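---
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Static site stack: a private S3 bucket (readable only through a CloudFront
  origin access identity), a CloudFront distribution fronted by a WAF Classic
  IP allow-list, and a Route53 alias record for the site's DNS name.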
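###############################################################################
Parameters:
###############################################################################
  DomainName:
    Type: String
    Description: >-
      DNS zone the site record is created in. A public Route53 hosted zone
      for this name must already exist in the account.
    Default: 'ordbok.aws.uib.no'
    # Labels may not begin or end with '-'. CloudFormation anchors the pattern
    # to the whole value.
    AllowedPattern: '(?!-)[a-zA-Z0-9-.]{1,63}(?<!-)'
    ConstraintDescription: must be a valid DNS zone name
  DomainPrefix:
    Type: String
    Description: >-
      Host label placed in front of DomainName; the site is served at
      <DomainPrefix>.<DomainName> and that name is also the CloudFront alias.
    Default: beta
    # Single label only: the value is joined with '.' into a record name and
    # a CloudFront alias, so dots and invalid characters would break both.
    AllowedPattern: '(?!-)[a-zA-Z0-9-]{1,63}(?<!-)'
    ConstraintDescription: must be a single valid DNS label
  PriceClass:
    Type: String
    Description: The CloudFront distribution price class
    Default: 'PriceClass_100'
    # Only the cheapest class is allowed for now; widen the list to enable
    # the other classes.
    AllowedValues:
      - 'PriceClass_100'
      #- 'PriceClass_200'
      #- 'PriceClass_All'
  CertificateArn:
    Type: String
    Description: >-
      ARN of the ACM certificate covering <DomainPrefix>.<DomainName>.
      CloudFront only accepts certificates issued in us-east-1, and a
      distribution with an alias cannot be created without one, so this
      parameter is required (the previous default of '' always failed at
      deploy time).
    AllowedPattern: 'arn:aws:acm:us-east-1:[0-9]{12}:certificate/[A-Za-z0-9-]+'
    ConstraintDescription: must be the ARN of an ACM certificate in us-east-1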
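###############################################################################
Resources:
###############################################################################
  # Alias record <DomainPrefix>.<DomainName> -> CloudFront. HostedZoneName must
  # name an existing public hosted zone (trailing dot required). HostedZone*
  # properties and Tags are not valid on a RecordSet and were dropped.
  DNS:
    Type: "AWS::Route53::RecordSet"
    Properties:
      HostedZoneName: !Join ['.', [!Ref DomainName, '']]
      Name: !Join ['.', [!Ref DomainPrefix, !Ref DomainName, '']]
      Type: A
      AliasTarget:
        # Fixed hosted zone ID that AWS assigns to every CloudFront
        # distribution; it is the same in all accounts and regions.
        HostedZoneId: Z2FDTNDATAQYW2
        DNSName: !GetAtt Distribution.DomainName

  # Site content. The bucket is never public: the only reader is the
  # CloudFront origin access identity granted in BucketPolicy.
  WebBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      # NOTE(review): bucket names containing dots cannot be reached with
      # virtual-hosted-style HTTPS (the S3 wildcard certificate does not match
      # them) - confirm CloudFront can reach this origin, or drop the dots.
      BucketName: !Sub "${AWS::StackName}.aws.uib.no"
      VersioningConfiguration:
        Status: Enabled
      # Close every public-ACL / public-policy path; access is OAI-only.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: Application
          Value: !Ref DomainName

  # Grants the OAI read access. Bucket, Principal and Action were missing in
  # the previous version, so the policy could not be created at all.
  BucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket: !Ref WebBucket
      PolicyDocument:
        Id: MyPolicy
        # Quoted so generic YAML tooling does not read the version as a date.
        Version: '2012-10-17'
        Statement:
          # Sid renamed: the old "PublicRead..." name misdescribed a grant that
          # is restricted to the CloudFront origin identity.
          - Sid: CloudFrontOriginReadOnly
            Effect: Allow
            Principal:
              CanonicalUser: !GetAtt CloudFrontOriginIdentity.S3CanonicalUserId
            Action: s3:GetObject
            Resource: !Join ['', ['arn:aws:s3:::', !Ref 'WebBucket', /*]]
          # With ListBucket, S3 answers 404 (not 403) for a missing key, so the
          # distribution can route deep links on 404 alone instead of mapping
          # every 403 - including WAF blocks - to index.html.
          - Sid: CloudFrontOriginListForNotFound
            Effect: Allow
            Principal:
              CanonicalUser: !GetAtt CloudFrontOriginIdentity.S3CanonicalUserId
            Action: s3:ListBucket
            Resource: !Join ['', ['arn:aws:s3:::', !Ref 'WebBucket']]

  # WAF Classic, global scope (the flavour CloudFront attaches to). WAF Classic
  # resources do not accept Tags. NOTE(review): AWS recommends
  # AWS::WAFv2::WebACL with Scope: CLOUDFRONT for new deployments; migrating
  # is out of scope for this change. The resource name was missing; ITARule
  # references it as ITAIpSet.
  ITAIpSet:
    Type: "AWS::WAF::IPSet"
    Properties:
      Name: "allowed IPs"
      IPSetDescriptors:
        - Type: "IPV4"
          Value: "129.177.0.0/16"

  ITARule:
    Type: "AWS::WAF::Rule"
    Properties:
      MetricName: "ITARule"
      Name: "ITARule"
      Predicates:
        - Type: "IPMatch"
          Negated: false
          DataId: !Ref ITAIpSet

  # Default-deny: only requests whose source IP is in ITAIpSet are served.
  # The ACL only filters anything once it is attached to the distribution
  # (WebACLId); the origin itself is unreachable except through the OAI, so
  # the allow-list cannot be bypassed by going to S3 directly.
  ACL:
    Type: "AWS::WAF::WebACL"
    Properties:
      Name: "intern ITA"
      MetricName: "WebACL"
      DefaultAction:
        Type: "BLOCK"
      Rules:
        - Action:
            Type: "ALLOW"
          Priority: 1
          RuleId: !Ref ITARule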
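# CloudFront distribution in front of WebBucket (read via the OAI) with the
# WAF Classic ACL attached.
  Distribution:
    Type: "AWS::CloudFront::Distribution"
    Properties:
      DistributionConfig:
        Enabled: true
        HttpVersion: http2
        PriceClass: !Ref PriceClass
        DefaultRootObject: index.html
        # !Ref on a WAF Classic WebACL yields the ID CloudFront expects. The
        # previous version had two dangling list items (!Ref ACL and
        # AWS::NoValue), which look like the remains of an !If without a
        # Condition; ACL is always created, so attach it unconditionally.
        WebACLId: !Ref ACL
        Origins:
          - DomainName: !GetAtt WebBucket.RegionalDomainName
            Id: s3ProductionBucket
            S3OriginConfig:
              OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginIdentity}"
        Aliases:
          - !Join ['.', [!Ref DomainPrefix, !Ref DomainName]]
        # SPA-style fallback on 404 only. The earlier 403 -> 200 index.html
        # mapping is gone: CloudFront applies custom error responses to the 403
        # it generates for WAF-blocked requests too, so blocked clients would
        # have received index.html with HTTP 200 and the IP allow-list would
        # not have been enforced for the page itself. This requires the OAI to
        # hold s3:ListBucket on WebBucket (so S3 returns 404 rather than 403
        # for missing keys); without it deep links surface a raw 403.
        CustomErrorResponses:
          - ErrorCachingMinTTL: 300
            ErrorCode: 404
            ResponseCode: 200
            ResponsePagePath: /index.html
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          Compress: true
          TargetOriginId: s3ProductionBucket
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          # TLSv1.1_2016 still negotiates TLS 1.0/1.1; TLSv1.2_2021 is the
          # current recommended floor (TLS 1.2+ with modern ciphers only).
          MinimumProtocolVersion: TLSv1.2_2021
          SslSupportMethod: sni-only
      Tags:
        - Key: Application
          Value: !Ref DomainName

  # Identity CloudFront presents to S3; its canonical user is the only
  # principal granted access in BucketPolicy. This resource type does not
  # support Tags, so the earlier Tags property was dropped.
  CloudFrontOriginIdentity:
    Type: "AWS::CloudFront::CloudFrontOriginAccessIdentity"
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: "origin identity"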