@alma-cdk/origin-verify

npm i -D @alma-cdk/origin-verify

Enforce API Gateway or Application Load Balancer traffic via CloudFront by generating a Secrets Manager secret value which is used as a CloudFront Origin Custom header and a WAFv2 WebACL header match rule.

Work in Progress

🚧  Do not use for production critial stuff! This construct is still very much work in progress and breaking changes may occur. 🚧

Getting Started

import { OriginVerify } from '@alma-cdk/origin-verify';
import { Distribution } from 'aws-cdk-lib/aws-cloudfront';

const api: RestApi; // TODO: implement the RestApi
const apiDomain: string; // TODO: implement the domain

const verification = new OriginVerify(this, 'OriginVerify', {
  origin: api.deploymentStage,
});

new Distribution(this, 'CDN', {
  defaultBehavior: { origin: new HttpOrigin(apiDomain, {
    customHeaders: {
      [verification.headerName]: verification.headerValue,
    },
  }) },
})

Notes

Internally this construct creates the headerValue by using AWS Secrets Manager but the secret value is exposed directly by using secretValue.unsafeUnwrap() method: This is:

• required, because we must be able to set it into the WAFv2 WebACL rule
• required, because you must be able to set it into the CloudFront Origin Custom Header
• okay, because it's meant to protect the API externally and it's not considered as a secret that should be kept – well – secret within your AWS account