSofQ8nBlmPjFYODxn4PQAdFM-Cv8JY`).
+
+CloudFront already provides a [signed URLs](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html) feature that you can use instead of this function. A signed URL can include additional information, such as an expiration date and time, start date and time, and client IP address. This gives you more control over access to your content. However, creating a signed URL creates long and complex URLs and is more computationally costly to produce. If you need a simple and lightweight way to validate timebound URLs, this function can be easier than using CloudFront signed URLs.
+
+**Testing the function**
+
+To validate that the function is working as expected, you can use the JSON test objects in the `test-objects` directory. To test, you can use the `test-function` CLI command as shown in the following example:
+
+```
+$ aws cloudfront test-function --if-match EXXXXXXXXXXXX --name kvs-jwt-verify --event-object fileb://kvs-jwt-verify/test-objects/valid-jwt.json
+```
+
+If the function has been set up correctly, you should see a log entry saying the token is valid in the `FunctionExecutionLogs` and JWT token removed in the `FunctionOutput` JSON object:
+```
+{
+    "TestResult": {
+        "FunctionSummary": {
+            "Name": "kvs-jwt-verify",
+            "Status": "UNASSOCIATED",
+            "FunctionConfig": {
+                "Comment": "",
+                "Runtime": "cloudfront-js-2.0",
+                "KeyValueStoreAssociations": {
+                    "Quantity": 1,
+                    "Quantity": 1,
+                    "Items": [
+                        {
+                            "KeyValueStoreARN": "arn:aws:cloudfront::123456789012:key-value-store/6ed3b692-38e9-4952-b89b-bea9cexample"
+                        }
+                    ]
+                }
+            },
+            "FunctionMetadata": {
+                "FunctionARN": "arn:aws:cloudfront::123456789012:function/kvs-jwt-verify",
+                "Stage": "DEVELOPMENT",
+                "CreatedTime": "2021-04-09T22:02:12.937000+00:00",
+                "LastModifiedTime": "2021-04-09T22:09:19.277000+00:00"
+            }
+        },
+        "ComputeUtilization": "19",
+        "FunctionExecutionLogs": [
+            "Valid JWT token"
+        ],
+        "FunctionErrorMessage": "",
+        "FunctionOutput": "{\"request\":{\"headers\":{\"host\":{\"value\":\"www.example.com\"},\"accept\":{\"value\":\"text/html\"}},\"method\":\"GET\",\"querystring\":{\"test\":{\"value\":\"anotherQueryString\"}},\"uri\":\"/index.html\",\"cookies\":{}}}"
+    }
+}
+```

verify-jwt/test-objects/expired-jwt.json → kvs-jwt-verify/test-objects/expired-jwt.json

@@ -18,4 +18,4 @@
             "accept": { "value": "text/html", "multivalue": [ { "value": "text/html" }, { "value": "application/xhtml+xml" } ] }
         }
     }
-}
+}

verify-jwt/test-objects/invalid-jwt.json → kvs-jwt-verify/test-objects/invalid-jwt.json

@@ -18,4 +18,4 @@
             "accept": { "value": "text/html", "multivalue": [ { "value": "text/html" }, { "value": "application/xhtml+xml" } ] }
         }
     }
-}
+}

verify-jwt/test-objects/invalid-nbe-jwt.json → kvs-jwt-verify/test-objects/invalid-nbe-jwt.json

@@ -18,4 +18,4 @@
             "accept": { "value": "text/html", "multivalue": [ { "value": "text/html" }, { "value": "application/xhtml+xml" } ] }
         }
     }
-}
+}

verify-jwt/test-objects/missing-jwt.json → kvs-jwt-verify/test-objects/missing-jwt.json

@@ -17,4 +17,4 @@
             "accept": { "value": "text/html", "multivalue": [ { "value": "text/html" }, { "value": "application/xhtml+xml" } ] }
         }
     }
-}
+}

verify-jwt/test-objects/valid-jwt.json → kvs-jwt-verify/test-objects/valid-jwt.json

@@ -18,4 +18,4 @@
             "accept": { "value": "text/html", "multivalue": [ { "value": "text/html" }, { "value": "application/xhtml+xml" } ] }
         }
     }
-}
+}