carlosroman/origin_access.yml

## origin_access.yml
---

- name: Create/update CloudFront origin access identity
  command: aws cloudfront create-cloud-front-origin-access-identity --cloud-front-origin-access-identity-config "CallerReference={{ site }},Comment=access-identity-{{ site }}.site.s3.amazonaws.com"
  environment:
    AWS_ACCESS_KEY_ID: "{{ aws_access_key }}"
    AWS_SECRET_ACCESS_KEY: "{{ aws_secret_access_key }}"
    AWS_DEFAULT_REGION: "{{ aws_region }}"
  no_log: true
  register: aws_cli_out

- name: Get Origin Access Identity Id
  set_fact:
    origin_access_id: "{{ aws_cli_out.stdout | from_json | json_query(query) }}"
  vars:
    query: CloudFrontOriginAccessIdentity.Id

- name: Get Origin Access Identity S3 Canonical User Id
  set_fact:
    S3_canonical_user_id: "{{ aws_cli_out.stdout | from_json | json_query(query) }}"
  vars:
    query: CloudFrontOriginAccessIdentity.S3CanonicalUserId
- name: Debug statment origin_access_id
  debug:
    msg: "origin_access_id: '{{ origin_access_id }}'"

- name: Debug statment S3_canonical_user_id
  debug:
    msg: "S3_canonical_user_id: '{{ S3_canonical_user_id }}'"

## site_cf.yml
AWSTemplateFormatVersion: 2010-09-09

Description: S3 bucket and Cloudfront for hosting a static website

Parameters:
  DomainParameter:
    Type: String
    Description: Domain for site.
    AllowedPattern: "^(\\*\\.)?(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\\.)+((?!-)[A-Za-z0-9-]{1,62}[A-Za-z0-9])$"
    ConstraintDescription: "must be a valid domain name"

  CertARNParameter:
    Type: String
    Description: ARN for the cert to use on cloudfront.
    AllowedPattern: "arn:aws:acm:us-east-1:819206333881:certificate/.*"
    ConstraintDescription: "must be an ACM cert ARN"

  OriginAccessIdParameter:
    Type: String
    Description: The Origin Access Identifier
    AllowedPattern: "^[E][A-Z0-9]+$"
    ConstraintDescription: "must be a valid Origin Access Identifier"

  S3CanonicalUserIdParameter:
    Type: String
    Description: The Origin Access Identifier
    AllowedPattern: "^[a-f0-9]+$"
    ConstraintDescription: "must be a valid Origin Access Identifier"

Resources:
  SiteBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Join [ '.', [ !Ref DomainParameter, 'site'] ]
      LoggingConfiguration:
        DestinationBucketName: !Ref LogsBucket
        LogFilePrefix: S3/
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - { Key: "site", Value: !Ref DomainParameter }

  SiteBucketOriginPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket: !Ref SiteBucket
      PolicyDocument:
        Statement:
          - Action: ['s3:GetObject']
            Effect: "Allow"
            Resource: !Join [ '', [ 'arn:aws:s3:::', !Ref SiteBucket, '/*' ] ]
            Principal:
              CanonicalUser: !Ref S3CanonicalUserIdParameter
          - Action: ['s3:ListBucket']
            Effect: "Allow"
            Resource: !Join [ '', [ 'arn:aws:s3:::', !Ref SiteBucket ] ]
            Principal:
              CanonicalUser: !Ref S3CanonicalUserIdParameter

  LogsBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Join [ '.', [ !Ref DomainParameter, 'logs'] ]
      AccessControl: LogDeliveryWrite
      Tags:
        - { Key: "site", Value: !Ref DomainParameter }

  SiteDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - !Ref DomainParameter
          - !Join [ '.', [ 'www', !Ref DomainParameter] ]
        Comment: !Join [ ' ', [ 'CDN for', !Ref DomainParameter, '.'] ]
        DefaultCacheBehavior:
          AllowedMethods:
          - GET
          - HEAD
          - OPTIONS
          TargetOriginId: s3Origin
          ForwardedValues:
            QueryString: 'false'
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        CustomErrorResponses:
          - ErrorCode: '404'
            ResponsePagePath: '/404.html'
            ResponseCode: '404'
            ErrorCachingMinTTL: '60'
        Enabled: 'true'
        HttpVersion: http2
        Logging:
          IncludeCookies: 'false'
          Bucket: !GetAtt [LogsBucket, DomainName]
          Prefix: CloudFront/
        Origins:
        - DomainName: !GetAtt [SiteBucket, DomainName]
          Id: s3Origin
          S3OriginConfig:
            OriginAccessIdentity: !Join [ '', ['origin-access-identity/cloudfront/', !Ref OriginAccessIdParameter ] ]
        PriceClass: PriceClass_100
        ViewerCertificate:
          AcmCertificateArn: !Ref CertARNParameter
          SslSupportMethod: sni-only

Outputs:
  SiteBucketName:
    Value: !Ref SiteBucket
    Description: The S3 bucket name for the site

  SiteBucketARN:
    Value: !GetAtt [SiteBucket, Arn]
    Description: The S3 bucket ARN for the site

  SiteDistributionID:
    Value: !Ref SiteDistribution
    Description: The CloudFront distribution ID

  SiteDistributionDomainName:
    Value: !GetAtt [SiteDistribution, DomainName]
    Description: The CloudFront distribution domain name
	---

	- name: Create/update CloudFront origin access identity
	command: aws cloudfront create-cloud-front-origin-access-identity --cloud-front-origin-access-identity-config "CallerReference={{ site }},Comment=access-identity-{{ site }}.site.s3.amazonaws.com"
	environment:
	AWS_ACCESS_KEY_ID: "{{ aws_access_key }}"
	AWS_SECRET_ACCESS_KEY: "{{ aws_secret_access_key }}"
	AWS_DEFAULT_REGION: "{{ aws_region }}"
	no_log: true
	register: aws_cli_out

	- name: Get Origin Access Identity Id
	set_fact:
	origin_access_id: "{{ aws_cli_out.stdout \| from_json \| json_query(query) }}"
	vars:
	query: CloudFrontOriginAccessIdentity.Id

	- name: Get Origin Access Identity S3 Canonical User Id
	set_fact:
	S3_canonical_user_id: "{{ aws_cli_out.stdout \| from_json \| json_query(query) }}"
	vars:
	query: CloudFrontOriginAccessIdentity.S3CanonicalUserId
	- name: Debug statment origin_access_id
	debug:
	msg: "origin_access_id: '{{ origin_access_id }}'"

	- name: Debug statment S3_canonical_user_id
	debug:
	msg: "S3_canonical_user_id: '{{ S3_canonical_user_id }}'"
	AWSTemplateFormatVersion: 2010-09-09

	Description: S3 bucket and Cloudfront for hosting a static website

	Parameters:
	DomainParameter:
	Type: String
	Description: Domain for site.
	AllowedPattern: "^(\\*\\.)?(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\\.)+((?!-)[A-Za-z0-9-]{1,62}[A-Za-z0-9])$"
	ConstraintDescription: "must be a valid domain name"

	CertARNParameter:
	Type: String
	Description: ARN for the cert to use on cloudfront.
	AllowedPattern: "arn:aws:acm:us-east-1:819206333881:certificate/.*"
	ConstraintDescription: "must be an ACM cert ARN"

	OriginAccessIdParameter:
	Type: String
	Description: The Origin Access Identifier
	AllowedPattern: "^[E][A-Z0-9]+$"
	ConstraintDescription: "must be a valid Origin Access Identifier"

	S3CanonicalUserIdParameter:
	Type: String
	Description: The Origin Access Identifier
	AllowedPattern: "^[a-f0-9]+$"
	ConstraintDescription: "must be a valid Origin Access Identifier"

	Resources:
	SiteBucket:
	Type: 'AWS::S3::Bucket'
	Properties:
	BucketName: !Join [ '.', [ !Ref DomainParameter, 'site'] ]
	LoggingConfiguration:
	DestinationBucketName: !Ref LogsBucket
	LogFilePrefix: S3/
	VersioningConfiguration:
	Status: Enabled
	Tags:
	- { Key: "site", Value: !Ref DomainParameter }

	SiteBucketOriginPolicy:
	Type: "AWS::S3::BucketPolicy"
	Properties:
	Bucket: !Ref SiteBucket
	PolicyDocument:
	Statement:
	- Action: ['s3:GetObject']
	Effect: "Allow"
	Resource: !Join [ '', [ 'arn:aws:s3:::', !Ref SiteBucket, '/*' ] ]
	Principal:
	CanonicalUser: !Ref S3CanonicalUserIdParameter
	- Action: ['s3:ListBucket']
	Effect: "Allow"
	Resource: !Join [ '', [ 'arn:aws:s3:::', !Ref SiteBucket ] ]
	Principal:
	CanonicalUser: !Ref S3CanonicalUserIdParameter

	LogsBucket:
	Type: 'AWS::S3::Bucket'
	Properties:
	BucketName: !Join [ '.', [ !Ref DomainParameter, 'logs'] ]
	AccessControl: LogDeliveryWrite
	Tags:
	- { Key: "site", Value: !Ref DomainParameter }

	SiteDistribution:
	Type: AWS::CloudFront::Distribution
	Properties:
	DistributionConfig:
	Aliases:
	- !Ref DomainParameter
	- !Join [ '.', [ 'www', !Ref DomainParameter] ]
	Comment: !Join [ ' ', [ 'CDN for', !Ref DomainParameter, '.'] ]
	DefaultCacheBehavior:
	AllowedMethods:
	- GET
	- HEAD
	- OPTIONS
	TargetOriginId: s3Origin
	ForwardedValues:
	QueryString: 'false'
	Cookies:
	Forward: none
	ViewerProtocolPolicy: redirect-to-https
	DefaultRootObject: index.html
	CustomErrorResponses:
	- ErrorCode: '404'
	ResponsePagePath: '/404.html'
	ResponseCode: '404'
	ErrorCachingMinTTL: '60'
	Enabled: 'true'
	HttpVersion: http2
	Logging:
	IncludeCookies: 'false'
	Bucket: !GetAtt [LogsBucket, DomainName]
	Prefix: CloudFront/
	Origins:
	- DomainName: !GetAtt [SiteBucket, DomainName]
	Id: s3Origin
	S3OriginConfig:
	OriginAccessIdentity: !Join [ '', ['origin-access-identity/cloudfront/', !Ref OriginAccessIdParameter ] ]
	PriceClass: PriceClass_100
	ViewerCertificate:
	AcmCertificateArn: !Ref CertARNParameter
	SslSupportMethod: sni-only

	Outputs:
	SiteBucketName:
	Value: !Ref SiteBucket
	Description: The S3 bucket name for the site

	SiteBucketARN:
	Value: !GetAtt [SiteBucket, Arn]
	Description: The S3 bucket ARN for the site

	SiteDistributionID:
	Value: !Ref SiteDistribution
	Description: The CloudFront distribution ID

	SiteDistributionDomainName:
	Value: !GetAtt [SiteDistribution, DomainName]
	Description: The CloudFront distribution domain name