
Enforce origin traffic via CloudFront.

Project description



Alma CDK Origin Verify

npm i -D @alma-cdk/origin-verify

Enforce that API Gateway REST API, AppSync GraphQL API, or Application Load Balancer traffic arrives via CloudFront: the construct generates a Secrets Manager secret value, CloudFront sends that value to the origin as a custom origin header, and a WAFv2 WebACL header match rule attached to the origin only allows requests that carry it, so requests that bypass CloudFront are blocked.





Essentially this is an implementation of the AWS Solution “Enhance Amazon CloudFront Origin Security with AWS WAF and AWS Secrets Manager”, without the secret rotation.


🚧   Project Stability

experimental

This construct is still versioned with a v0 major version, and breaking changes might be introduced without a major version bump if necessary, though we aim to keep the API as stable as possible even within v0 development. We aim to publish v1.0.0 soon; after that, breaking changes will only be introduced via major version bumps.


Getting Started

import { OriginVerify } from '@alma-cdk/origin-verify';
import { RestApi } from 'aws-cdk-lib/aws-apigateway';
import { Distribution, OriginProtocolPolicy } from 'aws-cdk-lib/aws-cloudfront';
import { HttpOrigin } from 'aws-cdk-lib/aws-cloudfront-origins';

declare const api: RestApi;      // TODO: implement the RestApi
declare const apiDomain: string; // TODO: implement the domain (the origin hostname CloudFront will call)

// Creates the Secrets Manager secret and the WAFv2 WebACL rule that requires
// the matching header on every request reaching the API stage
const verification = new OriginVerify(this, 'OriginVerify', {
  origin: api.deploymentStage,
});

new Distribution(this, 'CDN', {
  defaultBehavior: {
    origin: new HttpOrigin(apiDomain, {
      // CloudFront adds this header to every request it forwards to the origin;
      // the WebACL blocks requests that do not carry it
      customHeaders: {
        [verification.headerName]: verification.headerValue,
      },
      // HTTPS only: over plain HTTP the header value would travel in cleartext
      protocolPolicy: OriginProtocolPolicy.HTTPS_ONLY,
    }),
  },
});

For more detailed example usage see /examples directory.


Custom Secret Value

Additionally, you may pass in a custom secretValue if you do not want to use the generated secret (in most cases you should prefer the generated one). Note that SecretValue.unsafePlainText embeds the literal in your CDK source and in the synthesized CloudFormation template:

import { SecretValue } from 'aws-cdk-lib';
import { RestApi } from 'aws-cdk-lib/aws-apigateway';
import { OriginVerify } from '@alma-cdk/origin-verify';

declare const api: RestApi; // TODO: implement the RestApi

// A plaintext SecretValue; the literal ends up in the synthesized template
const myCustomValue = SecretValue.unsafePlainText('foobar');

const verification = new OriginVerify(this, 'OriginVerify', {
  origin: api.deploymentStage,
  secretValue: myCustomValue,
});

Notes

Use OriginProtocolPolicy.HTTPS_ONLY!

In your CloudFront distribution origin configuration use OriginProtocolPolicy.HTTPS_ONLY, so that the verification.headerValue secret is never sent in cleartext between CloudFront and the origin. Anyone who observes the header value can bypass the WebACL rule simply by calling the origin directly with that header.

Why secretValue.unsafeUnwrap()?

Internally this construct creates the headerValue with AWS Secrets Manager, but the secret value is exposed directly via the secretValue.unsafeUnwrap() method. This is:

  • required, because the plain value must be set into the WAFv2 WebACL header match rule
  • required, because the plain value must be set into the CloudFront origin custom header
  • okay, because the value is meant to protect the API from external callers and is not considered a secret that should be kept – well – secret within your AWS account: anyone who can read the distribution configuration, the WebACL, or the synthesized CloudFormation template can see it, so treat it as an account-internal value rather than a credential
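Added example, not part of the construct or its README: a stand-alone TypeScript model of the WebACL semantics described in the introduction and in these notes (default action BLOCK, one ALLOW rule that requires the CloudFront custom header to match the secret exactly), run over a few constructed requests so you can see which ones reach the origin. The header name x-origin-verify, the secret value, the sample hostname and the constant-time comparison are assumptions of this model, not values or behaviour taken from the project; the real evaluation happens inside AWS WAF, and this only reproduces the allow/block outcome of such a rule.

```typescript
// Illustrative model of the WAFv2 rule OriginVerify configures; not the
// construct's own code. Header name and secret below are assumed sample values.

type Headers = Record<string, string>;
type WafAction = 'ALLOW' | 'BLOCK';

interface HeaderMatchRule {
  headerName: string;   // name of the custom header CloudFront adds to origin requests
  searchString: string; // the Secrets Manager value the header must carry
}

// HTTP header names are case-insensitive, so look the header up that way.
function findHeader(headers: Headers, name: string): string | undefined {
  const wanted = name.toLowerCase();
  const keys = Object.keys(headers);
  for (let i = 0; i < keys.length; i++) {
    if (keys[i].toLowerCase() === wanted) return headers[keys[i]];
  }
  return undefined;
}

// Compare without short-circuiting on the first differing byte, so response
// timing does not leak how much of a guessed header value was correct.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// Evaluate the WebACL for one request: the ALLOW rule matches only when the
// header is present and equals the secret exactly (case-sensitive value, no
// text transformation); everything else falls through to the default BLOCK.
function evaluateWebAcl(rule: HeaderMatchRule, headers: Headers): WafAction {
  const value = findHeader(headers, rule.headerName);
  if (value !== undefined && constantTimeEqual(value, rule.searchString)) {
    return 'ALLOW';
  }
  return 'BLOCK';
}

// Assumed rule values (the construct exposes the real ones as
// verification.headerName / verification.headerValue).
const rule: HeaderMatchRule = {
  headerName: 'x-origin-verify',
  searchString: 'Kq9vX2mT7pL4wR8sN1bZ5cH3jF6gD0aE',
};

// Constructed sample requests as the origin (API stage, ALB or AppSync API)
// would see them; 'api.example.com' is a placeholder origin hostname.
function runSamples(): Record<string, WafAction> {
  return {
    // forwarded by CloudFront, header added from the origin configuration
    viaCloudFront: evaluateWebAcl(rule, {
      'X-Origin-Verify': rule.searchString,
      host: 'api.example.com',
    }),
    // direct call to the origin hostname, no verification header at all
    directNoHeader: evaluateWebAcl(rule, { host: 'api.example.com' }),
    // direct call with a guessed value that differs in the last character
    directWrongValue: evaluateWebAcl(rule, {
      'x-origin-verify': 'Kq9vX2mT7pL4wR8sN1bZ5cH3jF6gD0aF',
      host: 'api.example.com',
    }),
    // right characters, wrong case: an exact match is case-sensitive
    directWrongCase: evaluateWebAcl(rule, {
      'x-origin-verify': rule.searchString.toLowerCase(),
      host: 'api.example.com',
    }),
  };
}
```

The viaCloudFront request is allowed and the three direct requests are blocked. Note that the header value is the whole secret: anyone who has observed it can reproduce the viaCloudFront request from their own client, which is why the notes above insist on HTTPS_ONLY for the CloudFront-to-origin leg.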

Project details


Download files


Source Distribution

alma_cdk_origin_verify-1.0.0.tar.gz (133.9 kB)

Uploaded Source

Built Distribution


alma_cdk_origin_verify-1.0.0-py3-none-any.whl (132.5 kB)

Uploaded Python 3

File details

Details for the file alma_cdk_origin_verify-1.0.0.tar.gz.

File metadata

  • Download URL: alma_cdk_origin_verify-1.0.0.tar.gz
  • Upload date:
  • Size: 133.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.14.3

File hashes

Hashes for alma_cdk_origin_verify-1.0.0.tar.gz
Algorithm Hash digest
SHA256 2976e0fb5dfbb0d3773a583251fc31ad86b2166ede281f3591be8294edb1e27b
MD5 001c2ce9530af8e7a37194a9ac642e31
BLAKE2b-256 b3855372b1982b5a8726dee7fcb339753e83446982d6f5ba7e76b9717c7b0666


Provenance

The following attestation bundles were made for alma_cdk_origin_verify-1.0.0.tar.gz:

Publisher: release.yml on alma-cdk/origin-verify

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file alma_cdk_origin_verify-1.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for alma_cdk_origin_verify-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 98704da7f153c16aebe400498b8366f82f0611537d350d88b068f9b0ffbf4704
MD5 39a2cb3716f103de0653edbbf5cf1235
BLAKE2b-256 13f05dbefdafeaca3316445d9e810f3b2508a3aedb9d89e61d9a360655893530


Provenance

The following attestation bundles were made for alma_cdk_origin_verify-1.0.0-py3-none-any.whl:

Publisher: release.yml on alma-cdk/origin-verify

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
