v1.1.0-rc.68

Pre-release
@github-actions github-actions released this 14 Jun 17:12
· 130 commits to develop since this release
3a20ef2

v1.1.0-rc.68 (2024-06-14)

Breaking

  • feat!: configure cloudfront with origin access control (proposal) (#376)

Issue

No relevant github issue but in MCP, setting a default root object is
required which this work helps to address.

What?

  • enable logging (this was added in another merged PR)
  • configure cloudfront to use origin access control and delete the
    origin access identity that gets created
  • set default root object to index.html
  • use the VEDA_CLOUDFRONT_OAC flag to enable/disable the feature

Why?

  • currently, our MCP deployments need to be manually updated in order
    for the cloudfront distribution to work properly with S3 buckets that
    block public access

Testing?

  • deployed these changes to UAH dev and MCP test

Other

  • I opted to not add policy configuration in this PR since there is no
    way to tell via CDK if a policy on a bucket already exists. In order for
    this to work, the S3 browser bucket must allow cloudfront to GetObject:
{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::BUCKET/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::ACCOUNT:distribution/DISTRIBUTION_ID"
                }
            }
        }
    ]
}
Misc

In order to properly configure this for our UAH stacks, we will need to
update the buckets to block public access, not use static website
hosting, and to include the bucket policy like above. These changes are
required because our current UAH buckets do use static website hosting
and therefore don't have the above policy and allow read access. (3a20ef2)
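The bucket policy shown above and the bucket changes listed under Misc, as an added example that is not part of this release or the project's CDK code: a small Python script that fills the BUCKET / ACCOUNT / DISTRIBUTION_ID placeholders for a given distribution, and audits an existing bucket policy for the two properties the notes describe, s3:GetObject granted to cloudfront.amazonaws.com scoped by aws:SourceArn to exactly one distribution, and no statement granting anonymous read (the shape a static-website-hosting bucket typically carries). The bucket name, account id and distribution id used below are constructed sample values.

```python
"""Build and audit an S3 bucket policy for CloudFront Origin Access Control.

Added example; the policy template is the one from the release notes, the
audit logic and all sample identifiers are constructed for illustration.
"""
import json
from typing import Any

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"
# Actions that would let the principal read objects (compared lower-cased).
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def build_oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Return the release-notes policy with its placeholders filled in."""
    return {
        "Version": "2008-10-17",
        "Id": "PolicyForCloudFrontPrivateContent",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipal",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDFRONT_SERVICE},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
                    }
                },
            }
        ],
    }


def _as_list(value: Any) -> list:
    """IAM accepts a scalar or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _source_arns(condition: dict) -> list[str]:
    """Collect every aws:SourceArn value regardless of operator or key casing."""
    arns: list[str] = []
    for operator, keys in condition.items():
        if operator.lower() not in {"stringequals", "arnequals", "stringlike", "arnlike"}:
            continue
        for key, val in keys.items():
            if key.lower() == "aws:sourcearn":
                arns.extend(_as_list(val))
    return arns


def audit_bucket_policy(policy: dict, distribution_arn: str) -> list[str]:
    """Return findings; an empty list means CloudFront reads are scoped to
    `distribution_arn` and nothing grants anonymous read."""
    findings: list[str] = []
    scoped_to_distribution = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        principal = stmt.get("Principal")
        # Anonymous principal: what a public static-website-hosting bucket carries.
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"{sid}: grants public read (Principal '*')")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if CLOUDFRONT_SERVICE in services:
            arns = _source_arns(stmt.get("Condition", {}))
            if not arns:
                findings.append(f"{sid}: {CLOUDFRONT_SERVICE} allowed without an aws:SourceArn "
                                "condition (grant is not tied to one distribution)")
            elif distribution_arn in arns:
                scoped_to_distribution = True
            else:
                findings.append(f"{sid}: aws:SourceArn does not include {distribution_arn}")
    if not scoped_to_distribution:
        findings.append("no statement grants s3:GetObject to CloudFront scoped to the expected distribution")
    return findings


# Constructed sample: the kind of policy a static-website-hosting bucket has today.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::veda-browser-example/*"}],
}

if __name__ == "__main__":
    arn = "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"
    oac_policy = build_oac_bucket_policy("veda-browser-example", "123456789012", "EDFDVBD6EXAMPLE")
    print(json.dumps(oac_policy, indent=2))
    print("OAC policy findings:", audit_bucket_policy(oac_policy, arn))
    print("public policy findings:", audit_bucket_policy(PUBLIC_READ_POLICY, arn))
```

Run the audit against the policy you fetch with `aws s3api get-bucket-policy` before enabling the flag on an existing stack: an empty finding list means the bucket is ready for an OAC-only distribution, while a public-read finding is the signal that the bucket still relies on static website hosting and must be changed as described under Misc.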

Feature

  • feat: add flag to enable cf oac (d5c8fb5)

Fix