feat: add CloudFront component

Exposing CloudFront as a independent component adds flexibility and
supports use cases such as multiple origins per distribution.
Three types of behaviors are supported:
- S3, tailored for S3 origins with auto-configuration including cache
policy oriented towards static assets and response headers policy with
security headers.
- LB, tailored for ALB origins with auto-configuration including cache
policy for dynamic content and response headers policy with security
headers.
- Custom, configurable option with by default disabled caching.

Author: droguljic

src/v2/components/cloudfront/index.ts

@@ -0,0 +1,386 @@
+import * as aws from '@pulumi/aws';
+import * as pulumi from '@pulumi/pulumi';
+import { commonTags } from '../../../constants';
+import { AcmCertificate } from '../../../components/acm-certificate';
+import { S3CacheStrategy } from './s3-cache-strategy';
+import { LbCacheStrategy } from './lb-cache-strategy';
+
+export enum BehaviorType {
+  S3 = 's3',
+  LB = 'lb',
+  CUSTOM = 'custom',
+}
+
+export namespace CloudFront {
+  type BehaviorBase = {
+    pathPattern: string;
+  };
+
+  export type S3Behavior = BehaviorBase & {
+    type: BehaviorType.S3;
+    bucket: pulumi.Input<aws.s3.Bucket>;
+    websiteConfig: pulumi.Input<aws.s3.BucketWebsiteConfigurationV2>;
+  };
+
+  export type LbBehavior = BehaviorBase & {
+    type: BehaviorType.LB;
+    loadBalancer: pulumi.Input<aws.lb.LoadBalancer>;
+  };
+
+  export type CustomBehavior = BehaviorBase & {
+    type: BehaviorType.CUSTOM;
+    originId: pulumi.Input<string>;
+    domainName: pulumi.Input<string>;
+    originProtocolPolicy?: pulumi.Input<string>;
+    allowedMethods?: pulumi.Input<pulumi.Input<string>[]>;
+    cachedMethods?: pulumi.Input<pulumi.Input<string>[]>;
+    compress?: pulumi.Input<boolean>;
+    cachePolicyId?: pulumi.Input<string>;
+    originRequestPolicyId?: pulumi.Input<string>;
+    responseHeadersPolicyId?: pulumi.Input<string>;
+  };
+
+  export type Behavior = S3Behavior | LbBehavior | CustomBehavior;
+
+  export type Args = {
+    /**
+     * Behavior is a combination of distribution's origin and cache behavior.
+     * Ordering is important since first encountered behavior is applied,
+     * matched by path.
+     * The default behavior, i.e. path pattern `*` or `/*`, must always be last.
+     * Mapping between behavior and cache is one to one, while origin is mapped
+     * by ID to filter out duplicates while keeping the last occurrence.
+     */
+    behaviors: Behavior[];
+    /**
+     * Domain name for CloudFront distribution. Implies creation of certificate
+     * and alias record. In case of subdomain, i.e., not mapped to a hosted
+     * zone, the `hostedZoneId` argument must be provided.
+     * Mutually exclusive with `certificate`.
+     */
+    domain?: pulumi.Input<string>;
+    /**
+     * ID of hosted zone is needed when the `domain` argument is actually a
+     * subdomain, meaning there is no hosted zone whose name is the domain.
+     */
+    hostedZoneId?: pulumi.Input<string>;
+    /**
+     * Certificate for CloudFront distribution. Domain and alternative domains
+     * are automatically pulled from the certificate.
+     * Mutually exclusive with `domain`.
+     */
+    certificate?: pulumi.Input<aws.acm.Certificate>;
+    tags?: pulumi.Input<{
+      [key: string]: pulumi.Input<string>;
+    }>;
+  };
+}
+
+export class CloudFront extends pulumi.ComponentResource {
+  name: string;
+  distribution: aws.cloudfront.Distribution;
+  acmCertificate?: AcmCertificate;
+  hostedZoneId?: pulumi.Output<string>;
+
+  constructor(
+    name: string,
+    args: CloudFront.Args,
+    opts: pulumi.ComponentResourceOptions = {},
+  ) {
+    super('studion:cf:CloudFront', name, args, opts);
+
+    this.name = name;
+
+    const { behaviors, domain, hostedZoneId, certificate, tags } = args;
+
+    if (domain && certificate) {
+      throw new Error(
+        'Provide either `domain` or `certificate`, but not both.',
+      );
+    }
+
+    const defaultBehavior = behaviors.at(-1);
+    const orderedBehaviors = behaviors.slice(0, -1);
+
+    if (!defaultBehavior || !isDefaultBehavior(defaultBehavior)) {
+      throw new Error('Default behavior must be placed last.');
+    }
+
+    if (domain) {
+      this.hostedZoneId = hostedZoneId
+        ? pulumi.output(hostedZoneId)
+        : aws.route53.getZoneOutput({ name: domain }).apply(zone => zone.id);
+      this.acmCertificate = this.createCertificate(domain);
+    }
+
+    this.distribution = this.createDistribution({
+      origins: this.createDistributionOrigins(behaviors),
+      defaultCache: this.getCacheBehavior(defaultBehavior),
+      orderedCaches: orderedBehaviors.length
+        ? orderedBehaviors.map(it => ({
+            pathPattern: it.pathPattern,
+            ...this.getCacheBehavior(it),
+          }))
+        : undefined,
+      hasDefaultRoot: isS3BehaviorType(defaultBehavior),
+      certificate:
+        certificate || this.acmCertificate
+          ? pulumi.output(certificate ?? this.acmCertificate!.certificate)
+          : undefined,
+      tags,
+    });
+
+    if (domain) {
+      this.createAliasRecord({ domain });
+    }
+
+    this.registerOutputs();
+  }
+
+  private createDistributionOrigins(
+    behaviors: CloudFront.Args['behaviors'],
+  ): pulumi.Output<aws.types.input.cloudfront.DistributionOrigin[]> {
+    return pulumi.all(behaviors.map(b => pulumi.output(b))).apply(entries => {
+      const origins = entries.map(it => {
+        if (isS3BehaviorType(it)) {
+          return getOriginWithDefaults({
+            originId: it.bucket.arn,
+            domainName: it.websiteConfig.websiteEndpoint,
+            customOriginConfig: {
+              originProtocolPolicy: 'http-only',
+            },
+          });
+        } else if (isLbBehaviorType(it)) {
+          return getOriginWithDefaults({
+            originId: it.loadBalancer.arn,
+            domainName: it.loadBalancer.dnsName,
+          });
+        } else if (isCustomBehaviorType(it)) {
+          return getOriginWithDefaults({
+            originId: it.originId,
+            domainName: it.domainName,
+            customOriginConfig: {
+              ...(it.originProtocolPolicy
+                ? { originProtocolPolicy: it.originProtocolPolicy }
+                : undefined),
+            },
+          });
+        } else {
+          throw new Error(
+            'Unknown CloudFront behavior encountered during mapping to distribution origins.',
+          );
+        }
+      });
+
+      // Remove duplicates, keeps the last occurrence of the origin
+      return [...new Map(origins.map(it => [it.originId, it])).values()];
+    });
+  }
+
+  private getCacheBehavior(
+    behavior: CloudFront.Behavior,
+  ): aws.types.input.cloudfront.DistributionDefaultCacheBehavior {
+    const isDefault = isDefaultBehavior(behavior);
+    const getStrategyName = (backend: string) =>
+      `${this.name}-${backend}-${isDefault ? 'default' : 'ordered'}-cache-strategy`;
+
+    if (isS3BehaviorType(behavior)) {
+      const strategy = new S3CacheStrategy(
+        getStrategyName('s3'),
+        { pathPattern: behavior.pathPattern, bucket: behavior.bucket },
+        { parent: this },
+      );
+
+      return strategy.config;
+    } else if (isLbBehaviorType(behavior)) {
+      const strategy = new LbCacheStrategy(
+        getStrategyName('lb'),
+        {
+          pathPattern: behavior.pathPattern,
+          loadBalancer: behavior.loadBalancer,
+        },
+        { parent: this },
+      );
+
+      return strategy.config;
+    } else if (isCustomBehaviorType(behavior)) {
+      return {
+        targetOriginId: behavior.originId,
+        allowedMethods: behavior.allowedMethods ?? [
+          'GET',
+          'HEAD',
+          'OPTIONS',
+          'PUT',
+          'POST',
+          'PATCH',
+          'DELETE',
+        ],
+        cachedMethods: behavior.cachedMethods ?? ['GET', 'HEAD'],
+        ...(behavior.compress != null && { compress: behavior.compress }),
+        viewerProtocolPolicy: 'redirect-to-https',
+        cachePolicyId:
+          behavior.cachePolicyId ??
+          aws.cloudfront
+            .getCachePolicyOutput({ name: 'Managed-CachingDisabled' })
+            .apply(p => p.id!),
+        originRequestPolicyId:
+          behavior.originRequestPolicyId ??
+          aws.cloudfront
+            .getOriginRequestPolicyOutput({ name: 'Managed-AllViewer' })
+            .apply(p => p.id!),
+        responseHeadersPolicyId:
+          behavior.responseHeadersPolicyId ??
+          aws.cloudfront
+            .getResponseHeadersPolicyOutput({
+              name: 'Managed-SecurityHeadersPolicy',
+            })
+            .apply(p => p.id),
+      };
+    } else {
+      throw new Error(
+        'Unknown CloudFront behavior encountered during mapping to distribution cache behaviors.',
+      );
+    }
+  }
+
+  private createCertificate(domain: CloudFront.Args['domain']): AcmCertificate {
+    return new AcmCertificate(
+      `${domain}-acm-certificate`,
+      {
+        domain: domain!,
+        hostedZoneId: this.hostedZoneId!,
+      },
+      { parent: this },
+    );
+  }
+
+  private createDistribution({
+    origins,
+    defaultCache,
+    orderedCaches,
+    certificate,
+    hasDefaultRoot,
+    tags,
+  }: CreateDistributionArgs): aws.cloudfront.Distribution {
+    return new aws.cloudfront.Distribution(
+      `${this.name}-cloudfront-distribution`,
+      {
+        enabled: true,
+        isIpv6Enabled: true,
+        waitForDeployment: true,
+        httpVersion: 'http2and3',
+        ...(hasDefaultRoot && { defaultRootObject: 'index.html' }),
+        ...(certificate
+          ? {
+              aliases: pulumi
+                .all([
+                  certificate.domainName,
+                  certificate.subjectAlternativeNames,
+                ])
+                .apply(([domain, alternativeDomains]) => [
+                  domain,
+                  ...alternativeDomains,
+                ]),
+              viewerCertificate: {
+                acmCertificateArn: certificate.arn,
+                sslSupportMethod: 'sni-only',
+                minimumProtocolVersion: 'TLSv1.2_2025',
+              },
+            }
+          : {
+              viewerCertificate: {
+                cloudfrontDefaultCertificate: true,
+              },
+            }),
+        origins,
+        defaultCacheBehavior: defaultCache,
+        ...(orderedCaches && { orderedCacheBehaviors: orderedCaches }),
+        priceClass: 'PriceClass_100',
+        restrictions: {
+          geoRestriction: { restrictionType: 'none' },
+        },
+        tags: { ...commonTags, ...tags },
+      },
+      { parent: this, aliases: [{ name: `${this.name}-cloudfront` }] },
+    );
+  }
+
+  private createAliasRecord({
+    domain,
+  }: Pick<Required<CloudFront.Args>, 'domain'>) {
+    return new aws.route53.Record(
+      `${this.name}-cloudfront-alias-record`,
+      {
+        type: 'A',
+        name: domain,
+        zoneId: this.hostedZoneId!,
+        aliases: [
+          {
+            name: this.distribution.domainName,
+            zoneId: this.distribution.hostedZoneId,
+            evaluateTargetHealth: true,
+          },
+        ],
+      },
+      { parent: this, aliases: [{ name: `${this.name}-cdn-route53-record` }] },
+    );
+  }
+}
+
+type CreateDistributionArgs = {
+  origins: pulumi.Output<aws.types.input.cloudfront.DistributionOrigin[]>;
+  defaultCache: aws.types.input.cloudfront.DistributionDefaultCacheBehavior;
+  orderedCaches?: aws.types.input.cloudfront.DistributionOrderedCacheBehavior[];
+  certificate?: pulumi.Output<aws.acm.Certificate>;
+  hasDefaultRoot: boolean;
+  tags: CloudFront.Args['tags'];
+};
+
+function isDefaultBehavior(value: CloudFront.Behavior) {
+  return value.pathPattern === '*' || value.pathPattern === '/';
+}
+
+function isS3BehaviorType(
+  value: CloudFront.Behavior,
+): value is CloudFront.S3Behavior {
+  return value.type === BehaviorType.S3;
+}
+
+function isLbBehaviorType(
+  value: CloudFront.Behavior,
+): value is CloudFront.LbBehavior {
+  return value.type === BehaviorType.LB;
+}
+
+function isCustomBehaviorType(
+  value: CloudFront.Behavior,
+): value is CloudFront.CustomBehavior {
+  return value.type === BehaviorType.CUSTOM;
+}
+
+function getOriginWithDefaults({
+  originId,
+  domainName,
+  customOriginConfig,
+}: Pick<
+  aws.types.input.cloudfront.DistributionOrigin,
+  'originId' | 'domainName'
+> & {
+  customOriginConfig?: Partial<
+    aws.types.input.cloudfront.DistributionOrigin['customOriginConfig']
+  >;
+}): aws.types.input.cloudfront.DistributionOrigin {
+  return {
+    originId,
+    domainName,
+    connectionAttempts: 3,
+    connectionTimeout: 10,
+    customOriginConfig: {
+      originProtocolPolicy: 'https-only',
+      httpPort: 80,
+      httpsPort: 443,
+      originSslProtocols: ['TLSv1.2'],
+      ...customOriginConfig,
+    },
+  };
+}