static-website-with-cloudfront.yml

AWSTemplateFormatVersion: 2010-09-09
Description: >
  Resources for hosting a static website (generated with Hugo for example) on
  Amazon Simple Storage Service (S3) & CloudFront.

###############################################################################
Parameters:
###############################################################################

  AcmCertificateArn:
    Type: String
    Description: >
      The ARN of the SSL certificate to use for the CloudFront distribution.

  DomainName:
    Type: String
    Description: The website domain name.
    Default: lroguet.example

  PriceClass:
    Type: String
    Description: The CloudFront distribution price class
    Default: 'PriceClass_All'
    AllowedValues:
      - 'PriceClass_100'
      - 'PriceClass_200'
      - 'PriceClass_All'

###############################################################################
Resources:
###############################################################################

  TheCloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - !Ref DomainName
        DefaultCacheBehavior:
          Compress: true
          ForwardedValues:
            QueryString: false
          TargetOriginId: the-s3-bucket
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        CustomErrorResponses:
          - ErrorCachingMinTTL: 300
            ErrorCode: 403
            ResponseCode: 404
            ResponsePagePath: /404.html
        Enabled: true
        HttpVersion: http2
        Origins:
          - DomainName:
              !Join [ "", [ !Ref TheBucket, ".s3.amazonaws.com" ] ]
            Id: the-s3-bucket
            S3OriginConfig:
              OriginAccessIdentity:
                !Join [ "", [ "origin-access-identity/cloudfront/", !Ref TheCloudFrontOriginAccessIdentity ] ]
        PriceClass: !Ref PriceClass
        ViewerCertificate:
          AcmCertificateArn: !Ref AcmCertificateArn
          MinimumProtocolVersion: TLSv1
          SslSupportMethod: sni-only
      Tags:
        - Key: Domain
          Value: !Ref DomainName

  TheCloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub 'CloudFront OAI for ${DomainName}'

  TheBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          -
            ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      Tags:
        - Key: Domain
          Value: !Ref DomainName

  TheBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TheBucket
      PolicyDocument:
        Statement:
          -
            Action:
              - s3:GetObject
            Effect: Allow
            Resource: !Join [ "", [ "arn:aws:s3:::", !Ref TheBucket, "/*" ] ]
            Principal:
              CanonicalUser: !GetAtt TheCloudFrontOriginAccessIdentity.S3CanonicalUserId
	AWSTemplateFormatVersion: 2010-09-09
	Description: >
	Resources for hosting a static website (generated with Hugo for example) on
	Amazon Simple Storage Service (S3) & CloudFront.

	###############################################################################
	Parameters:
	###############################################################################

	AcmCertificateArn:
	Type: String
	Description: >
	The ARN of the SSL certificate to use for the CloudFront distribution.

	DomainName:
	Type: String
	Description: The website domain name.
	Default: lroguet.example

	PriceClass:
	Type: String
	Description: The CloudFront distribution price class
	Default: 'PriceClass_All'
	AllowedValues:
	- 'PriceClass_100'
	- 'PriceClass_200'
	- 'PriceClass_All'

	###############################################################################
	Resources:
	###############################################################################

	TheCloudFrontDistribution:
	Type: AWS::CloudFront::Distribution
	Properties:
	DistributionConfig:
	Aliases:
	- !Ref DomainName
	DefaultCacheBehavior:
	Compress: true
	ForwardedValues:
	QueryString: false
	TargetOriginId: the-s3-bucket
	ViewerProtocolPolicy: redirect-to-https
	DefaultRootObject: index.html
	CustomErrorResponses:
	- ErrorCachingMinTTL: 300
	ErrorCode: 403
	ResponseCode: 404
	ResponsePagePath: /404.html
	Enabled: true
	HttpVersion: http2
	Origins:
	- DomainName:
	!Join [ "", [ !Ref TheBucket, ".s3.amazonaws.com" ] ]
	Id: the-s3-bucket
	S3OriginConfig:
	OriginAccessIdentity:
	!Join [ "", [ "origin-access-identity/cloudfront/", !Ref TheCloudFrontOriginAccessIdentity ] ]
	PriceClass: !Ref PriceClass
	ViewerCertificate:
	AcmCertificateArn: !Ref AcmCertificateArn
	MinimumProtocolVersion: TLSv1
	SslSupportMethod: sni-only
	Tags:
	- Key: Domain
	Value: !Ref DomainName

	TheCloudFrontOriginAccessIdentity:
	Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
	Properties:
	CloudFrontOriginAccessIdentityConfig:
	Comment: !Sub 'CloudFront OAI for ${DomainName}'

	TheBucket:
	Type: AWS::S3::Bucket
	DeletionPolicy: Retain
	Properties:
	BucketEncryption:
	ServerSideEncryptionConfiguration:
	-
	ServerSideEncryptionByDefault:
	SSEAlgorithm: AES256
	Tags:
	- Key: Domain
	Value: !Ref DomainName

	TheBucketPolicy:
	Type: AWS::S3::BucketPolicy
	Properties:
	Bucket: !Ref TheBucket
	PolicyDocument:
	Statement:
	-
	Action:
	- s3:GetObject
	Effect: Allow
	Resource: !Join [ "", [ "arn:aws:s3:::", !Ref TheBucket, "/*" ] ]
	Principal:
	CanonicalUser: !GetAtt TheCloudFrontOriginAccessIdentity.S3CanonicalUserId