aghadiry / serverless-cloudfront-invalidate Goto Github PK

View Code? Open in Web Editor NEW

29.0 1.0 21.0 125 KB

Serverless plugin that allows you to invalidate Cloudfront Cache

License: MIT License

JavaScript 100.00%

serverless-cloudfront-invalidate's Introduction

serverless-cloudfront-invalidate

Serverless plugin that allows you to invalidate Cloudfront Cache

Install

Run npm install in your Serverless project.

$ npm install --save serverless-cloudfront-invalidate

Setup

Add the plugin to your serverless.yml file as the last plugin

plugins:
  - serverless-cloudfront-invalidate # add as the last plugin

If the CDN is created as part of same serverless.yml then you can specify the distributionIdKey and output the DomainId (as shown in the sample below).

custom:
  cloudfrontInvalidate:
    - distributionId: "CLOUDFRONT_DIST_ID" #conditional, distributionId or distributionIdKey is required.
      distributionIdKey: "CDNDistributionId" #conditional, distributionId or distributionIdKey is required.
      autoInvalidate: true # Can be set to false to avoid automatic invalidation after the deployment. Useful if you want to manually trigger the invalidation later. Defaults to true.
      items: # one or more paths required
        - "/index.html"
      stage: "dev"  # conditional, the stage that this cloudfront invalidation should be created
            # this should match the provider's stage you declared, e.g. "dev" but not "prod" in this case
            # an invalidation for this distribution will be created when executing `sls deploy --stage dev`
    - distributionId: "CLOUDFRONT_DIST_ID" #conditional, distributionId or distributionIdKey is required.
      distributionIdKey: "CDNDistributionId" #conditional, distributionId or distributionIdKey is required.
      items: # one or more paths required
        - "/index.html"
      # `stage` is omitted, an invalidation will be created for this distribution at all stages
resources:
  Resources:
    CDN:
      Type: "AWS::CloudFront::Distribution"
      Properties: ....
  Outputs:
    CDNDistributionId:
      Description: CDN distribution id.
      Value:
        Ref: CDN

Usage

Run sls deploy. After the deployment a Cloudfront Invalidation will be started. Run sls cloudfrontInvalidate to do a standalone invalidation

Options

The following options are supported:

cacert

Used to specify a cacert file for the AWS commands. This is useful for self signed certificates. You will need to specify the self signed cert in 2 places, one for the serverless execution and one for the AWS execution.

Use export cafile=<path to cert file> to use self signed cert for serverless execution
Run sls cloudfrontInvalidate --cacert=<path to ca cert file> to use self signed cert for AWS execution

Proxy

You can communicate with AWS even if you are using a proxy by setting the proxy to the environment variable of the execution environment.

Correspond to the following environment variable names
- proxy
- HTTP_PROXY
- http_proxy
- HTTPS_PROXY
- https_proxy
example

windows: set HTTP_PROXY=http://localhost:8080

mac: export HTTP_PROXY=http://localhost:8080

serverless-cloudfront-invalidate's People

Contributors

Stargazers

Watchers

serverless-cloudfront-invalidate's Issues

Changelog?

Is there a changelog to determine what's changed and what needs to be updated if I'm upgrading?

Thanks.

[Bug] Assumptions about the stackName break this plugins

I started to get:

DistributionIdKey: WebAppCloudFrontDistribution
Failed to get DistributionId from stack output. Please check your serverless template.

The resaon are that I set my stack name in provider.stackName. You assume the stackname but there are a API for that. See: https://github.com/serverless/serverless/blob/3408a4ee15562e2249951f3d76d08e9ce6ff70cc/lib/plugins/aws/lib/naming.js

Proxy-agent vulnerability

#27

Invalidation does not start after sls deploy

Running sls deploy does not run the invalidation at the end of the deployment of the project.
I have to separately run sls cloudfrontInvalidate after each deployment.

I have defined serverless-cloudfront-invalidate as the last plugin

plugins:
  - ...
  - serverless-cloudfront-invalidate

And I have configured it this way:

custom: 
  ...
  cloudfrontInvalidate:
    distributionIdKey: CDNDistributionId
    items:
      - "/*"

In the Resources block, my distribution is defined as follows:

    CloudFrontDistribution:
      Type: AWS::CloudFront::Distribution
      Properties:
        ...

In the Outputs block, I have the following:

  Outputs:
    CDNDistributionId:
      Description: CDN distribution id.
      Value:
        Ref: CloudFrontDistribution

With sls cloudfrontInvalidate all works

Some additional information:

Serverless Version: 1.66.0
Node Version: v13.6.0
NPM Version: 6.13.4
OS: macOS 10.15.3 (Catalina)

Can we have an option to conditionally disable or enable this plugin?

I sometimes want to invalidate the cache only if the CI is deploying from the master branch. It would be convenient to be able to disable this plugin conditionally.

I can take a stab at this 😃

Netmask vulnerability

This library depends on proxy-agent > pac-proxy-agent > pac-resolver > netmask

TooTallNate/node-pac-resolver@1d1a92e#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519
Here is fixed netmask vulnerability.
Please update

I forked this branch until the owner updates it

I created a fork off of this repo and published on NPM for anyone that is tired of the vm2 issue. I'll try and keep it up to date if anything else comes up but this guy still did 99% of the work so use this one if they get it back up.

https://github.com/thwalker6/serverless-cloudfront-invalidate
just put the below library in its place and no more vm2 issue. I noticed there are other ones as well and I will address them but for now here you go.
serverless-cf-invalidate-proxy

AWS Credentials are not loaded from the serverless configuration

When I use the cloudfront invalidate, I have noticed that it is using the credentials as set in my environment variables rather than using the credentials specified in serverless's configuration.

This is not normally an issue for CI/CD since it likely already is setup with the environment variables, however when different developers in a team are testing it out, they may not necessarily have cloudfront invalidate permissions on their own AWS keys.

I will submit a PR to fix this issue

Invalidate multiple cloudfront distribution

Hi
How do you invalidate multiple CF. I am able to do one but need to do two in the same script.

Thanks

Can you release a new version?

The latest version on npm does not work with distributionId

Does not invalidate main.js

Do I need to add every single file under items? Does this plug in check if a file has since been updated and the conditionally invalidate?

items:
- '/index.html'

Option to wait for invalidation to complete

It seems that currently plugin starts an invalidation, but doesn't wait for it to be finished.

It would be helpful to have an option for that.

My use case is that CI deploys new files to cloudfront and then runs e2e tests on them.
But I need to be sure that files have been updated.

Security: Transitive remote code execution vulnerabiility through proxy-agent -> ... -> vm2 (CVE-2023-37903)

https://www.cve.org/CVERecord?id=CVE-2023-37903

The vm2 library is vulnerable to a remote code execution attack, and the library is discontinued and no further updates are expected there to fix this.

The dependency chain for this is:

[email protected] › [email protected] › [email protected] › [email protected] › [email protected] › [email protected]

The fix for serverless-cloudfront-invalidate would be to upgrade to proxy-agent 6.3.0 or newer. Proxy-agent 6.3.0 transitions away from vm2 to quickjs-emscripten.

https://github.com/TooTallNate/proxy-agents/releases/tag/proxy-agent%406.3.0

https://github.com/TooTallNate/proxy-agents/releases/tag/pac-proxy-agent%407.0.0

There is a fix waiting in PR #43 already.

TypeError: elements.map is not a function on running serverless cloudfrontInvalidate

On running serverless cloudfrontInvalidate I get the following error

Environment: linux, node 14.21.3, framework 3.35.2, plugin 7.0.2, SDK 4.4.0
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues
Error:
TypeError: elements.map is not a function
    at CloudfrontInvalidate.invalidateElements (/opt/atlassian/pipelines/agent/build/node_modules/serverless-cloudfront-invalidate/index.js:100:43)
    at CloudfrontInvalidate.invalidate (/opt/atlassian/pipelines/agent/build/node_modules/serverless-cloudfront-invalidate/index.js:161:17)
    at PluginManager.runHooks (/usr/local/lib/node_modules/serverless/lib/classes/plugin-manager.js:530:15)
    at PluginManager.invoke (/usr/local/lib/node_modules/serverless/lib/classes/plugin-manager.js:564:20)
    at async PluginManager.run (/usr/local/lib/node_modules/serverless/lib/classes/plugin-manager.js:604:7)
    at async Serverless.run (/usr/local/lib/node_modules/serverless/lib/serverless.js:179:5)
    at async /usr/local/lib/node_modules/serverless/scripts/serverless.js:819:9

This is my serverless.yml file

service: Lebara-Frontend


provider:
  name: aws
  runtime: nodejs18.x
  stage: ${opt:stage, 'dev'}
  region: ${env:AWS_DEFAULT_REGION, '*****'}
  bucketName: ${env:AWS_BUCKET_NAME, '******'} 

plugins:
  - serverless-finch
  - serverless-cloudfront-invalidate

custom:
  client:
    bucketName: ${self:provider.bucketName}
    distributionFolder: build
    indexDocument: index.html
    errorDocument: index.html
    objectHeaders:
      'static/':
        - name: Cache-Control
          value: 'max-age=31536000'
      '*.png':
        - name: Cache-Control
          value: 'max-age=31536000'
  cloudfrontInvalidate:
    distributionId: ${env:DISTRIBUTION_ID}
    items: # one or more paths required 
      - "/*"

Failing on initial deploy

On a freshly deployed stack, this plugin seems to be throwing a fit:

 Deploying <app> to stage <fresh-deploy> (us-east-1)
Using deployment bucket '<deployment-bucket>'
DistributionIdKey: CloudFrontDistributionOutput
{"code":"AWS_CLOUD_FRONT_CREATE_INVALIDATION_MISSING_REQUIRED_PARAMETER","providerError":{"message":"Missing required key 'DistributionId' in params","code":"MissingRequiredParameter","time":"2023-05-15T19:36:01.821Z"},"providerErrorCodeExtension":"MISSING_REQUIRED_PARAMETER"}
CloudfrontInvalidate: Invalidation failed
Failed to get DistributionId from stack output. Please check your serverless template.

Relevant parts of my serverless.yml:

service: <app>
frameworkVersion: '3.30.1'

provider:
  name: aws
  runtime: nodejs16.x

plugins:
  - serverless-cloudfront-invalidate # This plugins is the last one listed

custom:
  cloudfrontInvalidate:
    - distributionIdKey: 'CloudFrontDistributionOutput'
      autoInvalidate: true
      items:
        - '/*'
        - '/'

resources:
  Resources:
    CloudFrontDistribution:
      Type: AWS::CloudFront::Distribution

  Outputs:
    CloudFrontDistributionOutput:
      Value:
        'Ref': CloudFrontDistribution

I get the feeling that this is a race condition or something else caused by the plugin attempting to run before the CloudFront distribution is actually created, because it appears that running the deploy again results in a success.