Reduce the amount of code in AWS CDK: Apply OAC in Amazon CloudFront L2 constructs

Yasuyuki Sato - Nov 7 - Dev Community

This post is a translation for Dev.to of a blog originally posted in Japanese.

I have been working on my AWS certifications of late: SysOps Administrator - Associate in May, Data Engineer - Associate in June, Machine Learning - Specialty in July, Advanced Networking - Specialty in September, and AI Practitioner in November. The rush to take AWS certifications is beginning to slow down.

A new AWS CDK L2 construct is now available for Amazon CloudFront Origin Access Control (OAC)!

I have confirmed that the new L2 construct is available in our environment with CDK version 2.165.0.

I immediately migrated my personal static hosting site to the new L2 construct for OAC, and below I describe how to write the new AWS CDK L2 construct and how it compares to the previous approach!

What makes you happy about the new AWS CDK L2 construct for OAC?

Until the new AWS CDK L2 construct for OAC was available, the legacy approach was to write the configuration as Origin Access Identity (OAI) and then customize it to use Origin Access Control (OAC) through an escape hatch.

    // Code before the new AWS CDK L2 construct for OAC was available
    // (TypeScript, inside a Stack constructor; aws_cloudfront and
    // aws_cloudfront_origins are imported from 'aws-cdk-lib')
    // Define the CloudFront distribution. S3Origin creates an OAI by default.
    const distribution = new aws_cloudfront.Distribution(this, 'Distribution', {
      defaultRootObject: 'index.html',
      defaultBehavior: {
        origin: new aws_cloudfront_origins.S3Origin(originS3Bucket),
      },
    });

    // Origin Access Control (OAC) definition (L1 construct)
    const originAccessControl = new aws_cloudfront.CfnOriginAccessControl(this, 'OriginAccessControl', {
      originAccessControlConfig: {
        name: 'OriginAccessControlForOriginS3Bucket',
        originAccessControlOriginType: 's3',
        signingBehavior: 'always',
        signingProtocol: 'sigv4',
        description: 'Access Control',
      },
    });

    // Get the L1 construct (CfnDistribution) underlying the L2 distribution
    const cfnDistribution = distribution.node.defaultChild as aws_cloudfront.CfnDistribution;

    // Customization by escape hatch: attach the OAC to the first origin,
    // point it at the bucket's regional domain name, clear the OAI that
    // S3Origin set, and drop any CustomOriginConfig
    cfnDistribution.addPropertyOverride('DistributionConfig.Origins.0.OriginAccessControlId', originAccessControl.getAtt('Id'));
    cfnDistribution.addPropertyOverride('DistributionConfig.Origins.0.DomainName', originS3Bucket.bucketRegionalDomainName);
    cfnDistribution.addOverride('Properties.DistributionConfig.Origins.0.S3OriginConfig.OriginAccessIdentity', '');
    cfnDistribution.addPropertyDeletionOverride('DistributionConfig.Origins.0.CustomOriginConfig');

In addition to writing the above code, a bucket policy for the static-hosting S3 bucket was also required. Because the code first created an OAI and was then customized by the escape hatch, an unused OAI resource remained in the stack.

With the new L2 construct, the escape-hatch code above is completely unnecessary. The following code is all that is needed to implement OAC.

    // Code using the new AWS CDK L2 construct for OAC
    // S3BucketOrigin.withOriginAccessControl creates the OAC and the
    // S3 bucket policy for the origin bucket on your behalf
    const distribution = new aws_cloudfront.Distribution(this, 'Distribution', {
      defaultBehavior: {
        origin: aws_cloudfront_origins.S3BucketOrigin.withOriginAccessControl(originS3Bucket),
      },
    });

The difference in the amount of code is striking; it looks like black magic. It is very useful, provided you know which resources the construct creates and updates for your CloudFront distribution.

The old description method is deprecated

The S3Origin construct has been deprecated, so refactoring will be required when updating the aws-cdk-lib package.


To avoid downtime when migrating from OAI, it is desirable to write a temporary S3 bucket policy that allows both OAI and OAC.
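The bucket policy that OAC requires, and the temporary policy that allows both OAI and OAC during the migration, as an added example that is not part of the original post and does not use the CDK construct itself: plain TypeScript that builds the two policy documents and audits a given policy for the access paths it opens, so the resources the L2 construct generates can be reviewed before and after the switch. The bucket name, distribution ARN and OAI ID are constructed placeholders; the statement shapes follow the documented OAC form (CloudFront service principal plus an AWS:SourceArn condition) and the legacy OAI form (canonical IAM user principal).

```typescript
// Added example (not from the original post): build and audit the S3 bucket
// policy documents used by OAI and OAC. All identifiers below are constructed
// placeholders, not real resources.

type Statement = {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal: { Service?: string; AWS?: string } | '*';
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string>>;
};

type PolicyDocument = { Version: '2012-10-17'; Statement: Statement[] };

// OAC statement: the CloudFront service principal may read objects, but only
// when the request comes from the one distribution named in AWS:SourceArn.
function oacReadStatement(bucketName: string, distributionArn: string): Statement {
  return {
    Sid: 'AllowCloudFrontServicePrincipalReadOnly',
    Effect: 'Allow',
    Principal: { Service: 'cloudfront.amazonaws.com' },
    Action: 's3:GetObject',
    Resource: `arn:aws:s3:::${bucketName}/*`,
    Condition: { StringEquals: { 'AWS:SourceArn': distributionArn } },
  };
}

// Legacy OAI statement: grants the identity's canonical IAM principal read access.
function oaiReadStatement(bucketName: string, oaiId: string): Statement {
  return {
    Sid: 'AllowLegacyOriginAccessIdentityReadOnly',
    Effect: 'Allow',
    Principal: { AWS: `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${oaiId}` },
    Action: 's3:GetObject',
    Resource: `arn:aws:s3:::${bucketName}/*`,
  };
}

// Final policy once the migration is complete: OAC only.
function buildOacBucketPolicy(bucketName: string, distributionArn: string): PolicyDocument {
  return { Version: '2012-10-17', Statement: [oacReadStatement(bucketName, distributionArn)] };
}

// Temporary policy for the migration window: both the old OAI and the new OAC
// can read, so the site keeps serving while the origin configuration switches.
function buildTransitionalBucketPolicy(bucketName: string, distributionArn: string, oaiId: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [oaiReadStatement(bucketName, oaiId), oacReadStatement(bucketName, distributionArn)],
  };
}

type BucketPolicyAudit = {
  grantsOai: boolean;            // an OAI principal can still read objects
  grantsOac: boolean;            // the CloudFront service principal can read objects
  unscopedServiceGrant: boolean; // service principal allowed without AWS:SourceArn
  publicGrant: boolean;          // anonymous access (Principal "*") allowed
};

// Reports which access paths an Allow statement opens. After the migration the
// expected result is grantsOac only: grantsOai means the legacy OAI statement
// was left behind, and the last two flags are misconfigurations to fix.
function auditBucketPolicy(policy: PolicyDocument): BucketPolicyAudit {
  const audit: BucketPolicyAudit = { grantsOai: false, grantsOac: false, unscopedServiceGrant: false, publicGrant: false };
  for (const s of policy.Statement) {
    if (s.Effect !== 'Allow') continue;
    if (s.Principal === '*' || s.Principal.AWS === '*') { audit.publicGrant = true; continue; }
    if (s.Principal.AWS && s.Principal.AWS.includes('CloudFront Origin Access Identity')) audit.grantsOai = true;
    if (s.Principal.Service === 'cloudfront.amazonaws.com') {
      audit.grantsOac = true;
      const stringEquals = s.Condition ? s.Condition.StringEquals : undefined;
      if (!stringEquals || !stringEquals['AWS:SourceArn']) audit.unscopedServiceGrant = true;
    }
  }
  return audit;
}

// Constructed sample values for a stand-alone run.
const SAMPLE_BUCKET = 'example-static-site-bucket';
const SAMPLE_DISTRIBUTION_ARN = 'arn:aws:cloudfront::123456789012:distribution/EXAMPLEDISTID';
const SAMPLE_OAI_ID = 'EXAMPLEOAIID';

console.log(JSON.stringify(buildTransitionalBucketPolicy(SAMPLE_BUCKET, SAMPLE_DISTRIBUTION_ARN, SAMPLE_OAI_ID), null, 2));
console.log(auditBucketPolicy(buildOacBucketPolicy(SAMPLE_BUCKET, SAMPLE_DISTRIBUTION_ARN)));
```

Running the audit against the bucket policy in the synthesized template is a cheap way to confirm that the OAI grant is gone once the migration is finished and that the service-principal grant stays pinned to a single distribution rather than to every CloudFront distribution in every account.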

Amount of CDK code reduced to 60%

What surprised me was the amount of CDK code: I compared the number of lines before and after using the OAC L2 construct. (The line count covers the entire stack for the simple static hosting site I use.)

Number of lines in the stack (OAC via CDK L2 construct)
    Before using the L2 construct: 106
    After using the L2 construct:   73

The amount of code written was reduced to 60% of the original, a 40% reduction. The escape hatch, which is hard to understand at a glance, has also been eliminated.

Summary

The new AWS CDK L2 construct for Amazon CloudFront Origin Access Control (OAC) eliminates the escape hatch (customization) that was previously required when applying OAC, allowing for concise code. Since this L2 construct creates multiple resources, such as the OAC and the S3 bucket policy, it is best used after understanding the resources it will create. I intend to make active use of it.
