```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: |
  Some infrastructure
Resources:
  S3HomeBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      AccessControl: PublicRead
      BucketName: the-site-home
  BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      PolicyDocument:
        Id: S3HomeBucketPolicy
        # quoted: an unquoted 2012-10-17 is parsed as a YAML date, which CloudFormation rejects
        Version: '2012-10-17'
        Statement:
          - Sid: PublicReadForGetBucketObjects
            Effect: Allow
            Principal: '*'
            Action: 's3:GetObject'
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref S3HomeBucket
                - /*
      Bucket: !Ref S3HomeBucket
  homePageDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
          - DomainName: !Sub ${S3HomeBucket}.s3.amazonaws.com
            Id: myS3Origin
            S3OriginConfig:
              OriginAccessIdentity: origin-access-identity/cloudfront/my-id
        Enabled: True
        Comment: the static home page cdn
        DefaultRootObject: index.html
        Aliases:
          - the.info
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          TargetOriginId: myS3Origin
          ForwardedValues:
            QueryString: False
            Cookies:
              Forward: none
          ViewerProtocolPolicy: allow-all
        PriceClass: PriceClass_100
        ViewerCertificate:
          CloudFrontDefaultCertificate: True
  CloudfrontInvalidatingFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: nodejs8.10
      Handler: invalidateStaticFiles.handler
      Timeout: 60
      # This Environment block creates the circular dependency
      ## CF needs S3 to be created first
      #### Lambda needs CF and S3 to be created first
      ##### S3 needs S3->Lambda permission to be created first
      ###### [Fails] S3->Lambda permission needs Lambda to be created first
      ###### --> This circles back to point 2
      Environment:
        Variables:
          DISTRIBUTION_ID: !Ref homePageDistribution
      Events:
        AnyChange:
          Type: S3
          Properties:
            Bucket: !Ref S3HomeBucket
            Events: s3:*
  CloudfrontFunctionPermissions:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyName: "CloudfrontCacheInvalidation"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Action: "cloudfront:CreateInvalidation"
            Resource: !Sub "arn:aws:cloudfront:${AWS::Region}::${AWS::AccountId}:${homePageDistribution}"
      Roles:
        - !Ref CloudfrontInvalidatingFunctionRole
Outputs:
  SiteBucketName:
    Description: the name of the s3 bucket referenced by cloudfront
    Value: !Ref S3HomeBucket
    Export:
      Name: the-site-home-bucket-name
  CloudFrontId:
    Description: the id of the cloudfront distribution for the
    Value: !Ref homePageDistribution
    Export:
      Name: the-site-cloudfront-distribution-id
```
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Some infrastructure
  '
Outputs:
  CloudFrontId:
    Description: the id of the cloudfront distribution for the
    Export:
      Name: the-site-cloudfront-distribution-id
    Value:
      Ref: homePageDistribution
  SiteBucketName:
    Description: the name of the s3 bucket referenced by cloudfront
    Export:
      Name: the-site-home-bucket-name
    Value:
      Ref: S3HomeBucket
Resources:
  BucketPolicy:
    Properties:
      Bucket:
        Ref: S3HomeBucket
      PolicyDocument:
        Id: S3HomeBucketPolicy
        Statement:
        - Action: s3:GetObject
          Effect: Allow
          Principal: '*'
          Resource:
            Fn::Join:
            - ''
            - - 'arn:aws:s3:::'
              - Ref: S3HomeBucket
              - /*
          Sid: PublicReadForGetBucketObjects
        Version: 2012-10-17
    Type: AWS::S3::BucketPolicy
  CloudfrontFunctionPermissions:
    Properties:
      PolicyDocument:
        Statement:
        - Action: cloudfront:CreateInvalidation
          Effect: Allow
          Resource:
            Fn::Sub: arn:aws:cloudfront:${AWS::Region}::${AWS::AccountId}:${homePageDistribution}
        Version: '2012-10-17'
      PolicyName: CloudfrontCacheInvalidation
      Roles:
      - Ref: CloudfrontInvalidatingFunctionRole
    Type: AWS::IAM::Policy
  CloudfrontInvalidatingFunction:
    Properties:
      Code:
        S3Bucket: bucket
        S3Key: value
      Environment:
        Variables:
          DISTRIBUTION_ID:
            Ref: homePageDistribution
      Handler: invalidateStaticFiles.handler
      Role:
        Fn::GetAtt:
        - CloudfrontInvalidatingFunctionRole
        - Arn
      Runtime: nodejs8.10
      Tags:
      - Key: lambda:createdBy
        Value: SAM
      Timeout: 60
    Type: AWS::Lambda::Function
  CloudfrontInvalidatingFunctionAnyChangePermission:
    Properties:
      Action: lambda:invokeFunction
      FunctionName:
        Ref: CloudfrontInvalidatingFunction
      Principal: s3.amazonaws.com
      SourceAccount:
        Ref: AWS::AccountId
    Type: AWS::Lambda::Permission
  CloudfrontInvalidatingFunctionRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
            - lambda.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Type: AWS::IAM::Role
  S3HomeBucket:
    DependsOn:
    - CloudfrontInvalidatingFunctionAnyChangePermission
    Properties:
      AccessControl: PublicRead
      BucketName: the-site-home
      NotificationConfiguration:
        LambdaConfigurations:
        - Event: s3:*
          Function:
            Fn::GetAtt:
            - CloudfrontInvalidatingFunction
            - Arn
    Type: AWS::S3::Bucket
  homePageDistribution:
    Properties:
      DistributionConfig:
        Aliases:
        - the.info
        Comment: the static home page cdn
        DefaultCacheBehavior:
          AllowedMethods:
          - GET
          - HEAD
          - OPTIONS
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: false
          TargetOriginId: myS3Origin
          ViewerProtocolPolicy: allow-all
        DefaultRootObject: index.html
        Enabled: true
        Origins:
        - DomainName:
            Fn::Sub: ${S3HomeBucket}.s3.amazonaws.com
          Id: myS3Origin
          S3OriginConfig:
            OriginAccessIdentity: origin-access-identity/cloudfront/my-id
        PriceClass: PriceClass_100
        ViewerCertificate:
          CloudFrontDefaultCertificate: true
    Type: AWS::CloudFront::Distribution
```
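As an added example (not part of the gist), a small Python checker that walks a long-form template such as the transformed output above, builds the graph implied by Ref, Fn::GetAtt, Fn::Sub and DependsOn, and reports the first dependency cycle; SAMPLE is a constructed, trimmed copy of that template, and the checker surfaces the bucket -> Lambda -> CloudFront -> bucket loop the comment in the SAM source describes.

```python
import re
# ${LogicalId} or ${LogicalId.Attr} inside Fn::Sub strings; pseudo-parameters such as ${AWS::Region} never match
SUB_REF = re.compile(r"\$\{([A-Za-z0-9]+)(?:\.[A-Za-z0-9]+)?\}")

def refs(node):
    """Yield logical ids referenced through long-form Ref / Fn::GetAtt / Fn::Sub anywhere under node."""
    items = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
    for key, val in items:
        if key in ("Ref", "Fn::GetAtt"):
            yield val if key == "Ref" else val[0]
        elif key == "Fn::Sub":
            yield from SUB_REF.findall(val if isinstance(val, str) else val[0])
        else:
            yield from refs(val)

def build_graph(template):
    """Map each resource to the in-template resources it must wait for (intrinsic refs plus DependsOn)."""
    graph, resources = {}, template["Resources"]
    for name, res in resources.items():
        deps = set(refs(res.get("Properties", {})))
        depends_on = res.get("DependsOn", [])
        deps.update([depends_on] if isinstance(depends_on, str) else depends_on)
        graph[name] = sorted(d for d in deps if d in resources)  # drop parameters and pseudo-parameters
    return graph

def find_cycle(graph):
    """Return one dependency cycle as a closed path of logical ids, or None if the graph is acyclic."""
    def walk(node, path):
        if node in path:
            return path[path.index(node):] + [node]
        for dep in graph[node]:
            if cycle := walk(dep, path + [node]):
                return cycle
        return None
    for start in graph:
        if cycle := walk(start, []):
            return cycle
    return None

# Constructed, trimmed copy of the transformed template above: only the properties that create edges are kept
SAMPLE = {"Resources": {
    "S3HomeBucket": {"DependsOn": ["CloudfrontInvalidatingFunctionAnyChangePermission"],
        "Properties": {"NotificationConfiguration": {"LambdaConfigurations": [
            {"Event": "s3:*", "Function": {"Fn::GetAtt": ["CloudfrontInvalidatingFunction", "Arn"]}}]}}},
    "homePageDistribution": {"Properties": {"DistributionConfig": {"Origins": [
        {"DomainName": {"Fn::Sub": "${S3HomeBucket}.s3.amazonaws.com"}}]}}},
    "CloudfrontInvalidatingFunction": {"Properties": {"Environment": {"Variables": {
        "DISTRIBUTION_ID": {"Ref": "homePageDistribution"}}}}},
    "CloudfrontInvalidatingFunctionAnyChangePermission": {"Properties": {
        "FunctionName": {"Ref": "CloudfrontInvalidatingFunction"}, "Principal": "s3.amazonaws.com"}},
}}
```

Running `find_cycle(build_graph(SAMPLE))` returns the closed path starting at S3HomeBucket; removing the DISTRIBUTION_ID reference (or moving the notification out of the bucket resource) makes it return None.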