From f6766fd9b5153ecbd2201a9bd6fa43484bf9fa69 Mon Sep 17 00:00:00 2001
From: Lennart Nordgreen <lennart.nordgreen@uib.no>
Date: Tue, 11 Feb 2020 12:44:55 +0100
Subject: [PATCH] Draft 2 -  beta.ordbok.uib.no_stack.yaml

---
 aws/beta.ordbok.uib.no_stack.yaml | 102 +++++++++---------------------
 1 file changed, 29 insertions(+), 73 deletions(-)

diff --git a/aws/beta.ordbok.uib.no_stack.yaml b/aws/beta.ordbok.uib.no_stack.yaml
index 7e8d83e..e793944 100644
--- a/aws/beta.ordbok.uib.no_stack.yaml
+++ b/aws/beta.ordbok.uib.no_stack.yaml
@@ -26,9 +26,6 @@ Parameters:
       - 'PriceClass_100'
       #- 'PriceClass_200'
       #- 'PriceClass_All'
-
-  SecretArn:
-    Type: String
     
   CertificateArn:
     Type: String
@@ -57,7 +54,9 @@ Resources:
       HostedZoneTags:
       - Key: Application
         Value: beta.ordbok.uib.no
-
+      Tags:
+        - Key: Application
+          Value: !Ref DomainName
         
   WebBucket:
     Type: "AWS::S3::Bucket"
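Review bot: `Tags` is not a property of the Route 53 hosted zone (assuming that is this resource's type, as the existing `HostedZoneTags` key strongly suggests), so the block added after `Value: beta.ordbok.uib.no` will fail template validation with an unsupported-property error. The resource already carries an Application tag through `HostedZoneTags`, but with the literal `beta.ordbok.uib.no` rather than the parameter; drop the new `Tags` block and, if the parameterised value is wanted, change the existing entry to `Value: !Ref DomainName`. The hosted zone's `Type` line is outside the hunk, so confirm the resource type before applying this.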
@@ -65,14 +64,6 @@ Resources:
       BucketName: !Sub "${AWS::StackName}.aws.uib.no"
       VersioningConfiguration:
         Status: Enabled
-      AccessControl: !If
-        - UseDomain
-        - !Ref "AWS::NoValue"
-        - "PublicRead"
-      WebsiteConfiguration: !If
-      - UseDomain
-      - !Ref "AWS::NoValue"
-      - IndexDocument: index.html
       Tags:
         - Key: Application
           Value: !Ref DomainName
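Review bot: With the `PublicRead` ACL and website configuration removed, nothing in the bucket definition prevents a later template edit or console change from re-opening it; since the bucket is now read only through the origin access identity, add a `PublicAccessBlockConfiguration` with all four settings true so any public ACL or public policy is rejected at the S3 level. The `UseDomain` condition is no longer consulted here, so in the non-domain deployment the bucket is private with no website endpoint — presumably intended given the OAI-only bucket policy, but worth confirming. `WebBucket`'s definition begins outside the hunk.

```yaml
      VersioningConfiguration:
        Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # … unchanged: Tags …
```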
@@ -81,29 +72,23 @@ Resources:
   BucketPolicy:
     Type: "AWS::S3::BucketPolicy"
     Properties:
+      Bucket: !Ref WebBucket
       PolicyDocument:
         Id: MyPolicy
         Version: 2012-10-17
         Statement:
           - Sid: PublicReadForGetBucketObjects
             Effect: Allow
-            Principal: !If
-              - UseDomain
+            Action: s3:GetObject
+            Resource: !Join ['', ['arn:aws:s3:::', !Ref 'WebsiteBucket', /*]]
+            Principal:
               - CanonicalUser: !GetAtt CloudFrontOriginIdentity.S3CanonicalUserId
-              - "*"
-            Action: !If
-              - UseDomain
-              - 's3:*'
-              - 's3:GetObject'
-            Resource: !Join
-              - ''
-              - - 'arn:aws:s3:::'
-                - !Ref WebBucket
-                - /*
-      Bucket: !Ref WebBucket
-      
+
+      Tags:
+        - Key: Application
+          Value: !Ref DomainName
       
-  ItaIpSet:
+  ITAIpSet:
     Type: "AWS::WAF::IPSet"
     Condition: UseDomain
     Properties:
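Review bot: The rebuilt `Resource:` line refers to `WebsiteBucket`, but the bucket is defined as `WebBucket` (the `Bucket: !Ref WebBucket` line just above uses the right name), so the stack will fail with an unresolved resource dependency; the line should read `Resource: !Join ['', ['arn:aws:s3:::', !Ref WebBucket, '/*']]`. The `Tags` block added under the bucket policy's `Properties` is also not a property of `AWS::S3::BucketPolicy` and will be rejected by validation — bucket policies cannot be tagged, so remove it. Narrowing the principal to the origin access identity and the action to `s3:GetObject` unconditionally is the right direction, but the `PublicReadForGetBucketObjects` Sid now misdescribes the statement; renaming it to something like `CloudFrontOAIReadOnly` would avoid confusing the next reader.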
@@ -111,7 +96,9 @@ Resources:
       - Type: "IPV4"
         Value: "129.177.0.0/16"
       Name: "allowed IPs"
-  
+      Tags:
+        - Key: Application
+          Value: !Ref DomainName
   
   ITARule:
     Type: "AWS::WAF::Rule"
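Review bot: `AWS::WAF::IPSet` (WAF Classic) has no `Tags` property, so the block added after `Name: "allowed IPs"` will fail template validation; only the WAFv2 resource types support tags. Remove the block here, or migrate the IP set, rule and web ACL to `AWS::WAFv2::*` if tagging these resources is required. The hard-coded `129.177.0.0/16` allowlist is unchanged by this commit, but a comment naming the network it represents, e.g. `# UiB campus range`, would help whoever maintains it.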
@@ -122,8 +109,10 @@ Resources:
       Predicates:
       - Type: "IPMatch"
         Negated: false
-        DataId: !Ref ItaIpSet
-        
+        DataId: !Ref ITAIpSet
+      Tags:
+        - Key: Application
+          Value: !Ref DomainName
         
   ACL:
     Type: "AWS::WAF::WebACL"
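Review bot: `Tags` is not a property of `AWS::WAF::Rule`, so the block added after `DataId: !Ref ITAIpSet` will be rejected at validation time and should be removed; the same applies to the IP set and web ACL in this template, which are WAF Classic resources. Updating the `DataId` reference to `ITAIpSet` correctly follows the renamed resource.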
@@ -138,7 +127,9 @@ Resources:
             Type: "ALLOW"
           Priority: 1
           RuleId: !Ref ITARule
-          
+      Tags:
+        - Key: Application
+          Value: !Ref DomainName
           
   Distribution:
     Type: "AWS::CloudFront::Distribution"
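Review bot: `AWS::WAF::WebACL` (WAF Classic) does not accept a `Tags` property, so the block added after the rule list will fail validation and should be removed. Because the rule at priority 1 is an `ALLOW` for the ITA IP set, the allowlist only restricts access if the ACL's `DefaultAction` is `BLOCK`; that line is outside the hunk, so confirm it is not `ALLOW`. The ACL definition begins outside the hunk.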
@@ -181,53 +172,18 @@ Resources:
           AcmCertificateArn: !Ref CertificateArn
           MinimumProtocolVersion: TLSv1.1_2016
           SslSupportMethod: sni-only
-        WebACLId: !If
-          - UseDomain
+        WebACLId:
           - !Ref ACL
           - !Ref "AWS::NoValue"
+      Tags:
+        - Key: Application
+          Value: !Ref DomainName
 
   CloudFrontOriginIdentity:
     Type: "AWS::CloudFront::CloudFrontOriginAccessIdentity"
     Properties:
       CloudFrontOriginAccessIdentityConfig:
         Comment: "origin identity"
-       
-  XRayPolicy:
-    Type: 'AWS::IAM::ManagedPolicy'
-    Properties:
-      ManagedPolicyName: !Sub "${AWS::StackName}-XRayPolicy"
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-        - Action:
-          - 'xray:PutTelemetryRecords'
-          - 'xray:PutTraceSegments'
-          Effect: Allow
-          Resource: '*'
-          
-          
-  S3LambdaRole:
-    Type: "AWS::IAM::Role"
-    Properties:
-      AssumeRolePolicyDocument:
-        Version: "2012-10-17"
-        Statement:
-        - Effect: "Allow"
-          Principal:
-            Service:
-            - "lambda.amazonaws.com"
-          Action:
-          - "sts:AssumeRole"
-      ManagedPolicyArns:
-        - "arn:aws:iam::aws:policy/AmazonS3FullAccess"
-        - !Ref XRayPolicy
-      Policies:
-        - PolicyName: !Sub "${AWS::StackName}-SecretsPolicy"
-          PolicyDocument:
-            Version: 2012-10-17
-            Statement:
-              - Action: 'secretsmanager:GetSecretValue'
-                Effect: Allow
-                Resource: !Ref SecretArn
-      RoleName: !Sub "${AWS::StackName}-S3LambdaRole"
-
+      Tags:
+        - Key: Application
+          Value: !Ref DomainName
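Review bot: Dropping the `!If` leaves `WebACLId` as a two-item YAML list (`!Ref ACL` followed by `!Ref "AWS::NoValue"`) where CloudFront expects a single string, so the distribution will fail validation; and since the IP set already carries `Condition: UseDomain` (and the ACL presumably does too), an unconditional `!Ref ACL` would also break the non-domain deployment. Restore the conditional as `WebACLId: !If [UseDomain, !Ref ACL, !Ref "AWS::NoValue"]`. The `Tags` block added to the origin access identity at the end of the hunk is not a property of `AWS::CloudFront::CloudFrontOriginAccessIdentity` and should be removed, whereas the `Tags` added to the distribution itself is supported. Removing `S3LambdaRole` with its `AmazonS3FullAccess` managed policy is a welcome reduction in privilege; while here, `MinimumProtocolVersion: TLSv1.1_2016` on the context line above still permits TLS 1.0 and 1.1 and should move to `TLSv1.2_2018` or newer.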
-- 
GitLab