-
Notifications
You must be signed in to change notification settings - Fork 0
/
resources-cloudformation.yml
184 lines (184 loc) · 5.89 KB
/
resources-cloudformation.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
AWSTemplateFormatVersion: '2010-09-09'
Description: Stack for hosting static files behind CDN
Parameters:
RootDomainName:
Description: Domain name for your website (example.com)
Type: String
AllowedPattern: '(?!-)[a-zA-Z0-9-.]{1,63}(?<!-)'
ConstraintDescription : Must be a valid domain name.
EnvironmentName:
Description: Name of environment to create
Type: String
AllowedPattern: '[a-zA-Z][-a-zA-Z0-9]*'
ConstraintDescription : Should be a single word containing only letters and numbers.
Conditions:
isProduction: !Equals [ !Ref EnvironmentName, production ]
Resources:
WebsiteCDN:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Comment: CDN for S3-backed website
Aliases:
- !Join [ '.', [!Ref EnvironmentName, !Ref RootDomainName]]
- !If [isProduction, !Ref RootDomainName, !Ref 'AWS::NoValue']
Origins:
- DomainName: !Select [1, !Split [ 'http://', !GetAtt [RootBucket, WebsiteURL] ]]
Id: RootS3Origin
CustomOriginConfig:
OriginProtocolPolicy: http-only
Enabled: 'true'
DefaultRootObject: index.html
Logging:
IncludeCookies: 'false'
Bucket: !GetAtt [LogBucket, DomainName]
Prefix: cdn-logs
DefaultCacheBehavior:
Compress: 'true'
AllowedMethods:
- GET
- HEAD
TargetOriginId: RootS3Origin
ForwardedValues:
QueryString: 'false'
Cookies:
Forward: none
ViewerProtocolPolicy: redirect-to-https
PriceClass: PriceClass_All
ViewerCertificate:
CloudFrontDefaultCertificate: 'true'
DependsOn:
- RootBucket
- LogBucket
RedirectDistribution:
Type: 'AWS::CloudFront::Distribution'
Condition: isProduction
Properties:
DistributionConfig:
Comment: Distribution to redirect to root domain
Aliases:
- !Join ['', ['*.', !Ref 'RootDomainName']]
Origins:
- DomainName: !Select [1, !Split [ 'http://', !GetAtt [RedirectBucket, WebsiteURL] ]]
Id: RedirectS3Origin
CustomOriginConfig:
OriginProtocolPolicy: http-only
Enabled: 'true'
DefaultCacheBehavior:
Compress: 'true'
AllowedMethods:
- GET
- HEAD
TargetOriginId: RedirectS3Origin
ForwardedValues:
QueryString: 'false'
Cookies:
Forward: none
ViewerProtocolPolicy: redirect-to-https
PriceClass: PriceClass_All
ViewerCertificate:
CloudFrontDefaultCertificate: 'true'
DependsOn:
- RedirectBucket
RootBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Join [ '', [!Ref EnvironmentName, '.', !Ref RootDomainName]]
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
RedirectBucket:
Type: AWS::S3::Bucket
Condition: isProduction
Properties:
BucketName: !Join ['', ['redirect.', !Ref 'RootDomainName']]
AccessControl: BucketOwnerFullControl
WebsiteConfiguration:
RedirectAllRequestsTo:
HostName: !Ref RootDomainName
Protocol: https
LogBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Join ['', ['logs.', !Ref EnvironmentName, '.', !Ref 'RootDomainName']]
DependsOn:
- RootBucket
RootBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref RootBucket
PolicyDocument:
Statement:
- Sid: ReadAccess
Action:
- "s3:GetObject"
Effect: "Allow"
Resource:
- !Join ['', [!GetAtt [RootBucket, Arn], '/*']]
Principal: "*"
- Sid: ListWriteDeleteAccess
Action:
- "s3:ListBucket"
- "s3:PutObject"
- "s3:DeleteObject"
Effect: "Allow"
Resource:
- !Join ['', [!GetAtt [RootBucket, Arn], '/*']]
- !GetAtt [RootBucket, Arn]
Principal:
AWS:
- !GetAtt [StackUser, Arn]
DependsOn:
- StackUser
LogBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref LogBucket
PolicyDocument:
Statement:
- Sid: ListReadWriteDeleteAccess
Action:
- "s3:ListBucket"
- "s3:GetObject"
- "s3:PutObject"
- "s3:DeleteObject"
Effect: "Allow"
Resource:
- !Join ['', [!GetAtt [LogBucket, Arn], '/*']]
- !GetAtt [LogBucket, Arn]
Principal:
AWS:
- !GetAtt [StackUser, Arn]
DependsOn:
- StackUser
StackUser:
Type: AWS::IAM::User
Properties:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AdministratorAccess
- arn:aws:iam::aws:policy/AWSLambdaFullAccess
- arn:aws:iam::aws:policy/AmazonS3FullAccess
- arn:aws:iam::aws:policy/CloudFrontFullAccess
UserName: !Join ['', [!Ref 'AWS::StackName', '-stack-user']]
DeploymentAccessKey:
Type: AWS::IAM::AccessKey
Properties:
UserName: !Ref StackUser
DependsOn:
- StackUser
Outputs:
CloudfrontDomainName:
Description: Live url to preview site.
Value: !GetAtt [WebsiteCDN, DomainName]
CloudfrontDistributionId:
Description: CLOUDFRONT_DISTRIBUTION_ID to use in bitbucket pipeline.
Value: !Ref WebsiteCDN
BucketName:
Description: BUCKET_NAME to use in bitbucket pipeline.
Value: !Ref RootBucket
DeploymentSecretAccessKey:
Description: AWS_SECRET_ACCESS_KEY to use in bitbucket pipeline.
Value: !GetAtt [DeploymentAccessKey, SecretAccessKey]
DeploymentAccessKeyId:
Description: AWS_ACCESS_KEY_ID to use in bitbucket pipeline.
Value: !Ref DeploymentAccessKey