@@ -41,10 +41,13 @@ import {
4141 LoadBalancerV2Origin ,
4242 S3BucketOrigin ,
4343} from "aws-cdk-lib/aws-cloudfront-origins" ;
44+ import { ICertificate } from "aws-cdk-lib/aws-certificatemanager" ;
45+ import { getPrimaryDomainName } from "./shared-resources-stack" ;
4446
4547export interface NetworkProps {
4648 env : string ;
4749 account : string ;
50+ certificate ?: ICertificate ;
4851}
4952
5053export class Network extends Construct {
@@ -96,16 +99,16 @@ export class Network extends Construct {
9699 allowAllOutbound : true ,
97100 description : "No inbound / all outbound" ,
98101 securityGroupName : "noInboundAllOutboundSecurityGroup" ,
99- }
102+ } ,
100103 ) ;
101104 this . noInboundAllOutboundSecurityGroup . addIngressRule (
102105 this . noInboundAllOutboundSecurityGroup ,
103106 Port . tcp ( 8080 ) ,
104- "allow self"
107+ "allow self" ,
105108 ) ;
106109 this . noInboundAllOutboundSecurityGroup . addIngressRule (
107110 Peer . ipv4 ( this . vpc . vpcCidrBlock ) ,
108- Port . tcp ( 8080 )
111+ Port . tcp ( 8080 ) ,
109112 ) ;
110113
111114 this . vpcLink = new VpcLink ( this , "HttpApiVpcLink" , {
@@ -128,7 +131,7 @@ export class Network extends Construct {
128131 {
129132 stringValue : this . noInboundAllOutboundSecurityGroup . securityGroupId ,
130133 parameterName : `/stickerlandia/${ props . env } /shared/vpc-link-sg-id` ,
131- }
134+ } ,
132135 ) ;
133136
134137 this . httpApi = new HttpApi ( this , "StickerlandiaHttpApi" , {
@@ -159,28 +162,37 @@ export class Network extends Construct {
159162 } ) ;
160163 webFrontendBucket . grantRead ( originIdentity ) ;
161164
165+ // If the certificate is passed in, create a domain for that specific environment.
166+ const primaryDomainName = getPrimaryDomainName (
167+ props . certificate ,
168+ props . env ,
169+ ) ;
170+ const domainName = primaryDomainName ? [ primaryDomainName ] : undefined ;
171+
162172 this . distribution = new Distribution ( this , `Stickerlandia-${ props . env } ` , {
173+ certificate : props . certificate ,
174+ domainNames : domainName ,
163175 minimumProtocolVersion : SecurityPolicyProtocol . TLS_V1_2_2021 ,
164176 defaultRootObject : "index.html" ,
177+ // SPA routing: return index.html for any unmatched routes on the frontend
178+ // S3 with OAI returns 403 for non-existent files, so we handle both 403 and 404
179+ // This only applies to the default behavior (S3/frontend), not API routes
180+ errorResponses : [
181+ {
182+ httpStatus : 403 ,
183+ responseHttpStatus : 200 ,
184+ responsePagePath : "/index.html" ,
185+ } ,
186+ {
187+ httpStatus : 404 ,
188+ responseHttpStatus : 200 ,
189+ responsePagePath : "/index.html" ,
190+ } ,
191+ ] ,
165192 defaultBehavior : {
166193 origin : S3BucketOrigin . withOriginAccessIdentity ( webFrontendBucket , {
167194 originAccessIdentity : originIdentity ,
168195 } ) ,
169- // SPA routing: return index.html for any unmatched routes on the frontend
170- // S3 with OAI returns 403 for non-existent files, so we handle both 403 and 404
171- // This only applies to the default behavior (S3/frontend), not API routes
172- errorResponses : [
173- {
174- httpStatus : 403 ,
175- responseHttpStatus : 200 ,
176- responsePagePath : "/index.html" ,
177- } ,
178- {
179- httpStatus : 404 ,
180- responseHttpStatus : 200 ,
181- responsePagePath : "/index.html" ,
182- } ,
183- ] ,
184196 } ,
185197 } ) ;
186198
@@ -192,15 +204,15 @@ export class Network extends Construct {
192204 `${ this . httpApi . apiId } .execute-api.${ region } .amazonaws.com` ,
193205 {
194206 protocolPolicy : OriginProtocolPolicy . HTTPS_ONLY ,
195- }
207+ } ,
196208 ) ,
197209 {
198210 cachePolicy : CachePolicy . CACHING_DISABLED ,
199211 originRequestPolicy : OriginRequestPolicy . ALL_VIEWER_EXCEPT_HOST_HEADER ,
200212 responseHeadersPolicy :
201213 ResponseHeadersPolicy . CORS_ALLOW_ALL_ORIGINS_WITH_PREFLIGHT_AND_SECURITY_HEADERS ,
202214 allowedMethods : AllowedMethods . ALLOW_ALL ,
203- }
215+ } ,
204216 ) ;
205217
206218 this . distribution . addBehavior (
@@ -209,15 +221,15 @@ export class Network extends Construct {
209221 `${ this . httpApi . apiId } .execute-api.${ region } .amazonaws.com` ,
210222 {
211223 protocolPolicy : OriginProtocolPolicy . HTTPS_ONLY ,
212- }
224+ } ,
213225 ) ,
214226 {
215227 cachePolicy : CachePolicy . CACHING_DISABLED ,
216228 originRequestPolicy : OriginRequestPolicy . ALL_VIEWER_EXCEPT_HOST_HEADER ,
217229 responseHeadersPolicy :
218230 ResponseHeadersPolicy . CORS_ALLOW_ALL_ORIGINS_WITH_PREFLIGHT_AND_SECURITY_HEADERS ,
219231 allowedMethods : AllowedMethods . ALLOW_ALL ,
220- }
232+ } ,
221233 ) ;
222234
223235 this . distribution . addBehavior (
@@ -226,15 +238,15 @@ export class Network extends Construct {
226238 `${ this . httpApi . apiId } .execute-api.${ region } .amazonaws.com` ,
227239 {
228240 protocolPolicy : OriginProtocolPolicy . HTTPS_ONLY ,
229- }
241+ } ,
230242 ) ,
231243 {
232244 cachePolicy : CachePolicy . CACHING_DISABLED ,
233245 originRequestPolicy : OriginRequestPolicy . ALL_VIEWER_EXCEPT_HOST_HEADER ,
234246 responseHeadersPolicy :
235247 ResponseHeadersPolicy . CORS_ALLOW_ALL_ORIGINS_WITH_PREFLIGHT_AND_SECURITY_HEADERS ,
236248 allowedMethods : AllowedMethods . ALLOW_ALL ,
237- }
249+ } ,
238250 ) ;
239251
240252 this . distribution . addBehavior (
@@ -243,15 +255,15 @@ export class Network extends Construct {
243255 `${ this . httpApi . apiId } .execute-api.${ region } .amazonaws.com` ,
244256 {
245257 protocolPolicy : OriginProtocolPolicy . HTTPS_ONLY ,
246- }
258+ } ,
247259 ) ,
248260 {
249261 cachePolicy : CachePolicy . CACHING_DISABLED ,
250262 originRequestPolicy : OriginRequestPolicy . ALL_VIEWER_EXCEPT_HOST_HEADER ,
251263 responseHeadersPolicy :
252264 ResponseHeadersPolicy . CORS_ALLOW_ALL_ORIGINS_WITH_PREFLIGHT_AND_SECURITY_HEADERS ,
253265 allowedMethods : AllowedMethods . ALLOW_ALL ,
254- }
266+ } ,
255267 ) ;
256268 }
257269}
0 commit comments