(cloudfront): Add support for ResponseHeadersPolicy

[ayush987goyal]

Description

Add support for ResponseHeadersPolicy as described in the following docs:

1. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/creating-response-headers-policies.html
2. https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-cloudfront-supports-cors-security-custom-http-response-headers/

Use Case

We need to be able to configure response CORS, headers and security policies without using cloudfront functions or Lambda@edge.

Proposed Solution

The ResponseHeadersPolicy should be available as a new construct under the @aws-cdk/aws-cloudfront construct library.

Other information

No response

Acknowledge

• I may be able to implement this feature request
• This feature might incur a breaking change

[peterwoodworth]

It doesn't look like CloudFormation has made any changes to CloudFront for this, and I don't see any issues for it in the coverage roadmap.

@ayush987goyal you say you might be able to implement this, do you have any plans on how you might do that?

[ayush987goyal]

@peterwoodworth Sorry for jumping the gun and getting too excited too fast. I, or perhaps anyone else, would only be able to implement once the CFN support for it lands of course 😅 .

[peterwoodworth]

Got it 😄 just wanted to make sure I wasn't missing anything

[robertd]

Hot off the press: https://twitter.com/cfnupdates/status/1456452444406358019?s=21

edit: And here is the actual link to the cfn docs. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-responseheaderspolicy.html

[ayush987goyal]

@robertd Awesome! Now waiting on the CFN autogenerated L1 constructs to get updated in the cdk modules.

How frequently does the CFN update happen in CDK @robertd ?

[ayush987goyal]

Well, with the #17350 merged there is AWS::CloudFront::ResponseHeadersPolicy added to the spec but the AWS::CloudFront::Distribution CacheBehavior is not updated with ResponseHeadersPolicyId. Alas, we would need to wait for it to be added in a new spec bump. But we could get started with creating a resource for the ResponseHeadersPolicy at the least

[robertd]

@ayush987goyal Sorry I was out yesterday. I’m glad you figured out how to bump the cfn specs. We’re one step closer now yay 🎉

[ayush987goyal]

@robertd Thanks! Was wondering if it is common for the spec JSON cdn (https://d1uauaxba7bl26.cloudfront.net/latest/gzip/CloudFormationResourceSpecification.json) does not update even though the CFN docs are updated with all the changes?

[ayush987goyal]

Another spec bump PR should now address this: #17482

[dimon89ch]

Guys thanks for working on ResponseHeadersPolicy !

[y4nnick]

Thanks for working on this! :)

In the meantime, is there a way to set the ResponseHeadersPolicy via some Escape hatches as defined here: https://docs.aws.amazon.com/cdk/latest/guide/cfn_layer.html ?

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[mspolitaev]

Hi team! As i understnd it's only L1 construct? Don't want rewrite all our L2 to L1. Is it planned make available as L2 too? Or how we can combine L2 Behavior construct with this one ResponseHeaders policy? Thanks.

[robertd]

@mspolitaev It is L2 construct, but it's currently only available in v2.1.0. It should be available in v1.3.5 when it gets released.

[mspolitaev]

@robertd Oh cool, it's 1.134 now latest? Hope soon will be 1.135. We will wait then. Thanks.

[ChrsWoo]

Hi all,

Can I please double check that this has been confirmed to be working as expected according to the docs here: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-cloudfront.ResponseHeadersPolicy.html#static-security_headers

We're seeing our ResponseHeadersPolicy being created but it isn't being applied to our Cloudfront Distribution with this setup:

const responseHeadersPolicy = new ResponseHeadersPolicy(...);

const distribution = new Distribution(this, "DistName", {
    defaultBehavior: {
        origin: new S3Origin(bucket),
        cachePolicy: CachePolicy.CACHING_DISABLED,
        responseHeadersPolicy: responseHeadersPolicy,
    }
});

Just wanted to check whether others have had success with a setup like this?

[austin-payne]

We're seeing our ResponseHeadersPolicy being created but it isn't being applied to our Cloudfront Distribution

Same here, and even if set manually it's reset when the stack is deployed again

[robertd]

@ChrsWoo Can you please create new GitHub issue for better visibility.

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.