-
Notifications
You must be signed in to change notification settings - Fork 0
/
template.yaml
116 lines (101 loc) · 3.25 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: A Cloud Formation Stack for Authenticating Requests to an S3 bucket
Parameters:
Stage:
Description: "The deployed environment"
Default: dev
Type: String
AllowedValues:
- dev
- prod
ConstraintDescription: "You must specify dev or prod."
Bucket:
Description: "The name of the S3 bucket to serve files from"
Type: String
Conditions:
IsProductionEnv: !Equals [ !Ref Stage, prod ]
Resources:
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Enabled: 'true'
Comment: !Join ["my-cloud-front-distribution", ["", "-", !Ref Stage] ]
HttpVersion: http2
Origins:
- Id: !Ref S3Bucket
DomainName: !GetAtt S3Bucket.DomainName
S3OriginConfig:
OriginAccessIdentity: !Join [ "", [ "origin-access-identity/cloudfront/", !Ref CloudFrontOriginAccessIdentity ] ]
DefaultCacheBehavior:
TargetOriginId: !Ref S3Bucket
# Lambda@Edge configuration requires a function version not alias
LambdaFunctionAssociations:
- EventType: origin-request
LambdaFunctionARN: !Ref LambdaEdge.Version
ForwardedValues:
QueryString: 'false'
Cookies:
Forward: none
Headers:
- "Authorization"
ViewerProtocolPolicy: allow-all
CloudFrontOriginAccessIdentity:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: !GetAtt S3Bucket.DomainName
S3Bucket:
Type: "AWS::S3::Bucket"
Properties:
BucketName: !Join ["", [!Ref Bucket, "-", !Ref Stage] ]
VersioningConfiguration:
Status: Enabled
S3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref S3Bucket
PolicyDocument:
Statement:
- Effect: "Allow"
Principal:
CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
Resource: !Sub '${S3Bucket.Arn}/*'
Action: "s3:GetObject"
LambdaEdge:
Type: AWS::Serverless::Function
Properties:
CodeUri: src/src.zip
Role: !GetAtt LambdaEdgeRole.Arn
Runtime: nodejs12.x
Handler: index.handler
AutoPublishAlias: !Ref Stage
Timeout: 5
LambdaEdgeRole:
Type: "AWS::IAM::Role"
Properties:
Path: "/"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: "AllowLambdaServiceToAssumeRole"
Effect: "Allow"
Action:
- "sts:AssumeRole"
Principal:
Service:
- "lambda.amazonaws.com"
- "edgelambda.amazonaws.com"
Outputs:
LambdaEdge:
Description: Lambda@Edge ARN
Value: !GetAtt LambdaEdge.Arn
LambdaEdgeVersion:
Description: Lambda@Edge ARN with Version
Value: !Ref LambdaEdge.Version
CloudFrontDistribution:
Description: Cloudfront Distribution Domain Name
Value: !GetAtt CloudFrontDistribution.DomainName