From 9de586e82a15c3c274292b635a12f532a93810cd Mon Sep 17 00:00:00 2001 From: Krishan Thisera Date: Thu, 19 Oct 2023 11:22:20 +1030 Subject: [PATCH 1/4] DO-1554: use task role instead of the access key pair to access the s3 bucket --- packages/prerender-fargate/index.ts | 7 ++++++- .../prerender-fargate/lib/prerender-fargate.ts | 16 ++++------------ 2 files changed, 10 insertions(+), 13 deletions(-) diff --git a/packages/prerender-fargate/index.ts b/packages/prerender-fargate/index.ts index ea3f8229..10b6b010 100644 --- a/packages/prerender-fargate/index.ts +++ b/packages/prerender-fargate/index.ts @@ -1,4 +1,9 @@ import { PrerenderFargate } from "./lib/prerender-fargate"; import { PrerenderFargateOptions } from "./lib/prerender-fargate-options"; +import { PrerenderTokenUrlAssociationProps as PrerenderTokenUrlAssociationOptions } from "./lib/recaching/prerender-tokens"; -export { PrerenderFargate, PrerenderFargateOptions }; +export { + PrerenderFargate, + PrerenderFargateOptions, + PrerenderTokenUrlAssociationOptions, +}; diff --git a/packages/prerender-fargate/lib/prerender-fargate.ts b/packages/prerender-fargate/lib/prerender-fargate.ts index bd8e0b49..e17fe81c 100644 --- a/packages/prerender-fargate/lib/prerender-fargate.ts +++ b/packages/prerender-fargate/lib/prerender-fargate.ts @@ -115,15 +115,6 @@ export class PrerenderFargate extends Construct { blockPublicAccess: BlockPublicAccess.BLOCK_ALL, }); - // Configure access to the bucket for the container - const user = new User(this, "PrerenderAccess"); - this.bucket.grantReadWrite(user); - - const accessKey = new AccessKey(this, "PrerenderAccessKey", { - user: user, - serial: 1, - }); - const vpcLookup = vpcId ? { vpcId: vpcId } : { isDefault: true }; const vpc = ec2.Vpc.fromLookup(this, "vpc", vpcLookup); 
@@ -165,8 +156,6 @@ export class PrerenderFargate extends Construct { containerPort: 3000, environment: { S3_BUCKET_NAME: this.bucket.bucketName, - AWS_ACCESS_KEY_ID: accessKey.accessKeyId, - AWS_SECRET_ACCESS_KEY: accessKey.secretAccessKey.unsafeUnwrap(), AWS_REGION: Stack.of(this).region, ENABLE_REDIRECT_CACHE: enableRedirectCache || "false", TOKEN_LIST: tokenList.toString(), @@ -188,7 +177,10 @@ export class PrerenderFargate extends Construct { ), } ); - + + // Grant S3 Bucket access to the task role + this.bucket.grantReadWrite(fargateService.taskDefinition.taskRole); + // As the prerender service will return a 401 on all unauthorised requests // It should be considered healthy when receiving a 401 response fargateService.targetGroup.configureHealthCheck({ From 560b055f3b7e9f66d0db02609feb9265fe621cd3 Mon Sep 17 00:00:00 2001 From: Krishan Thisera Date: Thu, 19 Oct 2023 12:32:59 +1030 Subject: [PATCH 2/4] DO-1554: remove unused imports --- packages/prerender-fargate/lib/prerender-fargate.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/packages/prerender-fargate/lib/prerender-fargate.ts b/packages/prerender-fargate/lib/prerender-fargate.ts index e17fe81c..43d76a18 100644 --- a/packages/prerender-fargate/lib/prerender-fargate.ts +++ b/packages/prerender-fargate/lib/prerender-fargate.ts @@ -6,7 +6,6 @@ import { Certificate } from "aws-cdk-lib/aws-certificatemanager"; import { HostedZone } from "aws-cdk-lib/aws-route53"; import { Bucket, BlockPublicAccess } from "aws-cdk-lib/aws-s3"; import * as ecrAssets from "aws-cdk-lib/aws-ecr-assets"; -import { AccessKey, User } from "aws-cdk-lib/aws-iam"; import { Duration, RemovalPolicy, Stack } from "aws-cdk-lib"; import * as path from "path"; import { PrerenderTokenUrlAssociation } from "./recaching/prerender-tokens"; From fd0e7d5db7a43cd6c78b0ca4f8fe12fa166ffa5b Mon Sep 17 00:00:00 2001 
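Review bot: The added `this.bucket.grantReadWrite(fargateService.taskDefinition.taskRole);` in the `@@ -188,7 +177,10 @@` hunk gives the task role more than a page cache obviously needs, because in CDK `grantReadWrite` also allows object deletion and applies to every key in the bucket. The container code is not visible here, so this needs confirming, but if the prerender service only gets and puts cached pages, narrower grants would limit what a compromised renderer could do to the bucket: `this.bucket.grantRead(fargateService.taskDefinition.taskRole);` and `this.bucket.grantPut(fargateService.taskDefinition.taskRole);`. The comment could also record the assumption the change relies on, for example `// Task role replaces the static IAM user key; the container must resolve credentials via the default SDK provider chain`. The constructor that holds this call starts and ends outside the hunk.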
From: Krishan Thisera Date: Thu, 19 Oct 2023 12:38:38 +1030 Subject: [PATCH 3/4] DO-1554: fix some formatting issues --- packages/prerender-fargate/lib/prerender-fargate.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/prerender-fargate/lib/prerender-fargate.ts b/packages/prerender-fargate/lib/prerender-fargate.ts index 43d76a18..2868112e 100644 --- a/packages/prerender-fargate/lib/prerender-fargate.ts +++ b/packages/prerender-fargate/lib/prerender-fargate.ts @@ -176,10 +176,10 @@ export class PrerenderFargate extends Construct { ), } ); - + // Grant S3 Bucket access to the task role this.bucket.grantReadWrite(fargateService.taskDefinition.taskRole); - + // As the prerender service will return a 401 on all unauthorised requests // It should be considered healthy when receiving a 401 response fargateService.targetGroup.configureHealthCheck({ From ccafe9f0623caf9a19089be14180d843b4233d41 Mon Sep 17 00:00:00 2001 From: Krishan Thisera Date: Thu, 19 Oct 2023 13:10:25 +1030 Subject: [PATCH 4/4] DO-1554: fix some inconsistencies on variable naming --- packages/prerender-fargate/index.ts | 2 +- packages/prerender-fargate/lib/prerender-fargate-options.ts | 4 ++-- packages/prerender-fargate/lib/recaching/prerender-tokens.ts | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/packages/prerender-fargate/index.ts b/packages/prerender-fargate/index.ts index 10b6b010..e00f084e 100644 --- a/packages/prerender-fargate/index.ts +++ b/packages/prerender-fargate/index.ts @@ -1,6 +1,6 @@ import { PrerenderFargate } from "./lib/prerender-fargate"; import { PrerenderFargateOptions } from "./lib/prerender-fargate-options"; -import { PrerenderTokenUrlAssociationProps as PrerenderTokenUrlAssociationOptions } from "./lib/recaching/prerender-tokens"; +import { PrerenderTokenUrlAssociationOptions } from "./lib/recaching/prerender-tokens"; export { PrerenderFargate, 
diff --git a/packages/prerender-fargate/lib/prerender-fargate-options.ts b/packages/prerender-fargate/lib/prerender-fargate-options.ts index e71f728f..a90a320c 100644 --- a/packages/prerender-fargate/lib/prerender-fargate-options.ts +++ b/packages/prerender-fargate/lib/prerender-fargate-options.ts @@ -1,4 +1,4 @@ -import { PrerenderTokenUrlAssociationProps } from "./recaching/prerender-tokens"; +import { PrerenderTokenUrlAssociationOptions } from "./recaching/prerender-tokens"; /** * Options for configuring the Prerender Fargate construct. @@ -77,5 +77,5 @@ export interface PrerenderFargateOptions { * } * ``` */ - tokenUrlAssociation?: PrerenderTokenUrlAssociationProps; + tokenUrlAssociation?: PrerenderTokenUrlAssociationOptions; } diff --git a/packages/prerender-fargate/lib/recaching/prerender-tokens.ts b/packages/prerender-fargate/lib/recaching/prerender-tokens.ts index 0153f4c5..ff36d3b0 100644 --- a/packages/prerender-fargate/lib/recaching/prerender-tokens.ts +++ b/packages/prerender-fargate/lib/recaching/prerender-tokens.ts @@ -12,7 +12,7 @@ interface TokenUrlAssociation { /** * Interface for associating a token with a URL for prerendering. */ -export interface PrerenderTokenUrlAssociationProps extends StackProps { +export interface PrerenderTokenUrlAssociationOptions extends StackProps { /** * Object containing the token and its associated URL. * ### Example @@ -46,7 +46,7 @@ export class PrerenderTokenUrlAssociation extends Stack { constructor( scope: Construct, id: string, - props: PrerenderTokenUrlAssociationProps + props: PrerenderTokenUrlAssociationOptions ) { super(scope, id, props);