feat(static-website): add support for Origin Access Control (OAC) #660
Conversation
| }; | ||
|
|
||
| switch (event.RequestType) { | ||
| case "Create": |
There was a problem hiding this comment.
Think it's worth adding Update to ensure these policies are present in the event a user manually removes them?
Delete shouldn't be needed as that will be handled by the delete handler for BucketPolicy
There was a problem hiding this comment.
Yeah probably useful! If doing update you might need to add IDs to the policy statements you add and replace if they exist to avoid continually growing the bucket/key policies :)
| const stack = Stack.of(this); | ||
| this.oac = new CfnOriginAccessControl(this, `${id}-OAC`, { | ||
| originAccessControlConfig: { | ||
| name: `${stack.stackName}_OAC`, |
There was a problem hiding this comment.
If we need to hardcode a name it's best to include something like this.node.addr.slice(-8) for some additional uniqueness, eg if we need to add 2 websites in the same stack :)
| arnFormat: ArnFormat.SLASH_RESOURCE_NAME, | ||
| }); | ||
| const onEventHandler = new NodejsFunction(this, "UpdatePolicy", { | ||
| entry: path.join(__dirname, "update_policy_handler/index.ts"), |
There was a problem hiding this comment.
Will this still be .ts when used as a lib?
| }; | ||
|
|
||
| switch (event.RequestType) { | ||
| case "Create": |
There was a problem hiding this comment.
Yeah probably useful! If doing update you might need to add IDs to the policy statements you add and replace if they exist to avoid continually growing the bucket/key policies :)
|
This pull request is now marked as stale because it hasn't seen activity for a while. Add a comment or it will be closed soon. If you wish to exclude this issue from being marked as stale, add the "backlog" label. |
|
Closing this pull request as it hasn't seen activity for a while. Please add a comment @mentioning a maintainer to reopen. If you wish to exclude this issue from being marked as stale, add the "backlog" label. |
This PR exposes a new
OriginAccessControlconstruct which is responsible for updating the Distribution and Bucket to configure OAC. As part of this is does the following:The StaticWebsite construct now also accepts an optional
originAccessTypewhich by default uses OAI :( but can be configured to use OAC (this is needed to preserve backward compat).Note: This implementation is a stop-gap until aws/aws-cdk#21771 is resolved properly. Eventually, the OriginAccessControl component in here will be deprecated in favor of whatever CDK L2 construct(s) come along.
Fixes #49