ansible origin access
---
# Creates the CloudFront origin access identity (OAI) for a site and exposes
# its Id and S3 canonical user id as facts for later tasks.
# Expected vars: site, aws_access_key, aws_secret_access_key, aws_region.
- name: Create/update CloudFront origin access identity
  # NOTE(review): reports "changed" on every run; add changed_when if that
  # matters to callers.
  command: >-
    aws cloudfront create-cloud-front-origin-access-identity
    --cloud-front-origin-access-identity-config
    "CallerReference={{ site }},Comment=access-identity-{{ site }}.site.s3.amazonaws.com"
  environment:
    AWS_ACCESS_KEY_ID: "{{ aws_access_key }}"
    AWS_SECRET_ACCESS_KEY: "{{ aws_secret_access_key }}"
    AWS_DEFAULT_REGION: "{{ aws_region }}"
  # Keep the credential-bearing environment out of task output; the
  # registered result is still populated for the tasks below.
  no_log: true
  register: aws_cli_out

# Pull the two identifiers out of the CLI's JSON response.
- name: Get Origin Access Identity Id
  set_fact:
    origin_access_id: "{{ aws_cli_out.stdout | from_json | json_query('CloudFrontOriginAccessIdentity.Id') }}"

- name: Get Origin Access Identity S3 Canonical User Id
  set_fact:
    S3_canonical_user_id: "{{ aws_cli_out.stdout | from_json | json_query('CloudFrontOriginAccessIdentity.S3CanonicalUserId') }}"

# Neither value is a secret (both end up in the distribution / bucket policy),
# so printing them is fine.
- name: Debug statment origin_access_id
  debug:
    msg: "origin_access_id: '{{ origin_access_id }}'"

- name: Debug statment S3_canonical_user_id
  debug:
    msg: "S3_canonical_user_id: '{{ S3_canonical_user_id }}'"
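# Static website hosting: a private S3 bucket fronted by CloudFront through an
# Origin Access Identity (OAI). The OAI itself is created outside this template
# and passed in via OriginAccessIdParameter / S3CanonicalUserIdParameter.
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket and Cloudfront for hosting a static website
Parameters:
  DomainParameter:
    Type: String
    Description: Domain for site.
    # Hostname check: labels of 1-63 letters/digits/hyphens with no leading or
    # trailing hyphen, at least two labels, optional leading "*." wildcard.
    AllowedPattern: "^(\\*\\.)?(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\\.)+((?!-)[A-Za-z0-9-]{1,62}[A-Za-z0-9])$"
    ConstraintDescription: "must be a valid domain name"
  CertARNParameter:
    Type: String
    Description: ARN for the cert to use on cloudfront.
    # CloudFront only accepts ACM certificates issued in us-east-1. The pattern
    # also pins the certificate to a single AWS account id, so the template is
    # not reusable in another account without editing this line.
    AllowedPattern: "arn:aws:acm:us-east-1:819206333881:certificate/.*"
    ConstraintDescription: "must be an ACM cert ARN"
  OriginAccessIdParameter:
    Type: String
    Description: The Origin Access Identifier
    # OAI ids are upper-case alphanumerics starting with "E".
    AllowedPattern: "^[E][A-Z0-9]+$"
    ConstraintDescription: "must be a valid Origin Access Identifier"
  S3CanonicalUserIdParameter:
    Type: String
    # Fixed copy-paste: this is the OAI's S3 canonical user id (the principal
    # the bucket policy grants read access to), not the OAI id.
    Description: The S3 canonical user ID of the Origin Access Identity
    AllowedPattern: "^[a-f0-9]+$"
    ConstraintDescription: "must be a valid S3 canonical user ID"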
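Resources:
  # Content bucket. Objects stay private; the only reader is the CloudFront OAI
  # granted in SiteBucketOriginPolicy. Server access logs go to LogsBucket.
  SiteBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Join ['.', [!Ref DomainParameter, 'site']]
      # Defense in depth: reject any public ACL or public bucket policy, even
      # one attached out of band later. The OAI grant below is not "public"
      # under S3's definition, so it is unaffected.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Encrypt at rest with S3-managed keys; SSE-S3 is transparent to an OAI
      # (SSE-KMS would need extra key permissions).
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LoggingConfiguration:
        DestinationBucketName: !Ref LogsBucket
        LogFilePrefix: S3/
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - { Key: "site", Value: !Ref DomainParameter }

  # Read-only grant to the OAI's canonical user: GetObject on objects, plus
  # ListBucket so missing keys return 404 instead of 403.
  SiteBucketOriginPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket: !Ref SiteBucket
      PolicyDocument:
        # Without an explicit Version the policy language defaults to the 2008
        # grammar; pin the current one.
        Version: '2012-10-17'
        Statement:
          - Sid: AllowOAIGetObject
            Action: ['s3:GetObject']
            Effect: "Allow"
            Resource: !Join ['', ['arn:aws:s3:::', !Ref SiteBucket, '/*']]
            Principal:
              CanonicalUser: !Ref S3CanonicalUserIdParameter
          - Sid: AllowOAIListBucket
            Action: ['s3:ListBucket']
            Effect: "Allow"
            Resource: !Join ['', ['arn:aws:s3:::', !Ref SiteBucket]]
            Principal:
              CanonicalUser: !Ref S3CanonicalUserIdParameter

  # Log destination for both S3 server access logs and CloudFront logs.
  LogsBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Join ['.', [!Ref DomainParameter, 'logs']]
      # Both log deliveries are ACL based, so ACLs must stay enabled here.
      # Buckets created today default to BucketOwnerEnforced (ACLs disabled),
      # which would make the LogDeliveryWrite ACL below fail;
      # BucketOwnerPreferred keeps ACLs usable while this account still ends
      # up owning the delivered log objects.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred
      AccessControl: LogDeliveryWrite
      # The log-delivery grants are to AWS groups/accounts, not to
      # AllUsers/AuthenticatedUsers, so blocking public access does not
      # break them.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # SSE-S3 is the encryption mode both log deliveries support.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      Tags:
        - { Key: "site", Value: !Ref DomainParameter }

  # CloudFront distribution serving SiteBucket through the OAI over HTTPS only.
  SiteDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - !Ref DomainParameter
          - !Join ['.', ['www', !Ref DomainParameter]]
        Comment: !Join [' ', ['CDN for', !Ref DomainParameter, '.']]
        DefaultCacheBehavior:
          # Read-only methods; PUT/POST/DELETE are rejected at the edge.
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          TargetOriginId: s3Origin
          ForwardedValues:
            QueryString: 'false'
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        CustomErrorResponses:
          - ErrorCode: '404'
            ResponsePagePath: '/404.html'
            ResponseCode: '404'
            ErrorCachingMinTTL: '60'
        Enabled: 'true'
        HttpVersion: http2
        Logging:
          IncludeCookies: 'false'
          Bucket: !GetAtt [LogsBucket, DomainName]
          Prefix: CloudFront/
        Origins:
          - DomainName: !GetAtt [SiteBucket, DomainName]
            Id: s3Origin
            S3OriginConfig:
              OriginAccessIdentity: !Join ['', ['origin-access-identity/cloudfront/', !Ref OriginAccessIdParameter]]
        PriceClass: PriceClass_100
        ViewerCertificate:
          AcmCertificateArn: !Ref CertARNParameter
          SslSupportMethod: sni-only
          # Without this CloudFormation falls back to the legacy default and
          # still negotiates TLS 1.0/1.1 with viewers.
          MinimumProtocolVersion: TLSv1.2_2021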
Outputs:
  # Identifiers of the created resources, for cross-stack references or
  # deployment tooling.
  SiteBucketName:
    Description: The S3 bucket name for the site
    Value: !Ref SiteBucket
  SiteBucketARN:
    Description: The S3 bucket ARN for the site
    Value: !GetAtt SiteBucket.Arn
  SiteDistributionID:
    Description: The CloudFront distribution ID
    Value: !Ref SiteDistribution
  SiteDistributionDomainName:
    Description: The CloudFront distribution domain name
    Value: !GetAtt SiteDistribution.DomainName