README
¶
CloudFront Origins for the CDK CloudFront Library
This library contains convenience methods for defining origins for a CloudFront distribution. You can use this library to create origins from S3 buckets, Elastic Load Balancing v2 load balancers, or any other domain name.
S3 Bucket
An S3 bucket can be used as an origin. An S3 bucket origin can either be configured using a standard S3 bucket or using a S3 bucket that's configured as a website endpoint (see AWS docs for Using an S3 Bucket).
Note:
S3Originhas been deprecated. UseS3BucketOriginfor standard S3 origins andS3StaticWebsiteOriginfor static website S3 origins.
Standard S3 Bucket
To set up an origin using a standard S3 bucket, use the S3BucketOrigin class. The bucket
is handled as a bucket origin and
CloudFront's redirect and error handling will be used. It is recommended to use S3BucketOrigin.withOriginAccessControl() to configure OAC for your origin.
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.S3BucketOrigin_WithOriginAccessControl(myBucket),
},
})
Note: When you use CloudFront OAC with Amazon S3 bucket origins, you must set Amazon S3 Object Ownership to Bucket owner enforced (the default for new Amazon S3 buckets). If you require ACLs, use the Bucket owner preferred setting to maintain control over objects uploaded via CloudFront.
S3 Bucket Configured as a Website Endpoint
To set up an origin using an S3 bucket configured as a website endpoint, use the S3StaticWebsiteOrigin class. When the bucket is configured as a
website endpoint, the bucket is treated as an HTTP origin,
and the distribution can use built-in S3 redirects and S3 custom error pages.
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewS3StaticWebsiteOrigin(myBucket),
},
})
Restricting access to a standard S3 Origin
CloudFront provides two ways to send authenticated requests to a standard Amazon S3 origin:
- origin access control (OAC) and
- origin access identity (OAI)
OAI is considered legacy due to limited functionality and regional limitations, whereas OAC is recommended because it supports all Amazon S3 buckets in all AWS Regions, Amazon S3 server-side encryption with AWS KMS (SSE-KMS), and dynamic requests (PUT and DELETE) to Amazon S3. Additionally, OAC provides stronger security posture with short term credentials, and more frequent credential rotations as compared to OAI. OAI and OAC can be used in conjunction with a bucket that is not public to require that your users access your content using CloudFront URLs and not S3 URLs directly.
See AWS docs on Restricting access to an Amazon S3 Origin for more details.
Note: OAC and OAI can only be used with an regular S3 bucket origin (not a bucket configured as a website endpoint).
The S3BucketOrigin class supports creating a standard S3 origin with OAC, OAI, and no access control (using your bucket access settings) via
the withOriginAccessControl(), withOriginAccessIdentity(), and withBucketDefaults() methods respectively.
Setting up a new origin access control (OAC)
Setup a standard S3 origin with origin access control as follows:
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.S3BucketOrigin_WithOriginAccessControl(myBucket),
},
})
When creating a standard S3 origin using origins.S3BucketOrigin.withOriginAccessControl(), an Origin Access Control resource is automatically created with the origin type set to s3 and signing behavior set to always.
You can grant read, write or delete access to the OAC using the originAccessLevels property:
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
s3Origin := origins.S3BucketOrigin_WithOriginAccessControl(myBucket, &S3BucketOriginWithOACProps{
OriginAccessLevels: []accessLevel{
cloudfront.*accessLevel_READ,
cloudfront.*accessLevel_WRITE,
cloudfront.*accessLevel_DELETE,
},
})
You can also pass in a custom S3 origin access control:
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
oac := cloudfront.NewS3OriginAccessControl(this, jsii.String("MyOAC"), &S3OriginAccessControlProps{
Signing: cloudfront.Signing_SIGV4_NO_OVERRIDE(),
})
s3Origin := origins.S3BucketOrigin_WithOriginAccessControl(myBucket, &S3BucketOriginWithOACProps{
OriginAccessControl: oac,
})
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: s3Origin,
},
})
An existing S3 origin access control can be imported using the fromOriginAccessControlId method:
importedOAC := cloudfront.S3OriginAccessControl_FromOriginAccessControlId(this, jsii.String("myImportedOAC"), jsii.String("ABC123ABC123AB"))
Note: When you use OAC with S3 bucket origins, the bucket's object ownership must be either set to Bucket owner enforced (default for new S3 buckets) or Bucket owner preferred (only if you require ACLs).
Setting up OAC with a SSE-KMS encrypted S3 origin
If the objects in the S3 bucket origin are encrypted using server-side encryption with AWS Key Management Service (SSE-KMS), the OAC must have permission to use the KMS key.
Setting up a standard S3 origin using S3BucketOrigin.withOriginAccessControl() will automatically add the statement to the KMS key policy
to give the OAC permission to use the KMS key.
import kms "github.com/aws/aws-cdk-go/awscdk"
myKmsKey := kms.NewKey(this, jsii.String("myKMSKey"))
myBucket := s3.NewBucket(this, jsii.String("mySSEKMSEncryptedBucket"), &BucketProps{
Encryption: s3.BucketEncryption_KMS,
EncryptionKey: myKmsKey,
ObjectOwnership: s3.ObjectOwnership_BUCKET_OWNER_ENFORCED,
})
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.S3BucketOrigin_WithOriginAccessControl(myBucket),
},
})
Scoping down the key policy
I saw this warning message during synth time. What do I do?
To avoid a circular dependency between the KMS key, Bucket, and Distribution during the initial deployment, a wildcard is used in the Key policy condition to match all Distribution IDs.
After deploying once, it is strongly recommended to further scope down the policy for best security practices by following the guidance in the "Using OAC for a SSE-KMS encrypted S3 origin" section in the module README.
If the S3 bucket has an encryptionKey defined, S3BucketOrigin.withOriginAccessControl()
will automatically add the following policy statement to the KMS key policy to allow CloudFront read-only access (unless otherwise specified in the originAccessLevels property).
{
"Statement": {
"Effect": "Allow",
"Principal": {
"Service": "cloudfront.amazonaws.com"
},
"Action": "kms:Decrypt",
"Resource": "*",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:cloudfront::<account ID>:distribution/*"
}
}
}
}
This policy uses a wildcard to match all distribution IDs in the account instead of referencing the specific distribution ID to resolve the circular dependency. The policy statement is not as scoped down as the example in the AWS CloudFront docs (see SSE-KMS section).
After you have deployed the Distribution, you should follow these steps to only grant permissions to the specific distribution according to AWS best practices:
Step 1. Copy the key policy
Step 2. Use an escape hatch to update the policy statement condition so that
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:cloudfront::<account ID>:distribution/*"
}
}
...becomes...
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
}
}
Note the change of condition operator from
ArnLiketoStringEqualsin addition to replacing the wildcard (*) with the distribution ID.
To set the key policy using an escape hatch:
import kms "github.com/aws/aws-cdk-go/awscdk"
kmsKey := kms.NewKey(this, jsii.String("myKMSKey"))
myBucket := s3.NewBucket(this, jsii.String("mySSEKMSEncryptedBucket"), &BucketProps{
Encryption: s3.BucketEncryption_KMS,
EncryptionKey: kmsKey,
ObjectOwnership: s3.ObjectOwnership_BUCKET_OWNER_ENFORCED,
})
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.S3BucketOrigin_WithOriginAccessControl(myBucket),
},
})
// Add the following to scope down the key policy
scopedDownKeyPolicy := map[string]interface{}{
"Version": jsii.String("2012-10-17"),
"Statement": []interface{}{
map[string]interface{}{
"Effect": jsii.String("Allow"),
"Principal": map[string]*string{
"AWS": jsii.String("arn:aws:iam::111122223333:root"),
},
"Action": jsii.String("kms:*"),
"Resource": jsii.String("*"),
},
map[string]interface{}{
"Effect": jsii.String("Allow"),
"Principal": map[string]*string{
"Service": jsii.String("cloudfront.amazonaws.com"),
},
"Action": []*string{
jsii.String("kms:Decrypt"),
jsii.String("kms:Encrypt"),
jsii.String("kms:GenerateDataKey*"),
},
"Resource": jsii.String("*"),
"Condition": map[string]map[string]*string{
"StringEquals": map[string]*string{
"AWS:SourceArn": jsii.String("arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"),
},
},
},
},
}
cfnKey := (kmsKey.Node.defaultChild.(cfnKey))
cfnKey.KeyPolicy = scopedDownKeyPolicy
Step 3. Deploy the stack
Tip: Run
cdk diffbefore deploying to verify the changes to your stack.
Step 4. Verify your final key policy includes the following statement after deploying:
{
"Effect": "Allow",
"Principal": {
"Service": [
"cloudfront.amazonaws.com"
]
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
}
}
}
Updating imported key policies
If you are using an imported KMS key to encrypt your S3 bucket and want to use OAC, you will need to update the key policy manually to allow CloudFront to use the key. Like most imported resources, CDK apps cannot modify the configuration of imported keys.
After deploying the distribution, add the following policy statement to your key policy to allow CloudFront OAC to access your KMS key for SSE-KMS:
{
"Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
"Effect": "Allow",
"Principal": {
"Service": [
"cloudfront.amazonaws.com"
]
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
}
}
}
See CloudFront docs on SSE-KMS for more details.
Setting up OAC with imported S3 buckets
If you are using an imported bucket for your S3 Origin and want to use OAC, you will need to update the S3 bucket policy manually to allow the OAC to access the S3 origin. Like most imported resources, CDK apps cannot modify the configuration of imported buckets.
After deploying the distribution, add the following policy statement to your S3 bucket to allow CloudFront read-only access (or additional S3 permissions as required):
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {
"Service": "cloudfront.amazonaws.com"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<S3 bucket name>/*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/<CloudFront distribution ID>"
}
}
}
}
See CloudFront docs on Giving the origin access control permission to access the S3 bucket for more details.
Note: If your bucket previously used OAI, you will need to manually remove the policy statement that gives the OAI access to your bucket after setting up OAC.
Setting up an OAI (legacy)
Setup an S3 origin with origin access identity (legacy) as follows:
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.S3BucketOrigin_WithOriginAccessIdentity(myBucket),
},
})
You can also pass in a custom S3 origin access identity:
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
myOai := cloudfront.NewOriginAccessIdentity(this, jsii.String("myOAI"), &OriginAccessIdentityProps{
Comment: jsii.String("My custom OAI"),
})
s3Origin := origins.S3BucketOrigin_WithOriginAccessIdentity(myBucket, &S3BucketOriginWithOAIProps{
OriginAccessIdentity: myOai,
})
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: s3Origin,
},
})
Setting up OAI with imported S3 buckets (legacy)
If you are using an imported bucket for your S3 Origin and want to use OAI, you will need to update the S3 bucket policy manually to allow the OAI to access the S3 origin. Like most imported resources, CDK apps cannot modify the configuration of imported buckets.
Add the following policy statement to your S3 bucket to allow the OAI read access:
{
"Version": "2012-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <origin access identity ID>"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<S3 bucket name>/*"
}
]
}
See AWS docs on Giving an origin access identity permission to read files in the Amazon S3 bucket for more details.
Setting up a S3 origin with no origin access control
To setup a standard S3 origin with no access control (no OAI nor OAC), use origins.S3BucketOrigin.withBucketDefaults():
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.S3BucketOrigin_WithBucketDefaults(myBucket),
},
})
Migrating from OAI to OAC
If you are currently using OAI for your S3 origin and wish to migrate to OAC,
replace the S3Origin construct (deprecated) with S3BucketOrigin.withOriginAccessControl() which automatically
creates and sets up an OAC for you.
Existing setup using OAI and S3Origin:
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
s3Origin := origins.NewS3Origin(myBucket)
distribution := cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: s3Origin,
},
})
Step 1:
To ensure CloudFront doesn't lose access to the bucket during the transition, add a statement to bucket policy to grant OAC access to the S3 origin. Deploy the stack. If you are okay with downtime during the transition, you can skip this step.
Tip: Run
cdk diffbefore deploying to verify the changes to your stack.
import cdk "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
stack := awscdk.Newstack()
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
s3Origin := origins.NewS3Origin(myBucket)
distribution := cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: s3Origin,
},
})
// Construct the bucket policy statement
distributionArn := stack.FormatArn(&ArnComponents{
Service: jsii.String("cloudfront"),
Region: jsii.String(""),
Resource: jsii.String("distribution"),
ResourceName: distribution.DistributionId,
ArnFormat: cdk.ArnFormat_SLASH_RESOURCE_NAME,
})
cloudfrontSP := iam.NewServicePrincipal(jsii.String("cloudfront.amazonaws.com"))
oacBucketPolicyStatement := iam.NewPolicyStatement(&PolicyStatementProps{
Effect: iam.Effect_ALLOW,
Principals: []iPrincipal{
cloudfrontSP,
},
Actions: []*string{
jsii.String("s3:GetObject"),
},
Resources: []*string{
myBucket.ArnForObjects(jsii.String("*")),
},
Conditions: map[string]interface{}{
"StringEquals": map[string]*string{
"AWS:SourceArn": distributionArn,
},
},
})
// Add statement to bucket policy
myBucket.AddToResourcePolicy(oacBucketPolicyStatement)
The following changes will take place:
- The bucket policy will be modified to grant the CloudFront distribution access. At this point the bucket policy allows both an OAI and an OAC to access the S3 origin.
Step 2:
Replace S3Origin with S3BucketOrigin.withOriginAccessControl(), which creates an OAC and attaches it to the distribution. You can remove the code from Step 1 which updated the bucket policy, as S3BucketOrigin.withOriginAccessControl() updates the bucket policy automatically with the same statement when defined in the Distribution (no net difference).
Run cdk diff before deploying to verify the changes to your stack.
bucket := s3.NewBucket(this, jsii.String("Bucket"))
s3Origin := origins.S3BucketOrigin_WithOriginAccessControl(bucket)
distribution := cloudfront.NewDistribution(this, jsii.String("Distribution"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: s3Origin,
},
})
The following changes will take place:
- A
AWS::CloudFront::OriginAccessControlresource will be created. - The
Originproperty of theAWS::CloudFront::Distributionwill setOriginAccessControlIdto the OAC ID after it is created. It will also setS3OriginConfigto{"OriginAccessIdentity": ""}, which deletes the origin access identity from the existing distribution. - The
AWS::CloudFront::CloudFrontOriginAccessIdentityresource will be deleted.
Will migrating from OAI to OAC cause any resource replacement?
No, following the migration steps does not cause any replacement of the existing AWS::CloudFront::Distribution, AWS::S3::Bucket nor AWS::S3::BucketPolicy resources. It will modify the bucket policy, create a AWS::CloudFront::OriginAccessControl resource, and delete the existing AWS::CloudFront::CloudFrontOriginAccessIdentity.
Will migrating from OAI to OAC have any availability implications for my application?
Updates to bucket policies are eventually consistent. Therefore, removing OAI permissions and setting up OAC in the same CloudFormation stack deployment is not recommended as it may cause downtime where CloudFront loses access to the bucket. Following the steps outlined above lowers the risk of downtime as the bucket policy is updated to have both OAI and OAC permissions, then in a subsequent deployment, the OAI permissions are removed.
For more information, see Migrating from origin access identity (OAI) to origin access control (OAC).
Adding Custom Headers
You can configure CloudFront to add custom headers to the requests that it sends to your origin. These custom headers enable you to send and gather information from your origin that you don’t get with typical viewer requests. These headers can even be customized for each origin. CloudFront supports custom headers for both for custom and Amazon S3 origins.
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.S3BucketOrigin_WithOriginAccessControl(myBucket, &S3BucketOriginWithOACProps{
CustomHeaders: map[string]*string{
"Foo": jsii.String("bar"),
},
}),
},
})
ELBv2 Load Balancer
An Elastic Load Balancing (ELB) v2 load balancer may be used as an origin. In order for a load balancer to serve as an origin, it must be publicly
accessible (internetFacing is true). Both Application and Network load balancers are supported.
import ec2 "github.com/aws/aws-cdk-go/awscdk"
import elbv2 "github.com/aws/aws-cdk-go/awscdk"
var vpc vpc
// Create an application load balancer in a VPC. 'internetFacing' must be 'true'
// for CloudFront to access the load balancer and use it as an origin.
lb := elbv2.NewApplicationLoadBalancer(this, jsii.String("LB"), &ApplicationLoadBalancerProps{
Vpc: Vpc,
InternetFacing: jsii.Boolean(true),
})
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewLoadBalancerV2Origin(lb),
},
})
The origin can also be customized to respond on different ports, have different connection properties, etc.
import elbv2 "github.com/aws/aws-cdk-go/awscdk"
var loadBalancer applicationLoadBalancer
origin := origins.NewLoadBalancerV2Origin(loadBalancer, &LoadBalancerV2OriginProps{
ConnectionAttempts: jsii.Number(3),
ConnectionTimeout: awscdk.Duration_Seconds(jsii.Number(5)),
ReadTimeout: awscdk.Duration_*Seconds(jsii.Number(45)),
KeepaliveTimeout: awscdk.Duration_*Seconds(jsii.Number(45)),
ProtocolPolicy: cloudfront.OriginProtocolPolicy_MATCH_VIEWER,
})
Note that the readTimeout and keepaliveTimeout properties can extend their values over 60 seconds only if a limit increase request for CloudFront origin response timeout
quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Consider that this value is
still limited to a maximum value of 180 seconds, which is a hard limit for that quota.
From an HTTP endpoint
Origins can also be created from any other HTTP endpoint, given the domain name, and optionally, other origin properties.
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewHttpOrigin(jsii.String("www.example.com")),
},
})
See the documentation of aws-cdk-lib/aws-cloudfront for more information.
Failover Origins (Origin Groups)
You can set up CloudFront with origin failover for scenarios that require high availability.
To get started, you create an origin group with two origins: a primary and a secondary.
If the primary origin is unavailable, or returns specific HTTP response status codes that indicate a failure,
CloudFront automatically switches to the secondary origin.
You achieve that behavior in the CDK using the OriginGroup class:
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewOriginGroup(&OriginGroupProps{
PrimaryOrigin: origins.S3BucketOrigin_WithOriginAccessControl(myBucket),
FallbackOrigin: origins.NewHttpOrigin(jsii.String("www.example.com")),
// optional, defaults to: 500, 502, 503 and 504
FallbackStatusCodes: []*f64{
jsii.Number(404),
},
}),
},
})
From an API Gateway REST API
Origins can be created from an API Gateway REST API. It is recommended to use a regional API in this case. The origin path will automatically be set as the stage name.
var api restApi
cloudfront.NewDistribution(this, jsii.String("Distribution"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewRestApiOrigin(api),
},
})
If you want to use a different origin path, you can specify it in the originPath property.
var api restApi
cloudfront.NewDistribution(this, jsii.String("Distribution"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewRestApiOrigin(api, &RestApiOriginProps{
OriginPath: jsii.String("/custom-origin-path"),
}),
},
})
From a Lambda Function URL
Lambda Function URLs enable direct invocation of Lambda functions via HTTP(S), without intermediaries. They can be set as CloudFront origins for streamlined function execution behind a CDN, leveraging caching and custom domains.
import lambda "github.com/aws/aws-cdk-go/awscdk"
var fn function
fnUrl := fn.AddFunctionUrl(&FunctionUrlOptions{
AuthType: lambda.FunctionUrlAuthType_NONE,
})
cloudfront.NewDistribution(this, jsii.String("Distribution"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewFunctionUrlOrigin(fnUrl),
},
})
Lambda Function URL with Origin Access Control (OAC)
You can configure the Lambda Function URL with Origin Access Control (OAC) for enhanced security. When using OAC with Signing SIGV4_ALWAYS, it is recommended to set the Lambda Function URL authType to AWS_IAM to ensure proper authorization.
import lambda "github.com/aws/aws-cdk-go/awscdk"
var fn function
fnUrl := fn.AddFunctionUrl(&FunctionUrlOptions{
AuthType: lambda.FunctionUrlAuthType_AWS_IAM,
})
cloudfront.NewDistribution(this, jsii.String("MyDistribution"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.FunctionUrlOrigin_WithOriginAccessControl(fnUrl),
},
})
If you want to explicitly add OAC for more customized access control, you can use the originAccessControl option as shown below.
import lambda "github.com/aws/aws-cdk-go/awscdk"
var fn function
fnUrl := fn.AddFunctionUrl(&FunctionUrlOptions{
AuthType: lambda.FunctionUrlAuthType_AWS_IAM,
})
// Define a custom OAC
oac := cloudfront.NewFunctionUrlOriginAccessControl(this, jsii.String("MyOAC"), &FunctionUrlOriginAccessControlProps{
OriginAccessControlName: jsii.String("CustomLambdaOAC"),
Signing: cloudfront.Signing_SIGV4_ALWAYS(),
})
// Set up Lambda Function URL with OAC in CloudFront Distribution
// Set up Lambda Function URL with OAC in CloudFront Distribution
cloudfront.NewDistribution(this, jsii.String("MyDistribution"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.FunctionUrlOrigin_WithOriginAccessControl(fnUrl, &FunctionUrlOriginWithOACProps{
OriginAccessControl: oac,
}),
},
})
Documentation
¶
Index ¶
- func FunctionUrlOrigin_WithOriginAccessControl(lambdaFunctionUrl awslambda.IFunctionUrl, props *FunctionUrlOriginWithOACProps) awscloudfront.IOrigin
- func NewFunctionUrlOrigin_Override(f FunctionUrlOrigin, lambdaFunctionUrl awslambda.IFunctionUrl, ...)
- func NewHttpOrigin_Override(h HttpOrigin, domainName *string, props *HttpOriginProps)
- func NewLoadBalancerV2Origin_Override(l LoadBalancerV2Origin, loadBalancer awselasticloadbalancingv2.ILoadBalancerV2, ...)
- func NewOriginGroup_Override(o OriginGroup, props *OriginGroupProps)
- func NewRestApiOrigin_Override(r RestApiOrigin, restApi awsapigateway.RestApiBase, props *RestApiOriginProps)
- func NewS3BucketOrigin_Override(s S3BucketOrigin, bucket awss3.IBucket, props *S3BucketOriginBaseProps)
- func NewS3Origin_Override(s S3Origin, bucket awss3.IBucket, props *S3OriginProps)deprecated
- func NewS3StaticWebsiteOrigin_Override(s S3StaticWebsiteOrigin, bucket awss3.IBucket, ...)
- func S3BucketOrigin_WithBucketDefaults(bucket awss3.IBucket, props *awscloudfront.OriginProps) awscloudfront.IOrigin
- func S3BucketOrigin_WithOriginAccessControl(bucket awss3.IBucket, props *S3BucketOriginWithOACProps) awscloudfront.IOrigin
- func S3BucketOrigin_WithOriginAccessIdentity(bucket awss3.IBucket, props *S3BucketOriginWithOAIProps) awscloudfront.IOrigin
- type FunctionUrlOrigin
- type FunctionUrlOriginBaseProps
- type FunctionUrlOriginProps
- type FunctionUrlOriginWithOACProps
- type HttpOrigin
- type HttpOriginProps
- type LoadBalancerV2Origin
- type LoadBalancerV2OriginProps
- type OriginGroup
- type OriginGroupProps
- type RestApiOrigin
- type RestApiOriginProps
- type S3BucketOrigin
- type S3BucketOriginBaseProps
- type S3BucketOriginWithOACProps
- type S3BucketOriginWithOAIProps
- type S3Origindeprecated
- type S3OriginProps
- type S3StaticWebsiteOrigin
- type S3StaticWebsiteOriginProps
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func FunctionUrlOrigin_WithOriginAccessControl ¶ added in v2.168.0
func FunctionUrlOrigin_WithOriginAccessControl(lambdaFunctionUrl awslambda.IFunctionUrl, props *FunctionUrlOriginWithOACProps) awscloudfront.IOrigin
Create a Lambda Function URL Origin with Origin Access Control (OAC) configured.
func NewFunctionUrlOrigin_Override ¶ added in v2.129.0
func NewFunctionUrlOrigin_Override(f FunctionUrlOrigin, lambdaFunctionUrl awslambda.IFunctionUrl, props *FunctionUrlOriginProps)
func NewHttpOrigin_Override ¶
func NewHttpOrigin_Override(h HttpOrigin, domainName *string, props *HttpOriginProps)
func NewLoadBalancerV2Origin_Override ¶
func NewLoadBalancerV2Origin_Override(l LoadBalancerV2Origin, loadBalancer awselasticloadbalancingv2.ILoadBalancerV2, props *LoadBalancerV2OriginProps)
func NewOriginGroup_Override ¶
func NewOriginGroup_Override(o OriginGroup, props *OriginGroupProps)
func NewRestApiOrigin_Override ¶ added in v2.25.0
func NewRestApiOrigin_Override(r RestApiOrigin, restApi awsapigateway.RestApiBase, props *RestApiOriginProps)
func NewS3BucketOrigin_Override ¶ added in v2.156.0
func NewS3BucketOrigin_Override(s S3BucketOrigin, bucket awss3.IBucket, props *S3BucketOriginBaseProps)
func NewS3Origin_Override
deprecated
func NewS3Origin_Override(s S3Origin, bucket awss3.IBucket, props *S3OriginProps)
Deprecated: Use `S3BucketOrigin` or `S3StaticWebsiteOrigin` instead.
func NewS3StaticWebsiteOrigin_Override ¶ added in v2.156.0
func NewS3StaticWebsiteOrigin_Override(s S3StaticWebsiteOrigin, bucket awss3.IBucket, props *S3StaticWebsiteOriginProps)
func S3BucketOrigin_WithBucketDefaults ¶ added in v2.156.0
func S3BucketOrigin_WithBucketDefaults(bucket awss3.IBucket, props *awscloudfront.OriginProps) awscloudfront.IOrigin
Create a S3 Origin with default S3 bucket settings (no origin access control).
func S3BucketOrigin_WithOriginAccessControl ¶ added in v2.156.0
func S3BucketOrigin_WithOriginAccessControl(bucket awss3.IBucket, props *S3BucketOriginWithOACProps) awscloudfront.IOrigin
Create a S3 Origin with Origin Access Control (OAC) configured.
func S3BucketOrigin_WithOriginAccessIdentity ¶ added in v2.156.0
func S3BucketOrigin_WithOriginAccessIdentity(bucket awss3.IBucket, props *S3BucketOriginWithOAIProps) awscloudfront.IOrigin
Create a S3 Origin with Origin Access Identity (OAI) configured OAI is a legacy feature and we **strongly** recommend you to use OAC via `withOriginAccessControl()` unless it is not supported in your required region (e.g. China regions).
Types ¶
type FunctionUrlOrigin ¶ added in v2.129.0
type FunctionUrlOrigin interface {
awscloudfront.OriginBase
// Binds the origin to the associated Distribution.
//
// Can be used to grant permissions, create dependent resources, etc.
Bind(_scope constructs.Construct, options *awscloudfront.OriginBindOptions) *awscloudfront.OriginBindConfig
RenderCustomOriginConfig() *awscloudfront.CfnDistribution_CustomOriginConfigProperty
RenderS3OriginConfig() *awscloudfront.CfnDistribution_S3OriginConfigProperty
}
An Origin for a Lambda Function URL.
Example:
import lambda "github.com/aws/aws-cdk-go/awscdk"
var fn function
fnUrl := fn.AddFunctionUrl(&FunctionUrlOptions{
AuthType: lambda.FunctionUrlAuthType_AWS_IAM,
})
cloudfront.NewDistribution(this, jsii.String("MyDistribution"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.FunctionUrlOrigin_WithOriginAccessControl(fnUrl),
},
})
func NewFunctionUrlOrigin ¶ added in v2.129.0
func NewFunctionUrlOrigin(lambdaFunctionUrl awslambda.IFunctionUrl, props *FunctionUrlOriginProps) FunctionUrlOrigin
type FunctionUrlOriginBaseProps ¶ added in v2.168.0
type FunctionUrlOriginBaseProps struct {
// The number of times that CloudFront attempts to connect to the origin;
//
// valid values are 1, 2, or 3 attempts.
// Default: 3.
//
ConnectionAttempts *float64 `field:"optional" json:"connectionAttempts" yaml:"connectionAttempts"`
// The number of seconds that CloudFront waits when trying to establish a connection to the origin.
//
// Valid values are 1-10 seconds, inclusive.
// Default: Duration.seconds(10)
//
ConnectionTimeout awscdk.Duration `field:"optional" json:"connectionTimeout" yaml:"connectionTimeout"`
// A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
// Default: {}.
//
CustomHeaders *map[string]*string `field:"optional" json:"customHeaders" yaml:"customHeaders"`
// The unique identifier of an origin access control for this origin.
// Default: - no origin access control.
//
OriginAccessControlId *string `field:"optional" json:"originAccessControlId" yaml:"originAccessControlId"`
// A unique identifier for the origin.
//
// This value must be unique within the distribution.
// Default: - an originid will be generated for you.
//
OriginId *string `field:"optional" json:"originId" yaml:"originId"`
// Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
// Default: - true.
//
OriginShieldEnabled *bool `field:"optional" json:"originShieldEnabled" yaml:"originShieldEnabled"`
// When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
// See: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
//
// Default: - origin shield not enabled.
//
OriginShieldRegion *string `field:"optional" json:"originShieldRegion" yaml:"originShieldRegion"`
// An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
//
// Must begin, but not end, with '/' (e.g., '/production/images').
// Default: '/'.
//
OriginPath *string `field:"optional" json:"originPath" yaml:"originPath"`
}
Properties for configuring a origin using a standard Lambda Functions URLs.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import cdk "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
functionUrlOriginBaseProps := &FunctionUrlOriginBaseProps{
ConnectionAttempts: jsii.Number(123),
ConnectionTimeout: cdk.Duration_Minutes(jsii.Number(30)),
CustomHeaders: map[string]*string{
"customHeadersKey": jsii.String("customHeaders"),
},
OriginAccessControlId: jsii.String("originAccessControlId"),
OriginId: jsii.String("originId"),
OriginPath: jsii.String("originPath"),
OriginShieldEnabled: jsii.Boolean(false),
OriginShieldRegion: jsii.String("originShieldRegion"),
}
type FunctionUrlOriginProps ¶ added in v2.129.0
type FunctionUrlOriginProps struct {
// The number of times that CloudFront attempts to connect to the origin;
//
// valid values are 1, 2, or 3 attempts.
// Default: 3.
//
ConnectionAttempts *float64 `field:"optional" json:"connectionAttempts" yaml:"connectionAttempts"`
// The number of seconds that CloudFront waits when trying to establish a connection to the origin.
//
// Valid values are 1-10 seconds, inclusive.
// Default: Duration.seconds(10)
//
ConnectionTimeout awscdk.Duration `field:"optional" json:"connectionTimeout" yaml:"connectionTimeout"`
// A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
// Default: {}.
//
CustomHeaders *map[string]*string `field:"optional" json:"customHeaders" yaml:"customHeaders"`
// The unique identifier of an origin access control for this origin.
// Default: - no origin access control.
//
OriginAccessControlId *string `field:"optional" json:"originAccessControlId" yaml:"originAccessControlId"`
// A unique identifier for the origin.
//
// This value must be unique within the distribution.
// Default: - an originid will be generated for you.
//
OriginId *string `field:"optional" json:"originId" yaml:"originId"`
// Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
// Default: - true.
//
OriginShieldEnabled *bool `field:"optional" json:"originShieldEnabled" yaml:"originShieldEnabled"`
// When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
// See: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
//
// Default: - origin shield not enabled.
//
OriginShieldRegion *string `field:"optional" json:"originShieldRegion" yaml:"originShieldRegion"`
// An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
//
// Must begin, but not end, with '/' (e.g., '/production/images').
// Default: '/'.
//
OriginPath *string `field:"optional" json:"originPath" yaml:"originPath"`
// Specifies how long, in seconds, CloudFront persists its connection to the origin.
//
// The valid range is from 1 to 180 seconds, inclusive.
//
// Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
// has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
// Default: Duration.seconds(5)
//
KeepaliveTimeout awscdk.Duration `field:"optional" json:"keepaliveTimeout" yaml:"keepaliveTimeout"`
// Specifies how long, in seconds, CloudFront waits for a response from the origin.
//
// The valid range is from 1 to 180 seconds, inclusive.
//
// Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
// has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
// Default: Duration.seconds(30)
//
ReadTimeout awscdk.Duration `field:"optional" json:"readTimeout" yaml:"readTimeout"`
}
Properties for a Lambda Function URL Origin.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
functionUrlOriginProps := &FunctionUrlOriginProps{
ConnectionAttempts: jsii.Number(123),
ConnectionTimeout: cdk.Duration_Minutes(jsii.Number(30)),
CustomHeaders: map[string]*string{
"customHeadersKey": jsii.String("customHeaders"),
},
KeepaliveTimeout: cdk.Duration_*Minutes(jsii.Number(30)),
OriginAccessControlId: jsii.String("originAccessControlId"),
OriginId: jsii.String("originId"),
OriginPath: jsii.String("originPath"),
OriginShieldEnabled: jsii.Boolean(false),
OriginShieldRegion: jsii.String("originShieldRegion"),
ReadTimeout: cdk.Duration_*Minutes(jsii.Number(30)),
}
type FunctionUrlOriginWithOACProps ¶ added in v2.168.0
type FunctionUrlOriginWithOACProps struct {
// The number of times that CloudFront attempts to connect to the origin;
//
// valid values are 1, 2, or 3 attempts.
// Default: 3.
//
ConnectionAttempts *float64 `field:"optional" json:"connectionAttempts" yaml:"connectionAttempts"`
// The number of seconds that CloudFront waits when trying to establish a connection to the origin.
//
// Valid values are 1-10 seconds, inclusive.
// Default: Duration.seconds(10)
//
ConnectionTimeout awscdk.Duration `field:"optional" json:"connectionTimeout" yaml:"connectionTimeout"`
// A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
// Default: {}.
//
CustomHeaders *map[string]*string `field:"optional" json:"customHeaders" yaml:"customHeaders"`
// The unique identifier of an origin access control for this origin.
// Default: - no origin access control.
//
OriginAccessControlId *string `field:"optional" json:"originAccessControlId" yaml:"originAccessControlId"`
// A unique identifier for the origin.
//
// This value must be unique within the distribution.
// Default: - an originid will be generated for you.
//
OriginId *string `field:"optional" json:"originId" yaml:"originId"`
// Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
// Default: - true.
//
OriginShieldEnabled *bool `field:"optional" json:"originShieldEnabled" yaml:"originShieldEnabled"`
// When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
// See: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
//
// Default: - origin shield not enabled.
//
OriginShieldRegion *string `field:"optional" json:"originShieldRegion" yaml:"originShieldRegion"`
// An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
//
// Must begin, but not end, with '/' (e.g., '/production/images').
// Default: '/'.
//
OriginPath *string `field:"optional" json:"originPath" yaml:"originPath"`
// Specifies how long, in seconds, CloudFront persists its connection to the origin.
//
// The valid range is from 1 to 180 seconds, inclusive.
//
// Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
// has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
// Default: Duration.seconds(5)
//
KeepaliveTimeout awscdk.Duration `field:"optional" json:"keepaliveTimeout" yaml:"keepaliveTimeout"`
// Specifies how long, in seconds, CloudFront waits for a response from the origin.
//
// The valid range is from 1 to 180 seconds, inclusive.
//
// Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
// has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
// Default: Duration.seconds(30)
//
ReadTimeout awscdk.Duration `field:"optional" json:"readTimeout" yaml:"readTimeout"`
// An optional Origin Access Control.
// Default: - an Origin Access Control will be created.
//
OriginAccessControl awscloudfront.IOriginAccessControl `field:"optional" json:"originAccessControl" yaml:"originAccessControl"`
}
Properties for configuring a Lambda Functions URLs with OAC.
Example:
import lambda "github.com/aws/aws-cdk-go/awscdk"
var fn function
fnUrl := fn.AddFunctionUrl(&FunctionUrlOptions{
AuthType: lambda.FunctionUrlAuthType_AWS_IAM,
})
// Define a custom OAC
oac := cloudfront.NewFunctionUrlOriginAccessControl(this, jsii.String("MyOAC"), &FunctionUrlOriginAccessControlProps{
OriginAccessControlName: jsii.String("CustomLambdaOAC"),
Signing: cloudfront.Signing_SIGV4_ALWAYS(),
})
// Set up Lambda Function URL with OAC in CloudFront Distribution
// Set up Lambda Function URL with OAC in CloudFront Distribution
cloudfront.NewDistribution(this, jsii.String("MyDistribution"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.FunctionUrlOrigin_WithOriginAccessControl(fnUrl, &FunctionUrlOriginWithOACProps{
OriginAccessControl: oac,
}),
},
})
type HttpOrigin ¶
type HttpOrigin interface {
awscloudfront.OriginBase
// Binds the origin to the associated Distribution.
//
// Can be used to grant permissions, create dependent resources, etc.
Bind(_scope constructs.Construct, options *awscloudfront.OriginBindOptions) *awscloudfront.OriginBindConfig
RenderCustomOriginConfig() *awscloudfront.CfnDistribution_CustomOriginConfigProperty
RenderS3OriginConfig() *awscloudfront.CfnDistribution_S3OriginConfigProperty
}
An Origin for an HTTP server or S3 bucket configured for website hosting.
Example:
// Adding realtime logs config to a Cloudfront Distribution on default behavior.
import kinesis "github.com/aws/aws-cdk-go/awscdk"
var stream stream
realTimeConfig := cloudfront.NewRealtimeLogConfig(this, jsii.String("realtimeLog"), &RealtimeLogConfigProps{
EndPoints: []endpoint{
cloudfront.*endpoint_FromKinesisStream(stream),
},
Fields: []*string{
jsii.String("timestamp"),
jsii.String("c-ip"),
jsii.String("time-to-first-byte"),
jsii.String("sc-status"),
},
RealtimeLogConfigName: jsii.String("my-delivery-stream"),
SamplingRate: jsii.Number(100),
})
cloudfront.NewDistribution(this, jsii.String("myCdn"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewHttpOrigin(jsii.String("www.example.com")),
RealtimeLogConfig: realTimeConfig,
},
})
func NewHttpOrigin ¶
func NewHttpOrigin(domainName *string, props *HttpOriginProps) HttpOrigin
type HttpOriginProps ¶
type HttpOriginProps struct {
// The number of times that CloudFront attempts to connect to the origin;
//
// valid values are 1, 2, or 3 attempts.
// Default: 3.
//
ConnectionAttempts *float64 `field:"optional" json:"connectionAttempts" yaml:"connectionAttempts"`
// The number of seconds that CloudFront waits when trying to establish a connection to the origin.
//
// Valid values are 1-10 seconds, inclusive.
// Default: Duration.seconds(10)
//
ConnectionTimeout awscdk.Duration `field:"optional" json:"connectionTimeout" yaml:"connectionTimeout"`
// A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
// Default: {}.
//
CustomHeaders *map[string]*string `field:"optional" json:"customHeaders" yaml:"customHeaders"`
// The unique identifier of an origin access control for this origin.
// Default: - no origin access control.
//
OriginAccessControlId *string `field:"optional" json:"originAccessControlId" yaml:"originAccessControlId"`
// A unique identifier for the origin.
//
// This value must be unique within the distribution.
// Default: - an originid will be generated for you.
//
OriginId *string `field:"optional" json:"originId" yaml:"originId"`
// Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
// Default: - true.
//
OriginShieldEnabled *bool `field:"optional" json:"originShieldEnabled" yaml:"originShieldEnabled"`
// When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
// See: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
//
// Default: - origin shield not enabled.
//
OriginShieldRegion *string `field:"optional" json:"originShieldRegion" yaml:"originShieldRegion"`
// An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
//
// Must begin, but not end, with '/' (e.g., '/production/images').
// Default: '/'.
//
OriginPath *string `field:"optional" json:"originPath" yaml:"originPath"`
// The HTTP port that CloudFront uses to connect to the origin.
// Default: 80.
//
HttpPort *float64 `field:"optional" json:"httpPort" yaml:"httpPort"`
// The HTTPS port that CloudFront uses to connect to the origin.
// Default: 443.
//
HttpsPort *float64 `field:"optional" json:"httpsPort" yaml:"httpsPort"`
// Specifies how long, in seconds, CloudFront persists its connection to the origin.
//
// The valid range is from 1 to 180 seconds, inclusive.
//
// Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
// has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
// Default: Duration.seconds(5)
//
KeepaliveTimeout awscdk.Duration `field:"optional" json:"keepaliveTimeout" yaml:"keepaliveTimeout"`
// The SSL versions to use when interacting with the origin.
// Default: OriginSslPolicy.TLS_V1_2
//
OriginSslProtocols *[]awscloudfront.OriginSslPolicy `field:"optional" json:"originSslProtocols" yaml:"originSslProtocols"`
// Specifies the protocol (HTTP or HTTPS) that CloudFront uses to connect to the origin.
// Default: OriginProtocolPolicy.HTTPS_ONLY
//
ProtocolPolicy awscloudfront.OriginProtocolPolicy `field:"optional" json:"protocolPolicy" yaml:"protocolPolicy"`
// Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout.
//
// The valid range is from 1 to 180 seconds, inclusive.
//
// Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
// has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
// Default: Duration.seconds(30)
//
ReadTimeout awscdk.Duration `field:"optional" json:"readTimeout" yaml:"readTimeout"`
}
Properties for an Origin backed by an S3 website-configured bucket, load balancer, or custom HTTP server.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
httpOriginProps := &HttpOriginProps{
ConnectionAttempts: jsii.Number(123),
ConnectionTimeout: cdk.Duration_Minutes(jsii.Number(30)),
CustomHeaders: map[string]*string{
"customHeadersKey": jsii.String("customHeaders"),
},
HttpPort: jsii.Number(123),
HttpsPort: jsii.Number(123),
KeepaliveTimeout: cdk.Duration_*Minutes(jsii.Number(30)),
OriginAccessControlId: jsii.String("originAccessControlId"),
OriginId: jsii.String("originId"),
OriginPath: jsii.String("originPath"),
OriginShieldEnabled: jsii.Boolean(false),
OriginShieldRegion: jsii.String("originShieldRegion"),
OriginSslProtocols: []originSslPolicy{
awscdk.Aws_cloudfront.*originSslPolicy_SSL_V3,
},
ProtocolPolicy: awscdk.*Aws_cloudfront.OriginProtocolPolicy_HTTP_ONLY,
ReadTimeout: cdk.Duration_*Minutes(jsii.Number(30)),
}
type LoadBalancerV2Origin ¶
type LoadBalancerV2Origin interface {
HttpOrigin
// Binds the origin to the associated Distribution.
//
// Can be used to grant permissions, create dependent resources, etc.
Bind(_scope constructs.Construct, options *awscloudfront.OriginBindOptions) *awscloudfront.OriginBindConfig
RenderCustomOriginConfig() *awscloudfront.CfnDistribution_CustomOriginConfigProperty
RenderS3OriginConfig() *awscloudfront.CfnDistribution_S3OriginConfigProperty
}
An Origin for a v2 load balancer.
Example:
import ec2 "github.com/aws/aws-cdk-go/awscdk"
import elbv2 "github.com/aws/aws-cdk-go/awscdk"
var vpc vpc
// Create an application load balancer in a VPC. 'internetFacing' must be 'true'
// for CloudFront to access the load balancer and use it as an origin.
lb := elbv2.NewApplicationLoadBalancer(this, jsii.String("LB"), &ApplicationLoadBalancerProps{
Vpc: Vpc,
InternetFacing: jsii.Boolean(true),
})
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewLoadBalancerV2Origin(lb),
},
})
func NewLoadBalancerV2Origin ¶
func NewLoadBalancerV2Origin(loadBalancer awselasticloadbalancingv2.ILoadBalancerV2, props *LoadBalancerV2OriginProps) LoadBalancerV2Origin
type LoadBalancerV2OriginProps ¶
type LoadBalancerV2OriginProps struct {
// The number of times that CloudFront attempts to connect to the origin;
//
// valid values are 1, 2, or 3 attempts.
// Default: 3.
//
ConnectionAttempts *float64 `field:"optional" json:"connectionAttempts" yaml:"connectionAttempts"`
// The number of seconds that CloudFront waits when trying to establish a connection to the origin.
//
// Valid values are 1-10 seconds, inclusive.
// Default: Duration.seconds(10)
//
ConnectionTimeout awscdk.Duration `field:"optional" json:"connectionTimeout" yaml:"connectionTimeout"`
// A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
// Default: {}.
//
CustomHeaders *map[string]*string `field:"optional" json:"customHeaders" yaml:"customHeaders"`
// The unique identifier of an origin access control for this origin.
// Default: - no origin access control.
//
OriginAccessControlId *string `field:"optional" json:"originAccessControlId" yaml:"originAccessControlId"`
// A unique identifier for the origin.
//
// This value must be unique within the distribution.
// Default: - an originid will be generated for you.
//
OriginId *string `field:"optional" json:"originId" yaml:"originId"`
// Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
// Default: - true.
//
OriginShieldEnabled *bool `field:"optional" json:"originShieldEnabled" yaml:"originShieldEnabled"`
// When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
// See: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
//
// Default: - origin shield not enabled.
//
OriginShieldRegion *string `field:"optional" json:"originShieldRegion" yaml:"originShieldRegion"`
// An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
//
// Must begin, but not end, with '/' (e.g., '/production/images').
// Default: '/'.
//
OriginPath *string `field:"optional" json:"originPath" yaml:"originPath"`
// The HTTP port that CloudFront uses to connect to the origin.
// Default: 80.
//
HttpPort *float64 `field:"optional" json:"httpPort" yaml:"httpPort"`
// The HTTPS port that CloudFront uses to connect to the origin.
// Default: 443.
//
HttpsPort *float64 `field:"optional" json:"httpsPort" yaml:"httpsPort"`
// Specifies how long, in seconds, CloudFront persists its connection to the origin.
//
// The valid range is from 1 to 180 seconds, inclusive.
//
// Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
// has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
// Default: Duration.seconds(5)
//
KeepaliveTimeout awscdk.Duration `field:"optional" json:"keepaliveTimeout" yaml:"keepaliveTimeout"`
// The SSL versions to use when interacting with the origin.
// Default: OriginSslPolicy.TLS_V1_2
//
OriginSslProtocols *[]awscloudfront.OriginSslPolicy `field:"optional" json:"originSslProtocols" yaml:"originSslProtocols"`
// Specifies the protocol (HTTP or HTTPS) that CloudFront uses to connect to the origin.
// Default: OriginProtocolPolicy.HTTPS_ONLY
//
ProtocolPolicy awscloudfront.OriginProtocolPolicy `field:"optional" json:"protocolPolicy" yaml:"protocolPolicy"`
// Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout.
//
// The valid range is from 1 to 180 seconds, inclusive.
//
// Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
// has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
// Default: Duration.seconds(30)
//
ReadTimeout awscdk.Duration `field:"optional" json:"readTimeout" yaml:"readTimeout"`
}
Properties for an Origin backed by a v2 load balancer.
Example:
import elbv2 "github.com/aws/aws-cdk-go/awscdk"
var loadBalancer applicationLoadBalancer
origin := origins.NewLoadBalancerV2Origin(loadBalancer, &LoadBalancerV2OriginProps{
ConnectionAttempts: jsii.Number(3),
ConnectionTimeout: awscdk.Duration_Seconds(jsii.Number(5)),
ReadTimeout: awscdk.Duration_*Seconds(jsii.Number(45)),
KeepaliveTimeout: awscdk.Duration_*Seconds(jsii.Number(45)),
ProtocolPolicy: cloudfront.OriginProtocolPolicy_MATCH_VIEWER,
})
type OriginGroup ¶
type OriginGroup interface {
awscloudfront.IOrigin
// The method called when a given Origin is added (for the first time) to a Distribution.
Bind(scope constructs.Construct, options *awscloudfront.OriginBindOptions) *awscloudfront.OriginBindConfig
}
An Origin that represents a group.
Consists of a primary Origin, and a fallback Origin called when the primary returns one of the provided HTTP status codes.
Example:
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewOriginGroup(&OriginGroupProps{
PrimaryOrigin: origins.S3BucketOrigin_WithOriginAccessControl(myBucket),
FallbackOrigin: origins.NewHttpOrigin(jsii.String("www.example.com")),
// optional, defaults to: 500, 502, 503 and 504
FallbackStatusCodes: []*f64{
jsii.Number(404),
},
}),
},
})
func NewOriginGroup ¶
func NewOriginGroup(props *OriginGroupProps) OriginGroup
type OriginGroupProps ¶
type OriginGroupProps struct {
// The fallback origin that should serve requests when the primary fails.
FallbackOrigin awscloudfront.IOrigin `field:"required" json:"fallbackOrigin" yaml:"fallbackOrigin"`
// The primary origin that should serve requests for this group.
PrimaryOrigin awscloudfront.IOrigin `field:"required" json:"primaryOrigin" yaml:"primaryOrigin"`
// The list of HTTP status codes that, when returned from the primary origin, would cause querying the fallback origin.
// Default: - 500, 502, 503 and 504.
//
FallbackStatusCodes *[]*float64 `field:"optional" json:"fallbackStatusCodes" yaml:"fallbackStatusCodes"`
}
Construction properties for `OriginGroup`.
Example:
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewOriginGroup(&OriginGroupProps{
PrimaryOrigin: origins.S3BucketOrigin_WithOriginAccessControl(myBucket),
FallbackOrigin: origins.NewHttpOrigin(jsii.String("www.example.com")),
// optional, defaults to: 500, 502, 503 and 504
FallbackStatusCodes: []*f64{
jsii.Number(404),
},
}),
},
})
type RestApiOrigin ¶ added in v2.25.0
type RestApiOrigin interface {
awscloudfront.OriginBase
// Binds the origin to the associated Distribution.
//
// Can be used to grant permissions, create dependent resources, etc.
Bind(_scope constructs.Construct, options *awscloudfront.OriginBindOptions) *awscloudfront.OriginBindConfig
RenderCustomOriginConfig() *awscloudfront.CfnDistribution_CustomOriginConfigProperty
RenderS3OriginConfig() *awscloudfront.CfnDistribution_S3OriginConfigProperty
}
An Origin for an API Gateway REST API.
Example:
var api restApi
cloudfront.NewDistribution(this, jsii.String("Distribution"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewRestApiOrigin(api),
},
})
func NewRestApiOrigin ¶ added in v2.25.0
func NewRestApiOrigin(restApi awsapigateway.RestApiBase, props *RestApiOriginProps) RestApiOrigin
type RestApiOriginProps ¶ added in v2.25.0
type RestApiOriginProps struct {
// The number of times that CloudFront attempts to connect to the origin;
//
// valid values are 1, 2, or 3 attempts.
// Default: 3.
//
ConnectionAttempts *float64 `field:"optional" json:"connectionAttempts" yaml:"connectionAttempts"`
// The number of seconds that CloudFront waits when trying to establish a connection to the origin.
//
// Valid values are 1-10 seconds, inclusive.
// Default: Duration.seconds(10)
//
ConnectionTimeout awscdk.Duration `field:"optional" json:"connectionTimeout" yaml:"connectionTimeout"`
// A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
// Default: {}.
//
CustomHeaders *map[string]*string `field:"optional" json:"customHeaders" yaml:"customHeaders"`
// The unique identifier of an origin access control for this origin.
// Default: - no origin access control.
//
OriginAccessControlId *string `field:"optional" json:"originAccessControlId" yaml:"originAccessControlId"`
// A unique identifier for the origin.
//
// This value must be unique within the distribution.
// Default: - an originid will be generated for you.
//
OriginId *string `field:"optional" json:"originId" yaml:"originId"`
// Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
// Default: - true.
//
OriginShieldEnabled *bool `field:"optional" json:"originShieldEnabled" yaml:"originShieldEnabled"`
// When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
// See: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
//
// Default: - origin shield not enabled.
//
OriginShieldRegion *string `field:"optional" json:"originShieldRegion" yaml:"originShieldRegion"`
// An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
//
// Must begin, but not end, with '/' (e.g., '/production/images').
// Default: '/'.
//
OriginPath *string `field:"optional" json:"originPath" yaml:"originPath"`
// Specifies how long, in seconds, CloudFront persists its connection to the origin.
//
// The valid range is from 1 to 180 seconds, inclusive.
//
// Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
// has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
// Default: Duration.seconds(5)
//
KeepaliveTimeout awscdk.Duration `field:"optional" json:"keepaliveTimeout" yaml:"keepaliveTimeout"`
// Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout.
//
// The valid range is from 1 to 180 seconds, inclusive.
//
// Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
// has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
// Default: Duration.seconds(30)
//
ReadTimeout awscdk.Duration `field:"optional" json:"readTimeout" yaml:"readTimeout"`
}
Properties for an Origin for an API Gateway REST API.
Example:
var api restApi
cloudfront.NewDistribution(this, jsii.String("Distribution"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewRestApiOrigin(api, &RestApiOriginProps{
OriginPath: jsii.String("/custom-origin-path"),
}),
},
})
type S3BucketOrigin ¶ added in v2.156.0
type S3BucketOrigin interface {
awscloudfront.OriginBase
// Binds the origin to the associated Distribution.
//
// Can be used to grant permissions, create dependent resources, etc.
Bind(_scope constructs.Construct, options *awscloudfront.OriginBindOptions) *awscloudfront.OriginBindConfig
RenderCustomOriginConfig() *awscloudfront.CfnDistribution_CustomOriginConfigProperty
RenderS3OriginConfig() *awscloudfront.CfnDistribution_S3OriginConfigProperty
}
A S3 Bucket Origin.
Example:
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewOriginGroup(&OriginGroupProps{
PrimaryOrigin: origins.S3BucketOrigin_WithOriginAccessControl(myBucket),
FallbackOrigin: origins.NewHttpOrigin(jsii.String("www.example.com")),
// optional, defaults to: 500, 502, 503 and 504
FallbackStatusCodes: []*f64{
jsii.Number(404),
},
}),
},
})
type S3BucketOriginBaseProps ¶ added in v2.156.0
type S3BucketOriginBaseProps struct {
// The number of times that CloudFront attempts to connect to the origin;
//
// valid values are 1, 2, or 3 attempts.
// Default: 3.
//
ConnectionAttempts *float64 `field:"optional" json:"connectionAttempts" yaml:"connectionAttempts"`
// The number of seconds that CloudFront waits when trying to establish a connection to the origin.
//
// Valid values are 1-10 seconds, inclusive.
// Default: Duration.seconds(10)
//
ConnectionTimeout awscdk.Duration `field:"optional" json:"connectionTimeout" yaml:"connectionTimeout"`
// A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
// Default: {}.
//
CustomHeaders *map[string]*string `field:"optional" json:"customHeaders" yaml:"customHeaders"`
// The unique identifier of an origin access control for this origin.
// Default: - no origin access control.
//
OriginAccessControlId *string `field:"optional" json:"originAccessControlId" yaml:"originAccessControlId"`
// A unique identifier for the origin.
//
// This value must be unique within the distribution.
// Default: - an originid will be generated for you.
//
OriginId *string `field:"optional" json:"originId" yaml:"originId"`
// Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
// Default: - true.
//
OriginShieldEnabled *bool `field:"optional" json:"originShieldEnabled" yaml:"originShieldEnabled"`
// When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
// See: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
//
// Default: - origin shield not enabled.
//
OriginShieldRegion *string `field:"optional" json:"originShieldRegion" yaml:"originShieldRegion"`
// An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
//
// Must begin, but not end, with '/' (e.g., '/production/images').
// Default: '/'.
//
OriginPath *string `field:"optional" json:"originPath" yaml:"originPath"`
}
Properties for configuring a origin using a standard S3 bucket.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import cdk "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
s3BucketOriginBaseProps := &S3BucketOriginBaseProps{
ConnectionAttempts: jsii.Number(123),
ConnectionTimeout: cdk.Duration_Minutes(jsii.Number(30)),
CustomHeaders: map[string]*string{
"customHeadersKey": jsii.String("customHeaders"),
},
OriginAccessControlId: jsii.String("originAccessControlId"),
OriginId: jsii.String("originId"),
OriginPath: jsii.String("originPath"),
OriginShieldEnabled: jsii.Boolean(false),
OriginShieldRegion: jsii.String("originShieldRegion"),
}
type S3BucketOriginWithOACProps ¶ added in v2.156.0
type S3BucketOriginWithOACProps struct {
// The number of times that CloudFront attempts to connect to the origin;
//
// valid values are 1, 2, or 3 attempts.
// Default: 3.
//
ConnectionAttempts *float64 `field:"optional" json:"connectionAttempts" yaml:"connectionAttempts"`
// The number of seconds that CloudFront waits when trying to establish a connection to the origin.
//
// Valid values are 1-10 seconds, inclusive.
// Default: Duration.seconds(10)
//
ConnectionTimeout awscdk.Duration `field:"optional" json:"connectionTimeout" yaml:"connectionTimeout"`
// A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
// Default: {}.
//
CustomHeaders *map[string]*string `field:"optional" json:"customHeaders" yaml:"customHeaders"`
// The unique identifier of an origin access control for this origin.
// Default: - no origin access control.
//
OriginAccessControlId *string `field:"optional" json:"originAccessControlId" yaml:"originAccessControlId"`
// A unique identifier for the origin.
//
// This value must be unique within the distribution.
// Default: - an originid will be generated for you.
//
OriginId *string `field:"optional" json:"originId" yaml:"originId"`
// Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
// Default: - true.
//
OriginShieldEnabled *bool `field:"optional" json:"originShieldEnabled" yaml:"originShieldEnabled"`
// When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
// See: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
//
// Default: - origin shield not enabled.
//
OriginShieldRegion *string `field:"optional" json:"originShieldRegion" yaml:"originShieldRegion"`
// An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
//
// Must begin, but not end, with '/' (e.g., '/production/images').
// Default: '/'.
//
OriginPath *string `field:"optional" json:"originPath" yaml:"originPath"`
// An optional Origin Access Control.
// Default: - an Origin Access Control will be created.
//
OriginAccessControl awscloudfront.IOriginAccessControl `field:"optional" json:"originAccessControl" yaml:"originAccessControl"`
// The level of permissions granted in the bucket policy and key policy (if applicable) to the CloudFront distribution.
// Default: [AccessLevel.READ]
//
OriginAccessLevels *[]awscloudfront.AccessLevel `field:"optional" json:"originAccessLevels" yaml:"originAccessLevels"`
}
Properties for configuring a S3 origin with OAC.
Example:
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
s3Origin := origins.S3BucketOrigin_WithOriginAccessControl(myBucket, &S3BucketOriginWithOACProps{
OriginAccessLevels: []accessLevel{
cloudfront.*accessLevel_READ,
cloudfront.*accessLevel_WRITE,
cloudfront.*accessLevel_DELETE,
},
})
type S3BucketOriginWithOAIProps ¶ added in v2.156.0
type S3BucketOriginWithOAIProps struct {
// The number of times that CloudFront attempts to connect to the origin;
//
// valid values are 1, 2, or 3 attempts.
// Default: 3.
//
ConnectionAttempts *float64 `field:"optional" json:"connectionAttempts" yaml:"connectionAttempts"`
// The number of seconds that CloudFront waits when trying to establish a connection to the origin.
//
// Valid values are 1-10 seconds, inclusive.
// Default: Duration.seconds(10)
//
ConnectionTimeout awscdk.Duration `field:"optional" json:"connectionTimeout" yaml:"connectionTimeout"`
// A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
// Default: {}.
//
CustomHeaders *map[string]*string `field:"optional" json:"customHeaders" yaml:"customHeaders"`
// The unique identifier of an origin access control for this origin.
// Default: - no origin access control.
//
OriginAccessControlId *string `field:"optional" json:"originAccessControlId" yaml:"originAccessControlId"`
// A unique identifier for the origin.
//
// This value must be unique within the distribution.
// Default: - an originid will be generated for you.
//
OriginId *string `field:"optional" json:"originId" yaml:"originId"`
// Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
// Default: - true.
//
OriginShieldEnabled *bool `field:"optional" json:"originShieldEnabled" yaml:"originShieldEnabled"`
// When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
// See: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
//
// Default: - origin shield not enabled.
//
OriginShieldRegion *string `field:"optional" json:"originShieldRegion" yaml:"originShieldRegion"`
// An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
//
// Must begin, but not end, with '/' (e.g., '/production/images').
// Default: '/'.
//
OriginPath *string `field:"optional" json:"originPath" yaml:"originPath"`
// An optional Origin Access Identity.
// Default: - an Origin Access Identity will be created.
//
OriginAccessIdentity awscloudfront.IOriginAccessIdentity `field:"optional" json:"originAccessIdentity" yaml:"originAccessIdentity"`
}
Properties for configuring a S3 origin with OAI.
Example:
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
myOai := cloudfront.NewOriginAccessIdentity(this, jsii.String("myOAI"), &OriginAccessIdentityProps{
Comment: jsii.String("My custom OAI"),
})
s3Origin := origins.S3BucketOrigin_WithOriginAccessIdentity(myBucket, &S3BucketOriginWithOAIProps{
OriginAccessIdentity: myOai,
})
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: s3Origin,
},
})
type S3Origin
deprecated
type S3Origin interface {
awscloudfront.IOrigin
// The method called when a given Origin is added (for the first time) to a Distribution.
// Deprecated: Use `S3BucketOrigin` or `S3StaticWebsiteOrigin` instead.
Bind(scope constructs.Construct, options *awscloudfront.OriginBindOptions) *awscloudfront.OriginBindConfig
}
An Origin that is backed by an S3 bucket.
If the bucket is configured for website hosting, this origin will be configured to use the bucket as an HTTP server origin and will use the bucket's configured website redirects and error handling. Otherwise, the origin is created as a bucket origin and will use CloudFront's redirect and error handling.
Example:
// Adding an existing Lambda@Edge function created in a different stack
// to a CloudFront distribution.
var s3Bucket bucket
functionVersion := lambda.Version_FromVersionArn(this, jsii.String("Version"), jsii.String("arn:aws:lambda:us-east-1:123456789012:function:functionName:1"))
cloudfront.NewDistribution(this, jsii.String("distro"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewS3Origin(s3Bucket),
EdgeLambdas: []edgeLambda{
&edgeLambda{
FunctionVersion: *FunctionVersion,
EventType: cloudfront.LambdaEdgeEventType_VIEWER_REQUEST,
},
},
},
})
Deprecated: Use `S3BucketOrigin` or `S3StaticWebsiteOrigin` instead.
func NewS3Origin
deprecated
func NewS3Origin(bucket awss3.IBucket, props *S3OriginProps) S3Origin
Deprecated: Use `S3BucketOrigin` or `S3StaticWebsiteOrigin` instead.
type S3OriginProps ¶
type S3OriginProps struct {
// The number of times that CloudFront attempts to connect to the origin;
//
// valid values are 1, 2, or 3 attempts.
// Default: 3.
//
ConnectionAttempts *float64 `field:"optional" json:"connectionAttempts" yaml:"connectionAttempts"`
// The number of seconds that CloudFront waits when trying to establish a connection to the origin.
//
// Valid values are 1-10 seconds, inclusive.
// Default: Duration.seconds(10)
//
ConnectionTimeout awscdk.Duration `field:"optional" json:"connectionTimeout" yaml:"connectionTimeout"`
// A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
// Default: {}.
//
CustomHeaders *map[string]*string `field:"optional" json:"customHeaders" yaml:"customHeaders"`
// The unique identifier of an origin access control for this origin.
// Default: - no origin access control.
//
OriginAccessControlId *string `field:"optional" json:"originAccessControlId" yaml:"originAccessControlId"`
// A unique identifier for the origin.
//
// This value must be unique within the distribution.
// Default: - an originid will be generated for you.
//
OriginId *string `field:"optional" json:"originId" yaml:"originId"`
// Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
// Default: - true.
//
OriginShieldEnabled *bool `field:"optional" json:"originShieldEnabled" yaml:"originShieldEnabled"`
// When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
// See: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
//
// Default: - origin shield not enabled.
//
OriginShieldRegion *string `field:"optional" json:"originShieldRegion" yaml:"originShieldRegion"`
// An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
//
// Must begin, but not end, with '/' (e.g., '/production/images').
// Default: '/'.
//
OriginPath *string `field:"optional" json:"originPath" yaml:"originPath"`
// An optional Origin Access Identity of the origin identity cloudfront will use when calling your s3 bucket.
// Default: - An Origin Access Identity will be created.
//
OriginAccessIdentity awscloudfront.IOriginAccessIdentity `field:"optional" json:"originAccessIdentity" yaml:"originAccessIdentity"`
}
Properties to use to customize an S3 Origin.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import cdk "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
var originAccessIdentity originAccessIdentity
s3OriginProps := &S3OriginProps{
ConnectionAttempts: jsii.Number(123),
ConnectionTimeout: cdk.Duration_Minutes(jsii.Number(30)),
CustomHeaders: map[string]*string{
"customHeadersKey": jsii.String("customHeaders"),
},
OriginAccessControlId: jsii.String("originAccessControlId"),
OriginAccessIdentity: originAccessIdentity,
OriginId: jsii.String("originId"),
OriginPath: jsii.String("originPath"),
OriginShieldEnabled: jsii.Boolean(false),
OriginShieldRegion: jsii.String("originShieldRegion"),
}
type S3StaticWebsiteOrigin ¶ added in v2.156.0
type S3StaticWebsiteOrigin interface {
HttpOrigin
// Binds the origin to the associated Distribution.
//
// Can be used to grant permissions, create dependent resources, etc.
Bind(_scope constructs.Construct, options *awscloudfront.OriginBindOptions) *awscloudfront.OriginBindConfig
RenderCustomOriginConfig() *awscloudfront.CfnDistribution_CustomOriginConfigProperty
RenderS3OriginConfig() *awscloudfront.CfnDistribution_S3OriginConfigProperty
}
An Origin for a S3 bucket configured as a website endpoint.
Example:
myBucket := s3.NewBucket(this, jsii.String("myBucket"))
cloudfront.NewDistribution(this, jsii.String("myDist"), &DistributionProps{
DefaultBehavior: &BehaviorOptions{
Origin: origins.NewS3StaticWebsiteOrigin(myBucket),
},
})
func NewS3StaticWebsiteOrigin ¶ added in v2.156.0
func NewS3StaticWebsiteOrigin(bucket awss3.IBucket, props *S3StaticWebsiteOriginProps) S3StaticWebsiteOrigin
type S3StaticWebsiteOriginProps ¶ added in v2.156.0
type S3StaticWebsiteOriginProps struct {
// The number of times that CloudFront attempts to connect to the origin;
//
// valid values are 1, 2, or 3 attempts.
// Default: 3.
//
ConnectionAttempts *float64 `field:"optional" json:"connectionAttempts" yaml:"connectionAttempts"`
// The number of seconds that CloudFront waits when trying to establish a connection to the origin.
//
// Valid values are 1-10 seconds, inclusive.
// Default: Duration.seconds(10)
//
ConnectionTimeout awscdk.Duration `field:"optional" json:"connectionTimeout" yaml:"connectionTimeout"`
// A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
// Default: {}.
//
CustomHeaders *map[string]*string `field:"optional" json:"customHeaders" yaml:"customHeaders"`
// The unique identifier of an origin access control for this origin.
// Default: - no origin access control.
//
OriginAccessControlId *string `field:"optional" json:"originAccessControlId" yaml:"originAccessControlId"`
// A unique identifier for the origin.
//
// This value must be unique within the distribution.
// Default: - an originid will be generated for you.
//
OriginId *string `field:"optional" json:"originId" yaml:"originId"`
// Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
// Default: - true.
//
OriginShieldEnabled *bool `field:"optional" json:"originShieldEnabled" yaml:"originShieldEnabled"`
// When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
// See: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
//
// Default: - origin shield not enabled.
//
OriginShieldRegion *string `field:"optional" json:"originShieldRegion" yaml:"originShieldRegion"`
// An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
//
// Must begin, but not end, with '/' (e.g., '/production/images').
// Default: '/'.
//
OriginPath *string `field:"optional" json:"originPath" yaml:"originPath"`
// The HTTP port that CloudFront uses to connect to the origin.
// Default: 80.
//
HttpPort *float64 `field:"optional" json:"httpPort" yaml:"httpPort"`
// The HTTPS port that CloudFront uses to connect to the origin.
// Default: 443.
//
HttpsPort *float64 `field:"optional" json:"httpsPort" yaml:"httpsPort"`
// Specifies how long, in seconds, CloudFront persists its connection to the origin.
//
// The valid range is from 1 to 180 seconds, inclusive.
//
// Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
// has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
// Default: Duration.seconds(5)
//
KeepaliveTimeout awscdk.Duration `field:"optional" json:"keepaliveTimeout" yaml:"keepaliveTimeout"`
// The SSL versions to use when interacting with the origin.
// Default: OriginSslPolicy.TLS_V1_2
//
OriginSslProtocols *[]awscloudfront.OriginSslPolicy `field:"optional" json:"originSslProtocols" yaml:"originSslProtocols"`
// Specifies the protocol (HTTP or HTTPS) that CloudFront uses to connect to the origin.
// Default: OriginProtocolPolicy.HTTPS_ONLY
//
ProtocolPolicy awscloudfront.OriginProtocolPolicy `field:"optional" json:"protocolPolicy" yaml:"protocolPolicy"`
// Specifies how long, in seconds, CloudFront waits for a response from the origin, also known as the origin response timeout.
//
// The valid range is from 1 to 180 seconds, inclusive.
//
// Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
// has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
// Default: Duration.seconds(30)
//
ReadTimeout awscdk.Duration `field:"optional" json:"readTimeout" yaml:"readTimeout"`
}
Properties for configuring a origin using a S3 bucket configured as a website endpoint.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
s3StaticWebsiteOriginProps := &S3StaticWebsiteOriginProps{
ConnectionAttempts: jsii.Number(123),
ConnectionTimeout: cdk.Duration_Minutes(jsii.Number(30)),
CustomHeaders: map[string]*string{
"customHeadersKey": jsii.String("customHeaders"),
},
HttpPort: jsii.Number(123),
HttpsPort: jsii.Number(123),
KeepaliveTimeout: cdk.Duration_*Minutes(jsii.Number(30)),
OriginAccessControlId: jsii.String("originAccessControlId"),
OriginId: jsii.String("originId"),
OriginPath: jsii.String("originPath"),
OriginShieldEnabled: jsii.Boolean(false),
OriginShieldRegion: jsii.String("originShieldRegion"),
OriginSslProtocols: []originSslPolicy{
awscdk.Aws_cloudfront.*originSslPolicy_SSL_V3,
},
ProtocolPolicy: awscdk.*Aws_cloudfront.OriginProtocolPolicy_HTTP_ONLY,
ReadTimeout: cdk.Duration_*Minutes(jsii.Number(30)),
}
Source Files
¶
- FunctionUrlOrigin.go
- FunctionUrlOriginBaseProps.go
- FunctionUrlOriginProps.go
- FunctionUrlOriginWithOACProps.go
- FunctionUrlOrigin__checks.go
- HttpOrigin.go
- HttpOriginProps.go
- HttpOrigin__checks.go
- LoadBalancerV2Origin.go
- LoadBalancerV2OriginProps.go
- LoadBalancerV2Origin__checks.go
- OriginGroup.go
- OriginGroupProps.go
- OriginGroup__checks.go
- RestApiOrigin.go
- RestApiOriginProps.go
- RestApiOrigin__checks.go
- S3BucketOrigin.go
- S3BucketOriginBaseProps.go
- S3BucketOriginWithOACProps.go
- S3BucketOriginWithOAIProps.go
- S3BucketOrigin__checks.go
- S3Origin.go
- S3OriginProps.go
- S3Origin__checks.go
- S3StaticWebsiteOrigin.go
- S3StaticWebsiteOriginProps.go
- S3StaticWebsiteOrigin__checks.go
- main.go
Directories
Click to show internal directories.
Click to hide internal directories.