
cloudfront_origins: Built-in lookup for CloudFront VPC origin security group? #33812

Open
1 of 2 tasks
athewsey opened this issue Mar 18, 2025 · 1 comment
Labels
@aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@athewsey

Describe the feature

It could really help with my user code readability if the pattern mentioned here for looking up the ID of CloudFront's VPC Security Group could be embedded directly into the VpcOrigin construct or elsewhere in one of the CloudFront CDK packages?

Use Case

I'm connecting a CloudFront Distribution to an ALB in my VPC using CloudFront VPC Origins, and trying to grant least-privilege ingress access to the ALB's security group via SecurityGroup.addIngressRule(...): Only allowing connections from the CloudFront service.

It's great that the CDK docs mention a pattern for looking up CloudFront's generated SG with a Custom Resource (since the alternative EC2 prefix list approach requires you to know the prefix list ID for your specific AWS Region)... But it would be better if this pattern could be pushed into the library itself to simplify usage?

Proposed Solution

As I understand (?) the security group is 1/ only generated if/when VPC origin(s) are configured, and 2/ shared between any CloudFront distributions connecting to that VPC.

Some possible places it could be added I can think of include:

  • A property on Distribution like vpcOriginSecurityGroupId (presumably that does a lazy check during synthesis and throws an error if it's referenced when none of the origins in the distribution are VPC Origins?)
  • A stand-alone construct/resource in aws-cloudfront-origins that takes a distribution and a VPC as props maybe?

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.180.0

Environment details (OS name and version, etc.)

MacOS 15.3

@athewsey athewsey added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Mar 18, 2025
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library label Mar 18, 2025
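The lookup the issue is asking the library to absorb, written out as an added example (not code from the issue, the CDK docs, or the CDK library): the logic a Lambda-backed custom resource runs to resolve CloudFront's VPC origin security group for a given VPC, including the two failure modes a practitioner should guard against before pointing an ALB ingress rule at the result. Assumptions: CloudFront names the group `CloudFront-VPCOrigins-Service-SG` (the name CloudFront uses at the time of writing; check your account), the EC2 client exposes `describeSecurityGroups` with the AWS SDK v3 shape, and the fake client, sample groups and VPC/SG IDs are constructed for the example.

```typescript
// Added example, not code from the issue or from aws-cdk-lib. Resolves the CloudFront
// VPC origin security group ID for one VPC the way a custom resource handler would.
// Assumptions: the group name below (verify in your account), an EC2 client with the
// AWS SDK v3 describeSecurityGroups shape; sample data and the fake client are constructed.

export const VPC_ORIGIN_SG_NAME = 'CloudFront-VPCOrigins-Service-SG';

export interface SecurityGroupSummary {
  GroupId?: string;
  GroupName?: string;
  VpcId?: string;
}

export interface SgFilter {
  Name: string;
  Values: string[];
}

export interface Ec2Like {
  describeSecurityGroups(params: { Filters: SgFilter[] }): Promise<{ SecurityGroups?: SecurityGroupSummary[] }>;
}

// Filter on both vpc-id and group-name: the name alone is not unique across VPCs.
export function vpcOriginSgFilters(vpcId: string): SgFilter[] {
  return [
    { Name: 'vpc-id', Values: [vpcId] },
    { Name: 'group-name', Values: [VPC_ORIGIN_SG_NAME] },
  ];
}

// Picks the single group ID out of an EC2 response. Throws when the group does not exist
// yet (CloudFront only creates it once a VPC origin in this VPC has been deployed) or when
// the result is ambiguous, so the ingress rule is never pointed at a guessed group.
export function selectVpcOriginSecurityGroupId(groups: SecurityGroupSummary[], vpcId: string): string {
  const ids = groups
    .filter((g) => g.VpcId === vpcId && g.GroupName === VPC_ORIGIN_SG_NAME)
    .map((g) => g.GroupId)
    .filter((id): id is string => typeof id === 'string');
  if (ids.length === 0) {
    throw new Error(`${VPC_ORIGIN_SG_NAME} not found in ${vpcId}; deploy a VPC origin there first`);
  }
  if (ids.length > 1) {
    throw new Error(`expected one ${VPC_ORIGIN_SG_NAME} in ${vpcId}, found ${ids.length}`);
  }
  return ids[0];
}

export async function findVpcOriginSecurityGroupId(ec2: Ec2Like, vpcId: string): Promise<string> {
  const resp = await ec2.describeSecurityGroups({ Filters: vpcOriginSgFilters(vpcId) });
  return selectVpcOriginSecurityGroupId(resp.SecurityGroups ?? [], vpcId);
}

// Minimal CloudFormation custom-resource handler shape. Create/Update resolve the ID and
// return it under Data.SecurityGroupId; Delete is a no-op because CloudFront owns the group.
export interface CfnEvent {
  RequestType: 'Create' | 'Update' | 'Delete';
  ResourceProperties: { VpcId: string };
  PhysicalResourceId?: string;
}

export async function handler(
  event: CfnEvent,
  ec2: Ec2Like,
): Promise<{ PhysicalResourceId: string; Data: { SecurityGroupId?: string } }> {
  const vpcId = event.ResourceProperties.VpcId;
  const physicalId = `${VPC_ORIGIN_SG_NAME}/${vpcId}`;
  if (event.RequestType === 'Delete') {
    return { PhysicalResourceId: event.PhysicalResourceId ?? physicalId, Data: {} };
  }
  const groupId = await findVpcOriginSecurityGroupId(ec2, vpcId);
  return { PhysicalResourceId: physicalId, Data: { SecurityGroupId: groupId } };
}

// Constructed stand-in for the EC2 API that applies the same two filters server-side.
export function makeFakeEc2(groups: SecurityGroupSummary[]): Ec2Like {
  return {
    async describeSecurityGroups({ Filters }) {
      const want = (name: string) => Filters.find((f) => f.Name === name)?.Values ?? [];
      return {
        SecurityGroups: groups.filter(
          (g) => want('vpc-id').includes(g.VpcId ?? '') && want('group-name').includes(g.GroupName ?? ''),
        ),
      };
    },
  };
}

// Constructed sample: the target VPC holds the CloudFront group plus an unrelated ALB group,
// and a second VPC holds a same-named group that must not be returned.
export const SAMPLE_GROUPS: SecurityGroupSummary[] = [
  { GroupId: 'sg-0aaaaaaaaaaaaaaaa', GroupName: 'alb-sg', VpcId: 'vpc-0123456789abcdef0' },
  { GroupId: 'sg-0bbbbbbbbbbbbbbbb', GroupName: VPC_ORIGIN_SG_NAME, VpcId: 'vpc-0123456789abcdef0' },
  { GroupId: 'sg-0cccccccccccccccc', GroupName: VPC_ORIGIN_SG_NAME, VpcId: 'vpc-0fedcba9876543210' },
];

export async function demo(): Promise<string> {
  const out = await handler(
    { RequestType: 'Create', ResourceProperties: { VpcId: 'vpc-0123456789abcdef0' } },
    makeFakeEc2(SAMPLE_GROUPS),
  );
  return out.Data.SecurityGroupId ?? ''; // 'sg-0bbbbbbbbbbbbbbbb'
}
```

In a CDK stack the same `describeSecurityGroups` call is normally declared with `AwsCustomResource` from `aws-cdk-lib/custom-resources` (in `onCreate`/`onUpdate`) rather than hand-written, with the ID read back via `getResponseField('SecurityGroups.0.GroupId')`; two things carry over from the handler above: the custom resource needs `node.addDependency(distribution)` so the group already exists when the lookup runs, and the resulting ID should feed a rule scoped to the listener port only, e.g. `albSg.addIngressRule(ec2.Peer.securityGroupId(sgId), ec2.Port.tcp(443))`, rather than a 0.0.0.0/0 or all-ports rule.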
@pahud
Contributor

pahud commented Mar 18, 2025

Sounds good to me to simplify the usage. We welcome more inputs and any PR is appreciated!

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Mar 18, 2025
@pahud pahud changed the title (aws_cloudfront_origins): Built-in lookup for CloudFront VPC origin security group? cloudfront_origins: Built-in lookup for CloudFront VPC origin security group? Mar 18, 2025