/
template.yaml
141 lines (141 loc) · 5.18 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
# Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: SAM configuration for cloudfront-auth function
Parameters:
BucketName:
Type: String
Description: The name of the Static Content S3 Bucket to Create
LogBucketName:
Type: String
Description: The name of the Log Content S3 Bucket already existing
SecretKeyArn:
Type: String
Description: The ARN of the Secret in Secrets manager for the OIDC configuaration (e.g. okta-configuration-v4cw9Z)
MinimumTLSVersion:
Type: String
Description: The minimum version to use for CloudFront TLS
Default: TLSv1.2_2018
Resources:
LoggingBucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: LogDeliveryWrite
BucketName: !Ref LogBucketName
BucketEncryption:
ServerSideEncryptionConfiguration:
-
ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
S3Bucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref BucketName
BucketEncryption:
ServerSideEncryptionConfiguration:
-
ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
LoggingConfiguration:
DestinationBucketName: !Ref LoggingBucket
LogFilePrefix: "accessLogs/"
ReadPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref S3Bucket
PolicyDocument:
Statement:
- Action: 's3:GetObject'
Effect: Allow
Resource: !Sub 'arn:aws:s3:::${S3Bucket}/*'
Principal:
CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
CloudFrontOriginAccessIdentity:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: !Ref S3Bucket
CFDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
ViewerCertificate:
CloudFrontDefaultCertificate: 'true'
MinimumProtocolVersion: !Ref MinimumTLSVersion
Logging:
Bucket: !GetAtt LoggingBucket.DomainName
IncludeCookies : "true"
Prefix: "cloudfront/"
Enabled: 'true'
Origins:
- DomainName: !GetAtt S3Bucket.DomainName
Id: myS3Origin
S3OriginConfig:
OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}'
Enabled: 'true'
Comment: Amazon CloudFront Distribution Secured by OIDC
DefaultRootObject: index.html
DefaultCacheBehavior:
TargetOriginId: myS3Origin
LambdaFunctionAssociations:
-
EventType: viewer-request
LambdaFunctionARN: !Ref CloudFrontAuthFunction.Version
ForwardedValues:
QueryString: 'false'
Headers:
- Origin
Cookies:
Forward: none
ViewerProtocolPolicy:
"allow-all"
CloudFrontAuthFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: src/js/
Role: !GetAtt LambdaEdgeFunctionRole.Arn
Runtime: nodejs20.x
Handler: auth.handler
Timeout: 5
AutoPublishAlias: LIVE
LambdaEdgeFunctionRole:
Type: AWS::IAM::Role
Properties:
Path: "/"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
Policies:
- PolicyName: !Sub "Lambda-${AWS::StackName}"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "secretsmanager:GetResourcePolicy"
- "secretsmanager:GetSecretValue"
- "secretsmanager:DescribeSecret"
- "secretsmanager:ListSecretVersionIds"
Resource: !Ref SecretKeyArn
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Sid: "AllowLambdaServiceToAssumeRole"
Effect: "Allow"
Action:
- "sts:AssumeRole"
Principal:
Service:
- "lambda.amazonaws.com"
- "edgelambda.amazonaws.com"
Outputs:
CloudFrontDomainName:
Description: The Domain name of the Amazon CloudFront Distribution
Value: !GetAtt CFDistribution.DomainName
CloudFrontAuthFunction:
Description: Lambda@Edge CloudFront Auth Function ARN
Value: !GetAtt CloudFrontAuthFunction.Arn
CloudFrontAuthFunctionVersion:
Description: Lambda@Edge CloudFront Auth Function ARN with Version
Value: !Ref CloudFrontAuthFunction.Version