runway.blueprints.staticsite.auth_at_edge module

Blueprint for the Authorization@Edge implementation of a Static Site.

Described in detail in this blog post: https://aws.amazon.com/blogs/networking-and-content-delivery/authorizationedge-how-to-use-lambdaedge-and-json-web-tokens-to-enhance-web-application-security/

class runway.blueprints.staticsite.auth_at_edge.AuthAtEdge

Bases: runway.blueprints.staticsite.staticsite.StaticSite

Auth@Edge Blueprint.

__init__(name: str, context: runway.context.CfnginContext, mappings: Optional[Dict[str, Dict[str, Any]]] = None, description: Optional[str] = None) -> None

Initialize the Blueprint.

Parameters
  • name – A name for the blueprint.

  • context – Context the blueprint is being executed under.

  • mappings – CloudFormation Mappings to be used in the template.

  • description – Used to describe the resulting CloudFormation template.

create_template() -> None

Create the Blueprinted template for Auth@Edge.

get_auth_at_edge_lambda_and_ver(title: str, description: str, handle: str, role: troposphere.iam.Role) -> Dict[str, Any]

Create a lambda function and its version.

Parameters
  • title – The name of the function in PascalCase.

  • description – Description to be displayed in the lambda panel.

  • handle – The underscore-separated representation of the name of the lambda. This handle is used to determine the handler for the lambda as well as to identify the correct Code hook_data information.

  • role – The Lambda Execution Role.

get_auth_at_edge_lambda(title: str, description: str, handler: str, role: troposphere.iam.Role) -> troposphere.awslambda.Function

Create an Auth@Edge lambda resource.

Parameters
  • title – The name of the function in PascalCase.

  • description – Description to be displayed in the lambda panel.

  • handler – The underscore-separated representation of the name of the lambda. This handle is used to determine the handler for the lambda as well as to identify the correct Code hook_data information.

  • role – The Lambda Execution Role.

add_version(title: str, lambda_function: troposphere.awslambda.Function) -> troposphere.awslambda.Version

Create a version association with a Lambda@Edge function.

To ensure that different versions of the function are appropriately uploaded, a hash based on the code of the lambda is appended to the name. As the code changes, so will this hash value.

Parameters
  • title – The name of the function in PascalCase.

  • lambda_function – The Lambda function.
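The naming scheme described for add_version matters because a Lambda@Edge association must reference a specific published version, and an AWS::Lambda::Version resource publishes a version only when it is created. The sketch below is an added example, not Runway's own code: the function names, the choice of SHA-256, the 16-character truncation and the sample handler bytes are all assumptions made for illustration.

```python
"""Added illustration: content-hashed logical IDs for Lambda@Edge versions."""
import hashlib
from typing import Any, Dict, List


def versioned_title(title: str, code: bytes, digest_len: int = 16) -> str:
    """Return ``title`` with a hex digest of the function code appended.

    CloudFormation logical IDs must be alphanumeric, so hex is safe to append.
    SHA-256 and the 16-character truncation are assumptions of this example.
    """
    if not title.isalnum():
        raise ValueError("logical IDs must be alphanumeric: %r" % title)
    return title + hashlib.sha256(code).hexdigest()[:digest_len]


def version_resource(title: str, function_id: str, code: bytes) -> Dict[str, Any]:
    """Build a template fragment holding one AWS::Lambda::Version resource."""
    return {
        versioned_title(title, code): {
            "Type": "AWS::Lambda::Version",
            "Properties": {"FunctionName": {"Ref": function_id}},
        }
    }


def replaced_versions(old: Dict[str, Any], new: Dict[str, Any]) -> Dict[str, List[str]]:
    """Report which Version logical IDs a stack update would add or remove."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }


# Constructed sample inputs: two revisions of a hypothetical token-checking handler.
CODE_V1 = b"def handler(event, context):\n    return check_token(event)\n"
CODE_V2 = b"def handler(event, context):\n    return check_token(event, leeway=0)\n"

if __name__ == "__main__":
    before = version_resource("CheckAuthVer", "CheckAuth", CODE_V1)
    after = version_resource("CheckAuthVer", "CheckAuth", CODE_V2)
    # Unchanged code keeps the same logical ID, so no new version is published.
    print(replaced_versions(before, before))
    # Changed code yields a new logical ID, so the update publishes a new version.
    print(replaced_versions(before, after))
```

With a fixed logical ID, an update that only changes the function code would leave the distribution pointing at the previously published auth handler.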

get_distribution_options(bucket: troposphere.s3.Bucket, oai: troposphere.cloudfront.CloudFrontOriginAccessIdentity, lambda_funcs: List[troposphere.cloudfront.LambdaFunctionAssociation], check_auth_lambda_version: troposphere.awslambda.Version, http_headers_lambda_version: troposphere.awslambda.Version, parse_auth_lambda_version: troposphere.awslambda.Version, refresh_auth_lambda_version: troposphere.awslambda.Version, sign_out_lambda_version: troposphere.awslambda.Version) -> Dict[str, Any]

Retrieve the options for our CloudFront distribution.

Keyword Arguments
  • bucket – The bucket resource.

  • oai – The origin access identity resource.

  • lambda_funcs – List of Lambda Function associations.

  • check_auth_lambda_version – Lambda Function Version to use.

  • http_headers_lambda_version – Lambda Function Version to use.

  • parse_auth_lambda_version – Lambda Function Version to use.

  • refresh_auth_lambda_version – Lambda Function Version to use.

  • sign_out_lambda_version – Lambda Function Version to use.

Returns

The CloudFront Distribution Options.

__new__(**kwargs)

property acm_certificate_specified: bool

ACM Certificate specified conditional.

add_acm_cert() -> Union[cloudfront.ViewerCertificate, Ref]

Add ACM cert.

add_aliases() -> Union[List[str], Ref]

Add aliases.

add_bucket() -> troposphere.s3.Bucket

Add the bucket resource along with an output of its name / website URL.

Returns

The bucket resource.

add_bucket_policy(bucket: troposphere.s3.Bucket) -> troposphere.s3.BucketPolicy

Add a policy to the bucket if CloudFront is disabled. Ensure PublicRead.

Parameters

bucket – The bucket resource to place the policy.

Returns

The Bucket Policy Resource.

add_cloudfront_bucket_policy(bucket: troposphere.s3.Bucket, oai: troposphere.cloudfront.CloudFrontOriginAccessIdentity) -> troposphere.s3.BucketPolicy

Given a bucket and OAI resource, add CloudFront access to the bucket.

Keyword Arguments
  • bucket – A bucket resource.

  • oai – An Origin Access Identity resource.

Returns

The CloudFront Bucket access resource.

add_cloudfront_directory_index_rewrite(role: troposphere.iam.Role) -> troposphere.awslambda.Function

Add a CloudFront directory index rewrite lambda function to the template.

Keyword Arguments

role – The index rewrite role resource.

Returns

The CloudFront directory index rewrite lambda function resource.

add_cloudfront_directory_index_rewrite_version(directory_index_rewrite: troposphere.awslambda.Function) -> troposphere.awslambda.Version

Add a specific version to the directory index rewrite lambda.

Parameters

directory_index_rewrite – The directory index rewrite lambda resource.

Returns

The CloudFront directory index rewrite version.

add_cloudfront_distribution(bucket_policy: troposphere.s3.BucketPolicy, cloudfront_distribution_options: Dict[str, Any]) -> troposphere.cloudfront.Distribution

Add the CloudFront distribution to the template / output the id and domain name.

Parameters
  • bucket_policy – Bucket policy to allow CloudFront access.

  • cloudfront_distribution_options – The distribution options.

Returns

The CloudFront Distribution resource.

add_lambda_execution_role(name: str = 'LambdaExecutionRole', function_name: str = '') -> troposphere.iam.Role

Create the Lambda@Edge execution role.

Parameters
  • name – Name for the Lambda Execution Role.

  • function_name – Name of the Lambda Function the Role will be attached to.

add_logging_bucket() -> Union[cloudfront.Logging, Ref]

Add Logging Bucket.

add_origin_access_identity() -> troposphere.cloudfront.CloudFrontOriginAccessIdentity

Add the origin access identity resource to the template.

add_output(name: str, value: Any) -> None

Add an output to the template.

Wrapper for self.template.add_output(Output(name, Value=value)).

Parameters
  • name – The name of the output to create.

  • value – The value to put in the output.

add_web_acl() -> Union[str, Ref]

Add Web ACL.

property aliases_specified: bool

Aliases are specified conditional.

property cf_enabled: bool

CloudFront enabled conditional.

property cf_logging_enabled: bool

CloudFront Logging specified conditional.

property cfn_parameters: Dict[str, Union[List[Any], str]]

Return a dict of variables with type CFNType.

New in version 2.0.0.

Returns

Variables that need to be submitted as CloudFormation Parameters.

property defined_variables: Dict[str, BlueprintVariableTypeDef]

Return a copy of VARIABLES to avoid accidental modification of the ClassVar.

Changed in version 2.0.0: Changed from a method to a property.

property directory_index_specified: bool

Directory Index specified conditional.

get_cfn_parameters() -> Dict[str, Union[List[Any], str]]

Return a dictionary of variables with type CFNType.

Deprecated since version 2.0.0: Replaced by cfn_parameters.

Returns

Variables that need to be submitted as CloudFormation Parameters.

get_cloudfront_distribution_options(bucket: troposphere.s3.Bucket, oai: troposphere.cloudfront.CloudFrontOriginAccessIdentity, lambda_function_associations: List[troposphere.cloudfront.LambdaFunctionAssociation]) -> Dict[str, Any]

Retrieve the options for our CloudFront distribution.

Parameters
  • bucket – The bucket resource.

  • oai – The origin access identity resource.

  • lambda_function_associations – List of Lambda Function associations.

Returns

The CloudFront Distribution Options.

static get_directory_index_lambda_association(lambda_associations: List[troposphere.cloudfront.LambdaFunctionAssociation], directory_index_rewrite_version: troposphere.awslambda.Version) -> List[troposphere.cloudfront.LambdaFunctionAssociation]

Retrieve the directory index lambda associations with the added rewriter.

Parameters
  • lambda_associations – The lambda associations.

  • directory_index_rewrite_version – The directory index rewrite version.

get_lambda_associations() -> List[troposphere.cloudfront.LambdaFunctionAssociation]

Retrieve any lambda associations from the instance variables.

get_output_definitions() -> Dict[str, Dict[str, Any]]

Get the output definitions.

Deprecated since version 2.0.0: Replaced by output_definitions.

Returns

Output definitions. Keys are output names, the values are dicts containing key/values for various output properties.

get_parameter_definitions() -> Dict[str, BlueprintVariableTypeDef]

Get the parameter definitions to submit to CloudFormation.

Any variable definition whose type is an instance of CFNType will be returned as a CloudFormation Parameter.

Deprecated since version 2.0.0: Replaced by parameter_definitions.

Returns

Parameter definitions. Keys are parameter names, the values are dicts containing key/values for various parameter properties.

get_parameter_values() -> Dict[str, Union[List[Any], str]]

Return a dict of variables with type CFNType.

Deprecated since version 2.0.0: Replaced by parameter_values.

Returns

Variables that need to be submitted as CloudFormation Parameters. Will be a dictionary of <parameter name>: <parameter value>.

get_required_parameter_definitions() -> Dict[str, BlueprintVariableTypeDef]

Return all template parameters that do not have a default value.

Deprecated since version 2.0.0: Replaced by required_parameter_definitions.

Returns

Dict of required CloudFormation Parameters for the blueprint. Will be a dictionary of <parameter name>: <parameter attributes>.

get_variables() -> Dict[str, Any]

Return a dictionary of variables available to the template.

These variables will have been defined within VARIABLES or self.defined_variables. Any variable value that contains a lookup will have been resolved.

Deprecated since version 2.0.0: Replaced by variables.

Returns

Variables available to the template.

Raises

UnresolvedBlueprintVariables – If variables are unresolved.

import_mappings() -> None

Import mappings from CFNgin config to the blueprint.

property output_definitions: Dict[str, Dict[str, Any]]

Get the output definitions.

New in version 2.0.0.

Returns

Output definitions. Keys are output names, the values are dicts containing key/values for various output properties.

property parameter_definitions: Dict[str, BlueprintVariableTypeDef]

Get the parameter definitions to submit to CloudFormation.

Any variable definition whose type is an instance of CFNType will be returned as a CloudFormation Parameter.

New in version 2.0.0.

Returns

Parameter definitions. Keys are parameter names, the values are dicts containing key/values for various parameter properties.

property parameter_values: Dict[str, Union[List[Any], str]]

Return a dict of variables with type CFNType.

New in version 2.0.0.

Returns

Variables that need to be submitted as CloudFormation Parameters. Will be a dictionary of <parameter name>: <parameter value>.

read_user_data(user_data_path: str) -> str

Read and parse a user_data file.

Parameters

user_data_path – Path to the userdata file.

render_template() -> Tuple[str, str]

Render the Blueprint to a CloudFormation template.

property rendered: str

Return rendered blueprint.

property required_parameter_definitions: Dict[str, BlueprintVariableTypeDef]

Return all template parameters that do not have a default value.

New in version 2.0.0.

Returns

Dict of required CloudFormation Parameters for the blueprint. Will be a dictionary of <parameter name>: <parameter attributes>.

property requires_change_set: bool

Return true if the underlying template has transforms.

reset_template() -> None

Reset template.

resolve_variables(provided_variables: List[runway.variables.Variable]) -> None

Resolve the values of the blueprint variables.

This will resolve the values of the VARIABLES with values from the env file, the config, and any lookups resolved.

Parameters

provided_variables – List of provided variables.

property role_boundary_specified: bool

IAM Role Boundary specified conditional.

set_template_description(description: str) -> None

Add a description to the Template.

Parameters

description – A description to be added to the resulting template.

setup_parameters() -> None

Add any CloudFormation parameters to the template.

to_json(variables: Optional[Dict[str, Any]] = None) -> str

Render the blueprint and return the template in JSON form.

Parameters

variables – Dictionary providing/overriding variable values.

property variables: Dict[str, Any]

Return a Dict of variables available to the Template.

These variables will have been defined within VARIABLES or defined_variables. Any variable value that contains a Lookup will have been resolved.

New in version 2.0.0.

Returns

Variables available to the Template.

Raises

UnresolvedBlueprintVariables – If variables are unresolved.

property version: str

Template version.

property waf_name_specified: bool

WAF name specified conditional.