feat(cloudfront): vpc origins #33318

Open. Wants to merge 18 commits into base: main
Conversation

@Tietew (Contributor) commented Feb 6, 2025

Issue # (if applicable)

Closes #32396.

Reason for this change

VPC origins have been added to CloudFront, and CloudFormation now supports them.
For details, see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html

Description of changes

Added an L2 construct cloudfront.VpcOrigin for AWS::CloudFront::VpcOrigin.
It will be created implicitly by the origin class described below.
You can create it explicitly to share a VPC origin between distributions.

```ts
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';

// `instance`, `alb`, `nlb` and `endpointArn` are declared elsewhere in the stack.
// Exactly one `endpoint` is passed; the alternatives are listed side by side here.

// Create a VPC origin resource
const vpcOrigin = new cloudfront.VpcOrigin(this, 'VpcOrigin', {
  // An EC2 instance endpoint
  endpoint: cloudfront.VpcOriginEndpoint.fromEc2Instance(instance),
  // An Application Load Balancer endpoint
  endpoint: cloudfront.VpcOriginEndpoint.fromApplicationLoadBalancer(alb),
  // A Network Load Balancer endpoint
  endpoint: cloudfront.VpcOriginEndpoint.fromNetworkLoadBalancer(nlb),
  // Endpoint from an ARN, i.e. an imported resource
  endpoint: new cloudfront.VpcOriginEndpoint({ endpointArn }),
  // Optional VPC origin resource configurations
  vpcOriginName: 'Name of the VPC origin',
  httpPort: 80,
  httpsPort: 443,
  protocolPolicy: cloudfront.OriginProtocolPolicy.MATCH_VIEWER,
  originSslProtocols: [cloudfront.OriginSslPolicy.TLS_V1_2],
});
```

Added an origin class cloudfront_origins.VpcOrigin for distribution configuration.
It can be configured with an Application Load Balancer, a Network Load Balancer, an EC2 instance, or a cloudfront.VpcOrigin construct.

```ts
import * as cdk from 'aws-cdk-lib';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';

// `instance`, `alb`, `nlb` and `vpcOrigin` are declared elsewhere in the stack.

// An EC2 instance as a VPC origin
const ec2InstanceOrigin = origins.VpcOrigin.withEc2Instance(instance, {
  // Optional VPC origin configurations
  domainName: 'internal.example.com', // default: PrivateDnsName of the instance
  readTimeout: cdk.Duration.seconds(30),
  keepaliveTimeout: cdk.Duration.seconds(5),
  // Optional VPC origin resource configurations
  vpcOriginName: 'Name of the VPC origin',
  httpPort: 80,
  httpsPort: 443,
  protocolPolicy: cloudfront.OriginProtocolPolicy.MATCH_VIEWER,
  originSslProtocols: [cloudfront.OriginSslPolicy.TLS_V1_2],
  // Optional origin common configurations
  connectionTimeout: cdk.Duration.seconds(10),
  connectionAttempts: 3,
  customHeaders: {},
  originShieldRegion: 'region-name',
  originShieldEnabled: true,
  originId: 'origin-id',
});

// An Application Load Balancer as a VPC origin
const albOrigin = origins.VpcOrigin.withApplicationLoadBalancer(alb, {
  // Optional VPC origin configurations
  domainName: 'internal.example.com', // default: DNSName of the ALB
  readTimeout: cdk.Duration.seconds(30),
  keepaliveTimeout: cdk.Duration.seconds(5),
  // Optional VPC origin resource configurations (as above)
  // Optional origin common configurations (as above)
});

// A Network Load Balancer as a VPC origin
const nlbOrigin = origins.VpcOrigin.withNetworkLoadBalancer(nlb, {
  // Optional VPC origin configurations
  domainName: 'internal.example.com', // default: DNSName of the NLB
  readTimeout: cdk.Duration.seconds(30),
  keepaliveTimeout: cdk.Duration.seconds(5),
  // Optional VPC origin resource configurations (as above)
  // Optional origin common configurations (as above)
});

// Use an explicit VPC origin resource
const vpcOriginOrigin = origins.VpcOrigin.withVpcOrigin(vpcOrigin, {
  // Mandatory if the vpcOrigin was created without a domainName
  domainName: 'internal.example.com',
  // Optional VPC origin configurations
  readTimeout: cdk.Duration.seconds(30),
  keepaliveTimeout: cdk.Duration.seconds(5),
  // Optional origin common configurations (as above)
});
```

Describe any new or updated permissions being added

No permissions are added automatically.
See the README for how to allow connections from VPC origins.

Description of how you validated changes

Unit tests and integ tests.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
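The construct above passes `protocolPolicy` and `originSslProtocols` straight into the AWS::CloudFront::VpcOrigin resource, and the author's note further down explains that the construct's `['TLSv1.2']` default replaces a service default of SSLv3 and TLSv1. The guard below is an added example, not code from this PR or from aws-cdk-lib: it reads a synthesized CloudFormation template (what `cdk synth` writes to cdk.out) and flags VPC origin resources that still permit plaintext or legacy TLS between CloudFront and the origin. It assumes the CloudFormation property names `VpcOriginEndpointConfig.OriginProtocolPolicy` and `VpcOriginEndpointConfig.OriginSSLProtocols`; the sample template embedded at the bottom is constructed for the example.

```typescript
// Added example (not from the aws-cdk PR or aws-cdk-lib): a post-synth guard for
// AWS::CloudFront::VpcOrigin resources. Property names follow the CloudFormation
// schema for that resource type; the sample template below is constructed.

interface VpcOriginEndpointConfig {
  Arn: string;
  Name?: string;
  HTTPPort?: number;
  HTTPSPort?: number;
  OriginProtocolPolicy?: string; // 'http-only' | 'match-viewer' | 'https-only'
  OriginSSLProtocols?: string[]; // subset of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
}

interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
}

interface Template {
  Resources: Record<string, CfnResource>;
}

interface Finding {
  logicalId: string;
  problem: string;
}

// The only origin-side protocol version worth allowing. When OriginSSLProtocols is
// omitted, the service falls back to SSLv3 and TLSv1 (the PR's construct overrides
// that with TLSv1.2), so an absent list is treated as a finding too.
const ALLOWED_ORIGIN_SSL_PROTOCOLS = ['TLSv1.2'];

function auditVpcOrigins(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== 'AWS::CloudFront::VpcOrigin') continue;
    const cfg = (res.Properties?.VpcOriginEndpointConfig ?? {}) as VpcOriginEndpointConfig;

    // Check 1: CloudFront must always use TLS toward the origin. 'http-only' never
    // does; 'match-viewer' sends plaintext into the VPC whenever the viewer used http.
    if (cfg.OriginProtocolPolicy !== 'https-only') {
      findings.push({
        logicalId,
        problem: `OriginProtocolPolicy is '${cfg.OriginProtocolPolicy ?? 'unset'}', expected 'https-only'`,
      });
    }

    // Check 2: no legacy protocol versions and no reliance on the service default.
    const protocols = cfg.OriginSSLProtocols;
    if (!protocols || protocols.length === 0) {
      findings.push({ logicalId, problem: 'OriginSSLProtocols omitted; service default is SSLv3 and TLSv1' });
    } else {
      const legacy = protocols.filter((p) => ALLOWED_ORIGIN_SSL_PROTOCOLS.indexOf(p) < 0);
      if (legacy.length > 0) {
        findings.push({ logicalId, problem: `OriginSSLProtocols allows ${legacy.join(', ')}` });
      }
    }
  }
  return findings;
}

// Constructed sample template. AlbVpcOrigin mirrors what the PR's construct emits with
// the values shown in the description (TLSv1.2, match-viewer); LegacyVpcOrigin is a
// hand-written resource that leans on the service defaults; Bucket is unrelated.
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    AlbVpcOrigin: {
      Type: 'AWS::CloudFront::VpcOrigin',
      Properties: {
        VpcOriginEndpointConfig: {
          Arn: 'arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/internal/abc123',
          Name: 'AlbVpcOrigin',
          HTTPSPort: 443,
          OriginProtocolPolicy: 'match-viewer',
          OriginSSLProtocols: ['TLSv1.2'],
        },
      },
    },
    LegacyVpcOrigin: {
      Type: 'AWS::CloudFront::VpcOrigin',
      Properties: {
        VpcOriginEndpointConfig: {
          Arn: 'arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0',
          HTTPPort: 80,
          OriginProtocolPolicy: 'http-only',
        },
      },
    },
    Bucket: { Type: 'AWS::S3::Bucket' },
  },
};

// Problems reported for a single logical ID (handy in tests and CI output).
function problemsFor(logicalId: string, template: Template = SAMPLE_TEMPLATE): string[] {
  return auditVpcOrigins(template)
    .filter((f) => f.logicalId === logicalId)
    .map((f) => f.problem);
}

// Usage: print every finding; a CI wrapper would fail the build when the list is non-empty.
auditVpcOrigins(SAMPLE_TEMPLATE).forEach((f) => console.error(`${f.logicalId}: ${f.problem}`));
```

Running it against the constructed template reports the match-viewer policy on AlbVpcOrigin and both the http-only policy and the missing protocol list on LegacyVpcOrigin; a stack built with the PR's construct and `protocolPolicy: HTTPS_ONLY` passes cleanly.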

@aws-cdk-automation aws-cdk-automation requested a review from a team February 6, 2025 13:55
@github-actions github-actions bot added labels effort/medium (Medium work item, several days of effort), feature-request (A feature should be added or improved), p2 and admired-contributor ([Pilot] contributed between 13-24 PRs to the CDK) on Feb 6, 2025
httpsPort: props.httpsPort,
name: props.vpcOriginName ?? Names.uniqueResourceName(this, {}),
originProtocolPolicy: props.protocolPolicy,
originSslProtocols: props.originSslProtocols ?? [OriginSslPolicy.TLS_V1_2],
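Review bot: `props.originSslProtocols ?? [OriginSslPolicy.TLS_V1_2]` only substitutes the safe default when the property is undefined; an explicit empty array is not nullish, passes through unchanged, and would let CloudFormation apply the SSLv3/TLSv1 service default that this fallback exists to avoid. Consider treating an empty list like undefined, or rejecting it with a validation error, and document in the `originSslProtocols` doc comment and the README that the construct's default is `[TLS_V1_2]` rather than the CloudFormation default, since `originProtocolPolicy` on the line above is passed through with no override of its own.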
@Tietew (Contributor, author) commented Feb 6, 2025

The default value of originSslProtocols is ['SSLv3', 'TLSv1'].
This explicit default ['TLSv1.2'] is the same as the AWS management console.

codecov bot commented Feb 6, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.92%. Comparing base (873233b) to head (ae4ccdb).
Report is 21 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #33318      +/-   ##
==========================================
+ Coverage   80.83%   80.92%   +0.08%     
==========================================
  Files         236      236              
  Lines       14251    14253       +2     
  Branches     2490     2490              
==========================================
+ Hits        11520    11534      +14     
+ Misses       2446     2434      -12     
  Partials      285      285              
Flag Coverage Δ
suite.unit 80.92% <ø> (+0.08%) ⬆️

Flags with carried forward coverage won't be shown.

Components Coverage Δ
packages/aws-cdk 79.73% <ø> (+0.16%) ⬆️
packages/aws-cdk-lib/core 82.20% <ø> (ø)

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Feb 7, 2025
@aws-cdk-automation (Collaborator) left a review: (This review is outdated)

@aws-cdk-automation (Collaborator) left a review: (This review is outdated)

@aws-cdk-automation aws-cdk-automation dismissed their stale review February 7, 2025 16:08

Dismissing outdated PRLinter review.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Feb 7, 2025
@aws-cdk-automation aws-cdk-automation dismissed their stale review February 7, 2025 16:33

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Feb 7, 2025
@aws-cdk-automation (Collaborator) commented

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: ae4ccdb
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Labels: admired-contributor ([Pilot] contributed between 13-24 PRs to the CDK), effort/medium (Medium work item, several days of effort), feature-request (A feature should be added or improved), p2, pr/needs-community-review (This PR needs a review from a Trusted Community Member or Core Team Member)

Development: successfully merging this pull request may close "(CloudFront): Add coverage/support for VPC origins construct".