如何通过AWS Lambda通过AWS_PROXY模式通过API Gateway和CloudFront返回二进制内容?

huangapple go评论161阅读模式
英文:

How can one return binary content via AWS Lambda through API Gateway and CloudFront using AWS_PROXY mode?

问题

如何使用CloudFormation创建一个由CloudFront前端和AWS Lambda函数后端支持的AWS API Gateway(以便进行HTTP到HTTPS重定向),并使用AWS_PROXY集成类型?

以下是一个CloudFormation模板示例,展示了我尝试过的内容。它包括:

  • 一个简单的Lambda函数,该函数以AWS_PROXY模式返回Lambda的预期输出格式。这个输出格式中isBase64Encoded设置为True。
  • 一个AWS::ApiGateway::RestApi CloudFormation资源,其中包含一个BinaryMediaTypes属性,其值为*~1*。在此AWS文档页面CloudFormation文档中建议将二进制媒体类型设置为*/*,并解释了Slashes must be escaped with ~1. For example, image/png would be image~1png in the BinaryMediaTypes list

我已阅读了这篇AWS论坛帖子,AWS_PROXY和二进制响应,但尚未弄清楚我的问题所在。该论坛帖子包括有关AWS_PROXY模式以及其他模式的帖子,因此有点令人困惑。

这篇AWS文档页面,在API Gateway中支持二进制负载,我认为是在讨论AWS_PROXY以外的模式,因为它提到设置IntegrationResponses属性,该属性要求使用与MethodResponse StatusCode匹配的StatusCode。

以下是一个展示问题的CloudFormation模板。您可以按照以下步骤重现它:

  1. 为您的帐户中现有的Route53区域中的DNS域名创建ACM证书。
  2. 将域名、以“.”字符结尾的区域名称以及ACM ARN作为CloudFormation堆栈的参数。
  3. 使用下面的模板启动CloudFormation堆栈(因为它使用了CloudFront,这可能需要30分钟)。
  4. 使用API Gateway的URL进行curl请求。

如果这个过程正确执行,您应该会收到一个二进制png的HTTP响应,而不是一个base64响应。

# 在这里是您的CloudFormation模板,包括Lambda函数、API Gateway和CloudFront的定义

希望这有助于您创建所需的AWS架构。

英文:

How can I provision an AWS API Gateway, fronted by CloudFront (so that I can have HTTP to HTTPS redirects) and backed by an AWS Lambda function using the AWS_PROXY integration type using CloudFormation?

Below is a CloudFormation template showing what I've tried. It includes

  • A simple Lambda function which returns the expected output format for Lambda in AWS_PROXY mode.
    • This has isBase64Encoded set to True.
  • A AWS::ApiGateway::RestApi CloudFormation resource that includes a BinaryMediaTypes property containing a value of *~1*.
    • Setting the Binary Media Type of */* is suggested in this AWS doc page and the CloudFormation docs explain that Slashes must be escaped with ~1. For example, image/png would be image~1png in the BinaryMediaTypes list

I've read through this AWS Forum post, AWS_PROXY and binary responses but haven't figured out what I'm doing wrong. The forum post includes people posting both about AWS_PROXY mode as well as other modes so it gets a bit confusing.

This AWS doc page, Support Binary Payloads in API Gateway , is, I believe, talking about modes other than AWS_PROXY as it talks about setting the IntegrationResponses property which requires using a StatusCode which matches a MethodResponse StatusCode.

Here is a CloudFormation template that exhibits the problem. You can reproduce it with these steps

  1. Provision an ACM certificate for a DNS domain name in an existing Route53 zone in your account
  2. Provide the domain name, the zone name (ending in a "." character) and the ACM ARN as parameters to the CloudFormation stack
  3. Spin up the CloudFormation stack using the template below (because it uses CloudFront this can take 30 minutes)
  4. curl the URL of the API Gateway

If this worked correctly you'd get back a binary png HTTP response, instead you get back a base64 response.

AWSTemplateFormatVersion: 2010-09-09
Description: Test binary responses with AWS_PROXY mode
Parameters:
  CustomDomainName:
    Type: String
    Description: The custom domain name to use for the API
    Default: ''
    # AWS::ApiGateway::DomainName can not contain any uppercase characters
    AllowedPattern: '^[^A-Z]*$'
    ConstraintDescription: must not contain any uppercase characters
  DomainNameZone:
    Type: String
    Description: The Route53 DNS zone containing the custom domain name
    Default: ''
  CertificateArn:
    Type: String
    Description: The ARN of the AWS ACM Certificate for your custom domain name
    Default: ''
Resources:
  TestFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: AllowLambdaLogging
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: '*'
  TestFunction:
    Type: AWS::Lambda::Function
    Properties:
      Description: Test Function
      Code:
        ZipFile: |
          def lambda_handler(event, context):
            body = 'iVBORw0KGgoAAAANSUhEUgAAABEAAAAKCAYAAABSfLWiAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAA0gAAANIBBp0MHQAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAAAHgSURBVCiRlY47aFNxGEfP97/p05SWYhXfEHMjNZobuChYk1iwUCKKiqSjj0XpIM46uDgUQdxqk0lUHJwsiEPtoEmtgxhMIx2StFJBhA4tOCTVPO7n0C5uesbDj8NPAEJO4oXCLqDHU3PbktYJhM/lwty07SRmEHlQKWRn7Uh8VlRvqDFpoEdgo7yQO+0DqP80V1ZW3v0KOcMxI95dMFOqnD8YGfoAckCUZMCNlWhKvxoGxaNWLuZGAQUQwNhOfEJFjhqPugo7u7RzZEN+50HvgO4R5KKKPkVlb9VXfbit5X+Cp2FBn5WLc/dNyBkeAkksFXJnWurdA6xi8U0VqIBc89R6q0hVPLmgtF7+yOdrlUI2ZdXb4hhzKRQ95frENL6qZ+2zo/FHqHQAA6RSlpZWp0WYWC5mF4NO4j3C1aWF+UXbiZ0VZKxFo4pitTcbywAE3JHeQDRhAxIOh9vZxITDw34A13Xbdrtu95Yn4Mb2HzoSjwSDyQ4A0SlOyjjz/Af6mE7q3AQGgW4D1DTDc01zWTP0/lPlG02ULxgmUfoEQCfx4+MWMI5SQvi0NVpDWcejC6EfsBGOA4cR0vh4RZNz8tfNzVgSYRTlGLADGADWge/AR4QZ+ngtY9Q1w3aus/YHPCW0c1bW92YAAAAASUVORK5CYII='
            return {
              'headers': {'Content-Type': 'image/png'},
              'statusCode': 200,
              'isBase64Encoded': True,
              'body': body}          
      Handler: index.lambda_handler
      Runtime: python3.7
      Role: !GetAtt TestFunctionRole.Arn
      Timeout: 900
  TestFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      # Let's hope that the Lambda function doesn't execute before this LogGroup
      # resource is created, creating the LogGroup with no expiration and
      # preventing this resource from creating
      LogGroupName: !Join [ '/', ['/aws/lambda', !Ref 'TestFunction' ] ]
      RetentionInDays: 1
  TestRoute53RecordSet:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        DNSName: !GetAtt TestCloudFrontDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget-1.html
      Comment: Bind the custom domain name to the Test CloudFront fronted API Gateway
      HostedZoneName: !Ref DomainNameZone
      Name: !Ref CustomDomainName
      Type: A
  TestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: Test
      BinaryMediaTypes:
        - '*~1*'
      Description: Test API
      FailOnWarnings: true
      EndpointConfiguration:
        Types:
          - REGIONAL
  TestApiGatewayDomainName:
    # The ApiGateway requires a custom domain name, despite sitting behind
    # CloudFront. This is because we want to pass all ( * ) HTTP headers
    # through CloudFront and onto API Gateway. If we didn't set a custom domain
    # name on the API Gateway, the "Host" header passed through from CloudFront
    # to API Gateway would be for the custom domain, but API Gateway, which uses
    # SNI, wouldn't know which TLS certificate to use in the handshake because
    # API Gateway would have no record of that Host header. This would result in
    # API Gateway being unable to setup a TLS connection with the inbound
    # CloudFront connection attempt, API Gateway writing no logs about this
    # fact, and CloudFront returning to the user an error of
    # {"message":"Forbidden"}
    # If we weren't passing the "Host" header from CloudFront to API Gateway
    # this resource wouldn't be needed
    Type: AWS::ApiGateway::DomainName
    Properties:
      # Uppercase letters are not supported in DomainName
      DomainName: !Ref CustomDomainName
      EndpointConfiguration:
        Types:
          - REGIONAL
      RegionalCertificateArn: !Ref CertificateArn
      SecurityPolicy: TLS_1_2
  TestBasePathMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Properties:
      # BasePath:   # Not specifying this so that we have no base path
      DomainName: !Ref TestApiGatewayDomainName
      RestApiId: !Ref TestApi
      Stage: !Ref TestApiStage
  TestLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:invokeFunction
      FunctionName: !GetAtt TestFunction.Arn
      Principal: apigateway.amazonaws.com
      SourceArn: !Join [ '', [ 'arn:aws:execute-api:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', !Ref 'TestApi', '/*/*' ] ]
  TestApiStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      DeploymentId: !Ref TestApiDeployment
      MethodSettings:
        - DataTraceEnabled: true
          HttpMethod: '*'
          ResourcePath: /*
      RestApiId: !Ref TestApi
  TestApiDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn:
      - TestRequest
    Properties:
      RestApiId: !Ref TestApi
      StageName: DummyStage
      # Deployment with an Empty Embedded Stage
      # The following instructional text is no longer present in the AWS
      # documentation for AWS::ApiGateway::Deployment StageName and it's not
      # clear if it still applies.
      #
      # "Note This property is required by API Gateway. We recommend that you
      # specify a name using any value (see Examples) and that you don’t use
      # this stage. We recommend not using this stage because it is tied to
      # this deployment, which means you can’t delete one without deleting the
      # other. For example, if you delete this deployment, API Gateway also
      # deletes this stage, which you might want to keep. Instead, use the
      # AWS::ApiGateway::Stage resource to create and associate a stage with
      # this deployment."
  TestResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref TestApi
      ParentId: !GetAtt TestApi.RootResourceId
      PathPart: '{proxy+}'
  TestRequest:
    DependsOn: TestLambdaPermission
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizationType: NONE
      HttpMethod: GET
      Integration:
        Type: AWS_PROXY
        # IntegrationHttpMethod is POST regardless of the HttpMethod for this resource
        # https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#set-up-lambda-proxy-integration-using-cli
        # "For Lambda integrations, you must use the HTTP method of POST for the
        # integration request, according to the specification of the Lambda service
        # action for function invocations."
        IntegrationHttpMethod: POST
        Uri: !Join [ '', [ 'arn:aws:apigateway:', !Ref 'AWS::Region', ':lambda:path/2015-03-31/functions/', !GetAtt 'TestFunction.Arn', '/invocations' ] ]
      ResourceId: !Ref TestResource
      RestApiId: !Ref TestApi
  TestPOSTRequest:
    DependsOn: TestLambdaPermission
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizationType: NONE
      HttpMethod: POST
      Integration:
        Type: AWS_PROXY
        # https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#set-up-lambda-proxy-integration-using-cli
        # "For Lambda integrations, you must use the HTTP method of POST for the
        # integration request, according to the specification of the Lambda service
        # action for function invocations."
        IntegrationHttpMethod: POST
        Uri: !Join [ '', [ 'arn:aws:apigateway:', !Ref 'AWS::Region', ':lambda:path/2015-03-31/functions/', !GetAtt 'TestFunction.Arn', '/invocations' ] ]
      ResourceId: !Ref TestResource
      RestApiId: !Ref TestApi
  TestRootRequest:
    # This resource is necessary to get API Gateway to respond to requests for the '/' path
    # Without it API Gateway will respond to requests for '/' with the error
    # {"message":"Missing Authentication Token"}
    # https://stackoverflow.com/q/46578615/168874
    # https://stackoverflow.com/q/52909329/168874
    DependsOn: TestLambdaPermission
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizationType: NONE
      HttpMethod: GET
      Integration:
        Type: AWS_PROXY
        # IntegrationHttpMethod is POST regardless of the HttpMethod for this resource
        # https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#set-up-lambda-proxy-integration-using-cli
        # "For Lambda integrations, you must use the HTTP method of POST for the
        # integration request, according to the specification of the Lambda service
        # action for function invocations."
        IntegrationHttpMethod: POST
        Uri: !Join [ '', [ 'arn:aws:apigateway:', !Ref 'AWS::Region', ':lambda:path/2015-03-31/functions/', !GetAtt 'TestFunction.Arn', '/invocations' ] ]
      # ResourceId must use the RootResourceId attribute of the AWS::ApiGateway::RestApi
      # https://stackoverflow.com/a/56121914/168874
      ResourceId: !GetAtt TestApi.RootResourceId
      RestApiId: !Ref TestApi
  TestCloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Comment: !Join [ ':', [!Ref 'AWS::StackName', 'Test']]
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - POST
            - DELETE
            - OPTIONS
            - PUT
            - PATCH
          Compress: true
          DefaultTTL: 0
          MinTTL: 0
          MaxTTL: 0
          ForwardedValues:
            Cookies:
              Forward: all
            QueryString: true
            Headers:
              - '*'
          TargetOriginId: TestCloudFrontOriginId
          ViewerProtocolPolicy: redirect-to-https
        # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-defaultrootobject
        DefaultRootObject: ''  # "If you don't want to specify a default root object when you create a distribution, include an empty DefaultRootObject element."
        Enabled: true
        Aliases:
          - !Ref CustomDomainName
        HttpVersion: http2
        IPV6Enabled: true
        #Logging:
        #  Logging
        Origins:
          - CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols:
                - TLSv1.2
            DomainName: !GetAtt TestApiGatewayDomainName.RegionalDomainName
            Id: TestCloudFrontOriginId
            # OriginPath: !Join [ '', [ '/', !Ref 'TestApiStage' ] ]
        PriceClass: PriceClass_100  # US, Canada, Europe, Israel
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          MinimumProtocolVersion: TLSv1.2_2018
          SslSupportMethod: sni-only

答案1

得分: 2

我联系了AWS支持,经过多次来回沟通,发现问题出在AWS文档中。

AWS::ApiGateway::RestApi CloudFormation资源类型的文档页面错误地说明:

> 斜杠必须用~1进行转义。例如,image/png应该在BinaryMediaTypes列表中写为image~1png。

事实证明这是不正确的,您应该在BinaryMediaTypes字段中放置的值是*/*,而不是*~1*。这使得字段看起来像这样:

Resources:
  TestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: Test
      BinaryMediaTypes:
        - '*/*'

所以,通过对问题中的模板进行这个更改,生成的堆栈将正确地提供二进制资源。

我已确认此AWS文档页面 Support Binary Payloads in API Gateway 确实讨论的是AWS_PROXY以外的模式,并且不适用于我的问题。

已确认有效的带有修复的模板如下:

AWSTemplateFormatVersion: 2010-09-09
Description: Test binary responses with AWS_PROXY mode
Parameters:
  CustomDomainName:
    Type: String
    Description: The custom domain name to use for the API
    Default: ''
    # AWS::ApiGateway::DomainName can not contain any uppercase characters
    AllowedPattern: '^[^A-Z]*$'
    ConstraintDescription: must not contain any uppercase characters
  DomainNameZone:
    Type: String
    Description: The Route53 DNS zone containing the custom domain name
    Default: ''
  CertificateArn:
    Type: String
    Description: The ARN of the AWS ACM Certificate for your custom domain name
    Default: ''
Resources:
  TestFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: AllowLambdaLogging
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: '*'
  TestFunction:
    Type: AWS::Lambda::Function
    Properties:
      Description: Test Function
      Code:
        ZipFile: |
          def lambda_handler(event, context):
            body = 'iVBORw0KGgoAAAANSUhEUgAAABEAAAAKCAYAAABSfLWiAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAA0gAAANIBBp0MHQAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAAAHgSURBVCiRlY47aFNxGEfP97/p05SWYhXfEHMjNZobuChYk1iwUCKKiqSjj0XpIM46uDgUQdxqk0lUHJwsiEPtoEmtgxhMIx2StFJBhA4tOCTVPO7n0C5uesbDj8NPAEJO4oXCLqDHU3PbktYJhM/lwty07SRmEHlQKWRn7Uh8VlRvqDFpoEdgo7yQO+0DqP80V1ZW3v0KOcMxI95dMFOqnD8YGfoAckCUZMCNlWhKvxoGxaNWLuZGAQUQwNhOfEJFjhqPugo7u7RzZEN+50HvgO4R5KKKPkVlb9VXfbit5X+Cp2FBn5WLc/dNyBkeAkksFXJnWurdA6xi8U0VqIBc89R6q0hVPLmgtF7+yOdrlUI2ZdXb4hhzKRQ95frENL6qZ+2zo/FHqHQAA6RSlpZWp0WYWC5mF4NO4j3C1aWF+UXbiZ0VZKxFo4pitTcbywAE3JHeQDRhAxIOh9vZxITDw34A13Xbdrtu95Yn4Mb2HzoSjwSDyQ4A0SlOyjjz/Af6mE7q3AQGgW4D1DTDc01zWTP0/lPlG02ULxgmUfoEQCfx4+MWMI5SQvi0NVpDWcejC6EfsBGOA4cR0vh4RZNz8tfNzVgSYRTlGLADGADWge/AR4QZ+ngtY9Q1w3aus/YHPCW0c1bW92YAAAAASUVORK5CYII='
            return {
              'headers': {'Content-Type': 'image/png'},
              'statusCode': 200,
              'isBase64Encoded': True,
              'body': body}          
      Handler: index.lambda_handler
      Runtime: python3.7
      Role: !GetAtt TestFunctionRole.Arn
      Timeout: 900
  TestFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      # Let's hope that the Lambda function doesn't execute before this LogGroup
      # resource is created, creating the LogGroup with no expiration and
      # preventing this resource from creating
      LogGroupName: !Join [ '/', ['/aws/lambda', !Ref 'TestFunction'] ]
      RetentionInDays: 1
  TestRoute53RecordSet:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        DNSName: !GetAtt TestCloudFrontDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget-1.html
      Comment: Bind the custom domain name to the Test CloudFront fronted API Gateway
      HostedZoneName: !Ref DomainNameZone
      Name: !Ref CustomDomainName
      Type: A
  TestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: Test
      Binary

<details>
<summary>英文:</summary>

I contacted AWS Support and after many back and forths found that the problem is in the AWS documentation.

The documentation page on the [`AWS::ApiGateway::RestApi` CloudFormation resource type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-binarymediatypes) incorrectly states

&gt; Slashes must be escaped with ~1. For example, image/png would be image~1png in the BinaryMediaTypes list.

It turns out this is not true and the value that you should put in the `BinaryMediaTypes` field is `*/*` not `*~1*`. This makes the field look like this

```yaml
Resources:
  TestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: Test
      BinaryMediaTypes:
        - &#39;*/*&#39;

So with that change to the template in the question, the resulting stack correctly serves up binary resources.

I've confirmed that this AWS doc page, Support Binary Payloads in API Gateway , is indeed talking about modes other than AWS_PROXY and doesn't apply to my question.

The template with the fix that I've confirmed works is this

AWSTemplateFormatVersion: 2010-09-09
Description: Test binary responses with AWS_PROXY mode
Parameters:
  CustomDomainName:
    Type: String
    Description: The custom domain name to use for the API
    Default: &#39;&#39;
    # AWS::ApiGateway::DomainName can not contain any uppercase characters
    AllowedPattern: &#39;^[^A-Z]*$&#39;
    ConstraintDescription: must not contain any uppercase characters
  DomainNameZone:
    Type: String
    Description: The Route53 DNS zone containing the custom domain name
    Default: &#39;&#39;
  CertificateArn:
    Type: String
    Description: The ARN of the AWS ACM Certificate for your custom domain name
    Default: &#39;&#39;
Resources:
  TestFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: AllowLambdaLogging
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: &#39;*&#39;
  TestFunction:
    Type: AWS::Lambda::Function
    Properties:
      Description: Test Function
      Code:
        ZipFile: |
          def lambda_handler(event, context):
            body = &#39;iVBORw0KGgoAAAANSUhEUgAAABEAAAAKCAYAAABSfLWiAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAA0gAAANIBBp0MHQAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAAAHgSURBVCiRlY47aFNxGEfP97/p05SWYhXfEHMjNZobuChYk1iwUCKKiqSjj0XpIM46uDgUQdxqk0lUHJwsiEPtoEmtgxhMIx2StFJBhA4tOCTVPO7n0C5uesbDj8NPAEJO4oXCLqDHU3PbktYJhM/lwty07SRmEHlQKWRn7Uh8VlRvqDFpoEdgo7yQO+0DqP80V1ZW3v0KOcMxI95dMFOqnD8YGfoAckCUZMCNlWhKvxoGxaNWLuZGAQUQwNhOfEJFjhqPugo7u7RzZEN+50HvgO4R5KKKPkVlb9VXfbit5X+Cp2FBn5WLc/dNyBkeAkksFXJnWurdA6xi8U0VqIBc89R6q0hVPLmgtF7+yOdrlUI2ZdXb4hhzKRQ95frENL6qZ+2zo/FHqHQAA6RSlpZWp0WYWC5mF4NO4j3C1aWF+UXbiZ0VZKxFo4pitTcbywAE3JHeQDRhAxIOh9vZxITDw34A13Xbdrtu95Yn4Mb2HzoSjwSDyQ4A0SlOyjjz/Af6mE7q3AQGgW4D1DTDc01zWTP0/lPlG02ULxgmUfoEQCfx4+MWMI5SQvi0NVpDWcejC6EfsBGOA4cR0vh4RZNz8tfNzVgSYRTlGLADGADWge/AR4QZ+ngtY9Q1w3aus/YHPCW0c1bW92YAAAAASUVORK5CYII=&#39;
            return {
              &#39;headers&#39;: {&#39;Content-Type&#39;: &#39;image/png&#39;},
              &#39;statusCode&#39;: 200,
              &#39;isBase64Encoded&#39;: True,
              &#39;body&#39;: body}          
      Handler: index.lambda_handler
      Runtime: python3.7
      Role: !GetAtt TestFunctionRole.Arn
      Timeout: 900
  TestFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      # Let&#39;s hope that the Lambda function doesn&#39;t execute before this LogGroup
      # resource is created, creating the LogGroup with no expiration and
      # preventing this resource from creating
      LogGroupName: !Join [ &#39;/&#39;, [&#39;/aws/lambda&#39;, !Ref &#39;TestFunction&#39; ] ]
      RetentionInDays: 1
  TestRoute53RecordSet:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        DNSName: !GetAtt TestCloudFrontDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget-1.html
      Comment: Bind the custom domain name to the Test CloudFront fronted API Gateway
      HostedZoneName: !Ref DomainNameZone
      Name: !Ref CustomDomainName
      Type: A
  TestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: Test
      BinaryMediaTypes:
        - &#39;*/*&#39;
      Description: Test API
      FailOnWarnings: true
      EndpointConfiguration:
        Types:
          - REGIONAL
  TestApiGatewayDomainName:
    # The ApiGateway requires a custom domain name, despite sitting behind
    # CloudFront. This is because we want to pass all ( * ) HTTP headers
    # through CloudFront and onto API Gateway. If we didn&#39;t set a custom domain
    # name on the API Gateway, the &quot;Host&quot; header passed through from CloudFront
    # to API Gateway would be for the custom domain, but API Gateway, which uses
    # SNI, wouldn&#39;t know which TLS certificate to use in the handshake because
    # API Gateway would have no record of that Host header. This would result in
    # API Gateway being unable to setup a TLS connection with the inbound
    # CloudFront connection attempt, API Gateway writing no logs about this
    # fact, and CloudFront returning to the user an error of
    # {&quot;message&quot;:&quot;Forbidden&quot;}
    # If we weren&#39;t passing the &quot;Host&quot; header from CloudFront to API Gateway
    # this resource wouldn&#39;t be needed
    Type: AWS::ApiGateway::DomainName
    Properties:
      # Uppercase letters are not supported in DomainName
      DomainName: !Ref CustomDomainName
      EndpointConfiguration:
        Types:
          - REGIONAL
      RegionalCertificateArn: !Ref CertificateArn
      SecurityPolicy: TLS_1_2
  TestBasePathMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Properties:
      # BasePath:   # Not specifying this so that we have no base path
      DomainName: !Ref TestApiGatewayDomainName
      RestApiId: !Ref TestApi
      Stage: !Ref TestApiStage
  TestLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:invokeFunction
      FunctionName: !GetAtt TestFunction.Arn
      Principal: apigateway.amazonaws.com
      SourceArn: !Join [ &#39;&#39;, [ &#39;arn:aws:execute-api:&#39;, !Ref &#39;AWS::Region&#39;, &#39;:&#39;, !Ref &#39;AWS::AccountId&#39;, &#39;:&#39;, !Ref &#39;TestApi&#39;, &#39;/*/*&#39; ] ]
  TestApiStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      DeploymentId: !Ref TestApiDeployment
      MethodSettings:
        - DataTraceEnabled: true
          HttpMethod: &#39;*&#39;
          ResourcePath: /*
      RestApiId: !Ref TestApi
  TestApiDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn:
      - TestRequest
    Properties:
      RestApiId: !Ref TestApi
      StageName: DummyStage
      # Deployment with an Empty Embedded Stage
      # The following instructional text is no longer present in the AWS
      # documentation for AWS::ApiGateway::Deployment StageName and it&#39;s not
      # clear if it still applies.
      #
      # &quot;Note This property is required by API Gateway. We recommend that you
      # specify a name using any value (see Examples) and that you don’t use
      # this stage. We recommend not using this stage because it is tied to
      # this deployment, which means you can’t delete one without deleting the
      # other. For example, if you delete this deployment, API Gateway also
      # deletes this stage, which you might want to keep. Instead, use the
      # AWS::ApiGateway::Stage resource to create and associate a stage with
      # this deployment.&quot;
  TestResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref TestApi
      ParentId: !GetAtt TestApi.RootResourceId
      PathPart: &#39;{proxy+}&#39;
  TestRequest:
    DependsOn: TestLambdaPermission
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizationType: NONE
      HttpMethod: GET
      Integration:
        Type: AWS_PROXY
        # IntegrationHttpMethod is POST regardless of the HttpMethod for this resource
        # https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#set-up-lambda-proxy-integration-using-cli
        # &quot;For Lambda integrations, you must use the HTTP method of POST for the
        # integration request, according to the specification of the Lambda service
        # action for function invocations.&quot;
        IntegrationHttpMethod: POST
        Uri: !Join [ &#39;&#39;, [ &#39;arn:aws:apigateway:&#39;, !Ref &#39;AWS::Region&#39;, &#39;:lambda:path/2015-03-31/functions/&#39;, !GetAtt &#39;TestFunction.Arn&#39;, &#39;/invocations&#39; ] ]
      ResourceId: !Ref TestResource
      RestApiId: !Ref TestApi
  TestPOSTRequest:
    DependsOn: TestLambdaPermission
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizationType: NONE
      HttpMethod: POST
      Integration:
        Type: AWS_PROXY
        # https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#set-up-lambda-proxy-integration-using-cli
        # &quot;For Lambda integrations, you must use the HTTP method of POST for the
        # integration request, according to the specification of the Lambda service
        # action for function invocations.&quot;
        IntegrationHttpMethod: POST
        Uri: !Join [ &#39;&#39;, [ &#39;arn:aws:apigateway:&#39;, !Ref &#39;AWS::Region&#39;, &#39;:lambda:path/2015-03-31/functions/&#39;, !GetAtt &#39;TestFunction.Arn&#39;, &#39;/invocations&#39; ] ]
      ResourceId: !Ref TestResource
      RestApiId: !Ref TestApi
  TestRootRequest:
    # This resource is necessary to get API Gateway to respond to requests for the &#39;/&#39; path
    # Without it API Gateway will respond to requests for &#39;/&#39; with the error
    # {&quot;message&quot;:&quot;Missing Authentication Token&quot;}
    # https://stackoverflow.com/q/46578615/168874
    # https://stackoverflow.com/q/52909329/168874
    DependsOn: TestLambdaPermission
    Type: AWS::ApiGateway::Method
    Properties:
      AuthorizationType: NONE
      HttpMethod: GET
      Integration:
        Type: AWS_PROXY
        # IntegrationHttpMethod is POST regardless of the HttpMethod for this resource
        # https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#set-up-lambda-proxy-integration-using-cli
        # &quot;For Lambda integrations, you must use the HTTP method of POST for the
        # integration request, according to the specification of the Lambda service
        # action for function invocations.&quot;
        IntegrationHttpMethod: POST
        Uri: !Join [ &#39;&#39;, [ &#39;arn:aws:apigateway:&#39;, !Ref &#39;AWS::Region&#39;, &#39;:lambda:path/2015-03-31/functions/&#39;, !GetAtt &#39;TestFunction.Arn&#39;, &#39;/invocations&#39; ] ]
      # ResourceId must use the RootResourceId attribute of the AWS::ApiGateway::RestApi
      # https://stackoverflow.com/a/56121914/168874
      ResourceId: !GetAtt TestApi.RootResourceId
      RestApiId: !Ref TestApi
  TestCloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Comment: !Join [ &#39;:&#39;, [!Ref &#39;AWS::StackName&#39;, &#39;Test&#39;]]
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - POST
            - DELETE
            - OPTIONS
            - PUT
            - PATCH
          Compress: true
          DefaultTTL: 0
          MinTTL: 0
          MaxTTL: 0
          ForwardedValues:
            Cookies:
              Forward: all
            QueryString: true
            Headers:
              - &#39;*&#39;
          TargetOriginId: TestCloudFrontOriginId
          ViewerProtocolPolicy: redirect-to-https
        # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-defaultrootobject
        DefaultRootObject: &#39;&#39;  # &quot;If you don&#39;t want to specify a default root object when you create a distribution, include an empty DefaultRootObject element.&quot;
        Enabled: true
        Aliases:
          - !Ref CustomDomainName
        HttpVersion: http2
        IPV6Enabled: true
        #Logging:
        #  Logging
        Origins:
          - CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols:
                - TLSv1.2
            DomainName: !GetAtt TestApiGatewayDomainName.RegionalDomainName
            Id: TestCloudFrontOriginId
            # OriginPath: !Join [ &#39;&#39;, [ &#39;/&#39;, !Ref &#39;TestApiStage&#39; ] ]
        PriceClass: PriceClass_100  # US, Canada, Europe, Israel
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          MinimumProtocolVersion: TLSv1.2_2018
          SslSupportMethod: sni-only

In case AWS updates this documentation page to fix this you can see the original page here

huangapple
  • 本文由 发表于 2020年1月7日 00:49:01
  • 转载请务必保留本文链接:https://go.coder-hub.com/59615948.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定