getlift / lift

Expanding Serverless Framework beyond functions using the AWS CDK
MIT License

Add distribution id to server side website #353

Open evo-chris opened 11 months ago

evo-chris commented 11 months ago

Output the CloudFront Distribution Id so it can be used for IAM policies

mnapoli commented 11 months ago

Hi, could you add some tests to cover the new feature?

robchett commented 10 months ago

Hi @mnapoli, I can't see anywhere that there are tests on the existing outputs (url, cname & assetsBucketName), or a way to verify they are accessible in the outputs of runServerless.

I've tried to see if I could infer they exist by referencing them in a template:

```ts
// Helpers from lift's test utilities (assumed path ../utils/runServerless).
import { baseConfig, runServerless } from "../utils/runServerless";

it("resolves the distribution id inside an IAM statement", async () => {
    const { cfTemplate, computeLogicalId } = await runServerless({
        command: "package",
        config: Object.assign(baseConfig, {
            provider: {
                name: "aws",
                iam: {
                    role: {
                        statements: [
                            {
                                Effect: "Allow",
                                Action: ["cloudfront:CreateInvalidation"],
                                // references the construct output this issue adds
                                Resource: [
                                    "arn:aws:cloudfront::${aws:accountId}:distribution/${construct:backend.distributionId}",
                                ],
                            },
                        ],
                    },
                },
            },
            constructs: {
                backend: {
                    type: "server-side-website",
                    assets: {
                        "/assets/*": "public",
                    },
                },
            },
        }),
    });
    // cfTemplate and computeLogicalId are available here for assertions on the packaged template
});
```

but while it will error if I mess with the object itself, it doesn't complain about an invalid reference.

I've also tried using a fixture:

```yaml
service: website
configValidationMode: error

provider:
    name: aws
    iam:
        role:
            statements:
                - Effect: Allow
                  Action:
                      - 'cloudfront:CreateInvalidation'
                  Resource:
                      - 'arn:aws:cloudfront::${aws:accountId}:distribution/${construct:website.distributionId}'

functions:
    http:
        handler: handler.handler

constructs:
    backend:
        type: server-side-website
        assets:
            "/assets/*": public
        errorPage: error.html
```

but the variables are not replaced:

```js
{
    Effect: 'Allow',
    Action: [ 'logs:PutLogEvents' ],
    Resource: [
        {
            'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/test-serverSideWebsite-2ol0dc8r-dev*:*:*'
        }
    ]
},
{
    Effect: 'Allow',
    Action: [ 'cloudfront:CreateInvalidation' ],
    Resource: 'arn:aws:cloudfront::${aws:accountId}:distribution/${construct:website.distributionId}'
}
```

Any thoughts on how to go about testing this?
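One way to make a test fail on exactly the situation shown above, added here as an example and not code from the lift project: walk every IAM role in the CloudFormation template that runServerless returns and report any policy statement whose Resource still carries a Serverless Framework placeholder such as `${construct:website.distributionId}`. The template object in the block is constructed by hand to mirror the pasted output; the role logical ID, policy name and function name in it are assumptions.

```javascript
"use strict";

// Added example (not lift's own code). Scans every AWS::IAM::Role in a packaged
// CloudFormation template for policy statements whose Resource still contains a
// Serverless Framework variable. A leftover "${construct:...}" means the variable
// was never resolved: the literal text would ship as the ARN, so the statement
// grants nothing useful, and inside Fn::Sub it would fail CloudFormation validation.

// Serverless variables are "${source:...}" with a lowercase source name (construct,
// aws, self, opt, env, sls, param, ...). CloudFormation's own Fn::Sub placeholders
// ("${AWS::Region}", "${LogicalId.Attr}") start with an uppercase letter or have no
// colon, so the pattern leaves them alone.
const SERVERLESS_PLACEHOLDER = /\$\{[a-z][A-Za-z0-9]*:[^}]*\}/g;

// Collect every string nested anywhere in a JSON-like value; Resource may be a
// string, an array, or an intrinsic such as { "Fn::Sub": "..." }.
function collectStrings(value, out = []) {
    if (typeof value === "string") {
        out.push(value);
    } else if (Array.isArray(value)) {
        value.forEach((item) => collectStrings(item, out));
    } else if (value !== null && typeof value === "object") {
        Object.values(value).forEach((item) => collectStrings(item, out));
    }
    return out;
}

// One finding per unresolved placeholder in the IAM role statements of the template.
// An empty array means the template is clean.
function findUnresolvedIamPlaceholders(template) {
    const findings = [];
    for (const [roleLogicalId, resource] of Object.entries(template.Resources || {})) {
        if (resource.Type !== "AWS::IAM::Role") continue;
        const policies = (resource.Properties && resource.Properties.Policies) || [];
        policies.forEach((policy, policyIndex) => {
            const statements = (policy.PolicyDocument && policy.PolicyDocument.Statement) || [];
            statements.forEach((statement, statementIndex) => {
                for (const text of collectStrings(statement.Resource)) {
                    for (const placeholder of text.match(SERVERLESS_PLACEHOLDER) || []) {
                        findings.push({ roleLogicalId, policyIndex, statementIndex, action: statement.Action, placeholder });
                    }
                }
            });
        });
    }
    return findings;
}

// Throws a readable error listing every finding; convenient as a single call in a Jest test.
function assertNoUnresolvedIamPlaceholders(template) {
    const findings = findUnresolvedIamPlaceholders(template);
    if (findings.length > 0) {
        const lines = findings.map(
            (f) => `${f.roleLogicalId} policy ${f.policyIndex} statement ${f.statementIndex} (${[].concat(f.action).join(",")}): ${f.placeholder}`
        );
        throw new Error("Unresolved Serverless variables in IAM statements:\n" + lines.join("\n"));
    }
}

// Constructed sample mirroring the shape of the output pasted in this thread: the logs
// statement is correctly rendered with Fn::Sub, the CloudFront statement still carries
// raw placeholders. Logical ID, policy name and function name are assumptions.
const SAMPLE_TEMPLATE = {
    Resources: {
        IamRoleLambdaExecution: {
            Type: "AWS::IAM::Role",
            Properties: {
                Policies: [
                    {
                        PolicyName: "dev-website-lambda",
                        PolicyDocument: {
                            Version: "2012-10-17",
                            Statement: [
                                {
                                    Effect: "Allow",
                                    Action: ["logs:PutLogEvents"],
                                    Resource: [{ "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/website-dev*:*:*" }],
                                },
                                {
                                    Effect: "Allow",
                                    Action: ["cloudfront:CreateInvalidation"],
                                    Resource: "arn:aws:cloudfront::${aws:accountId}:distribution/${construct:website.distributionId}",
                                },
                            ],
                        },
                    },
                ],
            },
        },
    },
};

console.log(JSON.stringify(findUnresolvedIamPlaceholders(SAMPLE_TEMPLATE), null, 2));
```

Run against the sample it reports two findings, both in the CloudFront statement (`${aws:accountId}` and `${construct:website.distributionId}`), while the Fn::Sub logs statement passes. In a lift unit test the same helper would be called with the `cfTemplate` object returned by runServerless, turning the silent "doesn't complain about an invalid reference" into a failing test.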

robchett commented 10 months ago

@mnapoli, we may have jumped the gun a little with this one. Do you know if `${construct:website.*}` is resolvable in IAM roles? We can see it output in environment variables, but in the IAM role it is an Object (Token), not a String.