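# CloudFormation template: a static website kept in S3 and served by CloudFront.
# The version is quoted so that generic YAML parsers and linters keep it as a
# string instead of converting it to a date.
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Resources for hosting a static website (generated with Hugo for example) on
  Amazon Simple Storage Service (S3) & CloudFront.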
# -----------------------------------------------------------------------------
# Parameters: values the operator supplies when creating or updating the stack.
# -----------------------------------------------------------------------------
Parameters:

  # Certificate the distribution presents to viewers (used by
  # ViewerCertificate.AcmCertificateArn). No default: it must be supplied.
  # NOTE(review): CloudFront only accepts ACM certificates issued in
  # us-east-1 - confirm the ARN comes from that region.
  AcmCertificateArn:
    Description: >
      The ARN of the SSL certificate to use for the CloudFront distribution.
    Type: String

  # Used as the distribution alias, in the resource tags and in the origin
  # access identity comment.
  DomainName:
    Description: 'The website domain name.'
    Type: String
    Default: 'lroguet.example'

  # Passed straight through to DistributionConfig.PriceClass.
  PriceClass:
    Description: 'The CloudFront distribution price class'
    Type: String
    AllowedValues:
      - PriceClass_100
      - PriceClass_200
      - PriceClass_All
    Default: PriceClass_All
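# -----------------------------------------------------------------------------
# Resources: a bucket that is readable only through the CloudFront distribution.
# -----------------------------------------------------------------------------
Resources:

  # Public entry point: serves the bucket content under the DomainName alias.
  TheCloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - !Ref DomainName
        DefaultCacheBehavior:
          Compress: true
          # NOTE(review): ForwardedValues is the legacy cache setting; a cache
          # policy (CachePolicyId) is the current replacement.
          ForwardedValues:
            QueryString: false
          TargetOriginId: the-s3-bucket
          # Plain-HTTP requests are redirected to HTTPS, never served.
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        CustomErrorResponses:
          # The origin identity holds s3:GetObject only, so S3 answers 403 for
          # a missing key; that is presented to viewers as the site's 404 page.
          # Genuine access-denied responses are rewritten the same way.
          - ErrorCachingMinTTL: 300
            ErrorCode: 403
            ResponseCode: 404
            ResponsePagePath: /404.html
        Enabled: true
        HttpVersion: http2
        Origins:
          - DomainName: !Sub '${TheBucket}.s3.amazonaws.com'
            Id: the-s3-bucket
            S3OriginConfig:
              # CloudFront reads the bucket as this identity, not anonymously.
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${TheCloudFrontOriginAccessIdentity}'
        PriceClass: !Ref PriceClass
        ViewerCertificate:
          AcmCertificateArn: !Ref AcmCertificateArn
          # TLS 1.2 floor. The TLSv1 policy also accepts TLS 1.0 and 1.1, which
          # are deprecated. Viewers that cannot negotiate TLS 1.2 will no
          # longer connect.
          MinimumProtocolVersion: TLSv1.2_2021
          SslSupportMethod: sni-only
      Tags:
        - Key: Domain
          Value: !Ref DomainName

  # Identity CloudFront uses towards S3; the bucket policy grants read to it.
  TheCloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub 'CloudFront OAI for ${DomainName}'

  # Website content. Retained when the stack is deleted, so the data (and its
  # storage cost) outlive the stack until the bucket is removed by hand.
  TheBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # The only intended reader is the origin access identity, so every form
      # of public access is switched off at the bucket level. This keeps a
      # later public ACL or public policy from exposing the content directly
      # and bypassing CloudFront.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: Domain
          Value: !Ref DomainName

  # Grants object reads to the origin access identity and to nothing else.
  TheBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TheBucket
      PolicyDocument:
        # Explicit policy language version; quoted so it stays a string.
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
            Resource: !Sub 'arn:aws:s3:::${TheBucket}/*'
            Principal:
              CanonicalUser: !GetAtt TheCloudFrontOriginAccessIdentity.S3CanonicalUserId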