@haranjackson
Last active November 2, 2024 17:35
An AWS CloudFormation template for a static website hosted on S3, served over HTTPS with CloudFront. "www." redirects to the naked domain.
```bash
DOMAIN=            # insert your domain here (e.g. example.com)
STACK=             # choose a name for your stack
REGION=us-east-1   # the ACM certificate must be in us-east-1
aws cloudformation deploy --template-file https_s3_website.yaml \
    --stack-name $STACK \
    --region $REGION \
    --parameter-overrides DomainName=$DOMAIN
# The stack creates a Route 53 hosted zone for $DOMAIN and uses DNS-validated ACM
# certificates, so creation blocks until validation succeeds: while it waits, point
# your registrar's name servers at the NS records of that zone
# (aws route53 list-hosted-zones-by-name --dns-name $DOMAIN).
# push the website source to the S3 bucket - assuming it is contained in src/
aws s3 sync src/ s3://$DOMAIN --delete
```
`https_s3_website.yaml`:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DomainName:
    Type: String
Resources:
  #############################
  # S3
  #############################
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: !Ref DomainName
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Id: CloudFrontReadS3Policy
        Version: "2012-10-17"
        Statement:
          # Grant read only to the CloudFront origin access identity defined below,
          # not to "*": a public principal would let clients bypass CloudFront (and
          # its HTTPS redirect) entirely, and S3 Block Public Access, which is on by
          # default for new buckets, rejects a public bucket policy at deploy time.
          - Sid: CloudFrontReadForGetBucketObjects
            Effect: Allow
            Principal:
              CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
            Action: s3:GetObject
            Resource: !Sub arn:aws:s3:::${Bucket}/*
  WwwBucket:
    Type: AWS::S3::Bucket
    Properties:
      # No ACL is set: a RedirectAllRequestsTo bucket serves no objects, only 301s,
      # and public ACLs are rejected on new buckets (ObjectOwnership defaults to
      # BucketOwnerEnforced).
      BucketName: !Sub www.${DomainName}
      WebsiteConfiguration:
        RedirectAllRequestsTo:
          HostName: !Ref DomainName
          Protocol: https
  #############################
  # CLOUDFRONT
  #############################
  CloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub Origin Access Identity for ${DomainName}
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - !Ref DomainName
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: false
          TargetOriginId: s3Origin
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        Enabled: true
        Origins:
          - DomainName: !GetAtt Bucket.DomainName
            Id: s3Origin
            S3OriginConfig:
              OriginAccessIdentity: !Sub origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}
        ViewerCertificate:
          AcmCertificateArn: !Ref AcmCertificate
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021   # default would still accept TLS 1.0
  WwwDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - !Sub www.${DomainName}
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: false
          TargetOriginId: s3Origin
          # allow-all: plain-http requests for www must reach the S3 website endpoint,
          # which answers every one of them with a 301 to https://<DomainName>.
          ViewerProtocolPolicy: allow-all
        Enabled: true
        Origins:
          - CustomOriginConfig:
              OriginProtocolPolicy: http-only   # S3 website endpoints speak HTTP only
            # WebsiteURL is "http://<host>"; keep only the host part
            DomainName: !Select [1, !Split ["//", !GetAtt WwwBucket.WebsiteURL]]
            Id: s3Origin
        ViewerCertificate:
          # must be the certificate issued for www.<DomainName>; the apex certificate
          # does not cover the www alias and CloudFront rejects the distribution
          AcmCertificateArn: !Ref WwwAcmCertificate
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
  #############################
  # NETWORKING
  #############################
  HostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: !Ref DomainName
  RecordSet:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        HostedZoneId: Z2FDTNDATAQYW2 # fixed hosted zone id shared by all CloudFront distributions
        DNSName: !GetAtt Distribution.DomainName
      HostedZoneId: !Ref HostedZone  # referencing the zone makes CloudFormation create it first
      Name: !Ref DomainName
      Type: A
  WwwRecordSet:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        HostedZoneId: Z2FDTNDATAQYW2 # fixed hosted zone id shared by all CloudFront distributions
        DNSName: !GetAtt WwwDistribution.DomainName
      HostedZoneId: !Ref HostedZone
      Name: !Sub www.${DomainName}
      Type: A
  AcmCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      # Lets CloudFormation write the validation CNAME into the zone above itself;
      # the stack still waits here until the registrar's name servers point at HostedZone.
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZone
  WwwAcmCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Sub www.${DomainName}
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Sub www.${DomainName}
          HostedZoneId: !Ref HostedZone
```
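A post-deploy smoke test for the two claims in the description (every entry point ends at `https://<domain>/`, and `www.` lands on the naked domain). This is an added example, not part of the gist; it assumes `curl` is installed and takes the same domain value as `DOMAIN` in the deploy script.

```bash
#!/usr/bin/env bash
# Post-deploy smoke test for the redirect chain the template sets up (added example,
# not part of the gist). Assumes curl is installed; check_redirect only parses a
# captured header block on stdin, so it can be exercised offline.
set -u

# check_redirect EXPECTED_LOCATION  (response headers on stdin)
# Succeeds only if the status is 301/302/308 AND Location is exactly EXPECTED_LOCATION,
# so a 200, or a redirect to plain http://, fails rather than passing by accident.
check_redirect() {
    expected="$1"; status=""; location=""
    cr=$(printf '\r')
    while IFS= read -r line; do
        line="${line%"$cr"}"              # curl -I emits CRLF line endings
        case "$line" in
            HTTP/*)                       # "HTTP/1.1 301 Moved Permanently" or "HTTP/2 301"
                rest="${line#* }"; status="${rest%% *}" ;;
            [Ll]ocation:*)
                location="${line#*:}"; location="${location# }" ;;
        esac
    done
    case "$status" in 301|302|308) ;; *) return 1 ;; esac
    [ "$location" = "$expected" ]
}

# verify_site DOMAIN: every entry point a visitor can type must end at https://DOMAIN/.
# http(s)://www hits WwwDistribution -> S3 website redirect; http://root hits
# Distribution's redirect-to-https. Each hop is checked on its own (curl does not follow).
verify_site() {
    domain="$1"
    for url in "http://www.$domain/" "https://www.$domain/" "http://$domain/"; do
        if curl -sI "$url" | check_redirect "https://$domain/"; then
            echo "OK   $url -> https://$domain/"
        else
            echo "FAIL $url did not redirect to https://$domain/" >&2
            return 1
        fi
    done
}

# Usage: bash verify_site.sh example.com  (does nothing, and touches no network, without an argument)
if [ -n "${1:-}" ]; then
    verify_site "$1"
fi
```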