Updates for v2.0.0

CHANGELOG.md

@@ -4,12 +4,28 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.0.0] - 2021-9-27
+### Added 
+- Added new section that explains the minimum IAM permissions a AWS IAM user needs to deploy this CloudFormation template.
+
+### Changed
+- The Amazon CloudFront distribution TTL values were modified to 1 second for all http error codes. 403, 404, 405, 500, 501, 503, and 504.
+- New Amazon CloudFront cache policy that includes the "Origin" header.
+- Updated outdated node.js packages.
+
+### Fixed
+- Removed logging of AWS MediaLive input details since they could contain input passwords.
+- Fixed the AWS CloudWatch Dashboard url on the CloudFormation output page.
+- Removed --silent from npm commands for custom builds to make it so building will not fail silently. 
+- Readme (https://github.com/awslabs/video-on-demand-on-aws-foundations/issues/12)
+
+
 ## [1.2.1] - 2021-7-1
-### Added
+### Fixed
 - Updated CFN template for aws-cloudfront-mediastore CDK. 
 - MediaStore policy is now retricting to only requests from Amazon CloudFront.
-- Updated the README file.
-- Dependbot updates to glob-parent and y18n. 
+- Updated README.
+
 
 ## [1.2.0] - 2020-12-21
 ### Added

NOTICE.txt

@@ -1,6 +1,6 @@
 Live Streaming on AWS with MediaStore
 
-Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

README.md

@@ -45,19 +45,19 @@ The solution includes an Amazon CloudWatch Dashboard that is configured to monit
 Before you launch the solution, you must create a MediaStore IAM Role and associated policy to allow MediaStore access to Amazon CloudWatch. The solution will launch successfully but without this Role the Amazon CloudWatch Dashboard deployed as part of the solution will not work. This is a one-time requirement, once created the role will authorize logging for all MediaStore Containers (if enabled). For details please see the [MediaStore documentation](https://docs.aws.amazon.com/mediastore/latest/ug/incident-response.html)
 
 ## Deployment
-The solution can be deployed through the CloudFormation template available on the [solution home page](https://aws.amazon.com/solutions/live-streaming-on-aws/). 
+The solution can be deployed through the CloudFormation template available on the [solution home page](https://aws.amazon.com/solutions/live-streaming-on-aws/).
 
 ## Creating a custom build
 
 ### Prerequisites:
 * [AWS Command Line Interface](https://aws.amazon.com/cli/)
 * Node.js 12.x or later
-* AWS CDK 1.73.0
+* AWS CDK 1.102.0
 
 The are 2 options for deploying the solution: using the CDK deployment tools or running the build script to generate a CFN template and the packaged lambda code.
 
 ### Options 1: Deploying through the CDK.
-This option simply follows the standard CDK deployment process, for easy of use we have included the deployment/build-cdk-deploy.sh BASH script that will run the lambda unit tests, run the cdk unit tests and then run `cdk deploy` in the source/cdk folder. You will need to run `cdk bootstrap` before you run cdk deply the first time to setup the cdk resource in your AWS account. Details on using the CDK can be found [here].
+This options simply flollows the standard CDK deployment process, for easy of use we have included the deployment/build-cdk-deploy.sh BASH script that will run the lambda unit tests, run the cdk unit tests and then run `cdk deploy` in the source/cdk folder. You will need to run `cdk bootstrap` before you run cdk deply the first time to setup the cdk resource in your AWS account. Details on using the CDK can be found [here].
 
 1. Download or clone the repo and make the required changes to the source code.
 2. installl the dependecies for the lambda function and construct.
@@ -95,26 +95,38 @@ aws s3 mb s3://my-bucket-us-east-1
 Build the distributable:
 ```
 chmod +x ./build-s3-dist.sh
-./build-s3-dist.sh <bucketname> live-streaming-on-aws-with-mediastore <version>
+./build-s3-dist.sh <my-bucket> live-streaming-on-aws-with-mediastore <version>
 ```
 
-> **Notes**: The _build-s3-dist_ script expects the bucket name as one of its parameters, and this value should not include the region suffix
+> **Notes**: The _build-s3-dist_ script expects the bucket name as one of its parameters. This value should not have the region suffix (remove the -us-east-1)
+
+Ensure that you are owner of the AWS S3 bucket. 
+```
+aws s3api head-bucket --bucket my-bucket-us-east-1 --expected-bucket-owner YOUR-AWS-ACCOUNT-NUMBER
+```
 
 Deploy the distributable to the Amazon S3 bucket in your account:
 ```
-aws s3 sync ./regional-s3-assets/ s3://my-bucket-us-east-1/live-streaming-on-aws-with-mediastore/<version>/ --acl public-read
-aws s3 sync ./global-s3-assets/ s3://my-bucket-us-east-1/live-streaming-on-aws-with-mediastore/<version>/ --acl public-read
+aws s3 sync ./regional-s3-assets/ s3://my-bucket-us-east-1/live-streaming-on-aws-with-mediastore/<version>/ 
+aws s3 sync ./global-s3-assets/ s3://my-bucket-us-east-1/live-streaming-on-aws-with-mediastore/<version>/ 
 ```
 
 ### 5. Launch the CloudFormation template.
 * Get the link of the live-streaming-on-aws-with-mediastore.template uploaded to your Amazon S3 bucket.
 * Deploy the solution.
 
+
+## Deploying with minimum permissions
+
+When deploying this solution you may have a DevOps operator IAM user that deploys this CloudFormation template. The json file located at the following directory is the minimum IAM permissions that an AWS IAM user needs to be able to deploy the CloudFormation template successfully. 
+
+`deployment/min_user_iam_deploy.json`
+
 ## License
 
 * This project is licensed under the terms of the Apache 2.0 license. See `LICENSE`.
 
+
 This solution collects anonymous operational metrics to help AWS improve the
 quality of features of the solution. For more information, including how to disable
-this capability, please see the [implementation guide](https://docs.aws.amazon.com/solutions/latest/live-streaming-on-aws-with-mediastore/collection-of-operational-metrics.html). 
-
+this capability, please see the [implementation guide](_https://docs.aws.amazon.com/solutions/latest/live-streaming-on-aws-with-mediastore/collection-of-operational-metrics.html_). 

deployment/build-s3-dist.sh

@@ -101,12 +101,11 @@ for d in `find . -mindepth 1 -maxdepth 1 -type d`; do
     pfname="$(basename -- $d)"
     fname="$(echo $pfname | sed -e 's/\.//g')"
     mv $d $fname
-
     # Zip artifacts from asset folder
     cd $fname
     rm -rf node_modules/
     rm -rf coverage/
-    npm ci --silent --production
+    npm ci --production
     zip -rq ../$fname.zip *
     cd ..
 

deployment/cdk-solution-helper/README.md

@@ -149,4 +149,4 @@ After:
   ```
 
 ***
-© Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+© Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

deployment/cdk-solution-helper/index.js

@@ -1,5 +1,5 @@
 /**
- *  Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
  *  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
  *  with the License. A copy of the License is located at

source/constructs/.gitignore

@@ -1,3 +1,6 @@
+package-lock.json
+.DS_Store
+.vscode/
 *.js
 !jest.config.js
 *.d.ts

source/constructs/bin/live-streaming.ts

@@ -1,4 +1,17 @@
 #!/usr/bin/env node
+/*********************************************************************************************************************
+ *  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.                                           *
+ *                                                                                                                    *
+ *  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance    *
+ *  with the License. A copy of the License is located at                                                             *
+ *                                                                                                                    *
+ *      http://www.apache.org/licenses/LICENSE-2.0                                                                    *
+ *                                                                                                                    *
+ *  or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES *
+ *  OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions    *
+ *  and limitations under the License.                                                                                *
+ *********************************************************************************************************************/
+
 import 'source-map-support/register';
 import * as cdk from '@aws-cdk/core';
 import { LiveStreaming } from '../lib/live-streaming';

source/constructs/lib/live-streaming.ts

@@ -1,5 +1,5 @@
 /*********************************************************************************************************************
- *  Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.                                           *
+ *  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.                                           *
  *                                                                                                                    *
  *  Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance    *
  *  with the License. A copy of the License is located at                                                             *
@@ -18,6 +18,7 @@ import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
 
 //Solution construct
 import { CloudFrontToMediaStore } from '@aws-solutions-constructs/aws-cloudfront-mediastore';
+import { CachePolicy } from '@aws-cdk/aws-cloudfront';
 
 export class LiveStreaming extends cdk.Stack {
     constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
@@ -144,7 +145,22 @@ export class LiveStreaming extends cdk.Stack {
          * Disabling the default settings for security headers and update the lifecycle policy to delete expired
          * .ts segments after 5 minutes.
          */
-        const distibution = new CloudFrontToMediaStore(this,'CloudFrontToMediaStore',{
+        const cachePolicy = new CachePolicy(this, 'CachePolicy', {
+            headerBehavior: {
+              behavior: 'whitelist',
+              headers: ['Origin']
+            }
+        });
+
+        const distibution = new CloudFrontToMediaStore(this, 'CloudFrontToMediaStore', {
+            cloudFrontDistributionProps: {
+              defaultBehavior: {
+                cachePolicy
+              },
+              errorResponses: [400, 403, 404, 405, 414, 416, 500, 501, 502, 503, 504].map((httpStatus: number) => {
+                return { httpStatus, ttl: cdk.Duration.seconds(1) };
+              })
+            },
             insertHttpSecurityHeaders: false
         });
         distibution.mediaStoreContainer.lifecyclePolicy = JSON.stringify({
@@ -197,6 +213,9 @@ export class LiveStreaming extends cdk.Stack {
             runtime: lambda.Runtime.NODEJS_12_X,
             handler: 'index.handler',
             description: 'CFN Custom resource to copy assets to S3 and get the MediaConvert endpoint',
+            environment: {
+                SOLUTION_IDENTIFIER: 'AwsSolution/SO0109/v2.0.0'
+            },
             code: lambda.Code.fromAsset('../custom-resource'),
             timeout: cdk.Duration.seconds(30),
             initialPolicy: [
@@ -236,6 +255,12 @@ export class LiveStreaming extends cdk.Stack {
                 rules_to_suppress: [{
                     id: 'W58',
                     reason: 'Invalid warning: function has access to cloudwatch'
+                },{
+                    id: 'W89',
+                    reason: 'This CustomResource does not need to be deployed inside a VPC'
+                },{
+                    id: 'W92',
+                    reason: 'This CustomResource does not need to define ReservedConcurrentExecutions to reserve simultaneous executions'
                 }]
             }
         };
@@ -435,7 +460,7 @@ export class LiveStreaming extends cdk.Stack {
             exportName: `${cdk.Aws.STACK_NAME}-MediaStoreConsole`
         });
         new cdk.CfnOutput(this, 'CloudWatchDashboard', {
-            value: `https://${cdk.Aws.REGION}.console.aws.amazon.com/cloudwatch/home?region=${cdk.Aws.REGION}#dashboards:name=${cdk.Aws.STACK_NAME}-MediaStore-Live-Streaming`,
+            value: `https://${cdk.Aws.REGION}.console.aws.amazon.com/cloudwatch/home?region=${cdk.Aws.REGION}#dashboards:name=${cdk.Aws.STACK_NAME}-${cdk.Aws.REGION}`,
             description: 'CloudWatch Dashboard for MediaStore Ingress and Egress',
             exportName: `${cdk.Aws.STACK_NAME}-CloudWatchDashboard`
         });