Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(cloudfront.Distribution): (default_behavior does nothing with origin_access_identity set to oai) #27801

Closed
aramatev opened this issue Nov 1, 2023 · 3 comments
Closed

(cloudfront.Distribution): (default_behavior does nothing with origin_access_identity set to oai) #27801

aramatev opened this issue Nov 1, 2023 · 3 comments
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/medium Medium work item – several days of effort p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@aramatev
Copy link

aramatev commented Nov 1, 2023

Describe the bug

Not only does it not set the legacy setting using OAI, but there is no way to use the new OAC method. Specifically it does not work in python cdk, may be it works in typescript.

You can do the legacy Origin access using CloudFrontWebDistribution (but we're told this is deprecated and to use cloudfront.Distribution), so thats fine, but that still does not mean allow the API to take OAI and do nothing.
Also there is no way to set it to OAC which is the recommended method.
See this page about OAI vs OAC, https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-oac-permission-to-access-s3.

this code block does not work, does not set the origin identity

# Create an OAI (Origin Access Identity)
oai = cloudfront.OriginAccessIdentity(self, "OAI")

# # Setup CloudFront distribution
        distribution = cloudfront.Distribution(self, "WebsiteDistribution",
            default_behavior=cloudfront.BehaviorOptions(
                origin=origins.S3Origin(bucket, origin_access_identity=oai),
                viewer_protocol_policy=cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS
            ),
            domain_names=[self.domain_name, "www." + self.domain_name],
            certificate=self.certificate,

As for OAC, there is no documentation how to even do that with CloudFront distribution, I guess this I can post in a feature request issue.

Expected Behavior

Expected behavior is to have Legacy access set to the origin OAI you just created,

image

Current Behavior

Current behavior is to set nothing, and thus the distribution doesnt link to your S3.
image

Reproduction Steps

I already provided the code in the description to reproduce.
But you also need an s3 bucket,

bucket = s3.Bucket(self, "MyBucket",
                           bucket_name=self.resource_name('s3'),
                           website_index_document=self.index_page
                           )
        s3_deployment = s3deploy.BucketDeployment(self, 'DeployWebsite',
            sources=[s3deploy.Source.asset('./homepage')],
            destination_bucket=bucket
        )

Possible Solution

I'm not sure whats broken but i see online documentation for typescript, https://aws-cdk.com/deploying-a-static-website-using-s3-and-cloudfront, but somehow it does not work to do it in python.

Additional Information/Context

No response

CDK CLI Version

aws-cdk-lib==2.99.1

Framework Version

python

Node.js Version

v20.8.0

OS

mac os

Language

Python

Language Version

Python 3.9.13

Other information

No response
@aramatev aramatev added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 1, 2023
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront Related to Amazon CloudFront label Nov 1, 2023
@shorn
Copy link

shorn commented Nov 4, 2023
edited
Loading

OAI will only work if you "remove the website configuration from the bucket": #22451 (comment)
I use TypeScript, but I had the same issue until I removed the website config from the bucket, then it worked.

OAC support has an open issue, but it looks like it's gotten derailed: #21771

@pahud
Copy link
Contributor

pahud commented Nov 10, 2023

@shorn thank you for chiming in.

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 10, 2023
@github-actions GitHub Actions
Copy link

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Nov 12, 2023
@github-actions github-actions bot mentioned this issue Dec 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/medium Medium work item – several days of effort p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@shorn @pahud @aramatev