Last active November 2, 2024 17:35
An AWS CloudFormation template for a static website hosted on S3, served over HTTPS with CloudFront. "www." redirects to the naked domain.
```sh
DOMAIN=           # insert your domain here (e.g. example.com)
STACK=            # choose a name for your stack
REGION=us-east-1  # the ACM certificate must be in us-east-1
aws cloudformation deploy --template-file https_s3_website.yaml \
  --stack-name "$STACK" \
  --region "$REGION" \
  --parameter-overrides DomainName="$DOMAIN"
# push the website source to the s3 bucket - assuming it is contained in src/
aws s3 sync src/ "s3://$DOMAIN" --delete
```
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DomainName:
    Type: String
Resources:
  #############################
  # S3
  #############################
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: !Ref DomainName
      # New buckets have S3 Block Public Access enabled, which rejects the public
      # bucket policy below; relax only the two settings that policy needs.
      PublicAccessBlockConfiguration:
        BlockPublicPolicy: false
        RestrictPublicBuckets: false
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Id: PublicReadS3Policy
        Version: "2012-10-17"
        Statement:
          # This grants anonymous read of every object straight from S3, so the
          # origin access identity below restricts nothing. To serve objects only
          # through CloudFront, grant s3:GetObject to the OAI's S3CanonicalUserId
          # instead of "*" and keep Block Public Access on.
          - Sid: PublicReadForGetBucketObjects
            Effect: Allow
            Principal: "*"
            Action: s3:GetObject
            Resource: !Sub arn:aws:s3:::${Bucket}/*
  WwwBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicRead
      BucketName: !Sub www.${DomainName}
      # A PublicRead ACL needs ACLs enabled (default is BucketOwnerEnforced,
      # which disables them) and public ACLs not blocked.
      OwnershipControls:
        Rules:
          - ObjectOwnership: ObjectWriter
      PublicAccessBlockConfiguration:
        BlockPublicAcls: false
        IgnorePublicAcls: false
      # Holds no objects; the website endpoint only redirects to the naked domain.
      WebsiteConfiguration:
        RedirectAllRequestsTo:
          HostName: !Ref DomainName
          Protocol: https
  #############################
  # CLOUDFRONT
  #############################
  CloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: Origin Access Identity for Serverless Static with Basic Auth
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - !Ref DomainName
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: false
          TargetOriginId: s3Origin
          # Plain-HTTP viewers are redirected to HTTPS before reaching the origin.
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        Enabled: true
        Origins:
          - DomainName: !GetAtt Bucket.DomainName
            Id: s3Origin
            S3OriginConfig:
              OriginAccessIdentity: !Sub origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}
        ViewerCertificate:
          AcmCertificateArn: !Ref AcmCertificate
          SslSupportMethod: sni-only
  WwwDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - !Sub www.${DomainName}
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: false
          TargetOriginId: s3Origin
          # Both http and https are accepted here; the bucket redirect then sends
          # every request to https://<DomainName>.
          ViewerProtocolPolicy: allow-all
        Enabled: true
        Origins:
          # The S3 website endpoint is HTTP-only, so it is used as a custom origin.
          - CustomOriginConfig:
              OriginProtocolPolicy: http-only
            DomainName: !Select [1, !Split ["//", !GetAtt WwwBucket.WebsiteURL]]
            Id: s3Origin
        ViewerCertificate:
          # CloudFront rejects an alias that the certificate does not cover, so the
          # www distribution must use the www certificate.
          AcmCertificateArn: !Ref WwwAcmCertificate
          SslSupportMethod: sni-only
  #############################
  # NETWORKING
  #############################
  HostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: !Ref DomainName
  RecordSet:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        HostedZoneId: Z2FDTNDATAQYW2 # fixed hosted zone ID shared by all CloudFront distributions
        DNSName: !GetAtt Distribution.DomainName
      # Referencing the zone by ID (rather than by name) also makes CloudFormation
      # create the zone before the records.
      HostedZoneId: !Ref HostedZone
      Name: !Ref DomainName
      Type: A
  WwwRecordSet:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        HostedZoneId: Z2FDTNDATAQYW2 # fixed hosted zone ID shared by all CloudFront distributions
        DNSName: !GetAtt WwwDistribution.DomainName
      HostedZoneId: !Ref HostedZone
      Name: !Sub www.${DomainName}
      Type: A
  AcmCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      # With a HostedZoneId, ACM writes the validation CNAME into the zone itself;
      # without it the stack stays in CREATE_IN_PROGRESS until the record is added
      # by hand. Validation still requires the zone's NS records to be delegated
      # at the registrar.
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZone
  WwwAcmCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Sub www.${DomainName}
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Sub www.${DomainName}
          HostedZoneId: !Ref HostedZone
```
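The template's bucket policy grants `s3:GetObject` to `Principal: "*"`, so the origin access identity it creates never restricts anything. The following is an added example, not part of the gist: a small stdlib-only audit that flags such wildcard-principal Allow statements, plus a builder for the policy that grants read only to the OAI's canonical user (in the template that value comes from `!GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId`). The domain `example.com` and the canonical user ID are constructed placeholder values.

```python
import json

# Constructed copy of the gist's bucket policy as CloudFormation would render it
# for DomainName=example.com (placeholder value).
GIST_POLICY = {
    "Id": "PublicReadS3Policy",
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadForGetBucketObjects",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example.com/*",
    }],
}


def is_public_principal(principal):
    """True for the principal forms that grant access to anyone ('*' or AWS: '*')."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def audit_bucket_policy(policy):
    """Return one finding per unconditioned Allow statement open to any principal."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if is_public_principal(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append(f"{stmt.get('Sid', '<no sid>')}: public {', '.join(actions)}")
    return findings


def oai_read_policy(bucket, canonical_user_id):
    """Policy granting s3:GetObject only to the CloudFront OAI (replaces Principal '*')."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"CanonicalUser": canonical_user_id},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


if __name__ == "__main__":
    print(audit_bucket_policy(GIST_POLICY))
    print(json.dumps(oai_read_policy("example.com", "<OAI-S3CanonicalUserId>"), indent=2))
```

With the OAI-only policy in place the bucket's Block Public Access settings can stay enabled, and direct requests to the S3 endpoint return 403 while CloudFront continues to serve the site.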