Commit f6766fd9 authored by Lennart Nordgreen's avatar Lennart Nordgreen :speech_balloon:

Draft 2 - beta.ordbok.uib.no_stack.yaml

parent 0d8aca3a
...@@ -26,9 +26,6 @@ Parameters: ...@@ -26,9 +26,6 @@ Parameters:
- 'PriceClass_100' - 'PriceClass_100'
#- 'PriceClass_200' #- 'PriceClass_200'
#- 'PriceClass_All' #- 'PriceClass_All'
SecretArn:
Type: String
CertificateArn: CertificateArn:
Type: String Type: String
...@@ -57,7 +54,9 @@ Resources: ...@@ -57,7 +54,9 @@ Resources:
HostedZoneTags: HostedZoneTags:
- Key: Application - Key: Application
Value: beta.ordbok.uib.no Value: beta.ordbok.uib.no
Tags:
- Key: Application
Value: !Ref DomainName
WebBucket: WebBucket:
Type: "AWS::S3::Bucket" Type: "AWS::S3::Bucket"
...@@ -65,14 +64,6 @@ Resources: ...@@ -65,14 +64,6 @@ Resources:
BucketName: !Sub "${AWS::StackName}.aws.uib.no" BucketName: !Sub "${AWS::StackName}.aws.uib.no"
VersioningConfiguration: VersioningConfiguration:
Status: Enabled Status: Enabled
AccessControl: !If
- UseDomain
- !Ref "AWS::NoValue"
- "PublicRead"
WebsiteConfiguration: !If
- UseDomain
- !Ref "AWS::NoValue"
- IndexDocument: index.html
Tags: Tags:
- Key: Application - Key: Application
Value: !Ref DomainName Value: !Ref DomainName
...@@ -81,29 +72,23 @@ Resources: ...@@ -81,29 +72,23 @@ Resources:
BucketPolicy: BucketPolicy:
Type: "AWS::S3::BucketPolicy" Type: "AWS::S3::BucketPolicy"
Properties: Properties:
Bucket: !Ref WebBucket
PolicyDocument: PolicyDocument:
Id: MyPolicy Id: MyPolicy
Version: 2012-10-17 Version: 2012-10-17
Statement: Statement:
- Sid: PublicReadForGetBucketObjects - Sid: PublicReadForGetBucketObjects
Effect: Allow Effect: Allow
Principal: !If Action: s3:GetObject
- UseDomain Resource: !Join ['', ['arn:aws:s3:::', !Ref 'WebsiteBucket', /*]]
Principal:
- CanonicalUser: !GetAtt CloudFrontOriginIdentity.S3CanonicalUserId - CanonicalUser: !GetAtt CloudFrontOriginIdentity.S3CanonicalUserId
- "*"
Action: !If Tags:
- UseDomain - Key: Application
- 's3:*' Value: !Ref DomainName
- 's3:GetObject'
Resource: !Join
- ''
- - 'arn:aws:s3:::'
- !Ref WebBucket
- /*
Bucket: !Ref WebBucket
ItaIpSet: ITAIpSet:
Type: "AWS::WAF::IPSet" Type: "AWS::WAF::IPSet"
Condition: UseDomain Condition: UseDomain
Properties: Properties:
...@@ -111,7 +96,9 @@ Resources: ...@@ -111,7 +96,9 @@ Resources:
- Type: "IPV4" - Type: "IPV4"
Value: "129.177.0.0/16" Value: "129.177.0.0/16"
Name: "allowed IPs" Name: "allowed IPs"
Tags:
- Key: Application
Value: !Ref DomainName
ITARule: ITARule:
Type: "AWS::WAF::Rule" Type: "AWS::WAF::Rule"
...@@ -122,8 +109,10 @@ Resources: ...@@ -122,8 +109,10 @@ Resources:
Predicates: Predicates:
- Type: "IPMatch" - Type: "IPMatch"
Negated: false Negated: false
DataId: !Ref ItaIpSet DataId: !Ref ITAIpSet
Tags:
- Key: Application
Value: !Ref DomainName
ACL: ACL:
Type: "AWS::WAF::WebACL" Type: "AWS::WAF::WebACL"
...@@ -138,7 +127,9 @@ Resources: ...@@ -138,7 +127,9 @@ Resources:
Type: "ALLOW" Type: "ALLOW"
Priority: 1 Priority: 1
RuleId: !Ref ITARule RuleId: !Ref ITARule
Tags:
- Key: Application
Value: !Ref DomainName
Distribution: Distribution:
Type: "AWS::CloudFront::Distribution" Type: "AWS::CloudFront::Distribution"
...@@ -181,53 +172,18 @@ Resources: ...@@ -181,53 +172,18 @@ Resources:
AcmCertificateArn: !Ref CertificateArn AcmCertificateArn: !Ref CertificateArn
MinimumProtocolVersion: TLSv1.1_2016 MinimumProtocolVersion: TLSv1.1_2016
SslSupportMethod: sni-only SslSupportMethod: sni-only
WebACLId: !If WebACLId:
- UseDomain
- !Ref ACL - !Ref ACL
- !Ref "AWS::NoValue" - !Ref "AWS::NoValue"
Tags:
- Key: Application
Value: !Ref DomainName
CloudFrontOriginIdentity: CloudFrontOriginIdentity:
Type: "AWS::CloudFront::CloudFrontOriginAccessIdentity" Type: "AWS::CloudFront::CloudFrontOriginAccessIdentity"
Properties: Properties:
CloudFrontOriginAccessIdentityConfig: CloudFrontOriginAccessIdentityConfig:
Comment: "origin identity" Comment: "origin identity"
Tags:
XRayPolicy: - Key: Application
Type: 'AWS::IAM::ManagedPolicy' Value: !Ref DomainName
Properties:
ManagedPolicyName: !Sub "${AWS::StackName}-XRayPolicy"
PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- 'xray:PutTelemetryRecords'
- 'xray:PutTraceSegments'
Effect: Allow
Resource: '*'
S3LambdaRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "lambda.amazonaws.com"
Action:
- "sts:AssumeRole"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/AmazonS3FullAccess"
- !Ref XRayPolicy
Policies:
- PolicyName: !Sub "${AWS::StackName}-SecretsPolicy"
PolicyDocument:
Version: 2012-10-17
Statement:
- Action: 'secretsmanager:GetSecretValue'
Effect: Allow
Resource: !Ref SecretArn
RoleName: !Sub "${AWS::StackName}-S3LambdaRole"
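Review bot: In the BucketPolicy hunk the new `Resource` line references `!Ref 'WebsiteBucket'`, a logical ID that appears nowhere else in the shown template, while the same resource's `Bucket: !Ref WebBucket` and the `WebBucket` definition above use `WebBucket` — unless WebsiteBucket is declared outside the visible hunks, stack creation fails on an unresolved reference, and `Principal` is now written as a sequence (`- CanonicalUser: …`) although a policy principal must be a mapping. Suggested statement lines: `Principal:` / `  CanonicalUser: !GetAtt CloudFrontOriginIdentity.S3CanonicalUserId` / `Resource: !Join ['', ['arn:aws:s3:::', !Ref WebBucket, '/*']]`. The `Tags` blocks added under the Properties of BucketPolicy, the classic WAF IPSet/Rule/WebACL, the origin access identity and (if it sits under the hosted zone's Properties, which already use HostedZoneTags) the HostedZone are, as far as I know, not accepted properties for those resource types and will likely be rejected at validation; only the Distribution's Tags block is valid. In the last hunk `WebACLId:` has become a two-item list (`- !Ref ACL` / `- !Ref "AWS::NoValue"`) after the `!If` was dropped; it must be a single string, and since ITAIpSet still carries `Condition: UseDomain`, `WebACLId: !If [UseDomain, !Ref ACL, !Ref "AWS::NoValue"]` keeps the association valid in both cases — this is the control that limits the distribution to the allowed IP range, so a later edit that simply drops the property to make the template deploy would leave the site unrestricted.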