tb_pulumi.cloudfront

Infrastructural patterns related to AWS CloudFront.

class tb_pulumi.cloudfront.CloudFrontDistribution(name: str, project: ThunderbirdPulumiProject, logging_bucket_name: str, distribution: dict = {}, forcibly_destroy_bucket: bool = False, opts: ResourceOptions = None, **kwargs)

Bases: ThunderbirdComponentResource

Pulumi Type: tb:cloudfront:CloudFrontDistribution

Builds a CloudFront Distribution with logging to an S3 bucket.

Produces the following resources:

  • cloudfront_distribution - aws.cloudfront.Distribution that serves the service bucket content over a CDN and produces output logs in the logging bucket.

  • invalidation_policy - aws.iam.Policy that allows an IAM entity to create cache invalidations in the CloudFront Distribution, which must be done when the contents of the service bucket are updated. This is not attached to any entities; it exists for developer use when setting up CI flows.

  • logging_bucket - aws.s3.Bucket in which to store the access logs for the service bucket.

  • logging_bucket_acl - aws.s3.BucketAclV2 allowing CloudFront to control the logging bucket via the AWS account’s canonical user.

  • logging_bucket_ownership - aws.s3.BucketOwnershipControls which allow CloudFront to upload logs into the logging bucket.

Parameters:

  • name (str) – A string identifying this set of resources.

  • project (tb_pulumi.ThunderbirdPulumiProject) – The ThunderbirdPulumiProject to add these resources to.

  • logging_bucket_name (str) – Name of the S3 bucket which holds access logs for the distribution.

  • distribution (dict, optional) – A mapping of CloudFront Distribution Resource inputs . Defaults to {}.

  • forcibly_destroy_bucket (bool, optional) – When True, pulumi actions which destroy the logging bucket will cause the bucket to be fully emptied beforehand, permanently destroying all data in the bucket. Defaults to False.

  • opts (pulumi.ResourceOptions, optional) – Additional pulumi.ResourceOptions to apply to these resources. Defaults to None.

  • kwargs – Any other keyword arguments which will be passed as inputs to the ThunderbirdComponentResource resource.

class tb_pulumi.cloudfront.CloudFrontS3Service(name: str, project: ThunderbirdPulumiProject, certificate_arn: str, service_bucket_name: str, default_function_associations: dict = {}, distribution: dict = {}, forcibly_destroy_buckets: bool = False, origins: list[dict] = [], opts: ResourceOptions = None, **kwargs)

Bases: ThunderbirdComponentResource

Pulumi Type: tb:cloudfront:CloudFrontS3Service

Serve the static contents of an S3 bucket over a CloudFront Distribution.

Produces the following resources:

  • service_bucket - aws.s3.Bucket in which to store the static content to be served over the CloudFront Distribution.

  • logging_bucket - aws.s3.Bucket in which to store the access logs for the service bucket.

  • logging_bucket_ownership - aws.s3.BucketOwnershipControls which allow CloudFront to upload logs into the logging bucket.

  • logging_bucket_acl - aws.s3.BucketAclV2 allowing CloudFront to control the logging bucket via the AWS account’s canonical user.

  • origin_access_control - aws.cloudfront.OriginAccessControl allowing the CloudFront Distribution to serve the service bucket’s content via CDN.

  • cloudfront_distribution - aws.cloudfront.Distribution that serves the service bucket content over a CDN and produces output logs in the logging bucket.

  • service_bucket_policy - aws.s3.BucketPolicy allowing the CloudFront Distribution read access to the objects in the service bucket.

  • invalidation_policy - aws.iam.Policy that allows an IAM entity to create cache invalidations in the CloudFront Distribution, which must be done when the contents of the service bucket are updated. This is not attached to any entities; it exists for developer use when setting up CI flows.

Parameters:

  • name (str) – A string identifying this set of resources.

  • project (tb_pulumi.ThunderbirdPulumiProject) – The ThunderbirdPulumiProject to add these resources to.

  • certificate_arn (str) – The ARN of the ACM certificate used for TLS in this distribution. AWS CloudFront SSL requires that this certificate exist in the us-east-1 region.

  • service_bucket_name (str) – The name of the S3 bucket to store the static content in. This must be globally unique within the entire S3 ecosystem.

  • default_function_associations (list[dict]) – Defines the function associations for the default cache behavior.

  • distribution (dict, optional) – Additional parameters to pass to the aws.cloudfront.Distribution constructor. Defaults to {}.

  • forcibly_destroy_buckets (bool, optional) – When True, the service bucket and logging bucket will both be forcibly emptied - all their contents destroyed beyond recovery - when the bucket resource is destroyed. This is dangerous, as it bypasses protections against data loss. Only enable this for volatile environments. Defaults to False.

  • origins (list[dict], optional) – List of DistributionOrigin objects to add. This list should not include any references to the S3 bucket, which is managed by this module. Defaults to [].

  • opts (pulumi.ResourceOptions, optional) – Additional pulumi.ResourceOptions to apply to these resources. Defaults to None.

  • kwargs – Any other keyword arguments which will be passed as inputs to the ThunderbirdComponentResource resource.