rustack_cloudfront_model/types.rs
1//! Domain types for CloudFront resources.
2//!
3//! The types here form a minimal but faithful representation of the wire
4//! schema. Each resource record is a single struct that owns its configuration
5//! plus bookkeeping (ETag, timestamps, status, etc.). Optional fields that
6//! CloudFront always emits (even as `<Quantity>0</Quantity>`) are modelled as
7//! `Vec<T>` rather than `Option<Vec<T>>` so the XML renderer can use the same
8//! code path for "present but empty" and "present with items".
9
10use chrono::{DateTime, Utc};
11use serde::{Deserialize, Serialize};
12
13use crate::tags::TagSet;
14
15// ---------------------------------------------------------------------------
16// Common enums
17// ---------------------------------------------------------------------------
18
/// Lifecycle state shared by distributions and invalidations.
///
/// Defaults to [`ResourceStatus::InProgress`], so a freshly created record
/// reports as still propagating until something moves it to `Deployed`
/// (distributions) or `Completed` (invalidations).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
pub enum ResourceStatus {
    /// Change is still propagating to the edge.
    #[default]
    InProgress,
    /// Distribution change has been deployed to the edge.
    Deployed,
    /// Invalidation has finished.
    Completed,
}

impl ResourceStatus {
    /// Wire-format token for this status, as written into `<Status>`.
    ///
    /// Kept as an explicit table rather than derived from `Debug`, so that a
    /// variant rename can never silently change what goes on the wire. The
    /// derived serde representation uses the same spelling, so the two
    /// encodings cannot drift apart.
    #[must_use]
    pub fn as_wire(self) -> &'static str {
        use ResourceStatus::{Completed, Deployed, InProgress};
        match self {
            InProgress => "InProgress",
            Deployed => "Deployed",
            Completed => "Completed",
        }
    }
}
42
43// ---------------------------------------------------------------------------
44// Distribution
45// ---------------------------------------------------------------------------
46
/// Full distribution record persisted in the store.
///
/// `config` is the caller-supplied [`DistributionConfig`] as last accepted;
/// every other field is bookkeeping assigned by the service. The derived
/// `Debug` prints the whole record, including every
/// `config.origins[*].custom_headers` value, so avoid `{:?}`-logging a
/// `Distribution` if those headers carry origin-auth secrets.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Distribution {
    /// CloudFront-assigned distribution ID (14 chars).
    pub id: String,
    /// ARN — for CloudFront, region is empty: `arn:aws:cloudfront::{account}:distribution/{id}`.
    pub arn: String,
    /// Current lifecycle status.
    pub status: ResourceStatus,
    /// Last modification wall-clock time.
    pub last_modified_time: DateTime<Utc>,
    /// CloudFront-assigned `{id}.cloudfront.net` FQDN.
    pub domain_name: String,
    /// Number of invalidation batches currently running for this distribution.
    pub in_progress_invalidation_batches: i32,
    /// Active trusted signers (always disabled in Rustack; stored for echo).
    pub active_trusted_signers_enabled: bool,
    /// Active trusted key groups (always disabled in Rustack; stored for echo).
    pub active_trusted_key_groups_enabled: bool,
    /// Distribution configuration (echoed back in GET/Create responses).
    pub config: DistributionConfig,
    /// Tags attached to the distribution.
    pub tags: TagSet,
    /// ETag (monotonic version token).
    // NOTE(review): presumably this is what Update/Delete handlers compare
    // against the caller's `If-Match`; that comparison is not done in this file.
    pub etag: String,
    /// ICP recordal status per alternate domain (PRC compliance). Stored for
    /// completeness only; unused in the data plane.
    pub alias_icp_recordal: Vec<AliasIcpRecordal>,
}
75
/// Alternate-domain ICP recordal entry (PRC compliance).
///
/// One entry per alias; mirrors the `AliasICPRecordal` element of the wire
/// schema.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct AliasIcpRecordal {
    /// Alias FQDN the recordal applies to.
    pub cname: String,
    /// Recordal status as a wire string, e.g. `APPROVED`. Not validated here.
    pub icp_recordal_status: String,
}
84
/// Distribution configuration.
///
/// Mirrors AWS `DistributionConfig`. Optional subsections that AWS always emits
/// (like `Aliases`, `CustomErrorResponses`, `Restrictions`) are modelled as
/// default-constructible structs rather than `Option<T>`.
///
/// Fields marked "stored only" are persisted and echoed back but carry no
/// behaviour in this crate; in particular `web_acl_id` does not cause any
/// request filtering here.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct DistributionConfig {
    /// Idempotency token supplied by the caller.
    pub caller_reference: String,
    /// Alternate CNAMEs.
    pub aliases: Vec<String>,
    /// Default root object (e.g. `index.html`).
    pub default_root_object: String,
    /// Origin list.
    pub origins: Vec<Origin>,
    /// Origin groups (failover pairs).
    pub origin_groups: Vec<OriginGroup>,
    /// Catch-all cache behavior.
    pub default_cache_behavior: CacheBehavior,
    /// Ordered prefixed cache behaviors.
    pub cache_behaviors: Vec<CacheBehavior>,
    /// Custom error response overrides.
    pub custom_error_responses: Vec<CustomErrorResponse>,
    /// Optional comment.
    pub comment: String,
    /// Logging settings.
    pub logging: LoggingConfig,
    /// `PriceClass_All`, `PriceClass_100`, `PriceClass_200`.
    pub price_class: String,
    /// Whether the distribution is enabled.
    pub enabled: bool,
    /// Viewer certificate settings.
    pub viewer_certificate: ViewerCertificate,
    /// Geo restrictions.
    pub restrictions: Restrictions,
    /// ARN of WAF WebACL (stored only — no WAF evaluation happens in Rustack).
    pub web_acl_id: String,
    /// HTTP version (`http1.1`, `http2`, `http2and3`, `http3`).
    pub http_version: String,
    /// Whether IPv6 is enabled.
    pub is_ipv6_enabled: bool,
    /// Continuous deployment policy ID (stored only).
    pub continuous_deployment_policy_id: String,
    /// Whether this is a staging distribution.
    pub staging: bool,
    /// Anycast IP list ID (stored only).
    pub anycast_ip_list_id: String,
    /// Connection mode: `direct` or `tenant-only`.
    pub connection_mode: String,
    /// TenantConfig parameter definitions (stored only).
    pub tenant_config_parameters: Vec<TenantConfigParameter>,
}
137
/// CloudFront origin.
///
/// Exactly one of `s3_origin_config`, `custom_origin_config` or
/// `vpc_origin_config` is expected to be present for a given origin; this
/// struct does not enforce that, so validation must happen in the handler.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct Origin {
    /// Caller-supplied ID, referenced by `TargetOriginId`.
    pub id: String,
    /// Origin FQDN (e.g. `my-bucket.s3.us-east-1.amazonaws.com`).
    pub domain_name: String,
    /// Optional directory prefix prepended to every request.
    pub origin_path: String,
    /// Headers appended to every origin request.
    // NOTE(review): values are stored verbatim and echoed back on GET. If
    // callers use these as shared origin-auth secrets, keep them out of logs.
    pub custom_headers: Vec<CustomHeader>,
    /// Present if this is an S3 origin.
    pub s3_origin_config: Option<S3OriginConfig>,
    /// Present if this is a custom HTTP origin.
    pub custom_origin_config: Option<CustomOriginConfig>,
    /// Connection attempts (default 3).
    pub connection_attempts: i32,
    /// Connection timeout in seconds (default 10).
    pub connection_timeout: i32,
    /// Origin Shield configuration.
    pub origin_shield: Option<OriginShield>,
    /// Origin Access Control ID (OAC — modern). Empty when no OAC is attached.
    pub origin_access_control_id: String,
    /// VPC origin configuration.
    pub vpc_origin_config: Option<VpcOriginConfig>,
}
164
/// S3 origin configuration.
///
/// Only carries the legacy OAI reference; the modern OAC reference lives on
/// [`Origin::origin_access_control_id`].
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct S3OriginConfig {
    /// Origin Access Identity (OAI — legacy), format `origin-access-identity/cloudfront/{Id}` or
    /// empty. Empty means the bucket is reached without an OAI.
    pub origin_access_identity: String,
}
172
/// Custom (HTTP) origin configuration.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct CustomOriginConfig {
    /// HTTP port.
    pub http_port: i32,
    /// HTTPS port.
    pub https_port: i32,
    /// `http-only`, `https-only`, `match-viewer`.
    ///
    /// `http-only` means origin traffic is plaintext regardless of what the
    /// viewer used; stored as a wire string, not validated here.
    pub origin_protocol_policy: String,
    /// List of allowed SSL/TLS versions (wire strings such as `TLSv1.2`).
    pub origin_ssl_protocols: Vec<String>,
    /// Read timeout in seconds.
    pub origin_read_timeout: i32,
    /// Keep-alive timeout in seconds.
    pub origin_keepalive_timeout: i32,
}
189
/// VPC origin configuration.
///
/// References a VPC origin by ID; the origin itself is defined elsewhere.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct VpcOriginConfig {
    /// VPC origin ID.
    pub vpc_origin_id: String,
    /// Read timeout in seconds.
    pub origin_read_timeout: i32,
    /// Keep-alive timeout in seconds.
    pub origin_keepalive_timeout: i32,
}
200
/// Origin Shield configuration.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct OriginShield {
    /// Whether Origin Shield is enabled.
    pub enabled: bool,
    /// Origin Shield region (AWS region code); only meaningful when `enabled`.
    pub origin_shield_region: String,
}
209
/// Origin group (primary/failover).
///
/// `member_origins` are looked up against [`Origin::id`]; nothing here checks
/// that they resolve, so dangling references must be rejected by the handler.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct OriginGroup {
    /// Group ID (referenced by `TargetOriginId`).
    pub id: String,
    /// Failover trigger status codes.
    pub failover_status_codes: Vec<i32>,
    /// Member origin IDs in priority order.
    pub member_origins: Vec<String>,
    /// Selection criteria: `default`, `media-quality-based`.
    pub selection_criteria: String,
}
222
/// Arbitrary HTTP header `(name, value)` pair.
///
/// Used for the per-origin custom headers. The derived `Debug` prints the
/// value in full; if callers put shared origin-auth secrets here (a common
/// CloudFront pattern), do not `{:?}`-log these records.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct CustomHeader {
    /// Header name.
    pub header_name: String,
    /// Header value, stored verbatim.
    pub header_value: String,
}
231
/// Cache behavior (default or prefixed).
///
/// The legacy TTL / `forwarded_values` fields and the policy-ID fields are
/// mutually exclusive on real CloudFront; both sets are stored here and the
/// handler is responsible for enforcing that only one is used.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct CacheBehavior {
    /// Glob path pattern (empty for `DefaultCacheBehavior`).
    pub path_pattern: String,
    /// Referenced `Origin.id` (or `OriginGroup.id`).
    pub target_origin_id: String,
    /// `allow-all`, `https-only`, `redirect-to-https`.
    pub viewer_protocol_policy: String,
    /// Methods the distribution accepts.
    pub allowed_methods: Vec<String>,
    /// Subset of `allowed_methods` whose responses are cached.
    pub cached_methods: Vec<String>,
    /// Whether SmoothStreaming is enabled.
    pub smooth_streaming: bool,
    /// Whether to compress responses.
    pub compress: bool,
    /// Field-level encryption config ID.
    pub field_level_encryption_id: String,
    /// Realtime log config ARN.
    pub realtime_log_config_arn: String,
    /// Cache policy ID.
    pub cache_policy_id: String,
    /// Origin request policy ID.
    pub origin_request_policy_id: String,
    /// Response headers policy ID.
    pub response_headers_policy_id: String,
    /// Whether gRPC is enabled for this behavior.
    pub grpc_enabled: bool,
    /// Trusted signers (legacy). Stored for echo; `Distribution` reports
    /// active trusted signers as disabled regardless.
    pub trusted_signers: Vec<String>,
    /// Trusted signers enabled flag.
    pub trusted_signers_enabled: bool,
    /// Trusted key groups (modern). Stored for echo; `Distribution` reports
    /// active trusted key groups as disabled regardless.
    pub trusted_key_groups: Vec<String>,
    /// Trusted key groups enabled flag.
    pub trusted_key_groups_enabled: bool,
    /// Lambda@Edge associations.
    pub lambda_function_associations: Vec<LambdaFunctionAssociation>,
    /// CloudFront Function associations.
    pub function_associations: Vec<FunctionAssociation>,
    /// Legacy forwarded values (when no CachePolicy is set).
    pub forwarded_values: Option<ForwardedValues>,
    /// Legacy MinTTL (when no CachePolicy is set).
    pub min_ttl: i64,
    /// Legacy DefaultTTL.
    pub default_ttl: i64,
    /// Legacy MaxTTL.
    pub max_ttl: i64,
}
282
/// Lambda@Edge association entry.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct LambdaFunctionAssociation {
    /// Lambda function *version* ARN (`$LATEST` is not a valid target on AWS).
    pub lambda_function_arn: String,
    /// `viewer-request`, `viewer-response`, `origin-request`, `origin-response`.
    pub event_type: String,
    /// Whether the function receives the request body.
    pub include_body: bool,
}
293
/// CloudFront Function association entry.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct FunctionAssociation {
    /// Function ARN (see [`CloudFrontFunction::arn`]).
    pub function_arn: String,
    /// `viewer-request` or `viewer-response` — CloudFront Functions cannot
    /// run on origin-side events.
    pub event_type: String,
}
302
/// Legacy forwarded-values configuration (pre-CachePolicy).
///
/// Everything forwarded here also becomes part of the cache key.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct ForwardedValues {
    /// Whether to forward query strings as cache keys.
    pub query_string: bool,
    /// Cookie forwarding.
    pub cookies: CookiePreference,
    /// Headers to forward.
    pub headers: Vec<String>,
    /// Whitelisted query string names (only meaningful when `query_string`).
    pub query_string_cache_keys: Vec<String>,
}
315
/// Cookie forwarding configuration.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct CookiePreference {
    /// `none`, `whitelist`, `all`, `allExcept`.
    pub forward: String,
    /// Whitelisted cookie names; only meaningful for `whitelist` / `allExcept`.
    pub whitelisted_names: Vec<String>,
}
324
/// Custom error response override.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct CustomErrorResponse {
    /// HTTP error code to match.
    pub error_code: i32,
    /// Path to the replacement response page.
    pub response_page_path: String,
    /// Replacement response status code (wire string, e.g. `200`).
    pub response_code: String,
    /// Min TTL for caching error responses.
    pub error_caching_min_ttl: i64,
}
337
/// Access-log configuration.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct LoggingConfig {
    /// Whether logging is enabled.
    pub enabled: bool,
    /// Whether to include cookies in the log.
    ///
    /// Cookie values can include session tokens; enabling this makes the log
    /// bucket sensitive.
    pub include_cookies: bool,
    /// S3 bucket (`mylog-bucket.s3.amazonaws.com`).
    pub bucket: String,
    /// Prefix within the bucket.
    pub prefix: String,
}
350
/// Viewer certificate settings.
///
/// Exactly one of `cloud_front_default_certificate`, `acm_certificate_arn` or
/// `iam_certificate_id` is expected to be set; not enforced by this struct.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct ViewerCertificate {
    /// Whether to use the default CloudFront certificate.
    pub cloud_front_default_certificate: bool,
    /// ACM certificate ARN.
    pub acm_certificate_arn: String,
    /// IAM certificate ID.
    pub iam_certificate_id: String,
    /// Minimum TLS protocol version (e.g. `TLSv1.2_2021`). Stored as a wire
    /// string; nothing here prevents a value that permits TLS 1.0.
    pub minimum_protocol_version: String,
    /// `sni-only`, `vip`, `static-ip`.
    pub ssl_support_method: String,
    /// Legacy certificate identifier (deprecated in favour of the three
    /// fields above).
    pub certificate: String,
    /// Legacy source: `cloudfront` | `iam` | `acm`.
    pub certificate_source: String,
}
369
/// Geo restriction settings.
///
/// Wrapper so the renderer always emits a `<Restrictions>` block even when no
/// restriction is configured.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct Restrictions {
    /// Geo restriction block.
    pub geo_restriction: GeoRestriction,
}
376
/// Geo restriction details.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct GeoRestriction {
    /// `blacklist`, `whitelist`, `none`.
    pub restriction_type: String,
    /// Country codes (ISO 3166-1 alpha-2 on AWS; not validated here).
    pub locations: Vec<String>,
}
385
/// Tenant config parameter (for tenant-only distributions).
///
/// Only the parameter name is modelled; stored for echo.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct TenantConfigParameter {
    /// Parameter name.
    pub name: String,
}
392
393// ---------------------------------------------------------------------------
394// Invalidation
395// ---------------------------------------------------------------------------
396
/// Invalidation record.
///
/// Bookkeeping around a caller-supplied [`InvalidationBatch`].
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Invalidation {
    /// CloudFront-assigned invalidation ID.
    pub id: String,
    /// Status (starts `InProgress`, becomes `Completed`).
    pub status: ResourceStatus,
    /// Create time.
    pub create_time: DateTime<Utc>,
    /// Parent distribution ID.
    pub distribution_id: String,
    /// Invalidation batch input.
    pub batch: InvalidationBatch,
}
411
/// Invalidation batch input.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct InvalidationBatch {
    /// Paths to invalidate (wire strings; wildcards are not interpreted here).
    pub paths: Vec<String>,
    /// Idempotency token.
    pub caller_reference: String,
}
420
421// ---------------------------------------------------------------------------
422// Origin Access Control (OAC)
423// ---------------------------------------------------------------------------
424
/// Origin Access Control record.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OriginAccessControl {
    /// CloudFront-assigned OAC ID (referenced by `Origin::origin_access_control_id`).
    pub id: String,
    /// Configuration (echoed on GET).
    pub config: OriginAccessControlConfig,
    /// ETag.
    pub etag: String,
}
435
/// Origin Access Control configuration.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct OriginAccessControlConfig {
    /// OAC name (required, unique per account).
    pub name: String,
    /// Description (optional).
    pub description: String,
    /// Signing protocol: `sigv4`.
    pub signing_protocol: String,
    /// Signing behavior: `always`, `never`, `no-override`.
    ///
    /// `never` means origin requests go out unsigned, i.e. the OAC grants
    /// nothing; stored as a wire string, not validated here.
    pub signing_behavior: String,
    /// Origin type: `s3`, `mediastore`, `lambda`, `mediapackagev2`.
    pub origin_access_control_origin_type: String,
}
450
451// ---------------------------------------------------------------------------
452// Origin Access Identity (OAI, legacy)
453// ---------------------------------------------------------------------------
454
/// CloudFront Origin Access Identity (legacy — still used by Terraform).
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CloudFrontOriginAccessIdentity {
    /// OAI ID (14 chars, E-prefixed).
    pub id: String,
    /// Canonical user ID used in S3 bucket policies. This is what a bucket
    /// policy's `Principal` grants to, so it must be stable for the OAI's lifetime.
    pub s3_canonical_user_id: String,
    /// Configuration.
    pub config: CloudFrontOriginAccessIdentityConfig,
    /// ETag.
    pub etag: String,
}
467
/// OAI configuration.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct CloudFrontOriginAccessIdentityConfig {
    /// Caller reference (idempotency token).
    pub caller_reference: String,
    /// Free-form comment.
    pub comment: String,
}
476
477// ---------------------------------------------------------------------------
478// Cache / OriginRequest / ResponseHeaders Policies
479// ---------------------------------------------------------------------------
480
/// Cache policy record.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CachePolicy {
    /// Policy ID.
    pub id: String,
    /// Last-modified timestamp.
    pub last_modified_time: DateTime<Utc>,
    /// Configuration.
    pub config: CachePolicyConfig,
    /// ETag.
    pub etag: String,
    /// Whether this is an AWS-managed policy (immutable).
    // NOTE(review): the flag only records the fact; rejecting Update/Delete on
    // managed policies has to happen in the handlers.
    pub managed: bool,
}
495
/// Cache policy configuration.
///
/// TTLs are stored as plain `i64`; the `min <= default <= max` ordering AWS
/// requires is not enforced here.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct CachePolicyConfig {
    /// Optional comment.
    pub comment: String,
    /// Policy name.
    pub name: String,
    /// Default TTL in seconds.
    pub default_ttl: i64,
    /// Maximum TTL in seconds.
    pub max_ttl: i64,
    /// Minimum TTL in seconds.
    pub min_ttl: i64,
    /// Parameters contributing to the cache key.
    pub parameters_in_cache_key_and_forwarded_to_origin: ParamsInCacheKey,
}
512
/// Parameters controlling cache-key composition.
///
/// Anything included in the cache key is also forwarded to the origin.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct ParamsInCacheKey {
    /// Whether gzip is permitted in the cache key.
    pub enable_accept_encoding_gzip: bool,
    /// Whether brotli is permitted in the cache key.
    pub enable_accept_encoding_brotli: bool,
    /// Headers forwarded to origin and included in key.
    pub headers_config: CachePolicyHeadersConfig,
    /// Cookies forwarded/included.
    pub cookies_config: CachePolicyCookiesConfig,
    /// Query strings forwarded/included.
    pub query_strings_config: CachePolicyQueryStringsConfig,
}
527
/// Header cache-key configuration.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct CachePolicyHeadersConfig {
    /// `none`, `whitelist`.
    pub header_behavior: String,
    /// Whitelisted header names; only meaningful for `whitelist`.
    pub headers: Vec<String>,
}
536
/// Cookie cache-key configuration.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct CachePolicyCookiesConfig {
    /// `none`, `whitelist`, `allExcept`, `all`.
    pub cookie_behavior: String,
    /// Cookie name list; only meaningful for `whitelist` / `allExcept`.
    pub cookies: Vec<String>,
}
545
/// Query-string cache-key configuration.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct CachePolicyQueryStringsConfig {
    /// `none`, `whitelist`, `allExcept`, `all`.
    pub query_string_behavior: String,
    /// Query-string names; only meaningful for `whitelist` / `allExcept`.
    pub query_strings: Vec<String>,
}
554
/// Origin request policy record.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OriginRequestPolicy {
    /// Policy ID.
    pub id: String,
    /// Last-modified timestamp.
    pub last_modified_time: DateTime<Utc>,
    /// Configuration.
    pub config: OriginRequestPolicyConfig,
    /// ETag.
    pub etag: String,
    /// AWS-managed flag (immutable policy). Enforcement lives in the handlers.
    pub managed: bool,
}
569
/// Origin request policy config.
///
/// Controls what is forwarded to the origin *without* becoming part of the
/// cache key (compare [`ParamsInCacheKey`]).
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct OriginRequestPolicyConfig {
    /// Comment.
    pub comment: String,
    /// Policy name.
    pub name: String,
    /// Headers forwarded to origin.
    pub headers_config: OriginRequestPolicyHeadersConfig,
    /// Cookies forwarded to origin.
    pub cookies_config: OriginRequestPolicyCookiesConfig,
    /// Query strings forwarded to origin.
    pub query_strings_config: OriginRequestPolicyQueryStringsConfig,
}
584
/// Origin request headers config.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct OriginRequestPolicyHeadersConfig {
    /// `none`, `whitelist`, `allViewer`, `allViewerAndWhitelistCloudFront`, `allExcept`.
    pub header_behavior: String,
    /// Header names for the `whitelist` / `allExcept` / `allViewerAndWhitelistCloudFront` behaviors.
    pub headers: Vec<String>,
}
593
/// Origin request cookies config.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct OriginRequestPolicyCookiesConfig {
    /// `none`, `whitelist`, `all`, `allExcept`.
    pub cookie_behavior: String,
    /// Cookie names for the `whitelist` / `allExcept` behaviors.
    pub cookies: Vec<String>,
}
602
/// Origin request query-strings config.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct OriginRequestPolicyQueryStringsConfig {
    /// `none`, `whitelist`, `all`, `allExcept`.
    pub query_string_behavior: String,
    /// Query-string names for the `whitelist` / `allExcept` behaviors.
    pub query_strings: Vec<String>,
}
611
/// Response headers policy record.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ResponseHeadersPolicy {
    /// Policy ID.
    pub id: String,
    /// Last-modified timestamp.
    pub last_modified_time: DateTime<Utc>,
    /// Configuration.
    pub config: ResponseHeadersPolicyConfig,
    /// ETag.
    pub etag: String,
    /// AWS-managed flag (immutable policy). Enforcement lives in the handlers.
    pub managed: bool,
}
626
/// Response headers policy configuration.
///
/// The three `Option` sections are absent when the caller did not supply
/// them; the two list sections are always rendered (possibly empty).
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct ResponseHeadersPolicyConfig {
    /// Comment.
    pub comment: String,
    /// Policy name.
    pub name: String,
    /// CORS configuration.
    pub cors_config: Option<ResponseHeadersPolicyCorsConfig>,
    /// Security header configuration.
    pub security_headers_config: Option<ResponseHeadersPolicySecurityHeadersConfig>,
    /// Server-Timing.
    pub server_timing_headers_config: Option<ServerTimingHeadersConfig>,
    /// Custom user-supplied headers.
    pub custom_headers_config: Vec<ResponseHeaderOverride>,
    /// Header names to strip from the upstream response.
    pub remove_headers_config: Vec<String>,
}
645
/// CORS config portion of a response headers policy.
///
/// Stored as given. Note that browsers reject `Access-Control-Allow-Credentials: true`
/// combined with a `*` origin, so that combination is a misconfiguration the
/// handler may want to reject; nothing here checks it.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct ResponseHeadersPolicyCorsConfig {
    /// `Access-Control-Allow-Credentials`.
    pub access_control_allow_credentials: bool,
    /// Allowed origins.
    pub access_control_allow_origins: Vec<String>,
    /// Allowed headers.
    pub access_control_allow_headers: Vec<String>,
    /// Allowed methods.
    pub access_control_allow_methods: Vec<String>,
    /// Exposed headers.
    pub access_control_expose_headers: Vec<String>,
    /// Max-age in seconds.
    pub access_control_max_age_sec: i64,
    /// Whether these override upstream headers.
    pub origin_override: bool,
}
664
/// Security header configuration.
///
/// Each header is independently optional; `None` means the policy says
/// nothing about that header.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct ResponseHeadersPolicySecurityHeadersConfig {
    /// XSS protection header settings.
    pub xss_protection: Option<XssProtection>,
    /// Frame options.
    pub frame_options: Option<FrameOptions>,
    /// Referrer policy.
    pub referrer_policy: Option<ReferrerPolicy>,
    /// Content security policy.
    pub content_security_policy: Option<ContentSecurityPolicy>,
    /// `X-Content-Type-Options: nosniff`.
    pub content_type_options: Option<ContentTypeOptions>,
    /// Strict-Transport-Security.
    pub strict_transport_security: Option<StrictTransportSecurity>,
}
681
/// XSS protection header.
///
/// `X-XSS-Protection` is a legacy header that modern browsers ignore;
/// it is modelled only because the wire schema still carries it.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct XssProtection {
    /// `X-XSS-Protection` value `1`.
    pub protection: bool,
    /// `mode=block`.
    pub mode_block: bool,
    /// Whether to override upstream.
    pub override_upstream: bool,
    /// Optional report URI.
    pub report_uri: String,
}
694
/// `X-Frame-Options`.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct FrameOptions {
    /// `DENY` or `SAMEORIGIN` (wire string, not validated here).
    pub frame_option: String,
    /// Whether to override upstream.
    pub override_upstream: bool,
}
703
/// `Referrer-Policy`.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct ReferrerPolicy {
    /// Referrer-Policy value (e.g. `strict-origin-when-cross-origin`).
    pub referrer_policy: String,
    /// Whether to override upstream.
    pub override_upstream: bool,
}
712
/// `Content-Security-Policy`.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct ContentSecurityPolicy {
    /// The policy, stored verbatim as the header value.
    pub content_security_policy: String,
    /// Whether to override upstream.
    pub override_upstream: bool,
}
721
/// `X-Content-Type-Options`.
///
/// The only possible value is `nosniff`, so the header carries no value
/// field — presence of this struct means "emit it".
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct ContentTypeOptions {
    /// Whether to override upstream.
    pub override_upstream: bool,
}
728
/// `Strict-Transport-Security`.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct StrictTransportSecurity {
    /// Whether to override upstream.
    pub override_upstream: bool,
    /// `includeSubDomains` directive.
    pub include_subdomains: bool,
    /// `preload` directive. Browser preload-list inclusion is hard to undo,
    /// so this should only be set deliberately.
    pub preload: bool,
    /// Max-age seconds (the wire name is `AccessControlMaxAgeSec`, hence the
    /// CORS-looking field name).
    pub access_control_max_age_sec: i64,
}
741
/// Server-Timing header config.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct ServerTimingHeadersConfig {
    /// Whether enabled.
    pub enabled: bool,
    /// Sampling rate 0.0–100.0 (range not enforced by this type).
    pub sampling_rate: f64,
}
750
/// Single custom header override entry.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct ResponseHeaderOverride {
    /// Header name.
    pub header: String,
    /// Header value, stored verbatim.
    pub value: String,
    /// Whether to override any value from origin.
    pub override_upstream: bool,
}
761
762// ---------------------------------------------------------------------------
763// Key material
764// ---------------------------------------------------------------------------
765
/// Key group record.
///
/// A key group is what a [`CacheBehavior::trusted_key_groups`] entry refers to.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct KeyGroup {
    /// Key group ID.
    pub id: String,
    /// Last-modified timestamp.
    pub last_modified_time: DateTime<Utc>,
    /// Configuration.
    pub config: KeyGroupConfig,
    /// ETag.
    pub etag: String,
}
778
/// Key group configuration.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct KeyGroupConfig {
    /// Key group name.
    pub name: String,
    /// List of public-key IDs in this group (see [`PublicKey::id`]); not
    /// checked for existence here.
    pub items: Vec<String>,
    /// Optional comment.
    pub comment: String,
}
789
/// Public key record.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PublicKey {
    /// Public key ID.
    pub id: String,
    /// Create time.
    pub created_time: DateTime<Utc>,
    /// Configuration.
    pub config: PublicKeyConfig,
    /// ETag.
    pub etag: String,
}
802
/// Public key configuration.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct PublicKeyConfig {
    /// Caller reference (idempotency token).
    pub caller_reference: String,
    /// Name.
    pub name: String,
    /// PEM-encoded public key, stored as the caller supplied it. This type
    /// does not parse it; any PEM/key-size validation belongs in the handler.
    pub encoded_key: String,
    /// Comment.
    pub comment: String,
}
815
816// ---------------------------------------------------------------------------
817// Functions
818// ---------------------------------------------------------------------------
819
/// CloudFront Function record.
///
/// `stage` and `status` are both plain strings on the wire and are kept that
/// way here; note the derived `Debug` dumps the full `code` byte vector.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CloudFrontFunction {
    /// Function name.
    pub name: String,
    /// Function ARN.
    pub arn: String,
    /// Last-modified.
    pub last_modified_time: DateTime<Utc>,
    /// `DEVELOPMENT` or `LIVE`.
    pub stage: String,
    /// Metadata.
    pub metadata: FunctionMetadata,
    /// Configuration.
    pub config: FunctionConfig,
    /// Source code (stored as opaque bytes, never executed by this crate).
    pub code: Vec<u8>,
    /// ETag.
    pub etag: String,
    /// Status text.
    pub status: String,
}
842
/// Function configuration.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct FunctionConfig {
    /// Comment.
    pub comment: String,
    /// Runtime (e.g. `cloudfront-js-1.0`).
    pub runtime: String,
    /// KeyValueStore associations (KVS ARNs, see [`KeyValueStore::arn`]).
    pub key_value_store_associations: Vec<String>,
}
853
/// Function metadata.
///
/// No `Default` derive: `DateTime<Utc>` has no meaningful default, so callers
/// must supply real timestamps.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct FunctionMetadata {
    /// Function ARN.
    pub function_arn: String,
    /// `DEVELOPMENT` or `LIVE`.
    pub stage: String,
    /// Created time.
    pub created_time: DateTime<Utc>,
    /// Last-modified time.
    pub last_modified_time: DateTime<Utc>,
}
866
867// ---------------------------------------------------------------------------
868// FLE (Field-Level Encryption)
869// ---------------------------------------------------------------------------
870
/// FLE configuration record.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct FieldLevelEncryption {
    /// Config ID (referenced by `CacheBehavior::field_level_encryption_id`).
    pub id: String,
    /// Last-modified.
    pub last_modified_time: DateTime<Utc>,
    /// Config.
    pub config: FieldLevelEncryptionConfig,
    /// ETag.
    pub etag: String,
}
883
/// FLE config.
///
/// Only the two `*_enabled` flags are modelled; the profile mappings under
/// them are not represented in this type.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct FieldLevelEncryptionConfig {
    /// Caller reference.
    pub caller_reference: String,
    /// Comment.
    pub comment: String,
    /// Whether the query-argument profile config is enabled.
    pub query_arg_profile_config_enabled: bool,
    /// Whether the content-type profile config is enabled.
    pub content_type_profile_config_enabled: bool,
}
896
/// FLE profile record.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct FieldLevelEncryptionProfile {
    /// Profile ID.
    pub id: String,
    /// Last-modified.
    pub last_modified_time: DateTime<Utc>,
    /// Config.
    pub config: FieldLevelEncryptionProfileConfig,
    /// ETag.
    pub etag: String,
}
909
/// FLE profile config.
///
/// The encryption entities (public key + field patterns) of a real profile
/// are not modelled; only the naming fields are stored.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct FieldLevelEncryptionProfileConfig {
    /// Name.
    pub name: String,
    /// Caller reference.
    pub caller_reference: String,
    /// Comment.
    pub comment: String,
}
920
921// ---------------------------------------------------------------------------
922// Monitoring / KVStore / RealtimeLog
923// ---------------------------------------------------------------------------
924
/// Monitoring subscription record.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct MonitoringSubscription {
    /// Distribution ID the subscription belongs to.
    pub distribution_id: String,
    /// Realtime metrics subscription status as a wire string (e.g. `Enabled`).
    pub realtime_metrics_subscription_status: String,
}
933
/// KVStore record.
///
/// Holds only the store's metadata; the key/value entries themselves are not
/// part of this type.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct KeyValueStore {
    /// KVS ID.
    pub id: String,
    /// KVS name.
    pub name: String,
    /// ARN (referenced from `FunctionConfig::key_value_store_associations`).
    pub arn: String,
    /// Comment.
    pub comment: String,
    /// Status as a wire string.
    pub status: String,
    /// Last-modified.
    pub last_modified_time: DateTime<Utc>,
    /// ETag.
    pub etag: String,
}
952
/// Realtime log config record.
///
/// Referenced from cache behaviors via `realtime_log_config_arn`.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct RealtimeLogConfig {
    /// ARN.
    pub arn: String,
    /// Name.
    pub name: String,
    /// Sampling rate 1..=100 (percentage of requests logged; range not
    /// enforced by this type).
    pub sampling_rate: i64,
    /// Delivery endpoints; each carries a Kinesis stream ARN plus the role ARN
    /// to write with.
    pub end_points: Vec<EndPoint>,
    /// Log field names to include.
    pub fields: Vec<String>,
}
967
/// Endpoint for realtime log shipping.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct EndPoint {
    /// Stream type; `Kinesis` is the only value the schema defines.
    pub stream_type: String,
    /// Kinesis stream ARN + role ARN.
    pub kinesis_stream_config: KinesisStreamConfig,
}
976
/// Kinesis stream config for realtime logging.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct KinesisStreamConfig {
    /// Role ARN assumed by CloudFront to write to the stream. Stored only;
    /// whether the role is assumable is not checked here.
    pub role_arn: String,
    /// Target Kinesis stream ARN.
    pub stream_arn: String,
}
984}