Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/alma-cdk/origin-verify
AWS CDK Construct to Enforce API Gateway or Application Load Balancer traffic via CloudFront.
Last synced: 9 days ago
- Host: GitHub
- URL: https://github.com/alma-cdk/origin-verify
- Owner: alma-cdk
- License: apache-2.0
- Created: 2022-05-16T13:23:46.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-03-21T13:52:38.000Z (9 months ago)
- Last Synced: 2024-11-30T11:16:19.047Z (22 days ago)
- Topics: alb, api-gateway, aws, aws-cdk, aws-cdk-construct, awscdk, cloud-development-kit, cloudfront
- Language: TypeScript
- Homepage: https://constructs.dev/packages/@alma-cdk/origin-verify/
- Size: 502 KB
- Stars: 4
- Watchers: 7
- Forks: 2
- Open Issues: 6
Metadata Files:
- Readme: README.md
- License: LICENSE
README
```sh
npm i -D @alma-cdk/origin-verify
```
Enforce API Gateway REST API, AppSync GraphQL API, or Application Load Balancer traffic via CloudFront by generating a Secrets Manager secret value which is used as a CloudFront Origin Custom header and a WAFv2 WebACL header match rule.
![diagram](assets/diagram.svg)
Essentially this is an implementation of _AWS Solution_ “[Enhance Amazon CloudFront Origin Security with AWS WAF and AWS Secrets Manager](https://aws.amazon.com/blogs/security/how-to-enhance-amazon-cloudfront-origin-security-with-aws-waf-and-aws-secrets-manager/)” without the secret rotation.
## 🚧 Project Stability
![experimental](https://img.shields.io/badge/stability-experimental-yellow "Stability: Experimental")
This construct is still versioned with `v0` major version and breaking changes might be introduced if necessary (without a major version bump), though we aim to keep the API as stable as possible (even within `v0` development). We aim to publish `v1.0.0` soon and after that breaking changes will be introduced via major version bumps.
## Getting Started
```ts
import { OriginVerify } from '@alma-cdk/origin-verify';
import { RestApi } from 'aws-cdk-lib/aws-apigateway';
import { Distribution, OriginProtocolPolicy } from 'aws-cdk-lib/aws-cloudfront';
import { HttpOrigin } from 'aws-cdk-lib/aws-cloudfront-origins';
```
```ts
declare const api: RestApi; // TODO: implement the RestApi
declare const apiDomain: string; // TODO: implement the domain

// Creates the Secrets Manager secret and the WAFv2 WebACL header-match rule
// that is associated with the API stage.
const verification = new OriginVerify(this, 'OriginVerify', {
  origin: api.deploymentStage,
});

new Distribution(this, 'CDN', {
  defaultBehavior: {
    origin: new HttpOrigin(apiDomain, {
      // CloudFront adds the verification header to every request it forwards to the origin
      customHeaders: {
        [verification.headerName]: verification.headerValue,
      },
      // HTTPS only, so the header value is never sent in clear text
      protocolPolicy: OriginProtocolPolicy.HTTPS_ONLY,
    }),
  },
});
```
For more detailed example usage see the [`/examples`](https://github.com/alma-cdk/origin-verify/tree/main/examples/) directory.
## Custom Secret Value
Additionally, you may pass in a custom `secretValue` if you don't want to use the generated secret (though the generated secret is what you should use in most cases):
```ts
import { SecretValue } from 'aws-cdk-lib';

const myCustomValue = SecretValue.unsafePlainText('foobar');

const verification = new OriginVerify(this, 'OriginVerify', {
  origin: api.deploymentStage,
  secretValue: myCustomValue,
});
```
## Notes
### Use `OriginProtocolPolicy.HTTPS_ONLY`!
In your CloudFront distribution Origin configuration use `OriginProtocolPolicy.HTTPS_ONLY` to avoid exposing the `verification.headerValue` secret to the world.
### Why `secretValue.unsafeUnwrap()`?
Internally this construct creates the `headerValue` using AWS Secrets Manager, but the secret value is exposed directly via the `secretValue.unsafeUnwrap()` method. This is:
- **required**, because we must be able to set it into the WAFv2 WebACL rule
- **required**, because you must be able to set it into the CloudFront Origin Custom Header
- **okay**, because it's meant to protect the API externally and it's _not_ considered a secret that should be kept – well – secret within _your_ AWS account
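To make the enforcement model concrete, here is an added example (not code from this construct, and not AWS WAF itself) that models the WebACL header-match rule the construct provisions: a request is allowed only when the origin-verify header carries the exact secret, and everything else falls through to the default BLOCK action. The header name `x-origin-verify`, the secret and the sample requests are all constructed for the example; the real name and value come from `verification.headerName` and `verification.headerValue`.

```typescript
import { timingSafeEqual } from 'node:crypto';

// Header name is an assumption for this example; the construct exposes the
// real one as verification.headerName.
export const HEADER_NAME = 'x-origin-verify';

export type Action = 'ALLOW' | 'BLOCK';

export interface OriginRequest {
  source: string;                  // label used only to tag the sample data
  headers: Record<string, string>; // header names exactly as received
}

// HTTP header names are case-insensitive; header values are compared byte-for-byte.
function getHeader(headers: Record<string, string>, name: string): string | undefined {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

// Models the single WebACL rule: ALLOW when the verification header equals the
// expected secret, otherwise the request hits the default action, BLOCK.
export function evaluateOriginVerify(req: OriginRequest, expected: string): Action {
  const presented = getHeader(req.headers, HEADER_NAME);
  if (presented === undefined) return 'BLOCK';
  const a = new TextEncoder().encode(presented);
  const b = new TextEncoder().encode(expected);
  // timingSafeEqual needs equal-length inputs; a length mismatch is simply a miss.
  if (a.length !== b.length) return 'BLOCK';
  return timingSafeEqual(a, b) ? 'ALLOW' : 'BLOCK';
}

// Constructed sample traffic, not captured requests.
export const SECRET = 'constructed-example-secret-value';

export const SAMPLE_REQUESTS: OriginRequest[] = [
  // CloudFront forwarding with the custom origin header set by the Distribution
  { source: 'cloudfront', headers: { 'X-Origin-Verify': SECRET, host: 'api.example.invalid' } },
  // A client that reached the origin directly, bypassing CloudFront
  { source: 'direct-no-header', headers: { host: 'api.example.invalid' } },
  // Direct client presenting some other value in the header
  { source: 'direct-wrong-value', headers: { 'x-origin-verify': 'not-the-secret', host: 'api.example.invalid' } },
  // Direct client presenting the secret with extra bytes appended
  { source: 'direct-longer-value', headers: { 'x-origin-verify': SECRET + 'x', host: 'api.example.invalid' } },
];

// Evaluates a batch of requests and returns the action per source label.
export function evaluateAll(reqs: OriginRequest[], expected: string): Record<string, Action> {
  const out: Record<string, Action> = {};
  for (const r of reqs) out[r.source] = evaluateOriginVerify(r, expected);
  return out;
}

console.log(evaluateAll(SAMPLE_REQUESTS, SECRET));
```

The constant-time comparison is a property of this local model rather than something the WebACL rule guarantees; it is included because the same check is what you would write if an origin ever had to verify the header in application code instead of at the WAF layer. Note that the model only tells requests apart by the header, which is exactly why the HTTPS-only origin policy above matters: any path on which the header value travels in clear text makes it readable to whoever can observe that path.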