-
Notifications
You must be signed in to change notification settings - Fork 0
/
static_cloudfront_site.yml
99 lines (99 loc) · 3.39 KB
/
static_cloudfront_site.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
Parameters:
DomainCertificateArn:
Description: Because there's no way to automate ACM's validation E2E without custom resources, do it offline (and then cut a feature request).
Type: String
DomainName:
Description: The top-level domain *without* the trailing dot (NOT the FQDN), and WITHOUT any subdomain. E.g., "example.com"
Type: String
MaxLength: 1024
CreateHostedZone:
Description: Toggle to enable creation of the root hosted zone. Leave disabled when the domain was registered with Amazon Registrar.
Type: String
AllowedValues: ["true", "false"]
Default: false
Subdomain:
Description: Additional subdomain that should be handled by the same bucket/distribution.
Type: String
Default: "www"
Conditions:
CreateHostedZoneCondition:
!Equals [true, !Ref CreateHostedZone]
HasSubdomainCondition:
!Not [{ 'Fn::Equals': ["", { Ref: Subdomain }] }]
Resources:
DomainZone:
Type: AWS::Route53::HostedZone
Condition: CreateHostedZoneCondition
Properties:
Name: !Ref DomainName
DomainRecords:
Type: AWS::Route53::RecordSetGroup
Properties:
HostedZoneName: !Sub '${DomainName}.'
RecordSets:
- Name: !Ref DomainName
Type: A
AliasTarget:
DNSName: !GetAtt Distribution.DomainName
HostedZoneId: Z2FDTNDATAQYW2
SubdomainRecords:
Type: AWS::Route53::RecordSetGroup
Condition: HasSubdomainCondition
Properties:
HostedZoneName: !Sub '${DomainName}.'
RecordSets:
- Name: !Sub '${Subdomain}.${DomainName}'
Type: A
AliasTarget:
DNSName: !GetAtt Distribution.DomainName
HostedZoneId: Z2FDTNDATAQYW2
StaticFilesBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref StaticFilesBucket
PolicyDocument:
Version: 2012-10-17
Statement:
Effect: Allow
Principal: { Service: 'cloudfront.amazonaws.com' }
Action: s3:GetObject
Resource: !Sub 'arn:aws:s3:::${StaticFilesBucket}/*'
Condition:
StringEquals: { 'AWS:SourceArn': !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${Distribution.Id}'}
StaticFilesBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref DomainName
DistributionAccessControl:
Type: AWS::CloudFront::OriginAccessControl
Properties:
OriginAccessControlConfig:
Name: !Sub 'AccessControl${DomainName}'
OriginAccessControlOriginType: s3
SigningBehavior: always
SigningProtocol: sigv4
Distribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Enabled: true
HttpVersion: http2
DefaultRootObject: index.html
DefaultCacheBehavior:
ForwardedValues:
QueryString: false
TargetOriginId: S3Origin
ViewerProtocolPolicy: redirect-to-https
ViewerCertificate:
SslSupportMethod: sni-only
AcmCertificateArn: !Ref DomainCertificateArn
MinimumProtocolVersion: TLSv1.2_2018
Aliases:
- !Ref DomainName
- !Sub '${Subdomain}.${DomainName}'
Origins:
- Id: S3Origin
DomainName: !GetAtt StaticFilesBucket.RegionalDomainName
OriginAccessControlId: !Ref DistributionAccessControl
S3OriginConfig:
OriginAccessIdentity: ''