Defined in: src/api-gateway-cloudfront-distribution/api-cloudfront-distribution.ts:288

CloudFront distribution fronting an API Gateway REST API, with DNS, logging, and optional monitoring integration.

Remarks

This construct:

  • Creates a centralized S3 access logs bucket (with OBJECT_WRITER ownership) for the distribution.
  • Provisions a cloudFront.Distribution with secure defaults (HTTP/3, HTTPS-only, TLSv1.2_2021), caching disabled for dynamic APIs, and the managed CORS-with-preflight response headers policy.
  • Optionally associates a Lambda@Edge version (e.g., at VIEWER_REQUEST).
  • Creates a Route 53 A-alias record targeting the distribution.
  • Applies RemovalPolicy.DESTROY to the distribution and alias record for easy teardown in ephemeral stages.
  • Adds cdk-nag suppressions for rules that are intentionally deferred (CFR1/CFR2) and for the central logs bucket (to avoid recursive S3 server access logging).
  • Monitoring integration: If ApiCloudFrontDistributionProps.monitoringFacade is provided, the construct will automatically register the created distribution by calling monitoringFacade.monitorCloudFrontDistribution({ distribution }). Use this to attach metrics, alarms, and dashboards without additional wiring in your stacks.

Important constraints

Defaults & opinions

  • AllowedMethods: ALLOW_ALL (APIs often use non-GET methods).
  • CachePolicy: CACHING_DISABLED (typical for dynamic APIs; adjust if your API is cacheable).
  • OriginRequestPolicy: ALL_VIEWER_EXCEPT_HOST_HEADER (forwards common viewer data minus Host).
  • ViewerProtocolPolicy: REDIRECT_TO_HTTPS.
  • ResponseHeadersPolicy: CORS_ALLOW_ALL_ORIGINS_WITH_PREFLIGHT (managed policy).
  • HttpVersion: HTTP3 enabled.
  • PriceClass: defaults to PRICE_CLASS_100 unless overridden in props.
  • Access logging is enabled and written to the construct-managed logs bucket.
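
A check for the defaults listed above, as an added example that is not part of this library: it audits a synthesized CloudFormation template (for example the JSON that cdk synth writes) for the documented settings. The function name, the finding strings and both sample templates are constructed for illustration.

```typescript
// Added example, not the library's code: audit a synthesized template for
// the distribution defaults documented on this page.
type Template = { Resources: Record<string, { Type: string; Properties?: any }> };

// ID of CloudFront's managed "CachingDisabled" policy (CachePolicy.CACHING_DISABLED).
const CACHING_DISABLED_ID = '4135ea2d-6df8-44a3-9df3-4b5a84be39ad';

function auditDistributions(template: Template): string[] {
  const findings: string[] = [];
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (!res || res.Type !== 'AWS::CloudFront::Distribution') continue;
    const cfg = res.Properties?.DistributionConfig ?? {};
    const behavior = cfg.DefaultCacheBehavior ?? {};
    const vpp = behavior.ViewerProtocolPolicy;
    if (vpp !== 'redirect-to-https' && vpp !== 'https-only')
      findings.push(`${id}: viewers can reach the API over plain HTTP`);
    if (cfg.ViewerCertificate?.MinimumProtocolVersion !== 'TLSv1.2_2021')
      findings.push(`${id}: minimum TLS policy is not TLSv1.2_2021`);
    if (String(cfg.HttpVersion ?? '').indexOf('3') === -1)
      findings.push(`${id}: HTTP/3 is not enabled`);
    if (!cfg.Logging?.Bucket)
      findings.push(`${id}: access logging is not configured`);
    if (behavior.CachePolicyId !== CACHING_DISABLED_ID)
      findings.push(`${id}: cache policy is not CachingDisabled`);
  }
  return findings;
}

// Constructed sample templates (hand-written, not output of the construct).
const asDocumented: Template = { Resources: { ApiDist: {
  Type: 'AWS::CloudFront::Distribution',
  Properties: { DistributionConfig: {
    HttpVersion: 'http3',
    Logging: { Bucket: { 'Fn::GetAtt': ['AccessLogs', 'RegionalDomainName'] } },
    ViewerCertificate: { MinimumProtocolVersion: 'TLSv1.2_2021' },
    DefaultCacheBehavior: { ViewerProtocolPolicy: 'redirect-to-https', CachePolicyId: CACHING_DISABLED_ID },
  } },
} } };
const drifted: Template = { Resources: { ApiDist: {
  Type: 'AWS::CloudFront::Distribution',
  Properties: { DistributionConfig: {
    HttpVersion: 'http2',
    ViewerCertificate: { MinimumProtocolVersion: 'TLSv1' },
    DefaultCacheBehavior: { ViewerProtocolPolicy: 'allow-all', CachePolicyId: CACHING_DISABLED_ID },
  } },
} } };
```

Run auditDistributions over each stack's template in CI and fail the build when the returned list is non-empty.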

Example

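import * as apigw from 'aws-cdk-lib/aws-apigateway';
import * as acm from 'aws-cdk-lib/aws-certificatemanager';
import * as cloudFront from 'aws-cdk-lib/aws-cloudfront';
import * as route53 from 'aws-cdk-lib/aws-route53';
// ApiCloudFrontDistribution comes from this library and the monitoring namespace
// from your monitoring library; their package names are not shown on this page.

// The statements below run inside a Stack, where `this` is the construct scope.

// Existing hosted zone that will hold the A-alias record
const zone = route53.HostedZone.fromHostedZoneAttributes(this, 'Zone', {
  hostedZoneId: 'Z1234567890',
  zoneName: 'example.com',
});

// Existing ACM certificate (CloudFront requires it to be in us-east-1)
const cert = acm.Certificate.fromCertificateArn(this, 'Cert',
  'arn:aws:acm:us-east-1:123456789012:certificate/xxxx-xxxx-xxxx-xxxx'
);

// REST API that becomes the distribution's origin
const api = new apigw.RestApi(this, 'Api', {
  deployOptions: { stageName: 'dev' },
});

// Optional monitoring facade provided by your monitoring library
const facade = new monitoring.MonitoringFacade(this, 'Monitoring', { /* ... */ });

new ApiCloudFrontDistribution(this, 'ApiDist', {
  stageName: 'dev',
  domainHostedZone: zone,
  apiSubDomain: 'api.example.com',
  domainCertificate: cert,
  api,
  enabled: true,
  priceClass: cloudFront.PriceClass.PRICE_CLASS_100,
  comment: 'dev api distribution',
  // Optional Lambda@Edge version (must be us-east-1)
  // edgeFunction: lambda.Version.fromVersionArn(this, 'EdgeVer', 'arn:aws:lambda:us-east-1:111111111111:function:name:1'),
  monitoringFacade: facade, // <-- distribution is auto-registered here
});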

See

  • ApiCloudFrontDistributionProps
  • monitoring.MonitoringFacade
  • cloudFront.Distribution
  • route53.ARecord

Extends

  • Construct

Constructors

Constructor

new ApiCloudFrontDistribution(scope, id, props): ApiCloudFrontDistribution

Defined in: src/api-gateway-cloudfront-distribution/api-cloudfront-distribution.ts:312

Create a new API-fronted CloudFront distribution with DNS, logging, and optional monitoring integration.

Parameters

scope

Construct

The construct scope.

id

string

Logical ID for this construct.

props

ApiCloudFrontDistributionProps

ApiCloudFrontDistributionProps controlling domain, certificate, API origin, optional edge function, and optional monitoring facade registration.

Returns

ApiCloudFrontDistribution

Overrides

Construct.constructor

Properties

accessLogsBucket

readonly accessLogsBucket: Bucket

Defined in: src/api-gateway-cloudfront-distribution/api-cloudfront-distribution.ts:301

Centralized S3 bucket receiving CloudFront access logs.

Remarks

  • Created with objectOwnership: OBJECT_WRITER so S3 can deliver logs.
  • RemovalPolicy.DESTROY and autoDeleteObjects: true are set for ephemeral environments.
  • The construct adds a cdk-nag suppression for AwsSolutions-S1 to avoid recursive logging on the log bucket itself.

distribution

readonly distribution: Distribution

Defined in: src/api-gateway-cloudfront-distribution/api-cloudfront-distribution.ts:292

The CloudFront distribution created by this construct.


node

readonly node: Node

Defined in: node_modules/.pnpm/constructs@10.4.2/node_modules/constructs/lib/construct.d.ts:266

The tree node.

Inherited from

Construct.node

Methods

toString()

toString(): string

Defined in: node_modules/.pnpm/constructs@10.4.2/node_modules/constructs/lib/construct.d.ts:279

Returns a string representation of this construct.

Returns

string

Inherited from

Construct.toString


isConstruct()

static isConstruct(x): x is Construct

Defined in: node_modules/.pnpm/constructs@10.4.2/node_modules/constructs/lib/construct.d.ts:262

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid instanceof and to use this type-testing method instead.

Parameters

x

any

Any object

Returns

x is Construct

true if x is an object created from a class which extends Construct.

Inherited from

Construct.isConstruct