@aws-cdk/aws-cloudfront

Amazon CloudFront Construct Library

---

Features	Stability
CFN Resources
Higher level constructs for Distribution
Higher level constructs for CloudFrontWebDistribution

CFN Resources: All classes with the Cfn prefix in this module (CFN Resources) are always stable and safe to use.

Experimental: Higher level constructs in this module that are marked as experimental are under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.

Stable: Higher level constructs in this module that are marked stable will not undergo any breaking changes. They will strictly follow the Semantic Versioning model.

---

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so that content is delivered with the best possible performance.

Distribution API - Experimental

The Distribution API is currently being built to replace the existing CloudFrontWebDistribution API. The Distribution API is optimized for the most common use cases of CloudFront distributions (e.g., single origin and behavior, few customizations) while still providing the ability for more advanced use cases. The API focuses on simplicity for the common use cases, and convenience methods for creating the behaviors and origins necessary for more complex use cases.

Creating a distribution

CloudFront distributions deliver your content from one or more origins; an origin is the location where you store the original version of your content. Origins can be created from S3 buckets or a custom origin (HTTP server). Each distribution has a default behavior which applies to all requests to that distribution, and routes requests to a primary origin.

From an S3 Bucket

An S3 bucket can be added as an origin. If the bucket is configured as a website endpoint, the distribution can use S3 redirects and S3 custom error documents.

import * as cloudfront from '@aws-cdk/aws-cloudfront';

// Creates a distribution for a S3 bucket.
const myBucket = new s3.Bucket(this, 'myBucket');
new cloudfront.Distribution(this, 'myDist', {
  defaultBehavior: { origin: cloudfront.Origin.fromBucket(myBucket) },
});

The above will treat the bucket differently based on if IBucket.isWebsite is set or not. If the bucket is configured as a website, the bucket is treated as an HTTP origin, and the built-in S3 redirects and error pages can be used. Otherwise, the bucket is handled as a bucket origin and CloudFront's redirect and error handling will be used. In the latter case, the Origin wil create an origin access identity and grant it access to the underlying bucket. This can be used in conjunction with a bucket that is not public to require that your users access your content using CloudFront URLs and not S3 URLs directly.

Domain Names and Certificates

When you create a distribution, CloudFront assigns a domain name for the distribution, for example: d111111abcdef8.cloudfront.net; this value can be retrieved from distribution.distributionDomainName. CloudFront distributions use a default certificate (*.cloudfront.net) to support HTTPS by default. If you want to use your own domain name, such as www.example.com, you must associate a certificate with your distribution that contains your domain name. The certificate must be present in the AWS Certificate Manager (ACM) service in the US East (N. Virginia) region; the certificate may either be created by ACM, or created elsewhere and imported into ACM.

const myCertificate = new acm.DnsValidatedCertificate(this, 'mySiteCert', {
  domainName: 'www.example.com',
  hostedZone,
});
new cloudfront.Distribution(this, 'myDist', {
  defaultBehavior: { origin: cloudfront.Origin.fromBucket(myBucket) },
  certificate: myCertificate,
});

Multiple Behaviors & Origins

Each distribution has a default behavior which applies to all requests to that distribution; additional behaviors may be specified for a given URL path pattern. Behaviors allow routing with multiple origins, controlling which HTTP methods to support, whether to require users to use HTTPS, and what query strings or cookies to forward to your origin, among others.

The properties of the default behavior can be adjusted as part of the distribution creation. The following example shows configuring the HTTP methods and viewer protocol policy of the cache.

const myWebDistribution = new cloudfront.Distribution(this, 'myDist', {
  defaultBehavior: {
    origin: cloudfront.Origin.fromBucket(myBucket),
    allowedMethods: AllowedMethods.ALLOW_ALL,
    viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
  }
});

Additional behaviors can be specified at creation, or added after the initial creation. Each additional behavior is associated with an origin, and enable customization for a specific set of resources based on a URL path pattern. For example, we can add a behavior to myWebDistribution to override the default time-to-live (TTL) for all of the images.

myWebDistribution.addBehavior('/images/*.jpg', cloudfront.Origin.fromBucket(myOtherBucket), {
  viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
  defaultTtl: cdk.Duration.days(7),
});

These behaviors can also be specified at distribution creation time.

const bucketOrigin = cloudfront.Origin.fromBucket(myBucket);
new cloudfront.Distribution(this, 'myDist', {
  defaultBehavior: {
    origin: bucketOrigin,
    allowedMethods: AllowedMethods.ALLOW_ALL,
    viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
  },
  additionalBehaviors: {
    '/images/*.jpg': {
      origin: bucketOrigin,
      viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
      defaultTtl: cdk.Duration.days(7),
    },
  },
});

CloudFrontWebDistribution API - Stable

A CloudFront construct - for setting up the AWS CDN with ease!

Example usage:

const sourceBucket = new Bucket(this, 'Bucket');

const distribution = new CloudFrontWebDistribution(this, 'MyDistribution', {
    originConfigs: [
        {
            s3OriginSource: {
                s3BucketSource: sourceBucket
            },
            behaviors : [ {isDefaultBehavior: true}]
        }
    ]
 });

Viewer certificate

By default, CloudFront Web Distributions will answer HTTPS requests with CloudFront's default certificate, only containing the distribution domainName (e.g. d111111abcdef8.cloudfront.net). You can customize the viewer certificate property to provide a custom certificate and/or list of domain name aliases to fit your needs.

See Using Alternate Domain Names and HTTPS in the CloudFront User Guide.

Default certificate

You can customize the default certificate aliases. This is intended to be used in combination with CNAME records in your DNS zone.

Example:

create a distrubution with an default certificiate example

ACM certificate

You can change the default certificate by one stored AWS Certificate Manager, or ACM. Those certificate can either be generated by AWS, or purchased by another CA imported into ACM.

For more information, see the aws-certificatemanager module documentation or Importing Certificates into AWS Certificate Manager in the AWS Certificate Manager User Guide.

Example:

create a distrubution with an acm certificate example

IAM certificate

You can also import a certificate into the IAM certificate store.

See Importing an SSL/TLS Certificate in the CloudFront User Guide.

Example:

create a distrubution with an iam certificate example

Restrictions

CloudFront supports adding restrictions to your distribution.

See Restricting the Geographic Distribution of Your Content in the CloudFront User Guide.

Example:

new cloudfront.CloudFrontWebDistribution(stack, 'MyDistribution', {
   //...
    geoRestriction: GeoRestriction.whitelist('US', 'UK')
});

Connection behaviors between CloudFront and your origin

CloudFront provides you even more control over the connection behaviors between CloudFront and your origin. You can now configure the number of connection attempts CloudFront will make to your origin and the origin connection timeout for each attempt.

See Origin Connection Attempts

See Origin Connection Timeout

Example usage:

const distribution = new CloudFrontWebDistribution(this, 'MyDistribution', {
    originConfigs: [
        {
            ...,
            connectionAttempts: 3,
            connectionTimeout: cdk.Duration.seconds(10),
        }
    ]
});

Changelog

1.52.0 (2020-07-18)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• rds: the property 'version' has been changed from string to an engine-specific version class; use VersionClass.of() if you need to create a specific version of an engine from a string
• rds: the property ParameterGroupProps.family has been renamed to engine, and its type changed from string to IEngine
• rds: the property engineVersion in IClusterEngine changed from a string to EngineVersion
• rds: the property engineVersion in IInstanceEngine changed from a string to EngineVersion
• rds: the property parameterGroupFamily in IClusterEngine changed from required to optional
• rds: the property parameterGroupFamily in IInstanceEngine changed from required to optional
• rds: the class ClusterParameterGroup has been removed - use ParameterGroup instead
• rds: DatabaseProxyProps.secret => DatabaseProxyProps.secrets[]
• apigateway: defaultMethodOptions, defaultCorsPreflightOptions and defaultIntegration have been removed from SpecRestApiProps. These can be specifed directly in the OpenAPI spec or via addMethod() and addResource() APIs.
• glue: The default location of glue data will be the root of an s3 bucket, instead of /data
• rds: the class DatabaseClusterEngine has been replaced with the interface IClusterEngine in the type of DatabaseClusterProps.engine
• rds: the class DatabaseInstanceEngine has been replaced with the interface IInstanceEngine in the type of DatabaseInstanceSourceProps.engine
• rds: DatabaseClusterProps.engineVersion has been removed; instead, create an IClusterEngine with a specific version using the static factory methods in DatabaseClusterEngine
• rds: DatabaseInstanceSourceProps.engineVersion has been removed; instead, create an IInstanceEngine with a specific version using the static factory methods in DatabaseInstanceEngine
• rds: the property majorEngineVersion can no longer be passed when creating an OptionGroup; instead, create an IInstanceEngine with a specific version using the static factory methods in DatabaseInstanceEngine

Features

• aws-stepfunctions-tasks: allow lambda invocations to combine input and function results (#9022) (846a222), closes #8943
• certificatemanager: native CloudFormation DNS validated certificate (#8552) (337279f), closes #5831 #5835 #6081 #6516 #7150 #7941 #7995 #7996 #8282 #8659 #8783
• cfn-include: add support for nested stacks (#8980) (bf12456), closes #8978
• cloudfront: Initial CloudFront redesign (#8982) (d30fa9d)
• codepipeline: add support for a StepFunctions invoke action (#8931) (499776d)
• core: cloudformation resource metadata (#9063) (b0f8729), closes #8788
• core: Duration.plus for adding durations (a127048)
• custom-resources: custom resource provider log retention (#9024) (18c024c)
• glue: default data location for tables is the root of the bucket (#8999) (28949bd), closes #8472
• lambda: codeguru profiling groups (#8852) (8c01420)
• lambda-nodejs: support build args (#9035) (e27658e), closes #8117
• rds: Allow multiple secrets to be passed to an RDS Proxy (#9103) (2ab329f), closes #9098
• rds: introduce type-safe engine versions (#9016) (fab7e28), closes #6532
• rds: the RDS Construct Library is now in Developer Preview (#9119) (92e620c)
• rds: unify ParameterGroup and ClusterParameterGroup (#8959) (17b690b), closes #8932
• stepfunctions-tasks: assign boolean value in DynamoDB from state input (Json path) (#9088) (7b8ef5b), closes #9007

Bug Fixes

• appsync: erroneous api key created when additional authorization is not configured (#9057) (6f934e9), closes #9054
• cfn-include: fix issues in Conditions handling (#9142) (e8d0776)
• cli: diff against multiple stacks do not always fail if any have a diff (#7690) (85f4a83), closes #7492
• cli: unable to update stacks in UPDATE_ROLLBACK_COMPLETE (#8948) (72ec59b), closes #8779 /github.com/aws/aws-cdk/pull/8779#issuecomment-655258569 #8126 #5151
• core: fix Duration.toIsoString() for millseconds (#9042) (8559117)
• core: use any type for context (#9014) (375335e), closes #8865
• custom-resources: Fix typo in README (#9126) (1e16a7f), closes #9024
• ec2: Remove validation of availabilityZone from Volume (#9082) (8d470b2)
• eks: cluster creation fails due to missing ec2:DescribeVpcs permission (#9029) (4a714ee)
• lambda-event-sources: use of CfnParameter for maxBatchSize, retryAttempts & parallelizationFactor fails (#9064) (4470e89), closes #9044
• lambda-nodejs: parcel tries to install @babel/core (#9067) (8d4c635), closes #9032
• stepfunctions: Choice state does not allow state input as a condition (#8991) (db9d29b), closes #8990
• stepfunctions: Map state does not render JSON paths from state input (#9008) (767da12), closes #8992
• apigateway: remove default properties from SpecRestApi (#9099) (06842d6), closes #8347 /github.com/aws/aws-cdk/issues/8347#issuecomment-651900511 /github.com/aws/aws-cdk/issues/8347#issuecomment-652779763
• rds: change the way Engines are modeled (#8686) (63cc1b4), closes #2213 #2512 #4150 #5126 #7072