Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

1170 lines (1103 sloc) 37.3 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: |
Static web site stack with CodePipeline and CodeBuild deployment from
CodeCommit repository. Includes redirect from www to base domain, access
logs written to S3, SSL via Amazon Certificate Manager, CloudFront CDN, and
Route 53 DNS entries. S3 access logs analysis and visualization using Elasticsearch and Kibana.
Parameters:
# Domain: example-com
ProjectName:
Type: String
Description: "The project name"
MinLength: 4
MaxLength: 253
AllowedPattern: "[a-z0-9]+[-.a-z0-9]*"
ConstraintDescription: |
Provide a valid project name using only lowercase letters,
numbers, and dash (-).
# Domain: example.com
DomainName:
Type: String
Description: "The base domain name for the web site (no 'www')"
MinLength: 4
MaxLength: 253
AllowedPattern: "[a-z0-9]+[-.a-z0-9]*(\\.[a-z][a-z]+)+"
ConstraintDescription: |
Provide a valid domain name using only lowercase letters,
numbers, ., and dash (-)
DefaultTTL:
Type: Number
Description: "CloudFront default cache lifetime in seconds"
Default: 30
MinimumTTL:
Description: "CloudFront minimum cache lifetime in seconds"
Default: 5
Type: Number
PriceClass:
Description: "CloudFront price class. Default is US-only, PriceClass_All is worldwide but more expensive."
Default: PriceClass_100
AllowedValues:
- PriceClass_100
- PriceClass_200
- PriceClass_All
Type: String
LogExpirationInDays:
Description: "How long to hold site access logs in S3."
Default: 30
Type: Number
PreExistingLogsBucket:
Description: |
Optional pre-existing access logs bucket.
Leave empty to have access logs bucket created and managed by this stack.
Type: String
Default: ""
PreExistingSiteBucket:
Description: |
Optional pre-existing website bucket.
Leave empty to have website bucket created and managed by this stack.
Type: String
Default: ""
PreExistingRedirectBucket:
Description: |
Optional pre-existing redirect bucket.
Leave empty to have redirect bucket created and managed by this stack.
Type: String
Default: ""
PreExistingCodeCommitRepository:
Description: |
Optional pre-existing CodeCommit repository.
Leave empty to have repository created and managed by this stack.
Type: String
Default: ""
PreExistingCodePipelineBucket:
Description: |
Optional name of pre-existing CodePipeline artifact bucket.
Leave empty to have CodePipeline bucket created and managed by this stack.
Type: String
Default: ""
PreExistingHostedZoneDomain:
Description: |
Optional pre-existing Route 53 hosted zone.
Leave empty to have hosted zone created and managed by this stack.
Type: String
Default: ""
PreExistingHostedZoneId:
Description: |
Optional pre-existing Route 53 hosted zone id.
Fill it if you already have a hosted zone.
Leave empty to have hosted zone id created and managed by this stack.
Type: String
Default: ""
ESIndexExpirationinDays:
Description: How long to hold indexes in Elasticsearch.
Type: Number
Default: 0
PreExistingCertificate:
Description: |
Optional pre-existing Certificate.
Leave empty to have certificate created and managed by this stack.
Type: String
Default: ""
Conditions:
NeedsNewLogsBucket: !Equals [!Ref PreExistingLogsBucket, ""]
NeedsNewRedirectBucket: !Equals [!Ref PreExistingRedirectBucket, ""]
NeedsNewSiteBucket: !Equals [!Ref PreExistingSiteBucket, ""]
NeedsNewCodePipelineBucket: !Equals [!Ref PreExistingCodePipelineBucket, ""]
NeedsNewCodeCommitRepository:
!Equals [!Ref PreExistingCodeCommitRepository, ""]
NeedsNewHostedZone: !Equals [!Ref PreExistingHostedZoneDomain, ""]
NeedsNewCertificate: !Equals [!Ref PreExistingCertificate, ""]
Mappings:
RegionMap:
ap-northeast-1:
S3hostedzoneID: "Z2M4EHUR26P7ZW"
websiteendpoint: "s3-website-ap-northeast-1.amazonaws.com"
ap-northeast-2:
S3hostedzoneID: "Z3W03O7B5YMIYP"
websiteendpoint: "s3-website.ap-northeast-2.amazonaws.com"
ap-south-1:
S3hostedzoneID: "Z11RGJOFQNVJUP"
websiteendpoint: "s3-website.ap-south-1.amazonaws.com"
ap-southeast-1:
S3hostedzoneID: "Z3O0J2DXBE1FTB"
websiteendpoint: "s3-website-ap-southeast-1.amazonaws.com"
ap-southeast-2:
S3hostedzoneID: "Z1WCIGYICN2BYD"
websiteendpoint: "s3-website-ap-southeast-2.amazonaws.com"
eu-central-1:
S3hostedzoneID: "Z21DNDUVLTQW6Q"
websiteendpoint: "s3-website.eu-central-1.amazonaws.com"
eu-west-1:
S3hostedzoneID: "Z1BKCTXD74EZPE"
websiteendpoint: "s3-website-eu-west-1.amazonaws.com"
sa-east-1:
S3hostedzoneID: "Z7KQH4QJS55SO"
websiteendpoint: "s3-website-sa-east-1.amazonaws.com"
us-east-1:
S3hostedzoneID: "Z3AQBSTGFYJSTF"
websiteendpoint: "s3-website-us-east-1.amazonaws.com"
us-east-2:
S3hostedzoneID: "Z2O1EMRO9K5GLX"
websiteendpoint: "s3-website.us-east-2.amazonaws.com"
us-west-1:
S3hostedzoneID: "Z2F56UZL2M1ACD"
websiteendpoint: "s3-website-us-west-1.amazonaws.com"
us-west-2:
S3hostedzoneID: "Z3BJ6K6RIION7M"
Resources:
# Bucket for CloudFront and S3 access logs: logs-example-com
LogsBucket:
Condition: NeedsNewLogsBucket
Type: "AWS::S3::Bucket"
Properties:
BucketName: !Sub "logs-${ProjectName}"
AccessControl: LogDeliveryWrite
LifecycleConfiguration:
Rules:
- Id: "LogExpirationRule"
Status: "Enabled"
ExpirationInDays: !Ref LogExpirationInDays
NotificationConfiguration:
LambdaConfigurations:
- Event: "s3:ObjectCreated:*"
Function: !GetAtt LogsToCloudwatchLambda.Arn
DeletionPolicy: Delete
DependsOn: PermissionForS3ToInvokeLogsToCloudwatchLambda
# Bucket to redirect to example.com: www.example.com
RedirectBucket:
Condition: NeedsNewRedirectBucket
Type: "AWS::S3::Bucket"
Properties:
BucketName: !Sub "www.${DomainName}"
AccessControl: BucketOwnerFullControl
# logs.example.com/logs/s3/www.example.com/
LoggingConfiguration:
DestinationBucketName:
!If [NeedsNewLogsBucket, !Ref LogsBucket, !Ref PreExistingLogsBucket]
LogFilePrefix: !Sub "logs/s3/www.${DomainName}/"
WebsiteConfiguration:
RedirectAllRequestsTo:
HostName: !Ref DomainName
Protocol: https
DeletionPolicy: Delete
# Bucket for site content: example.com
SiteBucket:
Condition: NeedsNewSiteBucket
Type: "AWS::S3::Bucket"
Properties:
BucketName: !Ref DomainName
AccessControl: PublicRead
WebsiteConfiguration:
IndexDocument: index.html
ErrorDocument: error.html
# logs.example.com/logs/s3/example.com/
LoggingConfiguration:
DestinationBucketName:
!If [NeedsNewLogsBucket, !Ref LogsBucket, !Ref PreExistingLogsBucket]
LogFilePrefix: !Sub "logs/s3/${DomainName}/"
DeletionPolicy: Delete
# Site bucket policy
SiteBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref SiteBucket
PolicyDocument:
Version: "2012-10-17"
Statement:
Effect: Allow
Principal: "*"
Action: s3:GetObject
Resource: !Sub arn:aws:s3:::${SiteBucket}/*
# Permission for s3 to invoke lambda which will fetch the logs from s3 and store in cloudwatch
PermissionForS3ToInvokeLogsToCloudwatchLambda:
Type: "AWS::Lambda::Permission"
Properties:
Action: "lambda:InvokeFunction"
FunctionName: !GetAtt LogsToCloudwatchLambda.Arn
Principal: "s3.amazonaws.com"
SourceArn: !Join ["", ["arn:aws:s3:::", !Sub "logs-${ProjectName}"]]
# Lambda to move logs from S3 logs bucket to cloudwatch
LogsToCloudwatchLambda:
Type: AWS::Lambda::Function
Properties:
Description: Lambda to move logs from S3 logs bucket to cloudwatch
Handler: readS3Logs.handler
Role: !GetAtt LogsToCloudwatchLambdaExecutionRole.Arn
Code:
S3Bucket: !Join
- ""
- - !ImportValue LambdaCodeBucket
S3Key: "lambdas/readS3Logs.zip"
Environment:
Variables:
S3_LOG_GROUP: !Ref SiteLogGroup
CF_LOG_GROUP: !Ref CloudfrontLogGroup
Timeout: 30
Runtime: nodejs6.10
# Role for Lambda to access objects within S3 Logs bucket
LogsToCloudwatchLambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal: { Service: [lambda.amazonaws.com] }
Action: ["sts:AssumeRole"]
Path: /
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
Policies:
- PolicyName: S3Policy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "S3:GetObject"
- "s3:PutObject"
- "S3:DeleteObject"
Resource: !Sub "arn:aws:s3:::logs-${ProjectName}/*"
- Effect: "Allow"
Action:
- "logs:CreateLogGroup"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
- "logs:GetLogEvents"
- "logs:DescribeLogStreams"
Resource: "arn:aws:logs:*:*:*"
# Log group for s3 access logs
SiteLogGroup:
Type: "AWS::Logs::LogGroup"
Properties:
LogGroupName: !Sub "${ProjectName}S3Logs"
# Log group for Cloudfront logs
CloudfrontLogGroup:
Type: "AWS::Logs::LogGroup"
Properties:
LogGroupName: !Sub "${ProjectName}CFLogs"
# Git repository
CodeCommitRepository:
Condition: NeedsNewCodeCommitRepository
Type: "AWS::CodeCommit::Repository"
Properties:
RepositoryDescription: !Sub "Git repository for ${DomainName}"
RepositoryName: !Ref ProjectName
DeletionPolicy: Delete
# Role for CodeBuild
CodeBuildServiceRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "codebuild.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/AWSCodeCommitFullAccess"
- "arn:aws:iam::aws:policy/AmazonS3FullAccess"
- "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
- "arn:aws:iam::aws:policy/AWSCodeBuildDeveloperAccess"
# CodeBuild Project
CodeBuildProject:
Type: AWS::CodeBuild::Project
Properties:
Name: !Ref ProjectName
ServiceRole: !GetAtt CodeBuildServiceRole.Arn
Artifacts:
Type: NO_ARTIFACTS
Environment:
Type: linuxContainer
ComputeType: BUILD_GENERAL1_SMALL
Image: aws/codebuild/nodejs:8.11.0
EnvironmentVariables:
- Name: SITE_BUCKET
Value: !Ref SiteBucket
Source:
Location: !Sub "https://git-codecommit.${AWS::Region}.amazonaws.com/v1/repos/${ProjectName}"
Type: CODECOMMIT
BuildSpec: |
version: 0.1
phases:
install:
commands:
- sudo npm install
build:
commands:
- sudo node_modules/.bin/hexo clean
- sudo node_modules/.bin/hexo algolia
- sudo node_modules/.bin/hexo generate
post_build:
commands:
- aws s3 sync public/ s3://$SITE_BUCKET/ --delete
TimeoutInMinutes: 10
# Role for CodePipeline
CodePipelineRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- "codepipeline.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/AWSCodeCommitFullAccess"
- "arn:aws:iam::aws:policy/AmazonS3FullAccess"
- "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
- "arn:aws:iam::aws:policy/AWSCodeBuildDeveloperAccess"
# Bucket for CodePipeline artifact storage: codepipeline.example.com
CodePipelineBucket:
Condition: NeedsNewCodePipelineBucket
Type: "AWS::S3::Bucket"
Properties:
BucketName: !Sub "codepipeline-${ProjectName}"
VersioningConfiguration:
Status: Enabled
DeletionPolicy: Delete
# CodePipeline for the static website
CodePipeline:
Type: "AWS::CodePipeline::Pipeline"
Properties:
Name: !Sub "${ProjectName}-codepipeline"
ArtifactStore:
Type: S3
Location:
!If [
NeedsNewCodePipelineBucket,
!Ref CodePipelineBucket,
!Ref PreExistingCodePipelineBucket,
]
RestartExecutionOnUpdate: false
RoleArn: !GetAtt CodePipelineRole.Arn
Stages:
- Name: Source
Actions:
- Name: SourceAction
ActionTypeId:
Category: Source
Owner: AWS
Provider: CodeCommit
Version: 1
Configuration:
RepositoryName:
!If [
NeedsNewCodeCommitRepository,
!Ref ProjectName,
!Ref PreExistingCodeCommitRepository,
]
BranchName: master
OutputArtifacts:
- Name: SiteSource
RunOrder: 1
- Name: Build
Actions:
- Name: InvokeAction
InputArtifacts:
- Name: SiteSource
ActionTypeId:
Category: Build
Owner: AWS
Provider: CodeBuild
Version: 1
Configuration:
ProjectName: !Ref ProjectName
OutputArtifacts:
- Name: SiteContent
RunOrder: 1
# Create and validate certificate role
CertificateLambdaRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Path: /
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
Policies:
- PolicyName: CFNCertificateDomainResourceRecordProvider
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- acm:RequestCertificate
- acm:DescribeCertificate
- acm:UpdateCertificateOptions
- acm:DeleteCertificate
Resource:
- "*"
- Effect: Allow
Action:
- route53:ChangeResourceRecordSets
Resource:
!Join [
"",
[
"arn:aws:route53:::hostedzone/",
!If [
NeedsNewHostedZone,
!Ref Route53HostedZone,
!Ref PreExistingHostedZoneId,
],
],
]
- Effect: Allow
Action:
- logs:*
Resource: arn:aws:logs:*:*:*
# Lambda to create and validate certificate
CreateAndValidateCertificateLambda:
Type: AWS::Lambda::Function
Properties:
Description: Lambda to create and validate certificate
Handler: certificateValidator.handler
Role: !GetAtt CertificateLambdaRole.Arn
Code:
S3Bucket: !Join
- ""
- - !ImportValue LambdaCodeBucket
S3Key: "lambdas/certificateValidator.zip"
Environment:
Variables:
EXEC_THRESHOLD_SECONDS: 200
Timeout: 300
Runtime: nodejs6.10
# Certificate for HTTPS accesss through CloudFront
Certificate:
Type: Custom::Certificate
Properties:
DomainName: !Ref DomainName
ValidationMethod: DNS
ServiceToken: !GetAtt CreateAndValidateCertificateLambda.Arn
# Check ACM Certificate validity status
IssuedCertificate:
Type: Custom::IssuedCertificate
Properties:
CertificateArn: !GetAtt Certificate.CertificateArn
LambdaArn: !GetAtt CreateAndValidateCertificateLambda.Arn
Region: !Ref "AWS::Region"
ServiceToken: !GetAtt CreateAndValidateCertificateLambda.Arn
DependsOn: DomainValidationRecord
# Generates DNS Record for certificate
CertificateDNSRecord:
Type: Custom::CertificateDNSRecord
Properties:
CertificateArn: !GetAtt Certificate.CertificateArn
ServiceToken: !GetAtt CreateAndValidateCertificateLambda.Arn
# Validates certificate by adding record in DNS.
DomainValidationRecord:
Type: AWS::Route53::RecordSetGroup
Properties:
HostedZoneId:
!If [
NeedsNewHostedZone,
!Ref Route53HostedZone,
!Ref PreExistingHostedZoneId,
]
RecordSets:
- Name: !GetAtt CertificateDNSRecord.Name
Type: "CNAME"
TTL: 300
ResourceRecords:
- !GetAtt CertificateDNSRecord.Value
# CDN serves S3 content over HTTPS for example.com
CloudFrontDistribution:
Type: "AWS::CloudFront::Distribution"
Properties:
DistributionConfig:
Enabled: true
Aliases:
- !Ref DomainName
DefaultRootObject: index.html
PriceClass: !Ref PriceClass
Origins:
- DomainName:
!Join [
"",
[
!Ref DomainName,
".",
!FindInMap [RegionMap, !Ref "AWS::Region", websiteendpoint],
],
]
Id: S3Origin
CustomOriginConfig:
HTTPPort: 80
HTTPSPort: 443
OriginProtocolPolicy: http-only
DefaultCacheBehavior:
TargetOriginId: S3Origin
AllowedMethods:
- GET
- HEAD
Compress: true
DefaultTTL: !Ref DefaultTTL
MinTTL: !Ref MinimumTTL
ForwardedValues:
QueryString: false
Cookies:
Forward: none
ViewerProtocolPolicy: redirect-to-https
# logs.example.com/logs/cloudfront/example.com/
Logging:
Bucket:
!Join [
"",
[
!If [
NeedsNewLogsBucket,
!Ref LogsBucket,
!Ref PreExistingLogsBucket,
],
".s3.amazonaws.com",
],
]
Prefix: !Sub "logs/cloudfront/${DomainName}/"
IncludeCookies: false
ViewerCertificate:
AcmCertificateArn: !GetAtt IssuedCertificate.CertificateArn
SslSupportMethod: sni-only
# CDN serves S3 content over HTTPS for www.example.com
RedirectCloudFrontDistribution:
Type: "AWS::CloudFront::Distribution"
Properties:
DistributionConfig:
Enabled: true
Aliases:
- !If [
NeedsNewRedirectBucket,
!Ref RedirectBucket,
!Ref PreExistingRedirectBucket,
]
PriceClass: PriceClass_100
Origins:
- DomainName:
!Join [
"",
[
!If [
NeedsNewRedirectBucket,
!Ref RedirectBucket,
!Ref PreExistingRedirectBucket,
],
".",
!FindInMap [RegionMap, !Ref "AWS::Region", websiteendpoint],
],
]
Id: RedirectS3Origin
CustomOriginConfig:
HTTPPort: 80
HTTPSPort: 443
OriginProtocolPolicy: http-only
DefaultCacheBehavior:
TargetOriginId: RedirectS3Origin
AllowedMethods:
- GET
- HEAD
DefaultTTL: !Ref DefaultTTL
MinTTL: !Ref MinimumTTL
ForwardedValues:
QueryString: false
Cookies:
Forward: none
ViewerProtocolPolicy: allow-all
# logs.example.com/logs/cloudfront/www.example.com/
Logging:
Bucket:
!Join [
"",
[
!If [
NeedsNewLogsBucket,
!Ref LogsBucket,
!Ref PreExistingLogsBucket,
],
".s3.amazonaws.com",
],
]
Prefix: !Sub "logs/cloudfront/www.${DomainName}/"
IncludeCookies: false
ViewerCertificate:
AcmCertificateArn: !GetAtt IssuedCertificate.CertificateArn
SslSupportMethod: sni-only
# DNS: example.com, www.example.com
Route53HostedZone:
Condition: NeedsNewHostedZone
Type: "AWS::Route53::HostedZone"
Properties:
HostedZoneConfig:
Comment: !Sub "Created by CloudFormation stack: ${AWS::StackName}"
Name: !Ref DomainName
DeletionPolicy: Delete
Route53RecordSetGroup:
Type: "AWS::Route53::RecordSetGroup"
Properties:
HostedZoneId:
!If [NeedsNewHostedZone, !Ref Route53HostedZone, !Ref "AWS::NoValue"]
HostedZoneName:
!If [
NeedsNewHostedZone,
!Ref "AWS::NoValue",
!Sub "${PreExistingHostedZoneDomain}.",
]
RecordSets:
# example.com
- Name: !Sub "${DomainName}."
Type: A
# Resolve to CloudFront distribution
AliasTarget:
HostedZoneId: Z2FDTNDATAQYW2 # CloudFront
DNSName: !GetAtt CloudFrontDistribution.DomainName
# www.example.com
- Name: !Sub "www.${DomainName}."
Type: A
# Resolve to Redirect CloudFront distribution
AliasTarget:
HostedZoneId: Z2FDTNDATAQYW2 # CloudFront
DNSName: !GetAtt RedirectCloudFrontDistribution.DomainName
# Elasticsearch for analysis and search to get insights from logs
SiteElasticsearch:
Type: "AWS::Elasticsearch::Domain"
Properties:
DomainName: !Sub "${ProjectName}"
AccessPolicies:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
AWS: !Join
- ":"
- - "arn:aws:iam:"
- !Ref "AWS::AccountId"
- "root"
Action:
- "es:ESHttpGet"
Resource: !Join
- ":"
- - "arn:aws:es"
- !Ref "AWS::Region"
- !Ref "AWS::AccountId"
- !Sub "domain/${ProjectName}/*"
EBSOptions:
EBSEnabled: true
VolumeSize: 10
VolumeType: "gp2"
ElasticsearchClusterConfig:
DedicatedMasterEnabled: false
InstanceCount: 1
InstanceType: "t2.small.elasticsearch"
ZoneAwarenessEnabled: false
ElasticsearchVersion: "6.3"
# Role for Lambda to transform logs and upload to elasticsearch
LogsToElasticsearchLambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal: { Service: [lambda.amazonaws.com] }
Action: ["sts:AssumeRole"]
Path: /
Policies:
- PolicyName: "ElasticSearchPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "es:*"
Resource: "arn:aws:es:*:*:*"
- Effect: "Allow"
Action:
- "logs:CreateLogGroup"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
- "logs:GetLogEvents"
- "logs:DescribeLogStreams"
Resource: "arn:aws:logs:*:*:*"
# Lambda to move logs from cloudwatch to Elasticsearch
LogsToElasticsearchLambda:
Type: AWS::Lambda::Function
Properties:
Description: "CloudWatch Logs to Amazon ES streaming"
Handler: "logsToElasticsearch.handler"
Role: !GetAtt LogsToElasticsearchLambdaExecutionRole.Arn
Code:
S3Bucket: !Join
- ""
- - !ImportValue LambdaCodeBucket
S3Key: "lambdas/logsToElasticsearch.zip"
Environment:
Variables:
ELASTICSEARCH_ENDPOINT: !GetAtt SiteElasticsearch.DomainEndpoint
Timeout: 60
Runtime: nodejs6.10
# Lambda Elasticsearch Execution Instance profile
LambdaElasticsearchExecutionInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: /
Roles:
- !Ref LogsToElasticsearchLambdaExecutionRole
# Permission to invoke Lambda to move Cloudwatch logs to Elasticsearch.
PermissionForCloudwatchLogsToInvokeLambda:
Type: "AWS::Lambda::Permission"
Properties:
FunctionName: !Ref LogsToElasticsearchLambda
Action: "lambda:InvokeFunction"
Principal: !Sub "logs.${AWS::Region}.amazonaws.com"
SourceArn: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*"
# Cloudwatch logs filter
SubscriptionFilter:
Type: "AWS::Logs::SubscriptionFilter"
Properties:
LogGroupName: !Ref SiteLogGroup
FilterPattern: "[bucketOwner, bucket, timestamp, ip, requester, requesterId, operation, key, requesturi, httpStatus=4*, errorCode, byteSent, objectSize, totalTime, turnaroundTime, referrer, userAgent, versionId]"
DestinationArn: !GetAtt LogsToElasticsearchLambda.Arn
DependsOn: PermissionForCloudwatchLogsToInvokeLambda
# Cloudwatch Cloudfront logs filter
CFSubscriptionFilter:
Type: "AWS::Logs::SubscriptionFilter"
Properties:
LogGroupName: !Ref CloudfrontLogGroup
FilterPattern: "[date, time, xedgelocation, scbytes, cip, csmethod, csHost, csuristem, scstatus, csReferer, csUserAgent, csuriquery, csCookie, xedgeresulttype, xedgerequestid, xhostheader, csprotocol, csbytes, timetaken, xforwardedfor, sslprotocol, sslcipher, xedgeresponseresulttype, csprotocolversion, flestatus, fleencryptedfields]"
DestinationArn: !GetAtt LogsToElasticsearchLambda.Arn
DependsOn: PermissionForCloudwatchLogsToInvokeLambda
# Role for DeleteIndice Lambda to delete logs from Elasticsearch
DeleteESIndexLambdaExecutionRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service: "lambda.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: /
Policies:
- PolicyName: "root"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "logs:CreateLogGroup"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
Resource: "arn:aws:logs:*:*:*"
- Effect: "Allow"
Action:
- "es:*"
Resource: "arn:aws:es:*:*:*"
# Permission for cloudwatch to invoke lambda which will delete elasticsearch indices
PermissionForScheduledRuleToInvokeLambda:
Type: "AWS::Lambda::Permission"
Properties:
FunctionName: !Ref DeleteIndiceJobLambda
Action: "lambda:InvokeFunction"
Principal: "events.amazonaws.com"
SourceArn: !GetAtt OnceADayScheduledRule.Arn
# Rule for delete indice Lambda
OnceADayScheduledRule:
Type: "AWS::Events::Rule"
Properties:
Name: !Sub "once-a-day-${ProjectName}"
Description: "execute once a day"
State: "ENABLED"
ScheduleExpression: "rate(1 day)"
Targets:
- Arn: !GetAtt DeleteIndiceJobLambda.Arn
Id: "DeleteIndiceJobLambda"
# Delete Indice Lambda
DeleteIndiceJobLambda:
Type: "AWS::Lambda::Function"
Properties:
Code:
S3Bucket: !Join
- ""
- - !ImportValue LambdaCodeBucket
S3Key: "lambdas/deleteElasticSearchIndices.zip"
Description: "keep elasticsearch only 30 days indices for free tier"
Environment:
Variables:
ELASTICSEARCH_ENDPOINT: !GetAtt SiteElasticsearch.DomainEndpoint
DAYS_TOKEEP: !Ref ESIndexExpirationinDays
Handler: "deleteElasticSearchIndices.handler"
Role: !GetAtt DeleteESIndexLambdaExecutionRole.Arn
Runtime: nodejs6.10
Timeout: 30
# Lambda instance profile
DeleteESindexLambdaExecutionInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: /
Roles:
- !Ref DeleteESIndexLambdaExecutionRole
# Creates a user pool in cognito for your app to auth against
CognitoUserPool:
Type: AWS::Cognito::UserPool
Properties:
UserPoolName: !Sub "KibanaUsers${ProjectName}"
AdminCreateUserConfig:
AllowAdminCreateUserOnly: true
UsernameAttributes:
- email
AutoVerifiedAttributes:
- email
Policies:
PasswordPolicy:
MinimumLength: 8
Schema:
- Name: email
AttributeDataType: String
DeveloperOnlyAttribute: false
Mutable: true
Required: true
# Creates a federated Identity pool
CognitoIdentityPool:
Type: AWS::Cognito::IdentityPool
Properties:
IdentityPoolName: !Sub "KibanaIDPool${ProjectName}"
AllowUnauthenticatedIdentities: true
# CognitoIdentityProviders:
# - ClientId: !Ref UserPoolClient
# ProviderName: !Sub "cognito-idp.${AWS::Region}.amazonaws.com/${UserPool}"
# Cognito policy to access ElasticSearch
CognitoAuthenticatedPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "es:ESHttp*"
- "mobileanalytics:PutEvents"
- "cognito-sync:*"
- "cognito-identity:*"
Resource:
- "*"
# Create a role for authorized acces to AWS resources. Control what your user can access. This example only allows Lambda invocation
# Only allows users in the previously created Identity Pool
CognitoAuthenticatedRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: "sts:AssumeRoleWithWebIdentity"
Principal:
Federated: cognito-identity.amazonaws.com
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud": !Ref CognitoIdentityPool
ForAnyValue:StringLike:
"cognito-identity.amazonaws.com:amr": authenticated
ManagedPolicyArns:
- !Ref CognitoAuthenticatedPolicy
# Create a role for unauthorized acces to AWS resources. Very limited access. Only allows users in the previously created Identity Pool
CognitoUnAuthenticatedRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud": !Ref CognitoIdentityPool
ForAnyValue:StringLike:
"cognito-identity.amazonaws.com:amr": unauthenticated
Policies:
- PolicyName: "CognitoUnauthorizedPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "mobileanalytics:PutEvents"
- "cognito-sync:*"
Resource: "*"
# Assigns the roles to the Identity Pool
CognitoRoleAttachment:
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId: !Ref CognitoIdentityPool
Roles:
authenticated: !GetAtt CognitoAuthenticatedRole.Arn
unauthenticated: !GetAtt CognitoUnAuthenticatedRole.Arn
# Custom resource to create UserPool domain so that Kibana could use it for authentication.
CognitoUserPoolDomain:
Type: "Custom::CognitoUserPoolDomain"
Properties:
Domain: !Ref ProjectName
UserPoolId: !Ref CognitoUserPool
ServiceToken: !GetAtt CognitoUserPoolDomainLambda.Arn
DependsOn: CognitoUserPool
# Enable Cognito options for AWS Elasticsearch Kibana authentication.
SiteElasticsearchCognitoOption:
Type: "Custom::ElasticsearchCognitoOption"
Properties:
ESDomain: !Ref SiteElasticsearch
RoleArn: !GetAtt CognitoAccessForAmazonESRole.Arn
UserPoolId: !Ref CognitoUserPool
IdentityPoolId: !Ref CognitoIdentityPool
ServiceToken: !GetAtt CognitoUserPoolDomainLambda.Arn
DependsOn: SiteElasticsearch
# Lambda to create UserPool domain.
CognitoUserPoolDomainLambda:
Type: "AWS::Lambda::Function"
Properties:
Code:
S3Bucket: !Join
- ""
- - !ImportValue LambdaCodeBucket
S3Key: "lambdas/cognitoForES.zip"
Handler: cognitoForES.handler
Role: !GetAtt CognitoUserPoolDomainLambdaExecutionRole.Arn
Timeout: 300
Runtime: nodejs6.10
# Lambda Role for UserPool domain and update ES domain with cognito options
CognitoUserPoolDomainLambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal: { Service: [lambda.amazonaws.com] }
Action: ["sts:AssumeRole"]
Policies:
- PolicyName: "UserPoolDomainCognitoOptionsPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: "cognito-idp:CreateUserPoolDomain"
Resource: "arn:aws:cognito-idp:*:*:userpool/*"
- Effect: Allow
Action: "cognito-idp:DeleteUserPoolDomain"
Resource: "arn:aws:cognito-idp:*:*:userpool/*"
- Effect: Allow
Action: "cognito-idp:DescribeUserPoolDomain"
Resource: "*"
- Effect: "Allow"
Action:
- "es:*"
Resource: "arn:aws:es:*:*:*"
- Effect: Allow
Action:
- logs:*
Resource: arn:aws:logs:*:*:*
- Effect: Allow
Action:
- "iam:GetRole"
- "iam:PassRole"
Resource: "*"
# Lambda Cognito UserPool domain Instance profile
CognitoUserPoolDomainLambdaInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: /
Roles:
- !Ref CognitoUserPoolDomainLambdaExecutionRole
# Amazon Elasticsearch role for Kibana authentication.
CognitoAccessForAmazonESRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal: { Service: [es.amazonaws.com] }
Action: ["sts:AssumeRole"]
Policies:
- PolicyName: "CognitoAccessForESPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "cognito-idp:DescribeUserPool"
- "cognito-idp:CreateUserPoolClient"
- "cognito-idp:DeleteUserPoolClient"
- "cognito-idp:DescribeUserPoolClient"
- "cognito-idp:AdminInitiateAuth"
- "cognito-idp:AdminUserGlobalSignOut"
- "cognito-idp:ListUserPoolClients"
- "cognito-identity:DescribeIdentityPool"
- "cognito-identity:UpdateIdentityPool"
- "cognito-identity:SetIdentityPoolRoles"
- "cognito-identity:GetIdentityPoolRoles"
Resource: "*"
- Effect: Allow
Action: "iam:PassRole"
Resource: "*"
Condition:
StringLike:
"iam:PassedToService": "cognito-identity.amazonaws.com"
Outputs:
WebsiteURL:
Value: !GetAtt
- SiteBucket
- WebsiteURL
Description: URL for website hosted on S3
S3BucketSecureURL:
Value: !Join
- ""
- - "https://"
- !GetAtt
- SiteBucket
- DomainName
Description: HTTPS url of S3 bucket.
S3BucketName:
Value: !Ref SiteBucket
Description: Name of S3 bucket to hold website content.
GitCloneURL:
Value: !GetAtt CodeCommitRepository.CloneUrlHttp
Description: Code commit url for clone.
ElasticSearchDomain:
Value: !Join
- ""
- - "https://"
- !GetAtt
- SiteElasticsearch
- DomainEndpoint
Description: Domain endpoint of elasticsearch
KibanaEndpoint:
Value: !Join
- ""
- - "https://"
- !GetAtt
- SiteElasticsearch
- DomainEndpoint
- "/_plugin/kibana/"
Description: Kibana endpoint url
UserPoolId:
Value: !Ref CognitoUserPool
Description: UserPoolID of kibana users.
You can’t perform that action at this time.