
Defined in: src/constructs/api-gateway-cloudfront-distribution/api-cloudfront-distribution.ts:289

CloudFront distribution fronting an API Gateway REST API, with DNS, logging, and optional monitoring integration.

Remarks

This construct:

  • Creates a centralized S3 access logs bucket (with OBJECT_WRITER ownership) for the distribution.
  • Provisions a cloudFront.Distribution with secure defaults (HTTP/3, HTTPS-only, TLSv1.2_2021), disabled caching for dynamic APIs, and a managed CORS with preflight response headers policy.
  • Optionally associates a Lambda@Edge version (e.g., at VIEWER_REQUEST).
  • Creates a Route 53 A-alias record targeting the distribution.
  • Applies RemovalPolicy.DESTROY to the distribution and alias record for easy teardown in ephemeral stages.
  • Adds cdk-nag suppressions for rules that are intentionally deferred (CFR1/CFR2) and for the central logs bucket (to avoid recursive S3 server access logging).
  • Monitoring integration: If ApiCloudFrontDistributionProps.monitoringFacade is provided, the construct will automatically register the created distribution by calling monitoringFacade.monitorCloudFrontDistribution({ distribution }). Use this to attach metrics, alarms, and dashboards without additional wiring in your stacks.

Important constraints

Defaults & opinions

  • AllowedMethods: ALLOW_ALL (APIs often use non-GET methods).
  • CachePolicy: CACHING_DISABLED (typical for dynamic APIs; adjust if your API is cacheable).
  • OriginRequestPolicy: ALL_VIEWER_EXCEPT_HOST_HEADER (forwards common viewer data minus Host).
  • ViewerProtocolPolicy: REDIRECT_TO_HTTPS.
  • ResponseHeadersPolicy: CORS_ALLOW_ALL_ORIGINS_WITH_PREFLIGHT (managed policy).
  • HttpVersion: HTTP3 enabled.
  • PriceClass: defaults to PRICE_CLASS_100 unless overridden in props.
  • Access logging is enabled and written to the construct-managed logs bucket.

Example

const zone = route53.HostedZone.fromHostedZoneAttributes(this, 'Zone', {
  hostedZoneId: 'Z1234567890',
  zoneName: 'example.com',
});

const cert = acm.Certificate.fromCertificateArn(this, 'Cert',
  'arn:aws:acm:us-east-1:123456789012:certificate/xxxx-xxxx-xxxx-xxxx'
);

const api = new apigw.RestApi(this, 'Api', {
  deployOptions: { stageName: 'dev' },
});

// Optional monitoring facade provided by your monitoring library
const facade = new monitoring.MonitoringFacade(this, 'Monitoring', { /* ... */ });

new ApiCloudFrontDistribution(this, 'ApiDist', {
  stageName: 'dev',
  domainHostedZone: zone,
  apiSubDomain: 'api.example.com',
  domainCertificate: cert,
  api,
  enabled: true,
  priceClass: cloudFront.PriceClass.PRICE_CLASS_100,
  comment: 'dev api distribution',
  // Optional Lambda@Edge version (must be us-east-1)
  // edgeFunction: lambda.Version.fromVersionArn(this, 'EdgeVer', 'arn:aws:lambda:us-east-1:111111111111:function:name:1'),
  monitoringFacade: facade, // <-- distribution is auto-registered here
});

See

  • ApiCloudFrontDistributionProps
  • monitoring.MonitoringFacade
  • cloudFront.Distribution
  • route53.ARecord

Extends

  • Construct

Constructors

Constructor

new ApiCloudFrontDistribution(scope, id, props): ApiCloudFrontDistribution

Defined in: src/constructs/api-gateway-cloudfront-distribution/api-cloudfront-distribution.ts:313

Create a new API-fronted CloudFront distribution with DNS, logging, and optional monitoring integration.

Parameters

scope

Construct

The construct scope.

id

string

Logical ID for this construct.

props

ApiCloudFrontDistributionProps

ApiCloudFrontDistributionProps controlling domain, certificate, API origin, optional edge function, and optional monitoring facade registration.

Returns

ApiCloudFrontDistribution

Overrides

Construct.constructor

Properties

accessLogsBucket

readonly accessLogsBucket: Bucket

Defined in: src/constructs/api-gateway-cloudfront-distribution/api-cloudfront-distribution.ts:302

Centralized S3 bucket receiving CloudFront access logs.

Remarks

  • Created with objectOwnership: OBJECT_WRITER so S3 can deliver logs.
  • RemovalPolicy.DESTROY and autoDeleteObjects: true are set for ephemeral environments.
  • The construct adds a cdk-nag suppression for AwsSolutions-S1 to avoid recursive logging on the log bucket itself.

distribution

readonly distribution: Distribution

Defined in: src/constructs/api-gateway-cloudfront-distribution/api-cloudfront-distribution.ts:293

The CloudFront distribution created by this construct.


node

readonly node: Node

Defined in: node_modules/.pnpm/constructs@10.0.5/node_modules/constructs/lib/construct.d.ts:305

The tree node.

Stability

stable

Inherited from

Construct.node

Methods

toString()

toString(): string

Defined in: node_modules/.pnpm/constructs@10.0.5/node_modules/constructs/lib/construct.d.ts:319

Returns a string representation of this construct.

Returns

string

Stability

stable

Inherited from

Construct.toString


isConstruct()

static isConstruct(x): x is Construct

Defined in: node_modules/.pnpm/constructs@10.0.5/node_modules/constructs/lib/construct.d.ts:299

(deprecated) Checks if x is a construct.

Parameters

x

any

Any object.

Returns

x is Construct

true if x is an object created from a class which extends Construct.

Deprecated

use x instanceof Construct instead

Inherited from

Construct.isConstruct