fix (CloudFrontToMediaStore - use cloudfront function instead of lambda@edge) (#317)

* fix (CloudFrontToApiGateway - use cloudfront function instead of lambda@edge) (#295)

* fix (CloudFrontToMediStore - use cloudfront function instead of lambda@edge) (#296)

Author: hnishar

source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/README.md

@@ -65,7 +65,7 @@ _Parameters_
 |cloudFrontLoggingBucket|[`s3.Bucket`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-s3.Bucket.html)|Returns an instance of s3.Bucket as the logging bucket for the CloudFront Web Distribution.|
 |cloudFrontOriginRequestPolicy|[`cloudfront.OriginRequestPolicy`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.OriginRequestPolicy.html)|Returns an instance of cloudfront.OriginRequestPolicy created by the construct for the CloudFront Web Distribution.|
 |cloudFrontOriginAccessIdentity?|[`cloudfront.OriginAccessIdentity`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.OriginAccessIdentity.html)|Returns an instance of cloudfront.OriginAccessIdentity created by the construct for the CloudFront Web Distribution origin custom headers and the MediaStore Container policy.|
-|edgeLambdaFunctionVersion|[`lambda.Version`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-lambda.Version.html)|Returns an instance of the edge Lambda function version created by the pattern.|
+|cloudFrontFunction?|[`cloudfront.Function`](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.Function.html)|Returns an instance of the Cloudfront function created by the pattern.|
 
 ## Default settings
 

source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/lib/index.ts

@@ -14,7 +14,6 @@
 import * as cloudfront from '@aws-cdk/aws-cloudfront';
 import * as mediastore from '@aws-cdk/aws-mediastore';
 import * as s3 from '@aws-cdk/aws-s3';
-import * as lambda from '@aws-cdk/aws-lambda';
 import * as defaults from '@aws-solutions-constructs/core';
 import { Construct, Aws} from '@aws-cdk/core';
 
@@ -55,7 +54,7 @@ export class CloudFrontToMediaStore extends Construct {
   public readonly cloudFrontLoggingBucket: s3.Bucket;
   public readonly cloudFrontOriginRequestPolicy: cloudfront.OriginRequestPolicy;
   public readonly cloudFrontOriginAccessIdentity?: cloudfront.OriginAccessIdentity;
-  public readonly edgeLambdaFunctionVersion?: lambda.Version;
+  public readonly cloudFrontFunction?: cloudfront.Function;
 
   /**
    * @summary Constructs a new instance of CloudFrontToMediaStore class.
@@ -122,7 +121,7 @@ export class CloudFrontToMediaStore extends Construct {
       this.mediaStoreContainer = defaults.MediaStoreContainer(this, mediaStoreProps);
     }
 
-    [this.cloudFrontWebDistribution, this.cloudFrontLoggingBucket, this.cloudFrontOriginRequestPolicy, this.edgeLambdaFunctionVersion]
+    [this.cloudFrontWebDistribution, this.cloudFrontLoggingBucket, this.cloudFrontOriginRequestPolicy, this.cloudFrontFunction]
       = defaults.CloudFrontDistributionForMediaStore(this, this.mediaStoreContainer, cloudFrontDistributionProps, props.insertHttpSecurityHeaders);
   }
 }

source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/__snapshots__/cloudfront-mediastore.test.js.snap

@@ -29,11 +29,14 @@ Object {
               "OPTIONS",
             ],
             "Compress": true,
-            "LambdaFunctionAssociations": Array [
+            "FunctionAssociations": Array [
               Object {
-                "EventType": "origin-response",
-                "LambdaFunctionARN": Object {
-                  "Ref": "testcloudfrontmediastoreSetHttpSecurityHeadersVersionE87B65C3",
+                "EventType": "viewer-response",
+                "FunctionARN": Object {
+                  "Fn::GetAtt": Array [
+                    "testcloudfrontmediastoreSetHttpSecurityHeaders9995A63D",
+                    "FunctionARN",
+                  ],
                 },
               },
             ],
@@ -307,149 +310,16 @@ Object {
       "Type": "AWS::MediaStore::Container",
     },
     "testcloudfrontmediastoreSetHttpSecurityHeaders9995A63D": Object {
-      "DependsOn": Array [
-        "testcloudfrontmediastoreSetHttpSecurityHeadersServiceRoleDefaultPolicy73DF1407",
-        "testcloudfrontmediastoreSetHttpSecurityHeadersServiceRole2F1F5449",
-      ],
-      "Metadata": Object {
-        "cfn_nag": Object {
-          "rules_to_suppress": Array [
-            Object {
-              "id": "W58",
-              "reason": "Lambda functions has the required permission to write CloudWatch Logs. It uses custom policy instead of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole with tighter permissions.",
-            },
-            Object {
-              "id": "W89",
-              "reason": "This is not a rule for the general case, just for specific use cases/industries",
-            },
-            Object {
-              "id": "W92",
-              "reason": "Impossible for us to define the correct concurrency for clients",
-            },
-          ],
-        },
-      },
-      "Properties": Object {
-        "Code": Object {
-          "ZipFile": "exports.handler = (event, context, callback) => {           const response = event.Records[0].cf.response;           const headers = response.headers;           headers['x-xss-protection'] = [             {               key: 'X-XSS-Protection',               value: '1; mode=block'             }           ];           headers['x-frame-options'] = [             {               key: 'X-Frame-Options',               value: 'DENY'             }           ];           headers['x-content-type-options'] = [             {               key: 'X-Content-Type-Options',               value: 'nosniff'             }           ];           headers['strict-transport-security'] = [             {               key: 'Strict-Transport-Security',               value: 'max-age=63072000; includeSubdomains; preload'             }           ];           headers['referrer-policy'] = [             {               key: 'Referrer-Policy',               value: 'same-origin'             }           ];           headers['content-security-policy'] = [             {               key: 'Content-Security-Policy',               value: \\"default-src 'none'; base-uri 'self'; img-src 'self'; script-src 'self'; style-src 'self' https:; object-src 'none'; frame-ancestors 'none'; font-src 'self' https:; form-action 'self'; manifest-src 'self'; connect-src 'self'\\"              }           ];           callback(null, response);         };",
-        },
-        "Handler": "index.handler",
-        "Role": Object {
-          "Fn::GetAtt": Array [
-            "testcloudfrontmediastoreSetHttpSecurityHeadersServiceRole2F1F5449",
-            "Arn",
-          ],
-        },
-        "Runtime": "nodejs12.x",
-        "TracingConfig": Object {
-          "Mode": "Active",
-        },
-      },
-      "Type": "AWS::Lambda::Function",
-    },
-    "testcloudfrontmediastoreSetHttpSecurityHeadersServiceRole2F1F5449": Object {
-      "Properties": Object {
-        "AssumeRolePolicyDocument": Object {
-          "Statement": Array [
-            Object {
-              "Action": "sts:AssumeRole",
-              "Effect": "Allow",
-              "Principal": Object {
-                "Service": "lambda.amazonaws.com",
-              },
-            },
-            Object {
-              "Action": "sts:AssumeRole",
-              "Effect": "Allow",
-              "Principal": Object {
-                "Service": "edgelambda.amazonaws.com",
-              },
-            },
-          ],
-          "Version": "2012-10-17",
-        },
-        "Policies": Array [
-          Object {
-            "PolicyDocument": Object {
-              "Statement": Array [
-                Object {
-                  "Action": Array [
-                    "logs:CreateLogGroup",
-                    "logs:CreateLogStream",
-                    "logs:PutLogEvents",
-                  ],
-                  "Effect": "Allow",
-                  "Resource": Object {
-                    "Fn::Join": Array [
-                      "",
-                      Array [
-                        "arn:",
-                        Object {
-                          "Ref": "AWS::Partition",
-                        },
-                        ":logs:",
-                        Object {
-                          "Ref": "AWS::Region",
-                        },
-                        ":",
-                        Object {
-                          "Ref": "AWS::AccountId",
-                        },
-                        ":log-group:/aws/lambda/*",
-                      ],
-                    ],
-                  },
-                },
-              ],
-              "Version": "2012-10-17",
-            },
-            "PolicyName": "LambdaFunctionServiceRolePolicy",
-          },
-        ],
-      },
-      "Type": "AWS::IAM::Role",
-    },
-    "testcloudfrontmediastoreSetHttpSecurityHeadersServiceRoleDefaultPolicy73DF1407": Object {
-      "Metadata": Object {
-        "cfn_nag": Object {
-          "rules_to_suppress": Array [
-            Object {
-              "id": "W12",
-              "reason": "Lambda needs the following minimum required permissions to send trace data to X-Ray and access ENIs in a VPC.",
-            },
-          ],
-        },
-      },
-      "Properties": Object {
-        "PolicyDocument": Object {
-          "Statement": Array [
-            Object {
-              "Action": Array [
-                "xray:PutTraceSegments",
-                "xray:PutTelemetryRecords",
-              ],
-              "Effect": "Allow",
-              "Resource": "*",
-            },
-          ],
-          "Version": "2012-10-17",
-        },
-        "PolicyName": "testcloudfrontmediastoreSetHttpSecurityHeadersServiceRoleDefaultPolicy73DF1407",
-        "Roles": Array [
-          Object {
-            "Ref": "testcloudfrontmediastoreSetHttpSecurityHeadersServiceRole2F1F5449",
-          },
-        ],
-      },
-      "Type": "AWS::IAM::Policy",
-    },
-    "testcloudfrontmediastoreSetHttpSecurityHeadersVersionE87B65C3": Object {
       "Properties": Object {
-        "FunctionName": Object {
-          "Ref": "testcloudfrontmediastoreSetHttpSecurityHeaders9995A63D",
+        "AutoPublish": true,
+        "FunctionCode": "function handler(event) { var response = event.response;       var headers = response.headers;       headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'};       headers['content-security-policy'] = { value: \\"default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'\\"};       headers['x-content-type-options'] = { value: 'nosniff'};       headers['x-frame-options'] = {value: 'DENY'};       headers['x-xss-protection'] = {value: '1; mode=block'};       return response;     }",
+        "FunctionConfig": Object {
+          "Comment": "SetHttpSecurityHeadersc82c7d803c8b3899ab37eeee5cc2bce7beb7673c36",
+          "Runtime": "cloudfront-js-1.0",
         },
+        "Name": "SetHttpSecurityHeadersc82c7d803c8b3899ab37eeee5cc2bce7beb7673c36",
       },
-      "Type": "AWS::Lambda::Version",
+      "Type": "AWS::CloudFront::Function",
     },
   },
 }

source/patterns/@aws-solutions-constructs/aws-cloudfront-mediastore/test/cloudfront-mediastore.test.ts

@@ -45,7 +45,7 @@ test('Test the default deployment pattern variables', () => {
   expect(cloudFrontToMediaStore.cloudFrontLoggingBucket).not.toEqual(undefined);
   expect(cloudFrontToMediaStore.cloudFrontOriginRequestPolicy).not.toEqual(undefined);
   expect(cloudFrontToMediaStore.cloudFrontOriginAccessIdentity).not.toEqual(undefined);
-  expect(cloudFrontToMediaStore.edgeLambdaFunctionVersion).not.toEqual(undefined);
+  expect(cloudFrontToMediaStore.cloudFrontFunction).not.toEqual(undefined);
 });
 
 // --------------------------------------------------------------
@@ -135,7 +135,7 @@ test('Test the deployment without HTTP security headers', () => {
       ]
     }
   });
-  expect(cloudFrontToMediaStore.edgeLambdaFunctionVersion).toEqual(undefined);
+  expect(cloudFrontToMediaStore.cloudFrontFunction).toEqual(undefined);
 });
 
 // --------------------------------------------------------------
@@ -167,11 +167,14 @@ test('Test the deployment with existing MediaStore container', () => {
           'OPTIONS'
         ],
         Compress: true,
-        LambdaFunctionAssociations: [
+        FunctionAssociations: [
           {
-            EventType: 'origin-response',
-            LambdaFunctionARN: {
-              Ref: 'testcloudfrontmediastoreSetHttpSecurityHeadersVersionE87B65C3'
+            EventType: "viewer-response",
+            FunctionARN: {
+              "Fn::GetAtt": [
+                "testcloudfrontmediastoreSetHttpSecurityHeaders9995A63D",
+                "FunctionARN"
+              ]
             }
           }
         ],
@@ -303,11 +306,14 @@ test('Test the deployment with the user provided MediaStore properties', () => {
           'OPTIONS'
         ],
         Compress: true,
-        LambdaFunctionAssociations: [
+        FunctionAssociations: [
           {
-            EventType: 'origin-response',
-            LambdaFunctionARN: {
-              Ref: 'testcloudfrontmediastoreSetHttpSecurityHeadersVersionE87B65C3'
+            EventType: "viewer-response",
+            FunctionARN: {
+              "Fn::GetAtt": [
+                "testcloudfrontmediastoreSetHttpSecurityHeaders9995A63D",
+                "FunctionARN"
+              ]
             }
           }
         ],
@@ -446,11 +452,14 @@ test('Test the deployment with the user provided CloudFront properties', () => {
           'HEAD'
         ],
         Compress: true,
-        LambdaFunctionAssociations: [
+        FunctionAssociations: [
           {
-            EventType: 'origin-response',
-            LambdaFunctionARN: {
-              Ref: 'testcloudfrontmediastoreSetHttpSecurityHeadersVersionE87B65C3'
+            EventType: "viewer-response",
+            FunctionARN: {
+              "Fn::GetAtt": [
+                "testcloudfrontmediastoreSetHttpSecurityHeaders9995A63D",
+                "FunctionARN"
+              ]
             }
           }
         ],