runway.blueprints.staticsite.auth_at_edge module

Blueprint for the Authorization@Edge implementation of a Static Site.

Described in detail in this blogpost: https://aws.amazon.com/blogs/networking-and-content-delivery/authorizationedge-how-to-use-lambdaedge-and-json-web-tokens-to-enhance-web-application-security/

class runway.blueprints.staticsite.auth_at_edge.AuthAtEdge(name, context, mappings=None, description=None)

Bases: runway.blueprints.staticsite.staticsite.StaticSite

Auth@Edge Blueprint.

Initialize the Blueprint.

Parameters
  • name (str) – The name of the stack.

  • context (Context) – The CFNgin Context object.

  • mappings (Union(None, Dict)) – Blueprint mappings.

  • description (Union(None, str)) – The description of the stack.

IAM_ARN_PREFIX = 'arn:aws:iam::aws:policy/service-role/'
AUTH_VARIABLES – Blueprint variables specific to Auth@Edge:
  • NonSPAMode (bool, default: False) – Whether Auth@Edge should omit SPA specific settings.

  • OAuthScopes (list, default: []) – OAuth2 Scopes.

  • PriceClass (str, default: 'PriceClass_100') – CF price class for the distribution.

  • RedirectPathAuthRefresh (str, default: '/refreshauth') – The URL path that should handle the JWT refresh request.

  • RedirectPathSignIn (str, default: '/parseauth') – Auth@Edge: The URL that should handle the redirect from Cognito after sign-in.

  • SignOutUrl (str, default: '/signout') – The URL path that you can visit to sign-out.
VARIABLES = {}
create_template()

Create the Blueprinted template for Auth@Edge.

get_auth_at_edge_lambda_and_ver(title, description, handle, role)

Create a lambda function and its version.

Parameters
  • title (str) – The name of the function in PascalCase.

  • description (str) – Description to be displayed in the lambda panel.

  • handle (str) – The underscore-separated representation of the name of the lambda. This handle is used to determine the handler for the lambda as well as to identify the correct Code hook_data information.

  • role (IAM.Role) – The Lambda Execution Role.

get_auth_at_edge_lambda(title, description, handler, role)

Create an Auth@Edge lambda resource.

Parameters
  • title (str) – The name of the function in PascalCase.

  • description (str) – Description to be displayed in the lambda panel.

  • handler (str) – The underscore-separated representation of the name of the lambda. This handler name is used to determine the handler for the lambda as well as to identify the correct Code hook_data information.

  • role (IAM.Role) – The Lambda Execution Role.

add_version(title, lambda_function)

Create a version association with a Lambda@Edge function.

In order to ensure that different versions of the function are appropriately uploaded, a hash based on the code of the lambda is appended to the name. As the code changes, so will this hash value, which yields a new version resource instead of an in-place update.

Parameters
  • title (str) – The name of the function in PascalCase.

  • lambda_function (awslambda.Function) – The Lambda function.
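The naming scheme described above, as an added illustration that is not runway's own code: the version logical ID is derived from a hash of the function code, so unchanged code maps to the same ID while any code change produces a new one. The sample code bytes, the `Ver` infix and the 8-character hash length are assumptions made here.

```python
import hashlib
import re

# Constructed sample Lambda code bytes, standing in for what the Code hook
# would supply; not taken from runway.
CHECK_AUTH_CODE_V1 = b"exports.handler = async (event) => verifyJwt(event);"
CHECK_AUTH_CODE_V2 = b"exports.handler = async (event) => verifyJwt(event, {strict: true});"

LOGICAL_ID_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")


def code_hash(code: bytes, length: int = 8) -> str:
    """Short deterministic fingerprint of the function code (assumed length)."""
    return hashlib.sha256(code).hexdigest()[:length]


def version_logical_id(title: str, code: bytes) -> str:
    """Build a CloudFormation logical ID for the function's Lambda version.

    CloudFormation logical IDs must be alphanumeric, and a published version
    is immutable, so a changed hash deliberately yields a new resource
    rather than an update of the existing one.
    """
    if not LOGICAL_ID_RE.fullmatch(title):
        raise ValueError(f"title must be alphanumeric PascalCase, got {title!r}")
    return f"{title}Ver{code_hash(code)}"


def version_resource(title: str, code: bytes) -> dict:
    """Return the AWS::Lambda::Version resource keyed by its hashed logical ID."""
    return {
        version_logical_id(title, code): {
            "Type": "AWS::Lambda::Version",
            "Properties": {"FunctionName": {"Ref": title}},
        }
    }


if __name__ == "__main__":
    for code in (CHECK_AUTH_CODE_V1, CHECK_AUTH_CODE_V1, CHECK_AUTH_CODE_V2):
        print(version_logical_id("CheckAuth", code))
```

Running the block prints the same logical ID twice for the unchanged code and a different one once the code changes.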

get_distribution_options(bucket, oai, lambda_funcs, check_auth_lambda_version, http_headers_lambda_version, parse_auth_lambda_version, refresh_auth_lambda_version, sign_out_lambda_version)

Retrieve the options for our CloudFront distribution.

Keyword Arguments
  • bucket – The bucket resource.

  • oai – The origin access identity resource.

  • lambda_funcs – List of Lambda Function associations.

  • check_auth_lambda_version – Lambda Function Version to use.

  • http_headers_lambda_version – Lambda Function Version to use.

  • parse_auth_lambda_version – Lambda Function Version to use.

  • refresh_auth_lambda_version – Lambda Function Version to use.

  • sign_out_lambda_version – Lambda Function Version to use.

Returns

The CloudFront Distribution Options.