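AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  A serverless website with SAM on AWS: https://izifortune.com/serverless-website-sam-aws/

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 3

Resources:
  # Execution role shared by both Lambda@Edge functions. Both the regular Lambda
  # service principal and edgelambda.amazonaws.com must be trusted, otherwise
  # CloudFront cannot replicate the published version to edge locations.
  LambdaEdgeFunctionRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: '/'
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: "AllowLambdaServiceToAssumeRole"
            Effect: "Allow"
            Action:
              - "sts:AssumeRole"
            Principal:
              Service:
                - "lambda.amazonaws.com"
                - "edgelambda.amazonaws.com"

  # Lambda@Edge functions (and therefore this stack) must be deployed in
  # us-east-1; CloudFront only accepts function versions from that region.
  # AutoPublishAlias is what makes `RewriteLambda.Version` resolvable below.
  # NOTE(review): nodejs12.x and nodejs10.x are both end-of-life runtimes and
  # the two functions disagree with each other; pin both to one currently
  # supported Lambda@Edge runtime once the handler code has been re-tested.
  RewriteLambda:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: rewrite/
      Description: 'Serverless rewrite lambda'
      Handler: app.lambdaHandler
      Runtime: nodejs12.x
      MemorySize: 128
      Timeout: 1
      Role: !GetAtt LambdaEdgeFunctionRole.Arn
      AutoPublishAlias: live

  SecureHeadersLambda:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: secure-headers/
      Description: 'Add security headers to index.html response'
      Handler: app.lambdaHandler
      Runtime: nodejs10.x
      MemorySize: 128
      Timeout: 1
      Role: !GetAtt LambdaEdgeFunctionRole.Arn
      AutoPublishAlias: live

  # Origin Access Identity: the only principal the bucket policy below grants
  # s3:GetObject to, so objects are reachable through CloudFront only.
  CloudFrontOriginAccessIdentity:
    Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: 'Serverless website Origin access identity serverless website'

  WebsiteCloudfrontDistribution:
    Type: "AWS::CloudFront::Distribution"
    Properties:
      DistributionConfig:
        Aliases:
          - <ADD YOU ALIASES HERE>
        Comment: "Cloudfront distribution for serverless website"
        ViewerCertificate:
          # The ACM certificate for CloudFront must itself live in us-east-1.
          AcmCertificateArn: <CERT HERE>
          # TLS 1.0/1.1 are deprecated; TLSv1.2_2021 is the current CloudFront
          # policy that restricts viewers to TLS 1.2+ with modern cipher suites.
          MinimumProtocolVersion: TLSv1.2_2021
          SslSupportMethod: sni-only
        DefaultRootObject: "index.html"
        Enabled: true
        HttpVersion: http2
        Origins:
          - Id: s3-website
            DomainName: !GetAtt Bucket.DomainName
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}'
        DefaultCacheBehavior:
          # Real boolean, consistent with `Enabled: true` above (was the string 'true').
          Compress: true
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          ForwardedValues:
            QueryString: false
          TargetOriginId: s3-website
          ViewerProtocolPolicy: redirect-to-https
          LambdaFunctionAssociations:
            # origin-request: rewrite paths (e.g. directory -> index.html) before S3 is hit.
            - EventType: origin-request
              LambdaFunctionARN: !Ref RewriteLambda.Version
            # viewer-response: inject security headers on the way back to the browser.
            - EventType: viewer-response
              LambdaFunctionARN: !Ref SecureHeadersLambda.Version

  # Content bucket. Public access is blocked at the bucket level; the only
  # read path is the OAI-scoped bucket policy below, which is not a "public"
  # policy and is therefore still accepted with BlockPublicPolicy enabled.
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: <YOURSWEBSITE.COM>
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        # Same policy-language version as the role's trust policy above.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: 's3:GetObject'
            Resource:
              - !Sub "arn:aws:s3:::${Bucket}/*"
            Principal:
              AWS: !Sub "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${CloudFrontOriginAccessIdentity}"

  # NOTE(review): the record names below must lie within this zone's Name,
  # and both are placeholders that have to be replaced together.
  HostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      HostedZoneConfig:
        Comment: yourwebsite.com hosted zone
      Name: yourwebsite.com

  # Alias records for the apex and www, IPv4 and IPv6. AliasTarget.HostedZoneId
  # is NOT the zone the record lives in: for a CloudFront alias it must be the
  # fixed hosted zone ID shared by every CloudFront distribution
  # (Z2FDTNDATAQYW2); pointing it at our own zone makes the record creation fail.
  RecordA:
    Type: AWS::Route53::RecordSet
    DependsOn: WebsiteCloudfrontDistribution
    Properties:
      HostedZoneId: !Ref HostedZone
      Name: <yourwebsite>.com
      Type: A
      AliasTarget:
        DNSName: !GetAtt WebsiteCloudfrontDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2

  RecordAAAA:
    Type: AWS::Route53::RecordSet
    DependsOn: WebsiteCloudfrontDistribution
    Properties:
      HostedZoneId: !Ref HostedZone
      Name: <yourwebsite>.com
      Type: AAAA
      AliasTarget:
        DNSName: !GetAtt WebsiteCloudfrontDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2

  RecordWWWA:
    Type: AWS::Route53::RecordSet
    DependsOn: WebsiteCloudfrontDistribution
    Properties:
      HostedZoneId: !Ref HostedZone
      Name: www.<yourwebsite>.com
      Type: A
      AliasTarget:
        DNSName: !GetAtt WebsiteCloudfrontDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2

  RecordWWWAAAA:
    Type: AWS::Route53::RecordSet
    DependsOn: WebsiteCloudfrontDistribution
    Properties:
      HostedZoneId: !Ref HostedZone
      Name: www.<yourwebsite>.com
      Type: AAAA
      AliasTarget:
        DNSName: !GetAtt WebsiteCloudfrontDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2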