CloudFormation Template for Amplify Custom Resource (S3 + CDN w/out hosting)
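AWSTemplateFormatVersion: "2010-09-09"
# Amplify custom resource: an "uploads" S3 bucket served through CloudFront via
# an Origin Access Identity (no Amplify hosting). Authenticated Cognito users
# (the Amplify authRole) may upload into the bucket; every object in it is then
# readable by anyone who can reach the CloudFront distribution, because the
# bucket policy below grants the OAI s3:GetObject on the whole bucket.
# revisit this: https://github.com/aws-amplify/amplify-cli/issues/3240#issuecomment-623080190
Parameters:
  # Passed by the Amplify CLI to custom resources; not referenced anywhere in
  # this template (the bucket name is derived from authRoleName instead).
  env:
    Type: String
    Description: The environment name. e.g. Dev, Test, or Production.
    Default: NONE
  # Name of the Amplify authenticated-user IAM role. The upload and read
  # policies below are attached to it, and the bucket name is derived from it.
  authRoleName:
    Type: String
    Description: Name of authRole
    Default: NONE
  # backendName:
  #   Type: String
  #   Description: Name of Amplify backend environment
  #   Default: !Select [2, !Split ["-", !Ref authRoleName]]
  # pBucketName:
  #   Type: String
  #   Description: ProjectName
  #   AllowedPattern: "[a-zA-Z][a-zA-Z0-9-_]*"
  #   Default: beepos
  # pBucketUrl:
  #   Type: String
  #   Description: ProjectName
  #   Default: DefaultName
  # pOriginAccessIdentity:
  #   Type: String
  #   Description: Policy for bucket
  #   Default: NA
  pPolicyName:
    Type: String
    Description: Policy name for allowing uploads from all auth users
    Default: S3UploadPolicy
  # CertificateArn:
  #   Type: String
Resources:
  OutputBucket:
    Type: AWS::S3::Bucket
    # Keep uploaded objects if the stack is torn down.
    DeletionPolicy: Retain
    Properties:
      # "<segment 2 of the authRole name>-uploads". Per the commented-out
      # backendName parameter above, that segment is assumed to be the Amplify
      # backend environment name -- confirm against the real role name.
      BucketName: !Sub
        - "${stackname}-uploads"
        - { stackname: !Select [2, !Split ["-", !Ref authRoleName]] }
      # Objects are reached only through CloudFront (the OAI principal is not
      # treated as public by Block Public Access) or through the IAM policies
      # below, so no public ACL or public bucket policy is ever needed.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Encrypt at rest by default. SSE-S3 needs no key management and is
      # readable through the OAI without any extra grants.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # CORS is required because the browser uploads straight to S3. CORS is
      # not an authorization control (the IAM policies below are), but
      # AllowedOrigins "*" should be narrowed to the app's origin(s) once they
      # are known -- as written, any site may issue signed-request CORS calls
      # and read the exposed headers.
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders: ["*"]
            AllowedMethods: ["GET", "HEAD", "PUT", "POST", "DELETE"]
            AllowedOrigins: ["*"]
            ExposedHeaders:
              [
                "x-amz-server-side-encryption",
                "x-amz-request-id",
                "x-amz-id-2",
                "ETag",
              ]
            MaxAge: 3000
  # Attached to the Amplify authRole: every signed-in user may write objects.
  UploadPolicy:
    Type: AWS::IAM::Policy
    DependsOn:
      - OutputBucket
    Properties:
      PolicyName: !Ref pPolicyName
      Roles:
        - !Ref authRoleName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - s3:PutObject
            # NOTE(review): this grant is bucket-wide, whereas S3AuthGet below
            # is scoped to the caller's own Cognito identity prefix. As written,
            # any signed-in user can overwrite any other user's uploads. If the
            # client only ever writes under its own identity id, narrow this to
            # "${bucketArn}/${cognito-identity.amazonaws.com:sub}/*".
            Resource: !Sub
              - "${bucketArn}/*"
              - { bucketArn: !GetAtt OutputBucket.Arn }
  # Attached to the Amplify authRole: a signed-in user may read back objects
  # stored under its own Cognito identity-id prefix. All other reads go
  # through CloudFront.
  S3AuthGet:
    Type: AWS::IAM::Policy
    DependsOn:
      - OutputBucket
    Properties:
      PolicyName: AuthGet
      Roles:
        - !Ref authRoleName
      PolicyDocument:
        # Quoted: an unquoted 2012-10-17 can be parsed as a YAML timestamp.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "s3:GetObject"
            Resource:
              # ${cognito-identity.amazonaws.com:sub} is an IAM policy variable,
              # not a CloudFormation substitution, so !Join (not !Sub) is used
              # to leave it intact for IAM to resolve at request time. The
              # previous "arn:aws:s3:::'" carried a stray quote into the ARN,
              # so the statement never matched any object.
              - !Join
                - ""
                - - "arn:aws:s3:::"
                  - !Ref OutputBucket
                  - "/${cognito-identity.amazonaws.com:sub}/*"
  # Identity CloudFront presents when it fetches from the bucket.
  # NOTE(review): OAI is the legacy mechanism; AWS now recommends Origin
  # Access Control (OAC), which also supports SSE-KMS objects. OAI is kept
  # here unchanged.
  OriginAccessIdentity:
    Type: "AWS::CloudFront::CloudFrontOriginAccessIdentity"
    DependsOn:
      - OutputBucket
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub "OAI created by ${AWS::StackName} in ${AWS::Region}"
  # Bucket policy: only the OAI may read, and it may read every object. No
  # s3:ListBucket is granted, so the distribution cannot enumerate uploads.
  S3Policy:
    Type: AWS::S3::BucketPolicy
    DependsOn:
      - OutputBucket
      - OriginAccessIdentity
    Properties:
      # Reference the bucket resource instead of re-deriving its name, so the
      # policy always attaches to the bucket created above.
      Bucket: !Ref OutputBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - "s3:GetObject"
            Effect: Allow
            Resource: !Sub "arn:aws:s3:::${OutputBucket}/*"
            Principal:
              AWS: !Sub "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${OriginAccessIdentity}"
  rCloudFrontDist:
    Type: AWS::CloudFront::Distribution
    DependsOn:
      - S3Policy
      - S3AuthGet
    Properties:
      Tags:
        - Key: amplify-video
          Value: amplify-video
      DistributionConfig:
        DefaultCacheBehavior:
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none
            # Pass the CORS preflight headers through to S3 so the bucket's
            # CorsConfiguration can answer them.
            Headers:
              - "Origin"
              - "Access-Control-Request-Method"
              - "Access-Control-Request-Headers"
          # Read-only behaviour at the edge; uploads never go through CloudFront.
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          TargetOriginId: "vodS3Origin"
          # Was "allow-all", which served uploads over plaintext HTTP. Redirect
          # so every viewer fetch is TLS (default *.cloudfront.net certificate).
          ViewerProtocolPolicy: "redirect-to-https"
        Origins:
          - DomainName: !GetAtt OutputBucket.RegionalDomainName
            Id: vodS3Origin
            S3OriginConfig:
              OriginAccessIdentity: !Sub
                - "origin-access-identity/cloudfront/${OAIID}"
                - { OAIID: !Ref OriginAccessIdentity }
        Enabled: true
        PriceClass: PriceClass_All
Outputs:
  oOutputBucketArn:
    Value: !GetAtt OutputBucket.Arn
    Description: BucketArn
  oOutputBucketName:
    Value: !Ref OutputBucket
    Description: S3 Bucket Created
  oOriginAccessIdentity:
    Value: !Ref OriginAccessIdentity
    Description: Origin Access Identity for Cloudfront
  oOutputUrl:
    Value: !GetAtt OutputBucket.RegionalDomainName
    Description: Regional domain name of the bucket (the distribution's origin); clients should use oCFDomain
  oCFDomain:
    Value: !GetAtt rCloudFrontDist.DomainName
    Description: Domain for our videos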