CloudFront: OriginGroup configuration is ignored by CDK #32450

Closed
1 task
emre-gon opened this issue Dec 9, 2024 · 4 comments
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront bug This issue is a bug. p3

Comments

@emre-gon

emre-gon commented Dec 9, 2024

Describe the bug

OriginGroup configuration is ignored by CDK. Instead, the distribution gets associated with the primary origin only.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

After deploying the stack, the distribution should have the origin group as the origin.

Current Behavior

After deploying the stack, the distribution gets origin1 as the origin.

Reproduction Steps

  • Create two origins with names 'origin1' and 'origin2'

    this.origin1 = S3BucketOrigin.withOriginAccessControl(this.originBucket, {
      originId: 'origin1',
      originAccessControlId: this.oac.ref,
    });
    this.origin2 = S3BucketOrigin.withOriginAccessControl(this.originBucket, {
      originId: 'origin2',
      originAccessControlId: this.oac.ref,
    });

  • Create an origin group with primary=origin1 and fallbackOrigin=origin2

    this.originGroup = new OriginGroup({
      primaryOrigin: this.origin1,
      fallbackOrigin: this.origin2,
      fallbackStatusCodes: [403, 404, 500, 502],
    });

  • Create a distribution, associate the origin group as the origin of the default

    const distribution = new Distribution(this, 'Distribution', {
      priceClass: PriceClass.PRICE_CLASS_ALL,
      enabled: true,
      defaultBehavior: {
        origin: this.originGroup,
        allowedMethods: AllowedMethods.ALLOW_ALL,
      }
    });

Possible Solution

Probably related to OriginGroup not having a Name/Id field
#32449

Additional Information/Context

No response

CDK CLI Version

2.162.1

Framework Version

No response

Node.js Version

18

OS

Linux

Language

TypeScript

Language Version

No response

Other information

No response

@emre-gon emre-gon added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 9, 2024
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront Related to Amazon CloudFront label Dec 9, 2024
@ashishdhingra ashishdhingra self-assigned this Dec 9, 2024
@ashishdhingra ashishdhingra added p2 needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Dec 9, 2024
@ashishdhingra
Contributor

@emre-gon Good afternoon. Thanks for opening the issue. Unfortunately, I'm unable to reproduce the issue using CDK version 2.171.1 (build a95560c). Below is the code:

import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
import * as cforigins from 'aws-cdk-lib/aws-cloudfront-origins';

export class CdktestStackNew extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const originBucket = new s3.Bucket(this, 'OriginBucket', {
      bucketName: `${cdk.Stack.of(this).stackName.toLowerCase()}-oacbucket`,
      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
      accessControl: s3.BucketAccessControl.PRIVATE,
      enforceSSL: true,
    });

    const origin1 = cforigins.S3BucketOrigin.withOriginAccessControl(originBucket, {
      originId: 'origin1'
    });

    const origin2 = cforigins.S3BucketOrigin.withOriginAccessControl(originBucket, {
      originId: 'origin2'
    });

    const originGroup = new cforigins.OriginGroup({
      primaryOrigin: origin1,
      fallbackOrigin: origin2,
      fallbackStatusCodes: [403, 404, 500, 502],
    });


    const distribution = new cloudfront.Distribution(this, 'Distribution', {
      priceClass: cloudfront.PriceClass.PRICE_CLASS_ALL,
      enabled: true,
      defaultBehavior: {
        origin: originGroup,
        allowedMethods: cloudfront.AllowedMethods.ALLOW_GET_HEAD_OPTIONS,
      }
    });
  }
}

Running cdk synth synthesizes the below CloudFormation template:

{
 "Resources": {
  "OriginBucketCA772B8F": {
   "Type": "AWS::S3::Bucket",
   "Properties": {
    "AccessControl": "Private",
    "BucketName": "cdkteststacknew-oacbucket",
    "PublicAccessBlockConfiguration": {
     "BlockPublicAcls": true,
     "BlockPublicPolicy": true,
     "IgnorePublicAcls": true,
     "RestrictPublicBuckets": true
    }
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "CdktestStackNew/OriginBucket/Resource"
   }
  },
  "OriginBucketPolicyFD67BA59": {
   "Type": "AWS::S3::BucketPolicy",
   "Properties": {
    "Bucket": {
     "Ref": "OriginBucketCA772B8F"
    },
    "PolicyDocument": {
     "Statement": [
      {
       "Action": "s3:*",
       "Condition": {
        "Bool": {
         "aws:SecureTransport": "false"
        }
       },
       "Effect": "Deny",
       "Principal": {
        "AWS": "*"
       },
       "Resource": [
        {
         "Fn::GetAtt": [
          "OriginBucketCA772B8F",
          "Arn"
         ]
        },
        {
         "Fn::Join": [
          "",
          [
           {
            "Fn::GetAtt": [
             "OriginBucketCA772B8F",
             "Arn"
            ]
           },
           "/*"
          ]
         ]
        }
       ]
      },
      {
       "Action": "s3:GetObject",
       "Condition": {
        "StringEquals": {
         "AWS:SourceArn": {
          "Fn::Join": [
           "",
           [
            "arn:",
            {
             "Ref": "AWS::Partition"
            },
            ":cloudfront::",
            {
             "Ref": "AWS::AccountId"
            },
            ":distribution/",
            {
             "Ref": "Distribution830FAC52"
            }
           ]
          ]
         }
        }
       },
       "Effect": "Allow",
       "Principal": {
        "Service": "cloudfront.amazonaws.com"
       },
       "Resource": {
        "Fn::Join": [
         "",
         [
          {
           "Fn::GetAtt": [
            "OriginBucketCA772B8F",
            "Arn"
           ]
          },
          "/*"
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    }
   },
   "Metadata": {
    "aws:cdk:path": "CdktestStackNew/OriginBucket/Policy/Resource"
   }
  },
  "DistributionOrigin1S3OriginAccessControlEB606076": {
   "Type": "AWS::CloudFront::OriginAccessControl",
   "Properties": {
    "OriginAccessControlConfig": {
     "Name": "CdktestStackNewDistributionOrigin1S3OriginAccessControl546947F0",
     "OriginAccessControlOriginType": "s3",
     "SigningBehavior": "always",
     "SigningProtocol": "sigv4"
    }
   },
   "Metadata": {
    "aws:cdk:path": "CdktestStackNew/Distribution/Origin1/S3OriginAccessControl/Resource"
   }
  },
  "DistributionOrigin2S3OriginAccessControlDC470594": {
   "Type": "AWS::CloudFront::OriginAccessControl",
   "Properties": {
    "OriginAccessControlConfig": {
     "Name": "CdktestStackNewDistributionOrigin2S3OriginAccessControlEFC91E57",
     "OriginAccessControlOriginType": "s3",
     "SigningBehavior": "always",
     "SigningProtocol": "sigv4"
    }
   },
   "Metadata": {
    "aws:cdk:path": "CdktestStackNew/Distribution/Origin2/S3OriginAccessControl/Resource"
   }
  },
  "Distribution830FAC52": {
   "Type": "AWS::CloudFront::Distribution",
   "Properties": {
    "DistributionConfig": {
     "DefaultCacheBehavior": {
      "AllowedMethods": [
       "GET",
       "HEAD",
       "OPTIONS"
      ],
      "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
      "Compress": true,
      "TargetOriginId": "CdktestStackNewDistributionOriginGroup1861F5C9B",
      "ViewerProtocolPolicy": "allow-all"
     },
     "Enabled": true,
     "HttpVersion": "http2",
     "IPV6Enabled": true,
     "OriginGroups": {
      "Items": [
       {
        "FailoverCriteria": {
         "StatusCodes": {
          "Items": [
           403,
           404,
           500,
           502
          ],
          "Quantity": 4
         }
        },
        "Id": "CdktestStackNewDistributionOriginGroup1861F5C9B",
        "Members": {
         "Items": [
          {
           "OriginId": "origin1"
          },
          {
           "OriginId": "origin2"
          }
         ],
         "Quantity": 2
        }
       }
      ],
      "Quantity": 1
     },
     "Origins": [
      {
       "DomainName": {
        "Fn::GetAtt": [
         "OriginBucketCA772B8F",
         "RegionalDomainName"
        ]
       },
       "Id": "origin1",
       "OriginAccessControlId": {
        "Fn::GetAtt": [
         "DistributionOrigin1S3OriginAccessControlEB606076",
         "Id"
        ]
       },
       "S3OriginConfig": {
        "OriginAccessIdentity": ""
       }
      },
      {
       "DomainName": {
        "Fn::GetAtt": [
         "OriginBucketCA772B8F",
         "RegionalDomainName"
        ]
       },
       "Id": "origin2",
       "OriginAccessControlId": {
        "Fn::GetAtt": [
         "DistributionOrigin2S3OriginAccessControlDC470594",
         "Id"
        ]
       },
       "S3OriginConfig": {
        "OriginAccessIdentity": ""
       }
      }
     ],
     "PriceClass": "PriceClass_All"
    }
   },
   "Metadata": {
    "aws:cdk:path": "CdktestStackNew/Distribution/Resource"
   }
  },
  "CDKMetadata": {
   "Type": "AWS::CDK::Metadata",
   "Properties": {
    "Analytics": "v2:deflate64:H4sIAAAAAAAA/3WLQQ6CMBBFz8K+jBZMdKu418ABDJRiBmon6bQS0/TuhmCiG1fv/5e8AuRegszamXPVT7nBDmLjWzWJduZb5BLiKahJe1EN9rNWXMmgen31+pNQhkI/OLIe4hnZO+yCR7KiKS8O72iPSmnmiqx3ZJb+j/6NU1pMrZmCUzoJS72GkTdPeYBiC7tsZMTcBevxoaFe+QYgp9Xa3QAAAA=="
   },
   "Metadata": {
    "aws:cdk:path": "CdktestStackNew/CDKMetadata/Default"
   }
  }
 },
 "Parameters": {
  "BootstrapVersion": {
   "Type": "AWS::SSM::Parameter::Value<String>",
   "Default": "/cdk-bootstrap/hnb659fds/version",
   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
  }
 },
 "Rules": {
  "CheckBootstrapVersion": {
   "Assertions": [
    {
     "Assert": {
      "Fn::Not": [
       {
        "Fn::Contains": [
         [
          "1",
          "2",
          "3",
          "4",
          "5"
         ],
         {
          "Ref": "BootstrapVersion"
         }
        ]
       }
      ]
     },
     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
    }
   ]
  }
 }
}

Deploying it shows the below result in CloudFormation console:
[Image: Screenshot 2024-12-09 at 3 27 44 PM]

Also, I'm unsure how you are able to use allowedMethods: AllowedMethods.ALLOW_ALL for your Distribution, since CloudFront fails over to the secondary origin only when the HTTP method of the viewer request is GET, HEAD, or OPTIONS. Using it gives me the error Resource handler returned message: "Invalid request provided: AWS::CloudFront::Distribution: The parameter AllowedMethods cannot include POST, PUT, PATCH, or DELETE for a cached behavior associated with an origin group." Probably, since you reported the issue using an older version of CDK, it's not actually creating an origin group.

Please try using the latest version of CDK and verify if it fixes the issue at your end.

Thanks,
Ashish

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 and removed p2 needs-reproduction This issue needs reproduction. labels Dec 9, 2024
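
The checks discussed in the comment above (does the behavior's TargetOriginId resolve to the origin group, and are only GET/HEAD/OPTIONS allowed on it) can be run against `cdk synth` output before deploying. This is an added example, not code from the thread or from the CDK project; `auditOriginGroups`, `sampleTemplate` and `Finding` are hypothetical names, the sample template is constructed from the IDs shown above, and the audit goes slightly beyond the thread by covering every cache behavior and the group's member references.

```typescript
// Added example: audit a synthesized CloudFormation template (plain JSON object).
type Finding = { distribution: string; behavior: string; issue: string };

// CloudFront only fails over for these viewer methods (per the comment above).
const FAILOVER_METHODS = new Set<string>(["GET", "HEAD", "OPTIONS"]);

function auditOriginGroups(template: any): Finding[] {
  const findings: Finding[] = [];
  const resources = template.Resources ?? {};
  for (const logicalId of Object.keys(resources)) {
    if (resources[logicalId].Type !== "AWS::CloudFront::Distribution") continue;
    const cfg = resources[logicalId].Properties?.DistributionConfig ?? {};
    const groups: any[] = cfg.OriginGroups?.Items ?? [];
    const originIds = new Set<string>((cfg.Origins ?? []).map((o: any) => o.Id));
    const groupIds = new Set<string>(groups.map((g: any) => g.Id));
    const add = (behavior: string, issue: string) =>
      findings.push({ distribution: logicalId, behavior, issue });

    const behaviors: [string, any][] = [["default", cfg.DefaultCacheBehavior]];
    for (const b of cfg.CacheBehaviors ?? []) behaviors.push([b.PathPattern, b]);
    for (const [name, b] of behaviors) {
      if (!b) continue;
      if (groupIds.has(b.TargetOriginId)) {
        const bad = (b.AllowedMethods ?? []).filter((m: string) => !FAILOVER_METHODS.has(m));
        if (bad.length) add(name, `origin group behavior allows ${bad.join(", ")}`);
      } else if (!originIds.has(b.TargetOriginId)) {
        add(name, `TargetOriginId ${b.TargetOriginId} matches no origin or origin group`);
      } else if (groups.length) {
        add(name, `targets single origin ${b.TargetOriginId}; declared origin group unused`);
      }
    }
    for (const g of groups) // every group member must be a declared origin
      for (const m of g.Members?.Items ?? [])
        if (!originIds.has(m.OriginId)) add(g.Id, `member ${m.OriginId} is not a declared origin`);
  }
  return findings;
}

// Constructed sample, trimmed to the fields the audit reads; IDs follow the template above.
const GROUP_ID = "CdktestStackNewDistributionOriginGroup1861F5C9B";
function sampleTemplate(targetOriginId: string, allowedMethods: string[]): any {
  return { Resources: { Distribution830FAC52: { Type: "AWS::CloudFront::Distribution",
    Properties: { DistributionConfig: {
      DefaultCacheBehavior: { AllowedMethods: allowedMethods, TargetOriginId: targetOriginId },
      OriginGroups: { Quantity: 1, Items: [{ Id: GROUP_ID,
        Members: { Quantity: 2, Items: [{ OriginId: "origin1" }, { OriginId: "origin2" }] } }] },
      Origins: [{ Id: "origin1" }, { Id: "origin2" }],
    } } } } };
}
```

A behavior that targets a single origin is only reported when the distribution also declares an origin group, which is the outcome described in the original report; in a multi-behavior distribution that finding may be intentional.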
@emre-gon
Author

Thanks for validation. You can resolve the ticket as it looks like this can be categorized as a feature request rather than a bug.

I described my current issue in detail here: #32449 (comment)

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Dec 10, 2024
@ashishdhingra
Contributor

> Thanks for validation. You can resolve the ticket as it looks like this can be categorized as a feature request rather than a bug.
>
> I described my current issue in detail here: #32449 (comment)

@emre-gon Closing this issue assuming that the issue is not reproducible using the latest version of CDK (as validated in #32450 (comment)).

@ashishdhingra ashishdhingra closed this as not planned Won't fix, can't repro, duplicate, stale Dec 10, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 10, 2024