static-website-with-cloudfront-lambda-edge.yml

AWSTemplateFormatVersion: 2010-09-09
Description: >
  Resources for hosting a static website (generated with Hugo for example) on
  Amazon Simple Storage Service (S3), CloudFront & Lambda@Edge for URI
  rewriting.

###############################################################################
Parameters:
###############################################################################

  AcmCertificateArn:
    Type: String
    Description: >
      The ARN of the SSL certificate to use for the CloudFront distribution.

  DomainName:
    Type: String
    Description: The website domain name.
    Default: lroguet.example

  PriceClass:
    Type: String
    Description: The CloudFront distribution price class
    Default: 'PriceClass_All'
    AllowedValues:
      - 'PriceClass_100'
      - 'PriceClass_200'
      - 'PriceClass_All'

###############################################################################
Outputs:
###############################################################################

  TheBucketArn:
    Description: The ARN of the S3 bucket hosting the static content.
    Value: !GetAtt TheBucket.Arn
    Export:
      Name: !Sub ${AWS::StackName}-bucket-arn

###############################################################################
Resources:
###############################################################################

  TheCloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - !Ref DomainName
        DefaultCacheBehavior:
          Compress: true
          ForwardedValues:
            QueryString: false
          TargetOriginId: the-s3-bucket
          ViewerProtocolPolicy: redirect-to-https
          LambdaFunctionAssociations:
            - EventType: origin-request
              LambdaFunctionARN: !Ref TheOriginRequestLambdaFunctionVersion
        DefaultRootObject: index.html
        CustomErrorResponses:
          - ErrorCachingMinTTL: 300
            ErrorCode: 403
            ResponseCode: 404
            ResponsePagePath: /404.html
        Enabled: true
        HttpVersion: http2
        Origins:
          - DomainName:
              !Join [ "", [ !Ref TheBucket, ".s3.amazonaws.com" ] ]
            Id: the-s3-bucket
            S3OriginConfig:
              OriginAccessIdentity:
                !Join [ "", [ "origin-access-identity/cloudfront/", !Ref TheCloudFrontOriginAccessIdentity ] ]
        PriceClass: !Ref PriceClass
        ViewerCertificate:
          AcmCertificateArn: !Ref AcmCertificateArn
          MinimumProtocolVersion: TLSv1.1_2016
          SslSupportMethod: sni-only
      Tags:
        - Key: Domain
          Value: !Ref DomainName

  TheCloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub 'CloudFront OAI for ${DomainName}'

  TheBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          -
            ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      Tags:
        - Key: Domain
          Value: !Ref DomainName

  TheBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TheBucket
      PolicyDocument:
        Statement:
          -
            Action:
              - s3:GetObject
            Effect: Allow
            Resource: !Join [ "", [ "arn:aws:s3:::", !Ref TheBucket, "/*" ] ]
            Principal:
              CanonicalUser: !GetAtt TheCloudFrontOriginAccessIdentity.S3CanonicalUserId

  TheOriginRequestLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Description: >
        Lambda function performing request URI rewriting.
      Code:
        ZipFile: |
          const path = require('path');
          exports.handler = async (event) => {
            var request = event.Records[0].cf.request;
            // Rewrite clean URLs (adding index.html)
            if (!path.extname(request.uri)) {
              request.uri = request.uri.replace(/\/?$/, '\/index.html');
            }
            return request;
          };
      Handler: index.handler
      MemorySize: 128
      Role: !Sub ${TheOriginRequestLambdaFunctionExecutionRole.Arn}
      Runtime: nodejs8.10
      Tags:
        - Key: Domain
          Value: !Ref DomainName

  TheOriginRequestLambdaFunctionVersion:
    Type: AWS::Lambda::Version
    Properties:
      FunctionName: !Ref TheOriginRequestLambdaFunction
      Description: !Sub "URL rewriting for ${DomainName}"

  TheOriginRequestLambdaFunctionExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - edgelambda.amazonaws.com
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
	AWSTemplateFormatVersion: 2010-09-09
	Description: >
	Resources for hosting a static website (generated with Hugo for example) on
	Amazon Simple Storage Service (S3), CloudFront & Lambda@Edge for URI
	rewriting.

	###############################################################################
	Parameters:
	###############################################################################

	AcmCertificateArn:
	Type: String
	Description: >
	The ARN of the SSL certificate to use for the CloudFront distribution.

	DomainName:
	Type: String
	Description: The website domain name.
	Default: lroguet.example

	PriceClass:
	Type: String
	Description: The CloudFront distribution price class
	Default: 'PriceClass_All'
	AllowedValues:
	- 'PriceClass_100'
	- 'PriceClass_200'
	- 'PriceClass_All'

	###############################################################################
	Outputs:
	###############################################################################

	TheBucketArn:
	Description: The ARN of the S3 bucket hosting the static content.
	Value: !GetAtt TheBucket.Arn
	Export:
	Name: !Sub ${AWS::StackName}-bucket-arn

	###############################################################################
	Resources:
	###############################################################################

	TheCloudFrontDistribution:
	Type: AWS::CloudFront::Distribution
	Properties:
	DistributionConfig:
	Aliases:
	- !Ref DomainName
	DefaultCacheBehavior:
	Compress: true
	ForwardedValues:
	QueryString: false
	TargetOriginId: the-s3-bucket
	ViewerProtocolPolicy: redirect-to-https
	LambdaFunctionAssociations:
	- EventType: origin-request
	LambdaFunctionARN: !Ref TheOriginRequestLambdaFunctionVersion
	DefaultRootObject: index.html
	CustomErrorResponses:
	- ErrorCachingMinTTL: 300
	ErrorCode: 403
	ResponseCode: 404
	ResponsePagePath: /404.html
	Enabled: true
	HttpVersion: http2
	Origins:
	- DomainName:
	!Join [ "", [ !Ref TheBucket, ".s3.amazonaws.com" ] ]
	Id: the-s3-bucket
	S3OriginConfig:
	OriginAccessIdentity:
	!Join [ "", [ "origin-access-identity/cloudfront/", !Ref TheCloudFrontOriginAccessIdentity ] ]
	PriceClass: !Ref PriceClass
	ViewerCertificate:
	AcmCertificateArn: !Ref AcmCertificateArn
	MinimumProtocolVersion: TLSv1.1_2016
	SslSupportMethod: sni-only
	Tags:
	- Key: Domain
	Value: !Ref DomainName

	TheCloudFrontOriginAccessIdentity:
	Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
	Properties:
	CloudFrontOriginAccessIdentityConfig:
	Comment: !Sub 'CloudFront OAI for ${DomainName}'

	TheBucket:
	Type: AWS::S3::Bucket
	Properties:
	BucketEncryption:
	ServerSideEncryptionConfiguration:
	-
	ServerSideEncryptionByDefault:
	SSEAlgorithm: AES256
	Tags:
	- Key: Domain
	Value: !Ref DomainName

	TheBucketPolicy:
	Type: AWS::S3::BucketPolicy
	Properties:
	Bucket: !Ref TheBucket
	PolicyDocument:
	Statement:
	-
	Action:
	- s3:GetObject
	Effect: Allow
	Resource: !Join [ "", [ "arn:aws:s3:::", !Ref TheBucket, "/*" ] ]
	Principal:
	CanonicalUser: !GetAtt TheCloudFrontOriginAccessIdentity.S3CanonicalUserId

	TheOriginRequestLambdaFunction:
	Type: AWS::Lambda::Function
	Properties:
	Description: >
	Lambda function performing request URI rewriting.
	Code:
	ZipFile: \|
	const path = require('path');
	exports.handler = async (event) => {
	var request = event.Records[0].cf.request;
	// Rewrite clean URLs (adding index.html)
	if (!path.extname(request.uri)) {
	request.uri = request.uri.replace(/\/?$/, '\/index.html');
	}
	return request;
	};
	Handler: index.handler
	MemorySize: 128
	Role: !Sub ${TheOriginRequestLambdaFunctionExecutionRole.Arn}
	Runtime: nodejs8.10
	Tags:
	- Key: Domain
	Value: !Ref DomainName

	TheOriginRequestLambdaFunctionVersion:
	Type: AWS::Lambda::Version
	Properties:
	FunctionName: !Ref TheOriginRequestLambdaFunction
	Description: !Sub "URL rewriting for ${DomainName}"

	TheOriginRequestLambdaFunctionExecutionRole:
	Type: AWS::IAM::Role
	Properties:
	AssumeRolePolicyDocument:
	Version: 2012-10-17
	Statement:
	- Effect: Allow
	Principal:
	Service:
	- edgelambda.amazonaws.com
	- lambda.amazonaws.com
	Action:
	- sts:AssumeRole
	ManagedPolicyArns:
	- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole