resources.yml

---
AWSTemplateFormatVersion: "2010-09-09"
Description: gognito Lambda@Edge basic auth

Parameters:
  S3BucketName:
    Type: String
    Default: ${{env:S3_BUCKET_NAME}}
  AcmIdentifier:
    Type: String
    Default: ${{env:ACM_IDENTIFIER}}
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id
    Default: ${{env:HOSTED_ZONE_ID}}
Resources:
  WebsiteBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: 
        Ref: S3BucketName
      AccessControl: Private
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
  WebsiteBucketPolicy:
    Type: AWS::S3::BucketPolicy
    DependsOn:
      - WebsiteBucket
      - WebsiteOriginAccessIdentity
    Properties:
      Bucket: 
        Ref: WebsiteBucket
      PolicyDocument:
        Statement:
          -
            Action:
              - "s3:GetObject"
            Effect: Allow
            Resource: 
              Fn::Sub: ${WebsiteBucket.Arn}/*
            Principal:
              AWS: 
                Fn::Sub: "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${WebsiteOriginAccessIdentity}"
  WebsiteOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: 
          Ref: WebsiteBucket
  WebsiteDistribution:
    Type: AWS::CloudFront::Distribution
    DependsOn: 
      - WebsiteBucket
      - WebsiteOriginAccessIdentity
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: 
          Ref: AWS::StackName
        PriceClass: 'PriceClass_200'
        Aliases:
          - Ref: S3BucketName
        DefaultRootObject: 'index.html'
        HttpVersion: 'http2'
        ViewerCertificate:
          SslSupportMethod: sni-only
          AcmCertificateArn:
            Fn::Sub: "arn:aws:acm:${AWS::Region}:${AWS::AccountId}:certificate/${AcmIdentifier}"
        Origins:
          - Id: 
              Fn::Sub: S3-${WebsiteBucket}
            DomainName: 
              Fn::GetAtt: WebsiteBucket.DomainName
            S3OriginConfig:
              OriginAccessIdentity: 
                Fn::Sub: "origin-access-identity/cloudfront/${WebsiteOriginAccessIdentity}"
        DefaultCacheBehavior:
          AllowedMethods: [ "GET", "HEAD", "OPTIONS" ]
          CachedMethods:  [ "GET", "HEAD", "OPTIONS" ]
          TargetOriginId: 
            Fn::Sub: S3-${WebsiteBucket}
          ViewerProtocolPolicy: redirect-to-https
          DefaultTTL: 0
          MaxTTL: 0
          MinTTL: 0
          Compress: true
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: 'all'
        CustomErrorResponses:
          -
            ErrorCode: '400'
            ErrorCachingMinTTL: 1
          -
            ErrorCode: '404'
            ErrorCachingMinTTL: 1
          -
            ErrorCode: '500'
            ErrorCachingMinTTL: 1
          -
            ErrorCode: '502'
            ErrorCachingMinTTL: 1
  WebSiteRecordSet:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: 
        Ref: HostedZoneId
      Name: 
        Ref: S3BucketName
      Type: A
      AliasTarget:
        HostedZoneId: Z2FDTNDATAQYW2
        DNSName:
          Fn::GetAtt: [ WebsiteDistribution, DomainName ]
Outputs:
  WebSiteURL:
    Value: 
      Fn::Sub: https://${S3BucketName}
    Description: "URL for website via CloudFront"