feat(cloudfront): add PublicKey and KeyGroup L2 constructs #12743
Thanks for this contribution! Nice work.
It's already looking pretty good, just a few minor comments on what you have here.
Next step(s) would be tests, some `awslint` exclusions in the package.json file for some of the missing properties (`LastModifiedTime` and `CreatedTime`, which I think are safe to omit), and then (preferably here, but maybe in a separate PR) integration with the Distribution(s).
@njlynch Thank you so much for your mentorship and guidance. Much appreciated.
Can you elaborate a bit on awslint exclusions. Are those autogenerated or I need to manually add them in Something like this?
"docs-public-apis:@aws-cdk/aws-cloudfront.PublicKey.CreatedTime",
"docs-public-apis:@aws-cdk/aws-cloudfront.KeyGroup.LastModifiedTime",
They need to be manually added. When you run the build (e.g.,
@njlynch I have lots of work to do 😄. I see some awslint errors outside of the scope of this PR... I should probably address those in a separate PR.
~ yarn awslint
error: [awslint:construct-ctor:@aws-cdk/aws-cloudfront.CachePolicy.<initializer>.params[0]] signature of all construct constructors should be "scope, id, props". If the construct is using the "constructs" module, set the environment variable "AWSLINT_BASE_CONSTRUCT" and re-run (expected="@aws-cdk/core.Construct",actual="constructs.Construct")
error: [awslint:construct-ctor:@aws-cdk/aws-cloudfront.CloudFrontWebDistribution.<initializer>.params[0]] signature of all construct constructors should be "scope, id, props". If the construct is using the "constructs" module, set the environment variable "AWSLINT_BASE_CONSTRUCT" and re-run (expected="@aws-cdk/core.Construct",actual="constructs.Construct")
error: [awslint:construct-ctor:@aws-cdk/aws-cloudfront.Distribution.<initializer>.params[0]] signature of all construct constructors should be "scope, id, props". If the construct is using the "constructs" module, set the environment variable "AWSLINT_BASE_CONSTRUCT" and re-run (expected="@aws-cdk/core.Construct",actual="constructs.Construct")
error: [awslint:construct-ctor:@aws-cdk/aws-cloudfront.KeyGroup.<initializer>.params[0]] signature of all construct constructors should be "scope, id, props". If the construct is using the "constructs" module, set the environment variable "AWSLINT_BASE_CONSTRUCT" and re-run (expected="@aws-cdk/core.Construct",actual="constructs.Construct")
error: [awslint:construct-interface-extends-iconstruct:@aws-cdk/aws-cloudfront.IKeyGroup] construct interface must extend core.IConstruct
error: [awslint:construct-ctor:@aws-cdk/aws-cloudfront.OriginAccessIdentity.<initializer>.params[0]] signature of all construct constructors should be "scope, id, props". If the construct is using the "constructs" module, set the environment variable "AWSLINT_BASE_CONSTRUCT" and re-run (expected="@aws-cdk/core.Construct",actual="constructs.Construct")
error: [awslint:construct-ctor:@aws-cdk/aws-cloudfront.OriginRequestPolicy.<initializer>.params[0]] signature of all construct constructors should be "scope, id, props". If the construct is using the "constructs" module, set the environment variable "AWSLINT_BASE_CONSTRUCT" and re-run (expected="@aws-cdk/core.Construct",actual="constructs.Construct")
error: [awslint:construct-ctor:@aws-cdk/aws-cloudfront.PublicKey.<initializer>.params[0]] signature of all construct constructors should be "scope, id, props". If the construct is using the "constructs" module, set the environment variable "AWSLINT_BASE_CONSTRUCT" and re-run (expected="@aws-cdk/core.Construct",actual="constructs.Construct")
error: [awslint:construct-interface-extends-iconstruct:@aws-cdk/aws-cloudfront.IPublicKey] construct interface must extend core.IConstruct
error: [awslint:resource-interface-extends-resource:@aws-cdk/aws-cloudfront.IKeyGroup] construct interfaces of AWS resources must extend cdk.IResource
error: [awslint:resource-interface-extends-resource:@aws-cdk/aws-cloudfront.IPublicKey] construct interfaces of AWS resources must extend cdk.IResource
error: [awslint:resource-attribute:@aws-cdk/aws-cloudfront.PublicKey.keyGroupId] resources must represent all cloudformation attributes as attribute properties. "@attribute ATTR[,ATTR]" can be used to tag non-standard attribute names. missing property: keyGroupId
error: [awslint:props-physical-name:@aws-cdk/aws-cloudfront.PublicKeyProps] Every Resource must have a single physical name construction property, with a name that is an ending substring of <cfnResource>Name
error: [awslint:from-signature:@aws-cdk/aws-cloudfront.CachePolicy.fromCachePolicyId.params[0]] invalid method signature for fromXxx method. If the construct is using the "constructs" module, set the environment variable "AWSLINT_BASE_CONSTRUCT" and re-run (expected="@aws-cdk/core.Construct",actual="constructs.Construct")
error: [awslint:from-attributes:@aws-cdk/aws-cloudfront.Distribution.fromDistributionAttributes.params[0]] static fromXxxAttributes is a factory of IXxx from its primitive attributes. If the construct is using the "constructs" module, set the environment variable "AWSLINT_BASE_CONSTRUCT" and re-run (expected="@aws-cdk/core.Construct",actual="constructs.Construct")
error: [awslint:from-signature:@aws-cdk/aws-cloudfront.KeyGroup.fromKeyGroupId.params[0]] invalid method signature for fromXxx method. If the construct is using the "constructs" module, set the environment variable "AWSLINT_BASE_CONSTRUCT" and re-run (expected="@aws-cdk/core.Construct",actual="constructs.Construct")
error: [awslint:from-signature:@aws-cdk/aws-cloudfront.OriginAccessIdentity.fromOriginAccessIdentityName.params[0]] invalid method signature for fromXxx method. If the construct is using the "constructs" module, set the environment variable "AWSLINT_BASE_CONSTRUCT" and re-run (expected="@aws-cdk/core.Construct",actual="constructs.Construct")
error: [awslint:from-signature:@aws-cdk/aws-cloudfront.OriginRequestPolicy.fromOriginRequestPolicyId.params[0]] invalid method signature for fromXxx method. If the construct is using the "constructs" module, set the environment variable "AWSLINT_BASE_CONSTRUCT" and re-run (expected="@aws-cdk/core.Construct",actual="constructs.Construct")
error: [awslint:from-signature:@aws-cdk/aws-cloudfront.PublicKey.fromPublicKeyId.params[0]] invalid method signature for fromXxx method. If the construct is using the "constructs" module, set the environment variable "AWSLINT_BASE_CONSTRUCT" and re-run (expected="@aws-cdk/core.Construct",actual="constructs.Construct")
error: [awslint:docs-public-apis:@aws-cdk/aws-cloudfront.KeyGroup.fromKeyGroupId] Public API element must have a docstring
error: [awslint:docs-public-apis:@aws-cdk/aws-cloudfront.PublicKey.fromPublicKeyId] Public API element must have a docstring
error: [awslint:props-default-doc:@aws-cdk/aws-cloudfront.KeyGroupProps.items] Optional property must have @default documentation
error Command failed with exit code 1.
See the error message: If you set that and re-run, it looks like all of the errors are related to the new constructs and probably relevant to fix (or explicitly ignore).
@njlynch Interestingly...
"resource-attribute:@aws-cdk/aws-cloudfront.PublicKey.keyGroupLastModifiedTime",
"resource-attribute:@aws-cdk/aws-cloudfront.KeyGroup.keyGroupLastModifiedTime"
...while AWS docs for
Do you think AWS docs are out of date perhaps?
Yep... looks better now...
AWSLINT_BASE_CONSTRUCT="1" yarn awslint
yarn run v1.22.10
$ cdk-awslint
error: [awslint:construct-interface-extends-iconstruct:@aws-cdk/aws-cloudfront.IKeyGroup] construct interface must extend core.IConstruct
error: [awslint:construct-interface-extends-iconstruct:@aws-cdk/aws-cloudfront.IPublicKey] construct interface must extend core.IConstruct
error: [awslint:resource-interface-extends-resource:@aws-cdk/aws-cloudfront.IKeyGroup] construct interfaces of AWS resources must extend cdk.IResource
error: [awslint:resource-interface-extends-resource:@aws-cdk/aws-cloudfront.IPublicKey] construct interfaces of AWS resources must extend cdk.IResource
error: [awslint:resource-attribute:@aws-cdk/aws-cloudfront.PublicKey.keyGroupId] resources must represent all cloudformation attributes as attribute properties. "@attribute ATTR[,ATTR]" can be used to tag non-standard attribute names. missing property: keyGroupId
error: [awslint:props-physical-name:@aws-cdk/aws-cloudfront.PublicKeyProps] Every Resource must have a single physical name construction property, with a name that is an ending substring of <cfnResource>Name
error: [awslint:docs-public-apis:@aws-cdk/aws-cloudfront.KeyGroup.fromKeyGroupId] Public API element must have a docstring
error: [awslint:docs-public-apis:@aws-cdk/aws-cloudfront.PublicKey.fromPublicKeyId] Public API element must have a docstring
error: [awslint:props-default-doc:@aws-cdk/aws-cloudfront.KeyGroupProps.items] Optional property must have @default documentation
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
@njlynch I've added some basic tests... Any advice on how to tackle these errors?
@aws-cdk/aws-cloudfront: error: [awslint:construct-interface-extends-iconstruct:@aws-cdk/aws-cloudfront.IKeyGroup] construct interface must extend core.IConstruct
@aws-cdk/aws-cloudfront: error: [awslint:construct-interface-extends-iconstruct:@aws-cdk/aws-cloudfront.IPublicKey] construct interface must extend core.IConstruct
@aws-cdk/aws-cloudfront: error: [awslint:resource-interface-extends-resource:@aws-cdk/aws-cloudfront.IKeyGroup] construct interfaces of AWS resources must extend cdk.IResource
@aws-cdk/aws-cloudfront: error: [awslint:resource-interface-extends-resource:@aws-cdk/aws-cloudfront.IPublicKey] construct interfaces of AWS resources must extend cdk.IResource
@aws-cdk/aws-cloudfront: error: [awslint:resource-attribute:@aws-cdk/aws-cloudfront.PublicKey.keyGroupId] resources must represent all cloudformation attributes as attribute properties. "@attribute ATTR[,ATTR]" can be used to tag non-standard attribute names. missing property: keyGroupId
@aws-cdk/aws-cloudfront: error: [awslint:props-physical-name:@aws-cdk/aws-cloudfront.PublicKeyProps] Every Resource must have a single physical name construction property, with a name that is an ending substring of <cfnResource>Name
The first four are (hopefully) somewhat self-explanatory; the interfaces need to extend
The second two took me a minute to spot, but the issue is here: :)
I've been using https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-cloudfront/lib/origin-request-policy.ts as a template and that one doesn't extend IResource for the interfaces... Do you know why?
Ah... copy paste error and I wasn't even paying attention to comments area :)
That was a conscious design decision to enable the static managed policies API to be as friendly as possible. There's not a huge downside to not extending IResource in that specific case -- or frankly, this one -- as the resources can't be referenced or shared cross-account (due to not having ARNs). That being said, whereas Origin Request & Cache Policies had the excuse of the managed policies, I don't think IPublicKey and IKeyGroup have a good reason not to extend IResource.
@njlynch I think this is ready for your review. I think this will do it for the MVP. Let me know if you need anything else addressed and then I'll rebase this into a single commit. 👍 In the meantime I'll start working on hooking this up in
Btw... I have a few (far fetched) ideas for the future. :)
Thoughts?
Anything against adding throwaway public key to the repo? ... It's needed for integ tests to work.
private generateName(): string { | ||
const name = Names.uniqueId(this); | ||
if (name.length > 80) { |
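Review bot: the `80` in `if (name.length > 80)` is an unexplained magic number. Nothing in `generateName()` says whether it comes from a documented limit on the resource name or is a conservative guess, so hoist it into a named constant with a comment citing where the limit comes from. Whatever the branch does with a longer name should also keep the part of the `Names.uniqueId` value that makes it unique, and the method's doc comment should say so, because two long ids that shorten to the same string would give two constructs the same generated name.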
Did you find this documented somewhere, or find it via trial & error, or is this just a conservative guess?
My main point was more around the length. If the key group can have a 255-character (or 1024-character) name, should we artificially restrict to 80? I suppose this is fine for a first take; `Names.uniqueId` will rarely return a name this long anyway.
Should these helper functions (shorteners) be part of Names perhaps?
Loading keys from file (inline) would be a useful extension. It seems like we could add that in later by adding an
Key rotation would be interesting. I wonder about the use cases for that, and the potential complexity with cross-environment/account usage. Ideally, you'd create a new key, add the new key to CloudFront, transition the usage to the new key, and then remove the old key(s) from CloudFront. I imagine that would be a multi-step, multi-deployment activity across multiple accounts in many cases.
No, this is fine. As you said, it's needed for the tests to work.
Oh btw, don't worry about that. Our automation will automatically update from HEAD, build, squash + commit when it's approved. In the meantime, rebasing makes reviewing incremental diffs on GitHub difficult (or impossible). If you want/need to keep up to date, merge commits are fine (e.g.,
Co-authored-by: Nick Lynch <nlynch@amazon.com>
…public-keys-and-key-groups
Co-authored-by: Nick Lynch <nlynch@amazon.com>
Good to know... I've been rebasing/force pushing to make things look like a single commit ... but I'll stop doing that 👍
We can wait for more feedback.
It's a long shot... so we can put this on a wish list.
@njlynch I'm going to play with adding ability to point to a
Until then I think we can release this as MVP unless there are any other issues you want me to address first.
Just one more tweak (see above + the change to the test to support it), and this looks good to go!
@njlynch Ready for your review! 👍 Many thanks for all your assistance.
Excellent!
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
@njlynch This is my humble start on creating L2 constructs for `PublicKey` and `KeyGroup` for CloudFront module. I'm going to need some guidance/mentorship as this is my first L2 construct from scratch. I'll convert this PR to draft and I'll post some of my thoughts and ideas around this feature tomorrow. I'm trying to address feature requests in aws#11791. I've decided to lump `PublicKey` and `KeyGroup` features together as they seem to depend on each other.

All in the good spirits of learning how to extend CDK 🍻.

Any ideas and/or constructive criticism is more than welcome... that's the best way to learn. ✌️

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*