@ugurcemozturk
Created August 17, 2020 15:59
CloudFormation template to create an API Gateway that triggers a Lambda to get a signed URL of an S3 object from CloudFront
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: "Stack to create signed URLs through API Gateway"
Parameters:
  ImagesBucket:
    Type: String
    Description: Bucket name of the images
  UrlExpire:
    Type: Number
    Description: Lifetime of a signed image URL in milliseconds (the Lambda must convert this to the epoch-seconds Expires value CloudFront expects)
    Default: 1200000 # 20 minutes
  ImageFolder:
    Type: String
    Description: Key prefix (folder) inside the images bucket that signed URLs point to
    Default: images-hd
  ImagesDomainName:
    Type: String
    Description: Alternate domain name (CNAME) of the CloudFront distribution that fronts the images bucket
  # Added parameter: a distribution with Aliases must carry a trusted certificate,
  # and CloudFront only accepts ACM certificates issued in us-east-1.
  CertificateArn:
    Type: String
    Description: ARN of the ACM certificate (us-east-1) that covers ImagesDomainName
  Environment:
    Type: String
    Description: Environment name to be deployed
Resources:
  ApiGateway:
    Type: AWS::Serverless::Api
    Properties:
      Name:
        Fn::Sub: APP-${Environment} Serverless API
      StageName: !Ref Environment
  # Attaches the logging role below to API Gateway for this account/region.
  # Without this resource the role is created but never used.
  ApiGatewayAccount:
    Type: AWS::ApiGateway::Account
    Properties:
      CloudWatchRoleArn: !GetAtt ApiGatewayCloudWatchLogsRole.Arn
  GetImageLambda:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: nodejs12.x # end of life; move to a currently supported Node.js runtime before deploying
      CodeUri: handlers/GetImage/
      Handler: index.GetImage
      Environment:
        Variables:
          # The key pair ID is not secret, so a plain SSM String parameter is fine.
          # The matching private key must not be placed in an environment variable:
          # Lambda environment variables do not support resolve:ssm-secure, so the
          # function should read it from Secrets Manager or an SSM SecureString at
          # runtime, with an IAM policy scoped to that one secret/parameter.
          CLOUDFRONT_KEY_ID: "{{resolve:ssm:CLOUDFRONT_KEY_ID:1}}"
          URL_EXPIRE: !Ref UrlExpire
          IMAGE_FOLDER: !Ref ImageFolder
          CLOUDFRONT_DOMAIN_NAME: !Ref ImagesDomainName
      Events:
        ApiGateway:
          Type: Api
          Properties:
            RestApiId: !Ref ApiGateway
            Path: /Image
            Method: GET
  # The bucket stays private: only the origin access identity (i.e. CloudFront)
  # may read objects, so every download has to pass CloudFront's signature check.
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ImagesBucket
      PolicyDocument:
        Statement:
          - Sid: AllowCloudFrontAccessIdentity
            Effect: Allow
            Action:
              - s3:GetObject
            Resource: !Sub "arn:aws:s3:::${ImagesBucket}/*"
            Principal:
              AWS: !Sub "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${OAI}"
  OAI:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: S3 content protection
  CFDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
          # For buckets outside us-east-1 use the regional endpoint,
          # ${ImagesBucket}.s3.${AWS::Region}.amazonaws.com, to avoid redirects.
          - DomainName: !Sub "${ImagesBucket}.s3.amazonaws.com"
            Id: S3BucketOrigin
            S3OriginConfig:
              OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${OAI}"
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          TargetOriginId: S3BucketOrigin
          ForwardedValues:
            # Expires/Signature/Key-Pair-Id are consumed by CloudFront itself and
            # never need to reach S3, so the query string is not forwarded or cached on.
            QueryString: false
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
          # Without a trusted signer CloudFront serves every request unsigned and the
          # signed URL is purely decorative. "self" means the CloudFront key pairs of
          # this AWS account, which is what CLOUDFRONT_KEY_ID refers to; TrustedKeyGroups
          # backed by an AWS::CloudFront::PublicKey is the recommended replacement.
          TrustedSigners:
            - self
        Aliases:
          - !Ref ImagesDomainName
        # Required once Aliases is set; the default CloudFront certificate cannot be used with a CNAME.
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2019
        Enabled: true
        HttpVersion: http2
        PriceClass: PriceClass_100
  ApiGatewayCloudWatchLogsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - apigateway.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: API_GW_Logs_Policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogGroups
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                  - logs:GetLogEvents
                  - logs:FilterLogEvents
                Resource: "*"