

Simplify static side website infra following CDK update
aws/aws-cdk#18192 lets us use the default OAI configuration, which deploys more restrictive permissions without any extra work on our side.
mnapoli committed Jan 6, 2022
1 parent e86dfa8 commit ff87537
Showing 2 changed files with 6 additions and 29 deletions.
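--- a/src/constructs/aws/StaticWebsite.ts
+++ b/src/constructs/aws/StaticWebsite.ts
@@ -5,7 +5,6 @@ import {
 Distribution,
 FunctionEventType,
 HttpVersion,
-OriginAccessIdentity,
 ViewerProtocolPolicy,
 } from "@aws-cdk/aws-cloudfront";
 import * as cloudfront from "@aws-cdk/aws-cloudfront";
@@ -95,11 +94,6 @@ export class StaticWebsite extends AwsConstruct {
 removalPolicy: RemovalPolicy.DESTROY,
 });
 
-const cloudFrontOAI = new OriginAccessIdentity(this, "OriginAccessIdentity", {
-comment: `Identity that represents CloudFront for the ${id} static website.`,
-});
-bucket.grantRead(cloudFrontOAI);
-
 // Cast the domains to an array
 this.domains = configuration.domain !== undefined ? flatten([configuration.domain]) : undefined;
 const certificate =
@@ -129,9 +123,7 @@ export class StaticWebsite extends AwsConstruct {
 defaultRootObject: "index.html",
 defaultBehavior: {
 // Origins are where CloudFront fetches content
-origin: new S3Origin(bucket, {
-originAccessIdentity: cloudFrontOAI,
-}),
+origin: new S3Origin(bucket),
 allowedMethods: AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
 // Use the "Managed-CachingOptimized" policy
 // See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html#managed-cache-policies-list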
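Review bot: Replacing `bucket.grantRead(cloudFrontOAI)` with the bare `origin: new S3Origin(bucket)` narrows the bucket policy to `s3:GetObject` on `/*` (the updated test pins exactly that statement), but it also drops `s3:ListBucket`, and with an OAI that lacks ListBucket S3 answers a missing key with 403 rather than 404. If the distribution's error responses, which sit outside this hunk, only map 404, missing pages would now surface as a bare 403, so that mapping is worth checking. The behavioural shift deserves a line at the origin, e.g. `// S3Origin creates its own OAI and grants it s3:GetObject only; without s3:ListBucket, missing objects come back as 403, not 404`. The StaticWebsite constructor starts and ends outside the hunks shown here.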
25 changes: 5 additions & 20 deletions test/unit/staticWebsites.test.ts
Expand Up @@ -26,7 +26,7 @@ describe("static websites", () => {
});
const bucketLogicalId = computeLogicalId("landing", "Bucket");
const bucketPolicyLogicalId = computeLogicalId("landing", "Bucket", "Policy");
const originAccessIdentityLogicalId = computeLogicalId("landing", "OriginAccessIdentity");
const originAccessIdentityLogicalId = computeLogicalId("landing", "CDN", "Origin1", "S3Origin");
const responseFunction = computeLogicalId("landing", "ResponseFunction");
const cfDistributionLogicalId = computeLogicalId("landing", "CDN");
const cfOriginId = computeLogicalId("landing", "CDN", "Origin1");
Expand All @@ -35,8 +35,8 @@ describe("static websites", () => {
"ServerlessDeploymentBucketPolicy",
bucketLogicalId,
bucketPolicyLogicalId,
originAccessIdentityLogicalId,
responseFunction,
originAccessIdentityLogicalId,
cfDistributionLogicalId,
]);
expect(cfTemplate.Resources[bucketLogicalId]).toMatchObject({
Expand All @@ -52,29 +52,14 @@ describe("static websites", () => {
PolicyDocument: {
Statement: [
{
Action: ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
Action: "s3:GetObject",
Effect: "Allow",
Principal: {
CanonicalUser: {
"Fn::GetAtt": [originAccessIdentityLogicalId, "S3CanonicalUserId"],
},
},
Resource: [
{
"Fn::GetAtt": [bucketLogicalId, "Arn"],
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [bucketLogicalId, "Arn"],
},
"/*",
],
],
},
],
Resource: { "Fn::Join": ["", [{ "Fn::GetAtt": [bucketLogicalId, "Arn"] }, "/*"]] },
},
],
Version: "2012-10-17",
Expand All @@ -85,7 +70,7 @@ describe("static websites", () => {
Type: "AWS::CloudFront::CloudFrontOriginAccessIdentity",
Properties: {
CloudFrontOriginAccessIdentityConfig: {
Comment: "Identity that represents CloudFront for the landing static website.",
Comment: `Identity for ${cfOriginId}`,
},
},
});
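Review bot: The expected resource order now places `originAccessIdentityLogicalId` after `responseFunction`, and its logical id is built from `"CDN", "Origin1", "S3Origin"`; both encode CDK's internal construct tree for the OAI that `S3Origin` presumably creates while the distribution is built, so a CDK upgrade that renames that child or changes creation order would fail this test without any change to the website's security posture. A short comment above the `computeLogicalId("landing", "CDN", "Origin1", "S3Origin")` line would save the next reader a dig, e.g. `// OAI is now created by S3Origin inside the CDN construct (aws-cdk#18192), hence the nested id and its later position`. On the plus side, the policy assertion pins a single statement with `Action: "s3:GetObject"` on the `/*` resource and the OAI's `S3CanonicalUserId` as principal, which is the least-privilege outcome the commit is after; keeping a one-element `Statement` array under `toMatchObject` means any extra grant would be caught. The describe block continues outside the hunks.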
