AWS production Deploy without CORS

Hi everyone. This is my very first post here.

I’m working on a big project that in the future may have critical performance concerns, and I’m studying the deployment part. After past discussions we decided to move to AWS, where we can use other services in the same VPC, with less cost and full control.

After setting up the serverless deployment and doing the first deploy, nothing worked because of CORS. I hadn’t thought about it until then, but it was predictable. So I started to search for how to avoid dealing with CORS with the services that we were using. I was sure that it would be easy to implement a reverse proxy on CloudFront, but it was not. I read this, this, this and much more; the CloudFront screenshots seem to be outdated, and to be honest I saw CloudFront working as expected for a few minutes, but:

  1. It stopped working without changes, with 403 errors from a cause other than this
  2. We might have conflict with manual steps and serverless CloudFormation deployment

So I decided to undeploy the frontend and use AWS Amplify to host it. And it works easily. I’m late in making this post because what I want to know is whether someone has had success with CloudFront and a reverse proxy recently, and whether there may be known problems using AWS Amplify.

Hi @gilliard Welcome!

CORS can be challenging indeed. A couple suggestions and resources for you. (Note: I have zero experience with AWS Amplify.)

Built-in Deployment Configuration
For AWS, Redwood has support for Serverless and Flightcontrol. You should check out both of those setups and how they work (Fargate vs. Lambdas + CloudFront).

You might also want to look into Baremetal, which is a simple EC2 option.

Example CORS using dbAuth
We have deployment CI for all our supported providers, which use dbAuth. You can explore the projects to see how we had to handle CORS for each. Check out API files like the graphql function and the dbAuth auth function. Also look at provider-specific config.


Serverless Framework


Thanks for your reply and the links @thedavid! I appreciate the examples. On our side, since we want to make calls without CORS to avoid the double request, code changes and configuration, we need to choose another way. I hope to soon describe our deployment journey in detail and help those who have the same goals.
