docs(cloudfront): add migration guide to modern distribution api (#18835)

peterwoodworth · web-flow · commit ea7802b4b5ea · 2022-02-11T20:56:57.000Z
Add guide for migrating from CloudFrontWebDistribution to Distribution

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-cloudfront/README.md b/packages/@aws-cdk/aws-cloudfront/README.md
@@ -91,7 +91,7 @@ your domain name, and provide one (or more) domain names from the certificate fo
 
 The certificate must be present in the AWS Certificate Manager (ACM) service in the US East (N. Virginia) region; the certificate
 may either be created by ACM, or created elsewhere and imported into ACM. When a certificate is used, the distribution will support HTTPS connections
-from SNI only and a minimum protocol version of TLSv1.2_2021 if the '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021' feature flag is set, and TLSv1.2_2019 otherwise. 
+from SNI only and a minimum protocol version of TLSv1.2_2021 if the `@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021` feature flag is set, and TLSv1.2_2019 otherwise. 
 
 ```ts
 // To use your own domain name in a Distribution, you must associate a certificate
@@ -539,6 +539,203 @@ const distribution = cloudfront.Distribution.fromDistributionAttributes(this, 'I
 });
 ```
 
+## Migrating from the original CloudFrontWebDistribution to the newer Distribution construct
+
+It's possible to migrate a distribution from the original to the modern API.
+The changes necessary are the following:
+
+### The Distribution
+
+Replace `new CloudFrontWebDistribution` with `new Distribution`. Some
+configuration properties have been changed:
+
+| Old API                        | New API                                                                                        |
+|--------------------------------|------------------------------------------------------------------------------------------------|
+| `originConfigs`                | `defaultBehavior`; use `additionalBehaviors` if necessary                                      |
+| `viewerCertificate`            | `certificate`; use `domainNames` for aliases                                                   |
+| `errorConfigurations`          | `errorResponses`                                                                               |
+| `loggingConfig`                | `enableLogging`; configure with `logBucket` `logFilePrefix` and `logIncludesCookies`           |
+| `viewerProtocolPolicy`         | removed; set on each behavior instead. default changed from `REDIRECT_TO_HTTPS` to `ALLOW_ALL` |
+
+After switching constructs, you need to maintain the same logical ID for the underlying [CfnDistribution](https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-cloudfront.CfnDistribution.html) if you wish to avoid the deletion and recreation of your distribution. 
+To do this, use [escape hatches](https://docs.aws.amazon.com/cdk/v2/guide/cfn_layer.html) to override the logical ID created by the new Distribution construct with the logical ID created by the old construct.
+
+Example:
+
+```ts
+declare const sourceBucket: s3.Bucket;
+
+const myDistribution = new cloudfront.Distribution(this, 'MyCfWebDistribution', {
+  defaultBehavior: {
+    origin: new origins.S3Origin(sourceBucket),
+  },
+});
+const cfnDistribution = myDistribution.node.defaultChild as cloudfront.CfnDistribution;
+cfnDistribution.overrideLogicalId('MyDistributionCFDistribution3H55TI9Q');
+```
+
+### Behaviors
+
+The modern API makes use of the [CloudFront Origins](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront_origins-readme.html) module to easily configure your origin. Replace your origin configuration with the relevant CloudFront Origins class. For example, here's a behavior with an S3 origin:
+
+```ts
+declare const sourceBucket: s3.Bucket;
+declare const oai: cloudfront.OriginAccessIdentity;
+
+new cloudfront.CloudFrontWebDistribution(this, 'MyCfWebDistribution', {
+  originConfigs: [
+    {
+      s3OriginSource: {
+        s3BucketSource: sourceBucket,
+        originAccessIdentity: oai,
+      },
+      behaviors : [ {isDefaultBehavior: true}],
+    },
+  ],
+});
+```
+
+Becomes:
+
+```ts
+declare const sourceBucket: s3.Bucket;
+
+const distribution = new cloudfront.Distribution(this, 'MyCfWebDistribution', {
+  defaultBehavior: {
+    origin: new origins.S3Origin(sourceBucket) // This class automatically creates an Origin Access Identity
+  },
+});
+```
+
+In the original API all behaviors are defined in the `originConfigs` property. The new API is optimized for a single origin and behavior, so the default behavior and additional behaviors will be defined separately.
+
+```ts
+declare const sourceBucket: s3.Bucket;
+declare const oai: cloudfront.OriginAccessIdentity;
+
+new cloudfront.CloudFrontWebDistribution(this, 'MyCfWebDistribution', {
+  originConfigs: [
+    {
+      s3OriginSource: {
+        s3BucketSource: sourceBucket,
+        originAccessIdentity: oai,
+      },
+      behaviors: [ {isDefaultBehavior: true}],
+    },
+    {
+      customOriginSource: {
+        domainName: 'MYALIAS',
+      },
+      behaviors: [{ pathPattern: '/somewhere' }]
+    }
+  ],
+});
+```
+
+Becomes:
+
+```ts
+declare const sourceBucket: s3.Bucket;
+
+const distribution = new cloudfront.Distribution(this, 'MyCfWebDistribution', {
+  defaultBehavior: {
+    origin: new origins.S3Origin(sourceBucket) // This class automatically creates an Origin Access Identity
+  },
+  additionalBehaviors: {
+    '/somewhere': {
+      origin: new origins.HttpOrigin('MYALIAS'),
+    }
+  }
+});
+```
+
+### Certificates
+
+If you are using an ACM certificate, you can pass the certificate directly to the `certificate` prop.
+Any aliases used before in the `ViewerCertificate` class should be passed in to the `domainNames` prop in the modern API.
+
+```ts
+import * as acm from '@aws-cdk/aws-certificatemanager';
+declare const certificate: acm.Certificate;
+declare const sourceBucket: s3.Bucket;
+
+const viewerCertificate = cloudfront.ViewerCertificate.fromAcmCertificate(certificate, {
+  aliases: ['MYALIAS'],
+});
+
+new cloudfront.CloudFrontWebDistribution(this, 'MyCfWebDistribution', {
+  originConfigs: [
+    {
+      s3OriginSource: {
+        s3BucketSource: sourceBucket,
+      },
+      behaviors : [ {isDefaultBehavior: true} ],
+    },
+  ],
+  viewerCertificate: viewerCertificate,
+});
+```
+
+Becomes:
+
+```ts
+import * as acm from '@aws-cdk/aws-certificatemanager';
+declare const certificate: acm.Certificate;
+declare const sourceBucket: s3.Bucket;
+
+const distribution = new cloudfront.Distribution(this, 'MyCfWebDistribution', {
+  defaultBehavior: {
+    origin: new origins.S3Origin(sourceBucket),
+  },
+  domainNames: ['MYALIAS'],
+  certificate: certificate,
+});
+```
+
+IAM certificates aren't directly supported by the new API, but can be easily configured through [escape hatches](https://docs.aws.amazon.com/cdk/v2/guide/cfn_layer.html)
+
+```ts
+declare const sourceBucket: s3.Bucket;
+const viewerCertificate = cloudfront.ViewerCertificate.fromIamCertificate('MYIAMROLEIDENTIFIER', {
+  aliases: ['MYALIAS'],
+});
+
+new cloudfront.CloudFrontWebDistribution(this, 'MyCfWebDistribution', {
+  originConfigs: [
+    {
+      s3OriginSource: {
+        s3BucketSource: sourceBucket,
+      },
+      behaviors : [ {isDefaultBehavior: true} ],
+    },
+  ],
+  viewerCertificate: viewerCertificate,
+});
+```
+
+Becomes: 
+
+```ts
+declare const sourceBucket: s3.Bucket;
+const distribution = new cloudfront.Distribution(this, 'MyCfWebDistribution', {
+  defaultBehavior: {
+    origin: new origins.S3Origin(sourceBucket),
+  },
+  domainNames: ['MYALIAS'],
+});
+
+const cfnDistribution = distribution.node.defaultChild as cloudfront.CfnDistribution;
+
+cfnDistribution.addPropertyOverride('ViewerCertificate.IamCertificateId', 'MYIAMROLEIDENTIFIER');
+cfnDistribution.addPropertyOverride('ViewerCertificate.SslSupportMethod', 'sni-only');
+```
+
+### Other changes
+
+A number of default settings have changed on the new API when creating a new distribution, behavior, and origin. 
+After making the major changes needed for the migration, run `cdk diff` to see what settings have changed. 
+If no changes are desired during migration, you will at the least be able to use [escape hatches](https://docs.aws.amazon.com/cdk/v2/guide/cfn_layer.html) to override what the CDK synthesizes, if you can't change the properties directly.
+
 ## CloudFrontWebDistribution API
 
 > The `CloudFrontWebDistribution` construct is the original construct written for working with CloudFront distributions.
