Add optional CloudFront distribution for app server (#35)

* add (optional) CloudFront distribution for app server

* add IAM policy to allow cloudfront api access from the app servers

* add CloudFront app distribution support for the Dokku stack

* forward only the Host header to the origin in the CloudFront AppDistribution (forwarding all headers breaks caching)

* add missing Ref()

* Revert "add CloudFront app distribution support for the Dokku stack"

This reverts commit a26c081.

* re-enable CloudFront AppDistribution for ELB-enabled Dokku stack

* fix ARN + permissions for AppDistributionInvalidationPolicy

* enable all HTTP methods for AppDistribution

* resource-level IAM permissions aren't supported by CloudFront, so disable them

* clean up conditional imports in __init__.py

* remove unused imports

* allow configuring ViewerProtocolPolicy for app server CloudFront distribution

* modernize CloudFront configuration

* update changelog

* separate cloudfront to its own stack

* restore accidentally deleted code

* update changelog

* use new cache policy method

Co-authored-by: Ronard <[email protected]>

---------

Co-authored-by: Colin Copeland <[email protected]>
Co-authored-by: Ronard <[email protected]>

Author: 3 people

CHANGELOG.rst

@@ -4,7 +4,7 @@ Change Log
 `X.Y.Z`_ (TBD-DD-DD)
 ---------------------
 
-* TBD
+* Add support for CloudFront Distribution in front of the application server via a separate CloudFormation stack (must be deployed on its own, after the main stack creation)
 
 
 `2.2.0`_ (2024-08-01)

Makefile

@@ -14,6 +14,7 @@ templates:
 	# USE_DOKKU=on USE_NAT_GATEWAY=on python -c 'import stack' > content/dokku-nat.yaml (disabled; need to SSH to instance to deploy)
 	USE_GOVCLOUD=on python -c 'import stack' > content/gc-no-nat.yaml
 	USE_GOVCLOUD=on USE_NAT_GATEWAY=on python -c 'import stack' > content/gc-nat.yaml
+	USE_CLOUDFRONT=on python -c 'import stack' > content/cloudfront.yaml
 
 versioned_templates: templates
 	# version must be passed via the command-line, e.g., make VERSION=x.y.z versioned_templates

stack/__init__.py

@@ -8,8 +8,11 @@
 USE_EKS = os.environ.get("USE_EKS") == "on"
 USE_GOVCLOUD = os.environ.get("USE_GOVCLOUD") == "on"
 USE_NAT_GATEWAY = os.environ.get("USE_NAT_GATEWAY") == "on"
+USE_CLOUDFRONT = os.environ.get("USE_CLOUDFRONT") == "on"
 
-if USE_EKS:
+if USE_CLOUDFRONT:
+    from . import cdn  # noqa: F401
+elif USE_EKS:
     from . import assets  # noqa: F401
     from . import cache  # noqa: F401
     from . import database  # noqa: F401

stack/assets.py

@@ -41,7 +41,7 @@
     use_aes256_encryption_cond,
     use_cmk_arn
 )
-from .domain import domain_name, domain_name_alternates, no_alt_domains
+from .domain import all_domains_list
 from .sftp import use_sftp_condition, use_sftp_with_kms_condition
 from .template import template
 from .utils import ParameterWithDefaults as Parameter
@@ -71,18 +71,9 @@
     DeletionPolicy="Retain",
     CorsConfiguration=CorsConfiguration(
         CorsRules=[CorsRules(
-            AllowedOrigins=Split(";", Join("", [
-                "https://", domain_name,
-                If(
-                    no_alt_domains,
-                    # if we don't have any alternate domains, return an empty string
-                    "",
-                    # otherwise, return the ';https://' that will be needed by the first domain
-                    ";https://",
-                ),
-                # then, add all the alternate domains, joined together with ';https://'
-                Join(";https://", domain_name_alternates),
-                # now that we have a string of origins separated by ';', Split() is used to make it into a list again
+            AllowedOrigins=Split(';', Join('', [
+                'https://',
+                Join(';https://', all_domains_list)
             ])),
             AllowedMethods=[
                 "POST",
@@ -283,7 +274,7 @@
         Parameter(
             "AssetsCloudFrontDomain",
             Description="A custom domain name (CNAME) for your CloudFront distribution, e.g., "
-                        "\"static.example.com\".",
+                        "\"static.example.com\" (optional).",
             Type="String",
             Default="",
         ),

stack/bastion.py

@@ -15,12 +15,8 @@
 )
 
 from . import USE_EKS
-from .common import (
-    cmk_arn,
-    dont_create_value,
-    use_aes256_encryption,
-    use_cmk_arn
-)
+from .common import cmk_arn, use_aes256_encryption, use_cmk_arn
+from .constants import dont_create_value
 from .template import template
 from .vpc import public_subnet_a, vpc
 

stack/cache.py

@@ -17,11 +17,11 @@
 
 from .common import (
     cmk_arn,
-    dont_create_value,
     use_aes256_encryption,
     use_aes256_encryption_cond,
     use_cmk_arn
 )
+from .constants import dont_create_value
 from .template import template
 from .utils import ParameterWithDefaults as Parameter
 from .vpc import (

stack/cdn.py

@@ -0,0 +1,263 @@
+from troposphere import (
+    AWS_REGION,
+    Equals,
+    GetAtt,
+    If,
+    Join,
+    Not,
+    Output,
+    Parameter,
+    Ref,
+    iam
+)
+from troposphere.cloudfront import (
+    CacheCookiesConfig,
+    CacheHeadersConfig,
+    CachePolicy,
+    CachePolicyConfig,
+    CacheQueryStringsConfig,
+    CustomOriginConfig,
+    DefaultCacheBehavior,
+    Distribution,
+    DistributionConfig,
+    Origin,
+    ParametersInCacheKeyAndForwardedToOrigin,
+    ViewerCertificate
+)
+
+from .certificates import application as app_certificate
+from .domain import all_domains_list
+from .template import template
+
+origin_domain_name = Ref(
+    template.add_parameter(
+        Parameter(
+            "AppCloudFrontOriginDomainName",
+            Description="Domain name of the origin server",
+            Type="String",
+            Default="",
+        ),
+        group="Application Server",
+        label="CloudFront Origin Domain Name",
+    )
+)
+
+instance_role = Ref(
+    template.add_parameter(
+        Parameter(
+            "AppCloudFrontRoleArn",
+            Description="ARN of the role to add IAM permissions for invalidating this distribution",
+            Type="String",
+            Default="",
+        ),
+        group="Application Server",
+        label="CloudFront Role ARN",
+    )
+)
+
+origin_request_policy_id = Ref(
+    template.add_parameter(
+        Parameter(
+            "AppCloudFrontOriginRequestPolicyId",
+            Description="The unique identifier of the origin request policy to attach to the app cache behavior",
+            Type="String",
+            # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html#managed-origin-request-policy-all-viewer
+            # Recommended for custom origins
+            Default="216adef6-5c7f-47e4-b989-5492eafa07d3",
+        ),
+        group="Application Server",
+        label="Origin Request Policy ID",
+    )
+)
+
+app_protocol_policy = template.add_parameter(
+    Parameter(
+        "AppCloudFrontProtocolPolicy",
+        Description="The protocols allowed by the application server's CloudFront distribution. See: "
+        "http://docs.aws.amazon.com/cloudfront/latest/APIReference/API_DefaultCacheBehavior.html",
+        Type="String",
+        AllowedValues=["redirect-to-https", "https-only", "allow-all"],
+        Default="redirect-to-https",
+    ),
+    group="Application Server",
+    label="CloudFront Protocol Policy",
+)
+
+app_forwarded_headers = template.add_parameter(
+    Parameter(
+        "AppCloudFrontForwardedHeaders",
+        Description=(
+            "The CachePolicy headers that will be forwarded to the origin and used in the cache key. "
+            "The 'Host' header is required for SSL on an Elastic Load Balancer, but it "
+            "should NOT be passed to a Lambda Function URL."
+        ),
+        Type="CommaDelimitedList",
+        Default="",
+    ),
+    group="Application Server",
+    label="CloudFront Forwarded Headers",
+)
+app_forwarded_headers_condition = "AppCloudFrontForwardedHeadersCondition"
+template.add_condition(
+    app_forwarded_headers_condition,
+    Not(Equals(Join("", Ref(app_forwarded_headers)), "")),
+)
+
+# Currently, you can specify only certificates that are in the US East (N. Virginia) region.
+# http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distributionconfig-viewercertificate.html
+us_east_1_condition = "UsEast1Condition"
+template.add_condition(
+    us_east_1_condition,
+    Equals(Ref(AWS_REGION), "us-east-1"),
+)
+
+app_certificate_arn = template.add_parameter(
+    Parameter(
+        "AppCloudFrontCertArn",
+        Description="If your stack is NOT in the us-east-1 you must manually create an ACM certificate for "
+        "your application domain in the us-east-1 region and provide its ARN here.",
+        Type="String",
+    ),
+    group="Application Server",
+    label="CloudFront SSL Certificate ARN",
+)
+app_certificate_arn_condition = "AppCloudFrontCertArnCondition"
+template.add_condition(
+    app_certificate_arn_condition, Not(Equals(Ref(app_certificate_arn), ""))
+)
+
+cache_policy = template.add_resource(
+    CachePolicy(
+        "AppCloudFrontCachePolicy",
+        CachePolicyConfig=CachePolicyConfig(
+            Name="AppCachePolicy",
+            DefaultTTL=86400,  # 1 day
+            MaxTTL=31536000,  # 1 year
+            MinTTL=0,
+            ParametersInCacheKeyAndForwardedToOrigin=ParametersInCacheKeyAndForwardedToOrigin(
+                CookiesConfig=CacheCookiesConfig(
+                    CookieBehavior="none",
+                ),
+                EnableAcceptEncodingGzip=True,
+                EnableAcceptEncodingBrotli=True,
+                HeadersConfig=If(
+                    app_forwarded_headers_condition,
+                    CacheHeadersConfig(
+                        # Determines whether any HTTP headers are included in the
+                        # cache key and in requests that CloudFront sends to the
+                        # origin
+                        # * whitelist: Only the HTTP headers that are listed in the
+                        #   Headers type are included in the cache key and in
+                        #   requests that CloudFront sends to the origin.
+                        HeaderBehavior="whitelist",
+                        Headers=Ref(app_forwarded_headers),
+                    ),
+                    CacheHeadersConfig(
+                        HeaderBehavior="none",
+                    ),
+                ),
+                QueryStringsConfig=CacheQueryStringsConfig(
+                    # Determines whether any URL query strings in viewer
+                    # requests are included in the cache key and in requests
+                    # that CloudFront sends to the origin
+                    QueryStringBehavior="all",
+                ),
+            ),
+        ),
+    )
+)
+
+# Create a CloudFront CDN distribution
+app_distribution = template.add_resource(
+    Distribution(
+        "AppCloudFrontDistribution",
+        DistributionConfig=DistributionConfig(
+            Aliases=all_domains_list,
+            HttpVersion="http2",
+            # If we're in us-east-1, use the application certificate tied to the load balancer, otherwise,
+            # use the manually-created cert
+            ViewerCertificate=If(
+                us_east_1_condition,
+                ViewerCertificate(
+                    AcmCertificateArn=app_certificate,
+                    SslSupportMethod="sni-only",
+                    # Default/recommended on the AWS console, as of May, 2023
+                    MinimumProtocolVersion="TLSv1.2_2021",
+                ),
+                If(
+                    app_certificate_arn_condition,
+                    ViewerCertificate(
+                        AcmCertificateArn=Ref(app_certificate_arn),
+                        SslSupportMethod="sni-only",
+                        MinimumProtocolVersion="TLSv1.2_2021",
+                    ),
+                    Ref("AWS::NoValue"),
+                ),
+            ),
+            Origins=[
+                Origin(
+                    Id="ApplicationServer",
+                    DomainName=origin_domain_name,
+                    CustomOriginConfig=CustomOriginConfig(
+                        OriginProtocolPolicy="https-only",
+                    ),
+                )
+            ],
+            DefaultCacheBehavior=DefaultCacheBehavior(
+                TargetOriginId="ApplicationServer",
+                Compress="true",
+                AllowedMethods=[
+                    "DELETE",
+                    "GET",
+                    "HEAD",
+                    "OPTIONS",
+                    "PATCH",
+                    "POST",
+                    "PUT",
+                ],
+                CachePolicyId=Ref(cache_policy),
+                CachedMethods=["HEAD", "GET"],
+                OriginRequestPolicyId=origin_request_policy_id,
+                ViewerProtocolPolicy=Ref(app_protocol_policy),
+            ),
+            Enabled=True,
+        ),
+    )
+)
+
+invalidation_policy = template.add_resource(
+    iam.PolicyType(
+        "AppCloudFrontInvalidationPolicy",
+        PolicyName="AppCloudFrontInvalidationPolicy",
+        PolicyDocument=dict(
+            Statement=[
+                dict(
+                    Effect="Allow",
+                    Action=[
+                        "cloudfront:GetDistribution",
+                        "cloudfront:GetDistributionConfig",
+                        "cloudfront:ListDistributions",
+                        "cloudfront:ListCloudFrontOriginAccessIdentities",
+                        "cloudfront:CreateInvalidation",
+                        "cloudfront:GetInvalidation",
+                        "cloudfront:ListInvalidations",
+                    ],
+                    Resource="*",
+                    # TODO: if/when CloudFront supports resource-level IAM permissions, enable them, e.g.:
+                    # Resource=Join("", [arn_prefix, ":cloudfront:::distribution/", Ref(app_distribution)]),
+                    # See: https://stackoverflow.com/a/29563986/166053
+                ),
+            ],
+        ),
+        Roles=[instance_role],
+    )
+)
+
+# Output CloudFront url
+template.add_output(
+    Output(
+        "AppCloudFrontDomainName",
+        Description="The app CDN domain name",
+        Value=GetAtt(app_distribution, "DomainName"),
+    )
+)

stack/certificates.py

@@ -4,7 +4,7 @@
 from troposphere import Equals, If, Not, Or, Ref
 from troposphere.certificatemanager import Certificate, DomainValidationOption
 
-from .common import dont_create_value
+from .constants import dont_create_value
 from .domain import domain_name, domain_name_alternates, no_alt_domains
 from .template import template
 from .utils import ParameterWithDefaults as Parameter

stack/common.py

@@ -1,3 +1,5 @@
+import os
+
 from troposphere import AWS_REGION, Equals, If, Not, Ref
 
 from . import USE_DOKKU, USE_EB, USE_EC2, USE_ECS, USE_GOVCLOUD
@@ -6,6 +8,12 @@
 
 dont_create_value = "(none)"
 
+# TODO: clean up naming for this role so it's the same for all configurations
+if os.environ.get('USE_EB') == 'on':
+    instance_role = "WebServerRole"
+else:
+    instance_role = "ContainerInstanceRole"
+
 in_govcloud_region = "InGovCloudRegion"
 template.add_condition(in_govcloud_region, Equals(Ref(AWS_REGION), "us-gov-west-1"))
 arn_prefix = If(in_govcloud_region, "arn:aws-us-gov", "arn:aws")

stack/constants.py

@@ -0,0 +1 @@
+dont_create_value = "(none)"