Last active
January 4, 2020 20:34
-
-
Save Marcel-G/ba8487307995650fd203a5e2a6f23cfd to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: '2010-09-09' | |
| Parameters: | |
| RootDomainName: | |
| Description: Domain name for your website (example.com) | |
| Type: String | |
| EnvironmentName: | |
| Description: Name of environment to create | |
| Type: String | |
| Resources: | |
| WebsiteCDN: | |
| Type: 'AWS::CloudFront::Distribution' | |
| Properties: | |
| DistributionConfig: | |
| Comment: CDN for S3-backed website | |
| Aliases: | |
| - !Join [ '.', [!Ref EnvironmentName, !Ref RootDomainName]] | |
| Origins: | |
| - DomainName: !Select [1, !Split [ 'http://', !GetAtt [RootBucket, WebsiteURL] ]] | |
| Id: RootS3Origin | |
| CustomOriginConfig: | |
| OriginProtocolPolicy: http-only | |
| Enabled: 'true' | |
| DefaultRootObject: index.html | |
| Logging: | |
| IncludeCookies: 'false' | |
| Bucket: !GetAtt [LogBucket, DomainName] | |
| Prefix: cdn-logs | |
| DefaultCacheBehavior: | |
| Compress: 'true' | |
| AllowedMethods: | |
| - GET | |
| - HEAD | |
| TargetOriginId: RootS3Origin | |
| ForwardedValues: | |
| QueryString: 'false' | |
| Cookies: | |
| Forward: none | |
| ViewerProtocolPolicy: redirect-to-https | |
| PriceClass: PriceClass_All | |
| ViewerCertificate: | |
| CloudFrontDefaultCertificate: 'true' | |
| DependsOn: | |
| - RootBucket | |
| - LogBucket | |
| RedirectDistribution: | |
| Type: 'AWS::CloudFront::Distribution' | |
| Properties: | |
| DistributionConfig: | |
| Comment: Distribution to redirect to root domain | |
| Aliases: | |
| - !Join ['', ['*.', !Ref EnvironmentName, '.' ,!Ref 'RootDomainName']] | |
| Origins: | |
| - DomainName: !Select [1, !Split [ 'http://', !GetAtt [RedirectBucket, WebsiteURL] ]] | |
| Id: RedirectS3Origin | |
| CustomOriginConfig: | |
| OriginProtocolPolicy: http-only | |
| Enabled: 'true' | |
| DefaultCacheBehavior: | |
| Compress: 'true' | |
| AllowedMethods: | |
| - GET | |
| - HEAD | |
| TargetOriginId: RedirectS3Origin | |
| ForwardedValues: | |
| QueryString: 'false' | |
| Cookies: | |
| Forward: none | |
| ViewerProtocolPolicy: redirect-to-https | |
| PriceClass: PriceClass_All | |
| ViewerCertificate: | |
| CloudFrontDefaultCertificate: 'true' | |
| DependsOn: | |
| - RedirectBucket | |
| RootBucket: | |
| Type: 'AWS::S3::Bucket' | |
| Properties: | |
| BucketName: !Join [ '', [!Ref EnvironmentName, '.', !Ref RootDomainName]] | |
| WebsiteConfiguration: | |
| IndexDocument: index.html | |
| ErrorDocument: index.html | |
| RedirectBucket: | |
| Type: AWS::S3::Bucket | |
| Properties: | |
| BucketName: !Join ['', ['redirect.', !Ref EnvironmentName, '.', !Ref 'RootDomainName']] | |
| AccessControl: BucketOwnerFullControl | |
| WebsiteConfiguration: | |
| RedirectAllRequestsTo: | |
| HostName: !Ref RootBucket | |
| Protocol: https | |
| LogBucket: | |
| Type: 'AWS::S3::Bucket' | |
| Properties: | |
| BucketName: !Join ['', ['logs.', !Ref EnvironmentName, '.', !Ref 'RootDomainName']] | |
| DependsOn: | |
| - RootBucket | |
| RootBucketPolicy: | |
| Type: 'AWS::S3::BucketPolicy' | |
| Properties: | |
| Bucket: !Ref RootBucket | |
| PolicyDocument: | |
| Statement: | |
| - Sid: ReadAccess | |
| Action: | |
| - "s3:GetObject" | |
| Effect: "Allow" | |
| Resource: | |
| - !Join ['', [!GetAtt [RootBucket, Arn], '/*']] | |
| Principal: "*" | |
| - Sid: ListWriteDeleteAccess | |
| Action: | |
| - "s3:ListBucket" | |
| - "s3:PutObject" | |
| - "s3:DeleteObject" | |
| Effect: "Allow" | |
| Resource: | |
| - !Join ['', [!GetAtt [RootBucket, Arn], '/*']] | |
| - !GetAtt [RootBucket, Arn] | |
| Principal: | |
| AWS: | |
| - !GetAtt [StackUser, Arn] | |
| DependsOn: | |
| - StackUser | |
| LogBucketPolicy: | |
| Type: 'AWS::S3::BucketPolicy' | |
| Properties: | |
| Bucket: !Ref LogBucket | |
| PolicyDocument: | |
| Statement: | |
| - Sid: ListReadWriteDeleteAccess | |
| Action: | |
| - "s3:ListBucket" | |
| - "s3:GetObject" | |
| - "s3:PutObject" | |
| - "s3:DeleteObject" | |
| Effect: "Allow" | |
| Resource: | |
| - !Join ['', [!GetAtt [LogBucket, Arn], '/*']] | |
| - !GetAtt [LogBucket, Arn] | |
| Principal: | |
| AWS: | |
| - !GetAtt [StackUser, Arn] | |
| DependsOn: | |
| - StackUser | |
| StackUser: | |
| Type: AWS::IAM::User | |
| Properties: | |
| ManagedPolicyArns: | |
| - arn:aws:iam::aws:policy/AdministratorAccess | |
| - arn:aws:iam::aws:policy/AWSLambdaFullAccess | |
| - arn:aws:iam::aws:policy/AmazonS3FullAccess | |
| - arn:aws:iam::aws:policy/CloudFrontFullAccess | |
| UserName: !Join ['', [!Ref "AWS::StackName", '-stack-user']] | |
| DeploymentAccessKey: | |
| Type: AWS::IAM::AccessKey | |
| Properties: | |
| UserName: !Ref StackUser | |
| DependsOn: | |
| - StackUser | |
| Outputs: | |
| CloudfrontDomainName: | |
| Description: Live url to preview site. | |
| Value: !GetAtt [WebsiteCDN, DomainName] | |
| CloudfrontDistributionId: | |
| Description: CLOUDFRONT_DISTRIBUTION_ID to use in bitbucket pipeline. | |
| Value: !Ref WebsiteCDN | |
| BucketName: | |
| Description: BUCKET_NAME to use in bitbucket pipeline. | |
| Value: !Ref RootBucket | |
| DeploymentSecretAccessKey: | |
| Description: AWS_SECRET_ACCESS_KEY to use in bitbucket pipeline. | |
| Value: !GetAtt [DeploymentAccessKey, SecretAccessKey] | |
| DeploymentAccessKeyId: | |
| Description: AWS_ACCESS_KEY_ID to use in bitbucket pipeline. | |
| Value: !Ref DeploymentAccessKey |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment