From 7ea0e24a80646b227ca0fc19034858034125104b Mon Sep 17 00:00:00 2001
From: Mark Carroll
Date: Tue, 23 Apr 2019 16:57:39 -0700
Subject: [PATCH 1/2] #255 Fix bug where wrong origin set on API CORS policy When CustomDomainName set, the origin set on the API gateway CORS headers is the CloudFront URL not the custom one that the caller will actually be coming from. This fix changes the CORS header to be the custom URL
---
 cloudformation/template.yaml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/cloudformation/template.yaml b/cloudformation/template.yaml
index 96dec3276..d389073c9 100644
--- a/cloudformation/template.yaml
+++ b/cloudformation/template.yaml
@@ -184,7 +184,7 @@ Resources:
 method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'"
 method.response.header.Access-Control-Allow-Origin: !If [ 'DevelopmentMode', "'*'",
 !If [ 'UseCustomDomainName',
- !Join ['', [ "'https://", !GetAtt CustomDomainCloudfrontDistribution.DomainName, "'" ]],
+ !Join ['', [ "'https://", !Ref CustomDomainName, "'" ]],
 !Join ['', [ "'https://", !GetAtt DefaultCloudfrontDistribution.DomainName, "'" ]]
 ]]
 passthroughBehavior: when_no_match
@@ -231,7 +231,7 @@ Resources:
 method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'"
 method.response.header.Access-Control-Allow-Origin: !If [ 'DevelopmentMode', "'*'",
 !If [ 'UseCustomDomainName',
- !Join ['', [ "'https://", !GetAtt CustomDomainCloudfrontDistribution.DomainName, "'" ]],
+ !Join ['', [ "'https://", !Ref CustomDomainName, "'" ]],
 !Join ['', [ "'https://", !GetAtt DefaultCloudfrontDistribution.DomainName, "'" ]]
 ]]
 passthroughBehavior: when_no_match
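Review bot: The `UseCustomDomainName` branch of `Access-Control-Allow-Origin` now interpolates the raw `CustomDomainName` parameter, so the header is a valid origin only when that parameter is a bare lowercase hostname. A value entered with a scheme, a trailing slash or upper-case letters would deploy cleanly and then fail every cross-origin call from the portal. The parameter's declaration is outside these hunks, so this is something to confirm: if it carries no constraint, add one there, for example `AllowedPattern: '^$|^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$'` (the empty alternative assumes the parameter is left empty when no custom domain is used). The same line is changed in the hunks at 231, 278, 325, 398, 458 and 510, whose enclosing method definitions also start outside the hunks, and the point applies to each. After this change, pages loaded from the distribution's own CloudFront domain name are no longer an allowed origin; that looks intended, but a comment such as `# only the custom domain is an allowed origin; the CloudFront name is not` next to the first occurrence would record it.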
@@ -278,7 +278,7 @@ Resources:
 method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'"
 method.response.header.Access-Control-Allow-Origin: !If [ 'DevelopmentMode', "'*'",
 !If [ 'UseCustomDomainName',
- !Join ['', [ "'https://", !GetAtt CustomDomainCloudfrontDistribution.DomainName, "'" ]],
+ !Join ['', [ "'https://", !Ref CustomDomainName, "'" ]],
 !Join ['', [ "'https://", !GetAtt DefaultCloudfrontDistribution.DomainName, "'" ]]
 ]]
 passthroughBehavior: when_no_match
@@ -325,7 +325,7 @@ Resources:
 method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'"
 method.response.header.Access-Control-Allow-Origin: !If [ 'DevelopmentMode', "'*'",
 !If [ 'UseCustomDomainName',
- !Join ['', [ "'https://", !GetAtt CustomDomainCloudfrontDistribution.DomainName, "'" ]],
+ !Join ['', [ "'https://", !Ref CustomDomainName, "'" ]],
 !Join ['', [ "'https://", !GetAtt DefaultCloudfrontDistribution.DomainName, "'" ]]
 ]]
 passthroughBehavior: when_no_match
@@ -398,7 +398,7 @@ Resources:
 method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'"
 method.response.header.Access-Control-Allow-Origin: !If [ 'DevelopmentMode', "'*'",
 !If [ 'UseCustomDomainName',
- !Join ['', [ "'https://", !GetAtt CustomDomainCloudfrontDistribution.DomainName, "'" ]],
+ !Join ['', [ "'https://", !Ref CustomDomainName, "'" ]],
 !Join ['', [ "'https://", !GetAtt DefaultCloudfrontDistribution.DomainName, "'" ]]
 ]]
 passthroughBehavior: when_no_match
@@ -458,7 +458,7 @@ Resources: method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'" method.response.header.Access-Control-Allow-Origin: !If [ 'DevelopmentMode', "'*'", !If [ 'UseCustomDomainName', - !Join ['', [ "'https://", !GetAtt CustomDomainCloudfrontDistribution.DomainName, "'" ]], + !Join ['', [ "'https://", !Ref CustomDomainName, "'" ]], !Join ['', [ "'https://", !GetAtt DefaultCloudfrontDistribution.DomainName, "'" ]] ]] passthroughBehavior: when_no_match @@ -510,7 +510,7 @@ Resources: method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'" method.response.header.Access-Control-Allow-Origin: !If [ 'DevelopmentMode', "'*'", !If [ 'UseCustomDomainName', - !Join ['', [ "'https://", !GetAtt CustomDomainCloudfrontDistribution.DomainName, "'" ]], + !Join ['', [ "'https://", !Ref CustomDomainName, "'" ]], !Join ['', [ "'https://", !GetAtt DefaultCloudfrontDistribution.DomainName, "'" ]] ]] passthroughBehavior: when_no_match @@ -1455,7 +1455,7 @@ Outputs: !Join [ '', [ 'https://', !GetAtt DevPortalSiteS3Bucket.RegionalDomainName, '/index.html' ]], !If [ 'UseCustomDomainName', - !Join [ '', [ 'https://', !GetAtt CustomDomainCloudfrontDistribution.DomainName ]], + !Join [ '', [ 'https://', !Ref CustomDomainName ]], !Join [ '', [ 'https://', !GetAtt DefaultCloudfrontDistribution.DomainName ]] ] ] From 82de3946a949fd27677621acc3f9a43c0ef83ddf Mon Sep 17 00:00:00 2001 From: Mark Carroll Date: Wed, 24 Apr 2019 22:14:35 -0700 Subject: [PATCH 2/2] Remove WWW. from domain definition to solve CORS and Cert issues --- cloudformation/template.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/cloudformation/template.yaml b/cloudformation/template.yaml index d389073c9..b925350a9 100644 --- a/cloudformation/template.yaml +++ b/cloudformation/template.yaml 
@@ -1366,7 +1366,6 @@ Resources: DistributionConfig: Aliases: - !Ref CustomDomainName - - !Join [ '', [ 'www.', !Ref CustomDomainName ] ] CustomErrorResponses: - ErrorCode: 403 ResponseCode: 403 @@ -1443,11 +1442,6 @@ Resources: # this is a "magic string" for using CFN aliases; see this link: # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget.html HostedZoneId: 'Z2FDTNDATAQYW2' - - Name: !Join [ '', [ 'www.', !Ref CustomDomainName, '.' ] ] - Type: A - AliasTarget: - DNSName: !Join [ '', [ !GetAtt CustomDomainCloudfrontDistribution.DomainName, '.' ] ] - HostedZoneId: 'Z2FDTNDATAQYW2' Outputs: WebsiteURL: