Last active November 13, 2024 13:56
cloudformation for CloudFront +Private S3 hosting plus Signed Cookie Behavior
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Hosting resource stack creation using Amplify CLI
Parameters:
  env:
    Type: String
    Default: gist
  bucketName:
    Type: String
    Default: cfn-sample-bucketname-20210209000412
  # Idempotency token for creating the public key; supply a fresh value when
  # the key is replaced.
  pubkeyCallerReference:
    Type: String
    Default: 20210209000412.123456
  apiEndpointURL:
    Type: String
    Default: ss37ickbig.execute-api.ap-northeast-1.amazonaws.com
Conditions:
  ShouldNotCreateEnvResources: !Equals
    - !Ref 'env'
    - NONE
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !If
        - ShouldNotCreateEnvResources
        - !Ref 'bucketName'
        - !Join
          - ''
          - - !Ref 'bucketName'
            - '-'
            - !Ref 'env'
  # The only principal granted s3:GetObject is the CloudFront origin access
  # identity below; nothing here grants public read, so objects are reachable
  # through the distribution alone.
  PrivateBucketPolicy:
    Type: AWS::S3::BucketPolicy
    DependsOn: OriginAccessIdentity
    Properties:
      PolicyDocument:
        Id: MyPolicy
        Version: '2012-10-17'
        Statement:
          - Sid: APIReadForGetBucketObjects
            Effect: Allow
            Principal:
              CanonicalUser: !GetAtt 'OriginAccessIdentity.S3CanonicalUserId'
            Action: s3:GetObject
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref 'S3Bucket'
                - /*
      Bucket: !Ref 'S3Bucket'
  OriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: CloudFrontOriginAccessIdentityConfig
  # Public half of the signing key pair. The private half never enters the
  # stack; it stays with whatever issues the signed cookies.
  CloudFrontPublicKey:
    Type: AWS::CloudFront::PublicKey
    Properties:
      PublicKeyConfig:
        Name: !Join
          - '-'
          - - cfn-example
            - !Ref 'env'
        Comment: cfn-example signed public key
        CallerReference: !Ref 'pubkeyCallerReference'
        EncodedKey: |
          -----BEGIN PUBLIC KEY-----
          MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxhzuK6zXYY5w3gwubNYh
          OPPto8+UuvepM/Yna46eqCTQ+6uNC5zjuindBUEAnY4SUBFqeD8uECXpuKYd9Yf/
          JB0tsC1XGeXYzqS4z5OZbGL28p6Kj4tFcTBz1htCGq0Ldhgsag+ZduWRieZUYsFa
          QbfHgFcpJrubqaF4isZLVMTlg0PgT//wkJCDE2KHk/WOBW7hpVo0KDLpztxRKM4s
          kVC4Xt4nqV0q/lfw45PW/d3R5CBt8xdnn26pxMRGRLf2v3DJHpFR7rzDU/TQphFW
          sYRQEudAJcl+eGkUH08LRYnirDnH7f9zI/1lCVsxmSzr/2jZlsqx0BVe6doyXqR4
          sQIDAQAB
          -----END PUBLIC KEY-----
  CloudFrontKeyGroup:
    Type: AWS::CloudFront::KeyGroup
    DependsOn:
      - CloudFrontPublicKey
    Properties:
      KeyGroupConfig:
        Name: !Join
          - '-'
          - - cfn-example
            - !Ref 'env'
        Comment: cfn-example signed key group
        Items:
          - !Ref 'CloudFrontPublicKey'
  # Static assets: cache key is the path plus the "v" cache-buster query
  # string. The signed cookies are validated at the edge before the cache
  # lookup, so they do not need to be in the key or forwarded.
  CloudFrontStaticCachePolicy:
    Type: AWS::CloudFront::CachePolicy
    Properties:
      CachePolicyConfig:
        Name: !Join
          - '-'
          - - cfn-example-static
            - !Ref 'env'
        Comment: static cfn-example
        DefaultTTL: 3600
        MaxTTL: 86400
        MinTTL: 600
        ParametersInCacheKeyAndForwardedToOrigin:
          EnableAcceptEncodingBrotli: true
          EnableAcceptEncodingGzip: true
          HeadersConfig:
            HeaderBehavior: none
          QueryStringsConfig:
            QueryStringBehavior: whitelist
            QueryStrings:
              - v
          CookiesConfig:
            CookieBehavior: none
  # Caveat: cookies are forwarded to the API (origin request policy below) but
  # are not part of this cache key, so a response cached for DefaultTTL could be
  # served to a different user. Keep this only if the API marks per-user
  # responses Cache-Control: private or no-store (MinTTL 0 lets those win).
  CloudFrontApiCachePolicy:
    Type: AWS::CloudFront::CachePolicy
    Properties:
      CachePolicyConfig:
        Name: !Join
          - '-'
          - - cfn-example-api
            - !Ref 'env'
        Comment: api cfn-example
        DefaultTTL: 60
        MaxTTL: 300
        MinTTL: 0
        ParametersInCacheKeyAndForwardedToOrigin:
          EnableAcceptEncodingBrotli: true
          EnableAcceptEncodingGzip: true
          HeadersConfig:
            HeaderBehavior: none
          QueryStringsConfig:
            QueryStringBehavior: whitelist
            QueryStrings:
              - v
          CookiesConfig:
            CookieBehavior: none
  # Neither policy lists the Authorization header, so it is not forwarded to
  # the API on GET/HEAD; the API must authenticate viewers from cookies.
  CloudFrontApiOriginRequestPolicy:
    Type: AWS::CloudFront::OriginRequestPolicy
    Properties:
      OriginRequestPolicyConfig:
        Name: !Join
          - '-'
          - - cfn-example-api
            - !Ref 'env'
        Comment: cfn-example-api
        CookiesConfig:
          CookieBehavior: all
        HeadersConfig:
          HeaderBehavior: none
        QueryStringsConfig:
          QueryStringBehavior: all
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    DependsOn:
      - S3Bucket
      - OriginAccessIdentity
      - CloudFrontKeyGroup
      - CloudFrontStaticCachePolicy
      - CloudFrontApiCachePolicy
      - CloudFrontApiOriginRequestPolicy
    Properties:
      DistributionConfig:
        HttpVersion: http2
        DefaultRootObject: index.html
        Comment: !Join
          - ' '
          - - cfn-example
            - !Ref 'env'
        Origins:
          - DomainName: !GetAtt 'S3Bucket.DomainName'
            Id: hostingS3Bucket
            S3OriginConfig:
              OriginAccessIdentity: !Join
                - ''
                - - origin-access-identity/cloudfront/
                  - !Ref 'OriginAccessIdentity'
          - Id: apiv1
            DomainName: !Ref 'apiEndpointURL'
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
            # API Gateway stage name, taken from the env parameter.
            OriginPath: !Join
              - ''
              - - /
                - !Ref 'env'
        Enabled: true
        PriceClass: PriceClass_200
        CacheBehaviors:
          # Protected path: requests without a valid signed cookie (or signed
          # URL) from the key group get 403 at the edge, before any origin contact.
          - PathPattern: /m/*
            AllowedMethods:
              - GET
              - HEAD
            TargetOriginId: hostingS3Bucket
            ViewerProtocolPolicy: redirect-to-https
            CachePolicyId: !Ref 'CloudFrontStaticCachePolicy'
            Compress: true
            TrustedKeyGroups:
              - !Ref 'CloudFrontKeyGroup'
          - PathPattern: /v1/*
            AllowedMethods:
              - DELETE
              - GET
              - HEAD
              - OPTIONS
              - PATCH
              - POST
              - PUT
            TargetOriginId: apiv1
            ViewerProtocolPolicy: redirect-to-https
            CachePolicyId: !Ref 'CloudFrontApiCachePolicy'
            OriginRequestPolicyId: !Ref 'CloudFrontApiOriginRequestPolicy'
            Compress: true
        # Everything else (the public SPA shell) needs no signature.
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          TargetOriginId: hostingS3Bucket
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: !Ref 'CloudFrontStaticCachePolicy'
          Compress: true
        # Error pages are fetched via the default behaviour (no key group), so
        # a 403 from a missing or expired cookie still renders "/" with the
        # original status code preserved.
        CustomErrorResponses:
          - ErrorCachingMinTTL: 300
            ErrorCode: 400
            ResponseCode: 400
            ResponsePagePath: /
          - ErrorCachingMinTTL: 300
            ErrorCode: 403
            ResponseCode: 403
            ResponsePagePath: /
          - ErrorCachingMinTTL: 300
            ErrorCode: 404
            ResponseCode: 404
            ResponsePagePath: /
Outputs:
  Region:
    Value: !Ref 'AWS::Region'
  HostingBucketName:
    Description: Hosting bucket name
    Value: !Ref 'S3Bucket'
  # Not a working endpoint here: the bucket has no website configuration and
  # only the OAI may read it. Kept for parity with the Amplify hosting stack.
  WebsiteURL:
    Value: !GetAtt 'S3Bucket.WebsiteURL'
    Description: URL for website hosted on S3
  S3BucketSecureURL:
    Value: !Join
      - ''
      - - https://
        - !GetAtt 'S3Bucket.DomainName'
    Description: Name of S3 bucket to hold website content
  CloudFrontDistributionID:
    Value: !Ref 'CloudFrontDistribution'
  CloudFrontDomainName:
    Value: !GetAtt 'CloudFrontDistribution.DomainName'
  CloudFrontSecureURL:
    Value: !Join
      - ''
      - - https://
        - !GetAtt 'CloudFrontDistribution.DomainName'
  CloudFrontOriginAccessIdentity:
    Value: !Ref 'OriginAccessIdentity'
  # Key pair ID that signed cookies must carry in CloudFront-Key-Pair-Id.
  CloudFrontPublicKeyId:
    Value: !Ref 'CloudFrontPublicKey'
```