
Enforce origin traffic via CloudFront.

Project description



Alma CDK Origin Verify

npm i -D @alma-cdk/origin-verify

Enforce API Gateway REST API, AppSync GraphQL API, or Application Load Balancer traffic via CloudFront by generating a Secrets Manager secret value which is used as a CloudFront Origin Custom header and a WAFv2 WebACL header match rule.



[diagram omitted]


Essentially this is an implementation of the AWS Solution "Enhance Amazon CloudFront Origin Security with AWS WAF and AWS Secrets Manager" without the secret rotation.


🚧   Project Stability

experimental

This construct is still versioned with v0 major version and breaking changes might be introduced if necessary (without a major version bump), though we aim to keep the API as stable as possible (even within v0 development). We aim to publish v1.0.0 soon and after that breaking changes will be introduced via major version bumps.


Getting Started

import { OriginVerify } from '@alma-cdk/origin-verify';
import { RestApi } from 'aws-cdk-lib/aws-apigateway';
import { Distribution, OriginProtocolPolicy } from 'aws-cdk-lib/aws-cloudfront';
import { HttpOrigin } from 'aws-cdk-lib/aws-cloudfront-origins';

declare const api: RestApi; // TODO: implement the RestApi
declare const apiDomain: string; // TODO: implement the domain

// Generates the secret, attaches the WAFv2 WebACL header-match rule to the origin
// and exposes headerName/headerValue for the CloudFront side of the check.
const verification = new OriginVerify(this, 'OriginVerify', {
  origin: api.deploymentStage,
});

new Distribution(this, 'CDN', {
  defaultBehavior: {
    origin: new HttpOrigin(apiDomain, {
      customHeaders: {
        [verification.headerName]: verification.headerValue,
      },
      protocolPolicy: OriginProtocolPolicy.HTTPS_ONLY,
    }),
  },
});

For more detailed example usage see the /examples directory.


Custom Secret Value

Additionally, you may pass in a custom secretValue if you don't want to use a generated secret (though the generated secret is what you should use in most cases):

import { SecretValue } from 'aws-cdk-lib';

// unsafePlainText puts the literal into the template; use it only for a value you already treat as non-secret.
const myCustomValue = SecretValue.unsafePlainText('foobar');

const verification = new OriginVerify(this, 'OriginVerify', {
  origin: api.deploymentStage,
  secretValue: myCustomValue,
});

Notes

Use OriginProtocolPolicy.HTTPS_ONLY!

In your CloudFront distribution Origin configuration use OriginProtocolPolicy.HTTPS_ONLY to avoid exposing the verification.headerValue secret to the world.

Why secretValue.unsafeUnwrap()?

Internally this construct creates the headerValue using AWS Secrets Manager, but the secret value is exposed directly via the secretValue.unsafeUnwrap() method. This is:

  • required, because we must be able to set it into the WAFv2 WebACL rule
  • required, because you must be able to set it into the CloudFront Origin Custom Header
  • okay, because it's meant to protect the API externally and it's not considered as a secret that should be kept – well – secret within your AWS account
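To make the mechanism from Getting Started and the unsafeUnwrap() note concrete, here is an added illustration (not the construct's own code) that builds the WAFv2 WebACL shape this pattern relies on and simulates its evaluation locally; the header name "x-origin-verify" is an assumption standing in for verification.headerName, and no AWS call is made.

```python
import hmac
import secrets
from typing import Mapping

# Assumed header name for this illustration; the construct exposes its own via verification.headerName.
HEADER_NAME = "x-origin-verify"


def generate_secret_value(nbytes: int = 32) -> str:
    """Random header value, standing in for the Secrets Manager secret the construct generates."""
    return secrets.token_urlsafe(nbytes)


def build_webacl(header_name: str, header_value: str) -> dict:
    """WAFv2 WebACL in CloudFormation (AWS::WAFv2::WebACL) shape: DefaultAction BLOCK plus one
    rule that ALLOWs on an exact header match. The secret lands in the template in plaintext,
    which is why the construct has to unsafeUnwrap() it."""
    metrics = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}
    return {
        "Scope": "REGIONAL",
        "DefaultAction": {"Block": {}},
        "VisibilityConfig": {**metrics, "MetricName": "OriginVerifyAcl"},
        "Rules": [{
            "Name": "OriginVerify",
            "Priority": 0,
            "Action": {"Allow": {}},
            "Statement": {"ByteMatchStatement": {
                "FieldToMatch": {"SingleHeader": {"Name": header_name.lower()}},
                "PositionalConstraint": "EXACTLY",
                "SearchString": header_value,
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            }},
            "VisibilityConfig": {**metrics, "MetricName": "OriginVerifyRule"},
        }],
    }


def origin_allows(web_acl: dict, request_headers: Mapping[str, str]) -> bool:
    """Local simulation of how the WebACL above treats a request arriving at the origin."""
    for rule in web_acl["Rules"]:
        stmt = rule["Statement"]["ByteMatchStatement"]
        wanted = stmt["FieldToMatch"]["SingleHeader"]["Name"]
        for name, value in request_headers.items():
            # Header names are case-insensitive; the value must match exactly (TextTransformation NONE).
            if name.lower() == wanted and hmac.compare_digest(value.encode(), stmt["SearchString"].encode()):
                return True
    return False  # no rule matched: DefaultAction Block, the request never reaches the API
```

A request that bypasses CloudFront and hits the API Gateway, AppSync or ALB endpoint directly carries no header and falls through to the Block default action.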

Project details


Download files

Source Distribution

  • alma_cdk_origin_verify-1.0.1.tar.gz (133.9 kB), uploaded as Source

Built Distribution

  • alma_cdk_origin_verify-1.0.1-py3-none-any.whl (132.5 kB), uploaded for Python 3

File details

Details for the file alma_cdk_origin_verify-1.0.1.tar.gz.

File metadata

  • Download URL: alma_cdk_origin_verify-1.0.1.tar.gz
  • Size: 133.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.14.3

File hashes

Hashes for alma_cdk_origin_verify-1.0.1.tar.gz

  • SHA256: 56061f00542f7948f9ebe697830fedffd21c595f19c50d10da65202fa7d9a4af
  • MD5: ebf47551cfea9e0ac6cdd90f93eb803a
  • BLAKE2b-256: fa97c5122cdd9fa97cdc18bb15104f405aea5e3251b814aac6870629a1603c8e

Provenance

The following attestation bundles were made for alma_cdk_origin_verify-1.0.1.tar.gz:

Publisher: release.yml on alma-cdk/origin-verify

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file alma_cdk_origin_verify-1.0.1-py3-none-any.whl.

File hashes

Hashes for alma_cdk_origin_verify-1.0.1-py3-none-any.whl

  • SHA256: c6b89b760207339d1dc10c26dacf68ea4286a4d55dbc81e055304af810ead252
  • MD5: 1e2c14f4465ed50e785019d30707e11e
  • BLAKE2b-256: 20286b9c76c6f7d098354e17722763e3f7e639ef62c41b4c2a0218bbde389f9a

Provenance

The following attestation bundles were made for alma_cdk_origin_verify-1.0.1-py3-none-any.whl:

Publisher: release.yml on alma-cdk/origin-verify

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
