CloudFormation template for an Amplify custom resource: a private S3 upload bucket served through a CloudFront distribution (no Amplify hosting)
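AWSTemplateFormatVersion: "2010-09-09"
# Private S3 upload bucket fronted by CloudFront through an Origin Access
# Identity (OAI), plus two IAM policies that let the Amplify auth role upload
# and read objects.  Meant to be deployed as an Amplify custom resource with no
# Amplify hosting.
# revisit this: https://github.com/aws-amplify/amplify-cli/issues/3240#issuecomment-623080190
# (Earlier drafts also declared backendName / pBucketName / pBucketUrl /
# pOriginAccessIdentity / CertificateArn parameters; none were referenced.)

Parameters:
  env:
    Type: String
    Description: The environment name. e.g. Dev, Test, or Production.
    # Not referenced by this template; kept so the parameter interface is unchanged.
    Default: NONE
  authRoleName:
    Type: String
    Description: >-
      Name of the Amplify auth role. Both IAM policies below attach to it, and
      its third hyphen-delimited segment is used to derive the bucket name.
    Default: NONE
  pPolicyName:
    Type: String
    Description: Policy name for allowing uploads from all auth users
    Default: S3UploadPolicy
  pAllowedOrigins:
    Type: CommaDelimitedList
    Description: >-
      Browser origins allowed by the bucket CORS rule, e.g.
      "https://app.example.com,http://localhost:3000". Defaults to "*" (the
      original behaviour); narrow it to the application's own origin(s).
    Default: "*"

Resources:
  # Upload bucket.  Retained on stack deletion AND on replacement: BucketName is
  # explicit, so a change to the derived name would otherwise replace the bucket
  # and delete every upload.
  OutputBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      # Third hyphen-delimited segment of authRoleName + "-uploads".
      # NOTE(review): bucket names must be globally unique and lowercase;
      # confirm the selected segment satisfies that for every environment.
      BucketName: !Sub
        - "${stackname}-uploads"
        - { stackname: !Select [2, !Split ["-", !Ref authRoleName]] }
      # Block every form of public access.  The OAI grant in S3Policy names a
      # specific principal, not "*", so it is not affected by this setting.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # SSE-S3 at rest; readable by the OAI without any KMS key policy.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders: ["*"]
            AllowedMethods: [GET, HEAD, PUT, POST, DELETE]
            # CORS only controls what a browser may send/read; authorization is
            # still enforced by IAM/SigV4.  Restrict origins via pAllowedOrigins.
            AllowedOrigins: !Ref pAllowedOrigins
            ExposedHeaders:
              - x-amz-server-side-encryption
              - x-amz-request-id
              - x-amz-id-2
              - ETag
            MaxAge: 3000

  # Upload permission for the auth role.  Scoped to the caller's own Cognito
  # identity prefix so one authenticated user cannot overwrite another user's
  # objects (which the CDN then serves to everyone).  This mirrors the read
  # scope in S3AuthGet; clients must key uploads as "<identityId>/<key>".
  UploadPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Ref pPolicyName
      Roles:
        - !Ref authRoleName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - s3:PutObject
            # !Join, not !Sub: "${cognito-identity.amazonaws.com:sub}" is an IAM
            # policy variable and must reach IAM untouched.
            Resource: !Join
              - ""
              - - !GetAtt OutputBucket.Arn
                - "/${cognito-identity.amazonaws.com:sub}/*"

  # Read permission: each authenticated user may fetch only objects under their
  # own Cognito identity id prefix.
  S3AuthGet:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: AuthGet
      Roles:
        - !Ref authRoleName
      PolicyDocument:
        Version: "2012-10-17"  # quoted: unquoted it is parsed as a YAML date
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
            # The original ARN prefix carried a stray quote ("arn:aws:s3:::'"),
            # so the statement matched no real object.
            Resource: !Join
              - ""
              - - !GetAtt OutputBucket.Arn
                - "/${cognito-identity.amazonaws.com:sub}/*"

  # Identity CloudFront uses to read from the bucket.
  OriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub "OAI created by ${AWS::StackName} in ${AWS::Region}"

  # Bucket policy: only the distribution's OAI may read objects directly.
  # Note that every object is then reachable by anyone who knows its key via
  # the CloudFront domain -- no signed URLs or cookies are configured here.
  S3Policy:
    Type: AWS::S3::BucketPolicy
    Properties:
      # Was re-derived from authRoleName; !Ref yields the same name and makes
      # the dependency on the bucket explicit.
      Bucket: !Ref OutputBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowCloudFrontOAIRead
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${OriginAccessIdentity}"
            Action:
              - s3:GetObject
            Resource: !Sub "${OutputBucket.Arn}/*"

  # CDN in front of the bucket.  Depends on S3Policy so the OAI grant exists
  # before the distribution can serve its first request.
  rCloudFrontDist:
    Type: AWS::CloudFront::Distribution
    DependsOn:
      - S3Policy
    Properties:
      Tags:
        - Key: amplify-video
          Value: amplify-video
      DistributionConfig:
        Enabled: true
        PriceClass: PriceClass_All
        Origins:
          - Id: vodS3Origin
            DomainName: !GetAtt OutputBucket.RegionalDomainName
            S3OriginConfig:
              OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${OriginAccessIdentity}"
        DefaultCacheBehavior:
          TargetOriginId: vodS3Origin
          # Was allow-all, which served content over plain HTTP.
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS]
          # Legacy ForwardedValues form.  Forwarding the CORS request headers
          # lets the cached response vary per requesting origin.
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none
            Headers:
              - Origin
              - Access-Control-Request-Method
              - Access-Control-Request-Headers

Outputs:
  oOutputBucketArn:
    Description: ARN of the upload bucket
    Value: !GetAtt OutputBucket.Arn
  oOutputBucketName:
    Description: Name of the upload bucket
    Value: !Ref OutputBucket
  oOriginAccessIdentity:
    Description: ID of the Origin Access Identity used by the CloudFront distribution
    Value: !Ref OriginAccessIdentity
  oOutputUrl:
    Description: Regional S3 hostname of the bucket (not browsable directly; public access is blocked)
    Value: !GetAtt OutputBucket.RegionalDomainName
  oCFDomain:
    Description: CloudFront domain name that serves the bucket contents
    Value: !GetAtt rCloudFrontDist.DomainName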