-
-
Notifications
You must be signed in to change notification settings - Fork 8
/
stack.yaml
109 lines (109 loc) · 3.98 KB
/
stack.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Create a static website on S3 served by CloudFront'
Parameters:
DomainName:
Type: String
Description: The domain name for the site
AllowedPattern: (?!-)[a-zA-Z0-9-.]{1,63}(?<!-)
ConstraintDescription: must be a valid DNS zone name.
AcmCertificateArn:
Type: String
Description: the Amazon Resource Name (ARN) of an AWS Certificate Manager (ACM) certificate.
AllowedPattern: "arn:aws:acm:.*"
S3BucketName:
Type: String
Description: Name for the bucket
Resources:
S3BucketForWebsiteContent:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref 'S3BucketName'
WebsiteConfiguration:
IndexDocument: index.html
# Redirect
ErrorDocument: /error/404/index.html
RoutingRules:
- RoutingRuleCondition:
HttpErrorCodeReturnedEquals: '404'
KeyPrefixEquals: /
RedirectRule:
HostName: !Ref 'DomainName'
ReplaceKeyPrefixWith: error/404/
WebsiteCloudfront:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Comment: Cloudfront Distribution pointing to S3 bucket
Origins:
- DomainName: !Join [ '', !Split [ 'http://', !GetAtt 'S3BucketForWebsiteContent.WebsiteURL' ] ]
Id: S3Origin
CustomOriginConfig:
OriginProtocolPolicy: 'http-only'
Enabled: true
HttpVersion: 'http2'
# DefaultRootObject: index.html
Aliases:
- !Ref 'DomainName'
CustomErrorResponses:
- ErrorCode: 403
ResponseCode: 404
ResponsePagePath: '/error/404/index.html'
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
- OPTIONS
Compress: true
TargetOriginId: S3Origin
ForwardedValues:
QueryString: false
Cookies:
Forward: none
ViewerProtocolPolicy: redirect-to-https
ResponseHeadersPolicyId: !Ref WebsiteCloudFrontPolicies
PriceClass: PriceClass_All
ViewerCertificate:
AcmCertificateArn: !Ref 'AcmCertificateArn'
SslSupportMethod: sni-only
WebsiteCloudFrontPolicies:
Type: AWS::CloudFront::ResponseHeadersPolicy
Properties:
ResponseHeadersPolicyConfig:
Name: Blog-Security-Header-Policy
Comment: The Vapor Blog security header policy
CustomHeadersConfig:
Items:
- Header: Permissions-Policy
Value: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()
Override: false
- Header: server
Value: 'Vapor Blog'
Override: true
SecurityHeadersConfig:
ContentSecurityPolicy:
ContentSecurityPolicy: default-src 'none'; script-src 'self' https://design.vapor.codes; style-src 'self' https://design.vapor.codes; img-src 'self' https://design.vapor.codes; font-src 'self' https://design.vapor.codes; media-src 'self' https://design.vapor.codes; upgrade-insecure-requests; block-all-mixed-content; manifest-src 'self' https://design.vapor.codes
Override: false
ContentTypeOptions:
Override: false
FrameOptions:
FrameOption: DENY
Override: false
ReferrerPolicy:
ReferrerPolicy: strict-origin-when-cross-origin
Override: false
StrictTransportSecurity:
AccessControlMaxAgeSec: 63072000
IncludeSubdomains: true
Preload: false
Override: false
XSSProtection:
ModeBlock: true
Protection: true
Override: false
Outputs:
CloudfrontURL:
Description: 'Cloudfront URL'
Value: !GetAtt WebsiteCloudfront.DomainName
BucketName:
Value: !Ref 'S3BucketForWebsiteContent'
Description: Name of S3 bucket to hold website content