From 8d6302e6405065ec4e604d3c562add413debed41 Mon Sep 17 00:00:00 2001
From: Jonathon Herbert
Date: Wed, 10 Apr 2024 08:56:46 +0100
Subject: [PATCH 1/3] Don't cache the checker healthcheck endpoint
---
 cdk/lib/index.ts | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/cdk/lib/index.ts b/cdk/lib/index.ts
index 36987df6a..c5b2db31f 100644
--- a/cdk/lib/index.ts
+++ b/cdk/lib/index.ts
@@ -214,14 +214,16 @@ EOF
 parameters.CheckerCertificate.valueAsString
 );
 
+ const checkerOrigin = new LoadBalancerV2Origin(checkerApp.loadBalancer, {
+ protocolPolicy: OriginProtocolPolicy.HTTPS_ONLY,
+ });
+
 const checkerCloudFrontDistro = new Distribution(
 this,
 "typerighter-cloudfront",
 {
 defaultBehavior: {
- origin: new LoadBalancerV2Origin(checkerApp.loadBalancer, {
- protocolPolicy: OriginProtocolPolicy.HTTPS_ONLY,
- }),
+ origin: checkerOrigin,
 allowedMethods: AllowedMethods.ALLOW_ALL,
 cachePolicy: new CachePolicy(
 this,
@@ -248,6 +250,8 @@ EOF
 }
 );
 
+ checkerCloudFrontDistro.addBehavior("/healthcheck", checkerOrigin, { cachePolicy: CachePolicy.CACHING_DISABLED });
+
 const checkerDnsRecord = new GuDnsRecordSet(this, "checker-dns-records", {
 name: checkerDomain,
 recordType: RecordType.CNAME,
From 1a9dd9dc0bd7a0c8aec5ca42f200e131ee6ba677 Mon Sep 17 00:00:00 2001
From: Jonathon Herbert
Date: Wed, 10 Apr 2024 09:02:36 +0100
Subject: [PATCH 2/3] Remove caching from cloudfront distribution
---
 cdk/lib/__snapshots__/index.test.ts.snap | 37 +----------------------
 cdk/lib/index.ts | 23 ++-------------
 2 files changed, 3 insertions(+), 57 deletions(-)
diff --git a/cdk/lib/__snapshots__/index.test.ts.snap b/cdk/lib/__snapshots__/index.test.ts.snap
index 542f8e815..3c2f87c8b 100644
--- a/cdk/lib/__snapshots__/index.test.ts.snap
+++ b/cdk/lib/__snapshots__/index.test.ts.snap
@@ -1767,39 +1767,6 @@ exports[`The typerighter stack matches the snapshot 1`] = `
 },
 "Type": "AWS::EC2::SecurityGroupEgress",
 },
- "checkercloudfrontcachepolicyC5791389": {
- "Properties": {
- "CachePolicyConfig": {
- "DefaultTTL": 86400,
- "MaxTTL": 31536000,
- "MinTTL": 0,
- "Name": "checker-cloudfront-cache-policy-TEST",
- "ParametersInCacheKeyAndForwardedToOrigin": {
- "CookiesConfig": {
- "CookieBehavior": "all",
- },
- "EnableAcceptEncodingBrotli": false,
- "EnableAcceptEncodingGzip": false,
- "HeadersConfig": {
- "HeaderBehavior": "whitelist",
- "Headers": [
- "Host",
- "Origin",
- "Access-Control-Request-Headers",
- "Access-Control-Request-Method",
- "X-Gu-Tools-HMAC-Token",
- "X-Gu-Tools-HMAC-Date",
- "X-Gu-Tools-Service-Name",
- ],
- },
- "QueryStringsConfig": {
- "QueryStringBehavior": "all",
- },
- },
- },
- },
- "Type": "AWS::CloudFront::CachePolicy",
- },
 "checkerdnsrecords": {
 "Properties": {
 "Name": "checker.test.dev-gutools.co.uk",
@@ -2325,9 +2292,7 @@ EOF
 "POST",
 "DELETE",
 ],
- "CachePolicyId": {
- "Ref": "checkercloudfrontcachepolicyC5791389",
- },
+ "CachePolicyId": "4135ea2d-6df8-44a3-9df3-4b5a84be39ad",
 "Compress": true,
 "TargetOriginId": "typerightertyperightercloudfrontOrigin1DFFB56FA",
 "ViewerProtocolPolicy": "allow-all",
diff --git a/cdk/lib/index.ts b/cdk/lib/index.ts
index c5b2db31f..dae706f4e 100644
--- a/cdk/lib/index.ts
+++ b/cdk/lib/index.ts
@@ -225,33 +225,14 @@ EOF
 defaultBehavior: {
 origin: checkerOrigin,
 allowedMethods: AllowedMethods.ALLOW_ALL,
- cachePolicy: new CachePolicy(
- this,
- "checker-cloudfront-cache-policy",
- {
- cachePolicyName: `checker-cloudfront-cache-policy-${this.stage}`,
- cookieBehavior: CacheCookieBehavior.all(),
- headerBehavior: CacheHeaderBehavior.allowList(
- "Host",
- "Origin",
- "Access-Control-Request-Headers",
- "Access-Control-Request-Method",
- "X-Gu-Tools-HMAC-Token",
- "X-Gu-Tools-HMAC-Date",
- "X-Gu-Tools-Service-Name"
- ),
- queryStringBehavior: CacheQueryStringBehavior.all(),
- }
- ),
+ cachePolicy: CachePolicy.CACHING_DISABLED
 },
 domainNames: [checkerDomain],
 logBucket: cloudfrontBucket,
 certificate: checkerCertificate,
 }
 );
-
- checkerCloudFrontDistro.addBehavior("/healthcheck", checkerOrigin, { cachePolicy: CachePolicy.CACHING_DISABLED });
-
+
 const checkerDnsRecord = new GuDnsRecordSet(this, "checker-dns-records", {
 name: checkerDomain,
 recordType: RecordType.CNAME,
From aca4db0754fc5c23855eff2993581c2c5ec94776 Mon Sep 17 00:00:00 2001
From: Jonathon Herbert
Date: Thu, 23 Jan 2025 12:34:24 +0000
Subject: [PATCH 3/3] Add ALL_VIEWER OriginRequestPolicy, necessary to pass request params on to LB
---
 cdk/lib/__snapshots__/index.test.ts.snap | 1 +
 cdk/lib/index.ts | 8 +++-----
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/cdk/lib/__snapshots__/index.test.ts.snap b/cdk/lib/__snapshots__/index.test.ts.snap
index 3c2f87c8b..b893d8d33 100644
--- a/cdk/lib/__snapshots__/index.test.ts.snap
+++ b/cdk/lib/__snapshots__/index.test.ts.snap
@@ -2294,6 +2294,7 @@ EOF
 ],
 "CachePolicyId": "4135ea2d-6df8-44a3-9df3-4b5a84be39ad",
 "Compress": true,
+ "OriginRequestPolicyId": "216adef6-5c7f-47e4-b989-5492eafa07d3",
 "TargetOriginId": "typerightertyperightercloudfrontOrigin1DFFB56FA",
 "ViewerProtocolPolicy": "allow-all",
 },
diff --git a/cdk/lib/index.ts b/cdk/lib/index.ts
index dae706f4e..d38b8a07c 100644
--- a/cdk/lib/index.ts
+++ b/cdk/lib/index.ts
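Review bot: Replacing the custom policy with `cachePolicy: CachePolicy.CACHING_DISABLED` while setting no originRequestPolicy on the default behavior means CloudFront forwards to the load balancer only what the cache policy puts in the cache key, and the managed CachingDisabled policy includes no headers, cookies or query strings — so the `Origin`, `Access-Control-Request-*`, `X-Gu-Tools-HMAC-*` and `X-Gu-Tools-Service-Name` headers, the cookies and the query strings the removed `allowList` forwarded no longer reach the origin. If the checker validates those HMAC headers at the origin, authenticated requests would fail at this commit. Patch 3/3 on this page adds `originRequestPolicy: OriginRequestPolicy.ALL_VIEWER`, which restores forwarding, so the two commits should not be deployed separately; folding that line into this change, or adding `// must be paired with an originRequestPolicy: CACHING_DISABLED forwards nothing from the viewer by itself` above the CACHING_DISABLED line, would keep an intermediate deploy from silently dropping them. The enclosing Distribution construction starts outside the hunk.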
@@ -3,7 +3,6 @@ import {
 Duration,
 RemovalPolicy,
 SecretValue,
- Tags,
 } from "aws-cdk-lib";
 import { Certificate } from "aws-cdk-lib/aws-certificatemanager";
 import type { GuStackProps } from "@guardian/cdk/lib/constructs/core/stack";
@@ -22,12 +21,10 @@ import { InstanceType, Port, SubnetType } from "aws-cdk-lib/aws-ec2";
 import { GuS3Bucket } from "@guardian/cdk/lib/constructs/s3";
 import {
 AllowedMethods,
- CacheCookieBehavior,
- CacheHeaderBehavior,
 CachePolicy,
- CacheQueryStringBehavior,
 Distribution,
 OriginProtocolPolicy,
+ OriginRequestPolicy,
 } from "aws-cdk-lib/aws-cloudfront";
 import { LoadBalancerV2Origin } from "aws-cdk-lib/aws-cloudfront-origins";
 import {
@@ -225,7 +222,8 @@ EOF
 defaultBehavior: {
 origin: checkerOrigin,
 allowedMethods: AllowedMethods.ALLOW_ALL,
- cachePolicy: CachePolicy.CACHING_DISABLED
+ cachePolicy: CachePolicy.CACHING_DISABLED,
+ originRequestPolicy: OriginRequestPolicy.ALL_VIEWER
 },
 domainNames: [checkerDomain],
 logBucket: cloudfrontBucket,
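Review bot: The pairing of `cachePolicy: CachePolicy.CACHING_DISABLED` with `originRequestPolicy: OriginRequestPolicy.ALL_VIEWER` in the last hunk is load-bearing but undocumented at the call site: the managed CachingDisabled policy alone forwards no viewer headers, cookies or query strings, so a later edit that drops the origin request policy as redundant would again strip the `X-Gu-Tools-HMAC-*` headers that patch 2/3 stopped forwarding. Suggest a comment above the two lines: `// CACHING_DISABLED forwards nothing from the viewer by itself; ALL_VIEWER is what carries headers (incl. X-Gu-Tools-HMAC-*), cookies and query strings through to the load balancer.` Separately, ALL_VIEWER now relays every viewer header and cookie to the origin while the snapshot for this behavior still shows `"ViewerProtocolPolicy": "allow-all"`, so those values are also accepted from plain-HTTP viewers; if the HMAC headers are meant to stay confidential in transit, `viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS` (not currently imported from aws-cloudfront) on the default behavior is worth considering in a follow-up. The enclosing Distribution construction starts and ends outside the hunk.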