tmpl_s3cf_202303.yaml
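---
AWSTemplateFormatVersion: '2010-09-09'
Description: Sample template for S3Origin CloudFront

Parameters:
  CloudFrontPriceClass:
    Type: String
    Description: CloudFront price class (controls which edge locations serve the distribution).
    Default: PriceClass_200
    AllowedValues: [PriceClass_100, PriceClass_200, PriceClass_All]

Resources:
  # Private origin bucket. Retained on stack deletion/replacement so content is not lost.
  OriginS3Bucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketName: !Sub ${AWS::StackName}-${AWS::AccountId}
      # All public access is blocked; CloudFront reaches the bucket through OAC only.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Disable ACLs entirely so the bucket policy is the single source of access control.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced

  # Grants the CloudFront service principal read access, scoped with aws:SourceArn to
  # this one distribution so no other distribution (in any account) can use the bucket.
  OriginS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref OriginS3Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: s3:GetObject
            Effect: Allow
            Resource: !Sub arn:${AWS::Partition}:s3:::${OriginS3Bucket}/*
            Principal:
              Service: cloudfront.amazonaws.com
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub arn:${AWS::Partition}:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}
          # ListBucket lets CloudFront return 404 (instead of 403) for keys that do not exist.
          - Action: s3:ListBucket
            Effect: Allow
            Resource: !Sub arn:${AWS::Partition}:s3:::${OriginS3Bucket}
            Principal:
              Service: cloudfront.amazonaws.com
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub arn:${AWS::Partition}:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}

  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Comment: !Sub 'Created by ${AWS::StackName}'
        DefaultCacheBehavior:
          TargetOriginId: mainS3Origin
          ViewerProtocolPolicy: redirect-to-https
          # Managed cache/origin-request policies. The legacy ForwardedValues block must
          # not be set alongside CachePolicyId: CloudFront rejects the combination.
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # CachingOptimized
          OriginRequestPolicyId: acba4595-bd28-49b8-b9fe-13317c0390fa # UserAgentRefererHeaders
          Compress: true
        DefaultRootObject: index.html
        Enabled: true
        Origins:
          # Regional endpoint avoids the temporary 307 redirects the global
          # s3.amazonaws.com endpoint can return for buckets outside us-east-1.
          - DomainName: !GetAtt OriginS3Bucket.RegionalDomainName
            Id: mainS3Origin
            S3OriginConfig:
              OriginAccessIdentity: ''  # empty on purpose: access is via OAC, not a legacy OAI
            OriginAccessControlId: !GetAtt OriginAccessControl.Id
        PriceClass: !Ref CloudFrontPriceClass
        # Serve only to viewers in Japan; extend the allow-list as needed.
        Restrictions:
          GeoRestriction:
            RestrictionType: whitelist
            Locations:
              - JP

  # Origin Access Control: CloudFront signs every origin request with SigV4, which is
  # what the bucket policy's cloudfront.amazonaws.com principal relies on.
  OriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Description: !Sub 'OAC of ${OriginS3Bucket}. Created by ${AWS::StackName}'
        Name: !Sub 'OAC-${OriginS3Bucket}'
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4

Outputs:
  OriginS3BucketName:
    Value: !Ref OriginS3Bucket
    Export:
      Name: !Sub ${AWS::StackName}-OriginS3Bucket
  CloudfrontDomainName:
    Value: !GetAtt CloudFrontDistribution.DomainName
    Export:
      Name: !Sub ${AWS::StackName}-CloudfrontDomainName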