path: root/stacks/blog.tpl
blob: 6ab65d14e977c300464a7a9f7955e88fde1a61a8 (plain)
[+ autogen5 template -*- mode: json -*- +]
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Blog of kennyballou.com",
    "Parameters": {
        "DomainName": {
            "Description": "Domain name of the site",
            "Type": "String",
            "Default": "kennyballou.com"
        },
        "BlogBucketName": {
            "Description": "Name of the S3 bucket",
            "Type": "String",
            "Default": "blog.kennyballou.com"
        },
        "CloudFrontHostedZone": {
            "Description": "Hosted zone ID used for the CloudFront alias target",
            "Type": "String",
            "Default": "Z2FDTNDATAQYW2"
        }
    },
    "Resources": {
        "HostedZone": {
            "Type": "AWS::Route53::HostedZone",
            "Properties": {
                "Name": {"Ref": "DomainName"}
            }
        },
        "BlogContentBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "Private",
                "BucketName": {"Ref": "BlogBucketName"},
                "LifecycleConfiguration": {
                    "Rules": [
                        {
                            "NoncurrentVersionExpirationInDays": 90,
                            "Status": "Enabled"
                        }
                    ]
                },
                "VersioningConfiguration": {
                    "Status": "Enabled"
                },
                "WebsiteConfiguration": {
                    "IndexDocument": "index.html",
                    "ErrorDocument": "404.html"
                }
            }
        },
        "BlogContentBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "BlogContentBucket"},
                "PolicyDocument": {
                    "Statement": [
                        {
                            "Action": ["s3:GetObject"],
                            "Effect": "Allow",
                            "Resource": [
                                {"Fn::Join": ["/", [
                                    {"Fn::GetAtt": [
                                        "BlogContentBucket", "Arn"]},
                                    "*"
                                ]]}
                            ],
                            "Principal": {
                                "CanonicalUser": {"Fn::GetAtt": [
                                    "OriginAccessId",
                                    "S3CanonicalUserId"]}
                            }
                        }
                    ]
                }
            }
        },
        "SSLCertificate": {
            "Type": "AWS::CertificateManager::Certificate",
            "Properties": {
                "DomainName": {"Ref": "DomainName"}
            }
        },
        "OriginAccessId": {
            "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
            "Properties": {
                "CloudFrontOriginAccessIdentityConfig": {
                    "Comment": "Origin access identity for the blog content bucket"
                }
            }
        },
        "CFDistribution": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {
                "DistributionConfig": {
                    "Aliases": [
                        {"Ref": "DomainName"}
                    ],
                    "DefaultRootObject": "index.html",
                    "Enabled": true,
                    "IPV6Enabled": true,
                    "HttpVersion": "http2",
                    "DefaultCacheBehavior": {
                        "TargetOriginId": {"Fn::Join": [".", [
                            "s3",
                            {"Ref": "BlogBucketName"}]]},
                        "ViewerProtocolPolicy": "redirect-to-https",
                        "MinTTL": 0,
                        "DefaultTTL": 3600,
                        "AllowedMethods": ["HEAD", "GET"],
                        "CachedMethods": ["HEAD", "GET"],
                        "ForwardedValues": {
                            "QueryString": true,
                            "Cookies": {
                                "Forward": "none"
                            }
                        },
                        "LambdaFunctionAssociations": [
                            {
                                "EventType": "origin-request",
                                "LambdaFunctionARN": {
                                    "Ref": "URIRewriteLambdaVersion"
                                }
                            }
                        ]
                    },
                    "Origins": [
                        {
                            "S3OriginConfig": {
                                "OriginAccessIdentity": {"Fn::Join": ["/", [
                                    "origin-access-identity/cloudfront",
                                    {"Ref": "OriginAccessId"}
                                ]]}
                            },
                            "DomainName": {"Fn::Join": [".", [
                                {"Ref": "BlogBucketName"},
                                "s3.amazonaws.com"]]},
                            "Id": {"Fn::Join": [".", [
                                "s3",
                                {"Ref": "BlogBucketName"}]]}
                        }
                    ],
                    "PriceClass": "PriceClass_100",
                    "Restrictions": {
                        "GeoRestriction": {
                            "RestrictionType": "none",
                            "Locations": []
                        }
                    },
                    "ViewerCertificate": {
                        "SslSupportMethod": "sni-only",
                        "MinimumProtocolVersion": "TLSv1.1_2016",
                        "AcmCertificateArn": {"Ref": "SSLCertificate"}
                    }
                }
            }
        },
        "BlogAliasRecord": {
            "Type": "AWS::Route53::RecordSet",
            "Properties": {
                "AliasTarget": {
                    "DNSName": {"Fn::GetAtt": ["CFDistribution", "DomainName"]},
                    "HostedZoneId": {"Ref": "CloudFrontHostedZone"}
                },
                "HostedZoneId": {"Ref": "HostedZone"},
                "Name": {"Ref": "DomainName"},
                "Type": "A"
            }
        },
        "URIRewriteLambdaFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Description": "Lambda Function performing URI rewriting",
                "Code": {
                    "ZipFile": [+ INCLUDE "uri-rewrite.in" +]
                },
                "Handler": "index.handler",
                "MemorySize": 128,
                "Role": {"Fn::GetAtt": ["URIRewriteLambdaRole", "Arn"]},
                "Runtime": "nodejs8.10",
                "Tags": [
                    {"Key": "Domain", "Value": {"Ref": "DomainName"}}
                ]
            }
        },
        "URIRewriteLambdaRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": "sts:AssumeRole",
                            "Principal": {
                                "Service": [
                                    "edgelambda.amazonaws.com",
                                    "lambda.amazonaws.com"
                                ]
                            }
                        }
                    ]
                },
                "Policies": [
                    {
                        "PolicyName": "GrantCloudwatchLogAccess",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": [
                                        "logs:CreateLogGroup",
                                        "logs:CreateLogStream",
                                        "logs:PutLogEvents"
                                    ],
                                    "Resource": [
                                        "arn:aws:logs:*:*:*"
                                    ]
                                }
                            ]
                        }
                    }
                ]
            }
        },
        "URIRewriteLambdaVersion": {
            "Type": "AWS::Lambda::Version",
            "Properties": {
                "FunctionName": {"Fn::GetAtt": [
                    "URIRewriteLambdaFunction", "Arn"]},
                "Description": "Lambda Function performing URI rewriting"
            }
        }
    }
}