StaticS3CloudFront.yml

AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Creates the following resources:
    - An S3 bucket for the website
    - A CloudFront for serving the static assets

Parameters:

  CertificateArn:
    Type: String
    Description: The ARN of the SSL Certificate for Remix

  FQDN:
    Type: String
    Description: The desired FQDN of the website

  EnvType:
    Type: String
    Description: The type of environment to create.
    Default: dev
    AllowedValues:
      - dev
      - prod
    ConstraintDescription: must specify prod or dev.

Mappings:
  CacheSettings:
    dev:
      DefaultTTL: 0
    prod:
      DefaultTTL: 86400

Resources:

  OriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub Static assets in ${AWS::StackName}

  WebBucket:
    Type: AWS::S3::Bucket
    Properties:
      LoggingConfiguration:
        DestinationBucketName: !Ref LogBucket
        LogFilePrefix: !If
          - NoFQDN
          - !Sub s3/${AWS::StackName}/
          - !Sub s3/${FQDN}/

  WebBucketPolicy:
    Type: AWS::S3::BucketPolicy
    DependsOn: OriginAccessIdentity
    Properties:
      Bucket: !Ref WebBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
            Resource: !Join
              - ""
              - - !GetAtt WebBucket.Arn
                - "/*"
            Principal:
              CanonicalUser: !GetAtt OriginAccessIdentity.S3CanonicalUserId

  Distribution:
    Type: AWS::CloudFront::Distribution
    DependsOn: OriginAccessIdentity
    Properties:
      DistributionConfig:
        Enabled: true
        HttpVersion: http2
        PriceClass: PriceClass_100
        ViewerCertificate: !If
          - NoSSL
          - !Ref AWS::NoValue
          - AcmCertificateArn: !Ref CertificateArn
            MinimumProtocolVersion: TLSv1.1_2016
            SslSupportMethod: sni-only
        Comment: !If
          - NoFQDN
          - !Ref AWS::NoValue
          - !Ref FQDN
        Aliases: !If
          - NoFQDN
          - !Ref AWS::NoValue
          - - !Ref FQDN
        DefaultRootObject: index.html
        DefaultCacheBehavior:
          ForwardedValues:
            QueryString: false
          AllowedMethods:
            - HEAD
            - GET
            - OPTIONS
          Compress: true
          DefaultTTL: !FindInMap [CacheSettings, !Ref EnvType, "DefaultTTL"]
          ViewerProtocolPolicy: !If
            - NoSSL
            - allow-all
            - redirect-to-https
          TargetOriginId: Bucket
        Origins:
          - Id: Bucket
            DomainName: !GetAtt WebBucket.DomainName
            S3OriginConfig:
              OriginAccessIdentity: !Join
                - /
                - - origin-access-identity
                  - cloudfront
                  - !Ref OriginAccessIdentity
        Logging:
          Bucket: !Join
            - .
            - - !Ref LogBucket
              - s3
              - !Ref AWS::URLSuffix
          Prefix: !If
            - NoFQDN
            - !Sub web/${AWS::StackName}/
            - !Sub web/${FQDN}/
          IncludeCookies: true

  LogBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: LogDeliveryWrite
      VersioningConfiguration:
        Status: Suspended
      LifecycleConfiguration:
        Rules:
        - Status: Enabled
          ExpirationInDays: 3653
          NoncurrentVersionExpirationInDays: 1

  SharedLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: !Join [ '-', [ !Ref 'AWS::StackName', 'LogGroup']]


Conditions:

  NoFQDN: !Equals
    - !Ref FQDN
    - ''

  NoSSL: !Equals
    - !Ref CertificateArn
    - ''

Outputs:
  WebBucketArn:
    Description: ARN of S3 bucket hosting the website
    Value: !GetAtt WebBucket.Arn
    Export:
      Name: !Sub '${AWS::StackName}WebBucketArn'
	AWSTemplateFormatVersion: '2010-09-09'
	Description: >
	Creates the following resources:
	- An S3 bucket for the website
	- A CloudFront for serving the static assets

	Parameters:

	CertificateArn:
	Type: String
	Description: The ARN of the SSL Certificate for Remix

	FQDN:
	Type: String
	Description: The desired FQDN of the website

	EnvType:
	Type: String
	Description: The type of environment to create.
	Default: dev
	AllowedValues:
	- dev
	- prod
	ConstraintDescription: must specify prod or dev.

	Mappings:
	CacheSettings:
	dev:
	DefaultTTL: 0
	prod:
	DefaultTTL: 86400

	Resources:

	OriginAccessIdentity:
	Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
	Properties:
	CloudFrontOriginAccessIdentityConfig:
	Comment: !Sub Static assets in ${AWS::StackName}

	WebBucket:
	Type: AWS::S3::Bucket
	Properties:
	LoggingConfiguration:
	DestinationBucketName: !Ref LogBucket
	LogFilePrefix: !If
	- NoFQDN
	- !Sub s3/${AWS::StackName}/
	- !Sub s3/${FQDN}/

	WebBucketPolicy:
	Type: AWS::S3::BucketPolicy
	DependsOn: OriginAccessIdentity
	Properties:
	Bucket: !Ref WebBucket
	PolicyDocument:
	Version: '2012-10-17'
	Statement:
	- Effect: Allow
	Action:
	- s3:GetObject
	Resource: !Join
	- ""
	- - !GetAtt WebBucket.Arn
	- "/*"
	Principal:
	CanonicalUser: !GetAtt OriginAccessIdentity.S3CanonicalUserId

	Distribution:
	Type: AWS::CloudFront::Distribution
	DependsOn: OriginAccessIdentity
	Properties:
	DistributionConfig:
	Enabled: true
	HttpVersion: http2
	PriceClass: PriceClass_100
	ViewerCertificate: !If
	- NoSSL
	- !Ref AWS::NoValue
	- AcmCertificateArn: !Ref CertificateArn
	MinimumProtocolVersion: TLSv1.1_2016
	SslSupportMethod: sni-only
	Comment: !If
	- NoFQDN
	- !Ref AWS::NoValue
	- !Ref FQDN
	Aliases: !If
	- NoFQDN
	- !Ref AWS::NoValue
	- - !Ref FQDN
	DefaultRootObject: index.html
	DefaultCacheBehavior:
	ForwardedValues:
	QueryString: false
	AllowedMethods:
	- HEAD
	- GET
	- OPTIONS
	Compress: true
	DefaultTTL: !FindInMap [CacheSettings, !Ref EnvType, "DefaultTTL"]
	ViewerProtocolPolicy: !If
	- NoSSL
	- allow-all
	- redirect-to-https
	TargetOriginId: Bucket
	Origins:
	- Id: Bucket
	DomainName: !GetAtt WebBucket.DomainName
	S3OriginConfig:
	OriginAccessIdentity: !Join
	- /
	- - origin-access-identity
	- cloudfront
	- !Ref OriginAccessIdentity
	Logging:
	Bucket: !Join
	- .
	- - !Ref LogBucket
	- s3
	- !Ref AWS::URLSuffix
	Prefix: !If
	- NoFQDN
	- !Sub web/${AWS::StackName}/
	- !Sub web/${FQDN}/
	IncludeCookies: true

	LogBucket:
	Type: AWS::S3::Bucket
	Properties:
	AccessControl: LogDeliveryWrite
	VersioningConfiguration:
	Status: Suspended
	LifecycleConfiguration:
	Rules:
	- Status: Enabled
	ExpirationInDays: 3653
	NoncurrentVersionExpirationInDays: 1

	SharedLogGroup:
	Type: AWS::Logs::LogGroup
	Properties:
	RetentionInDays: 7
	LogGroupName: !Join [ '-', [ !Ref 'AWS::StackName', 'LogGroup']]


	Conditions:

	NoFQDN: !Equals
	- !Ref FQDN
	- ''

	NoSSL: !Equals
	- !Ref CertificateArn
	- ''

	Outputs:
	WebBucketArn:
	Description: ARN of S3 bucket hosting the website
	Value: !GetAtt WebBucket.Arn
	Export:
	Name: !Sub '${AWS::StackName}WebBucketArn'