-
Notifications
You must be signed in to change notification settings - Fork 398
/
cdn-resources.yml
157 lines (152 loc) · 5.63 KB
/
cdn-resources.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
{{- if or .CDNConfig.ImportedCertificate .DelegateDNS}}
UniqueJSONValuesFunctionRole:
Metadata:
'aws:copilot:description': 'An IAM Role {{- if .PermissionsBoundary}} with permissions boundary {{.PermissionsBoundary}} {{- end}} for the unique json values lambda'
Type: AWS::IAM::Role
Condition: CreateALB
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: /
{{- if .PermissionsBoundary}}
PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/{{.PermissionsBoundary}}'
{{- end}}
ManagedPolicyArns:
- !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
UniqueJSONValuesFunction:
Type: AWS::Lambda::Function
Condition: CreateALB
Properties:
{{- with $cr := index .CustomResources "UniqueJSONValuesFunction" }}
Code:
S3Bucket: {{$cr.Bucket}}
S3Key: {{$cr.Key}}
{{- end}}
Handler: "index.handler"
Timeout: 600
MemorySize: 512
Role: !GetAtt 'UniqueJSONValuesFunctionRole.Arn'
Runtime: nodejs20.x
UniqueAliasesAction:
Metadata:
'aws:copilot:description': 'An action to get unique custom aliases for services in your environment'
Condition: CreateALB
Type: Custom::UniqueJSONValuesFunction
Properties:
ServiceToken: !GetAtt UniqueJSONValuesFunction.Arn
Aliases: !Ref Aliases
{{- if .CDNConfig.Static}}
AdditionalStrings: [{{.CDNConfig.Static.Alias}}]
{{- end}}
FilterFor: !Ref ALBWorkloads
{{- end}}{{/* endif or .CDNConfig.ImportedCertificate .DelegateDNS */}}
{{- if .CDNConfig.Static}}
CloudFrontOriginAccessControl:
Metadata:
'aws:copilot:description': 'Access control to make the content in the S3 bucket only accessible through CloudFront'
Type: AWS::CloudFront::OriginAccessControl
Properties:
OriginAccessControlConfig:
Description: Access control for static s3 origin
Name: !Sub 'copilot-${AppName}-${EnvironmentName}-origin-access-control'
OriginAccessControlOriginType: s3
SigningBehavior: always
SigningProtocol: sigv4
{{- end}}
CloudFrontDistribution:
Metadata:
'aws:copilot:description': 'A CloudFront distribution for global content delivery'
Condition: CreateALB
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
{{- if or .CDNConfig.ImportedCertificate .DelegateDNS}}
Aliases: !GetAtt UniqueAliasesAction.UniqueValues
{{- end}}
DefaultCacheBehavior:
AllowedMethods: ["GET", "HEAD", "OPTIONS", "PUT", "PATCH", "POST", "DELETE"]
CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad # See https://go.aws/3bJid3k
TargetOriginId: !Sub 'copilot-${AppName}-${EnvironmentName}-origin'
OriginRequestPolicyId: 216adef6-5c7f-47e4-b989-5492eafa07d3 # See https://go.aws/3BIE8CP
{{- if .CDNConfig.TerminateTLS}}
ViewerProtocolPolicy: redirect-to-https
{{- else}}
ViewerProtocolPolicy: allow-all
{{- end}}
Enabled: true
IPV6Enabled: true
Origins:
- Id: !Sub 'copilot-${AppName}-${EnvironmentName}-origin'
DomainName: !GetAtt PublicLoadBalancer.DNSName
CustomOriginConfig:
{{- if .CDNConfig.TerminateTLS}}
OriginProtocolPolicy: http-only
{{- else}}
OriginProtocolPolicy: match-viewer
{{- end}}
{{- if .CDNConfig.Static}}
- Id: !Sub 'copilot-${AppName}-${EnvironmentName}-s3'
{{- if .CDNConfig.Static.ImportedBucket}}
DomainName: {{.CDNConfig.Static.ImportedBucket}}
{{- end}}
OriginAccessControlId: !Ref CloudFrontOriginAccessControl
# Workaround for using Origin Access Control as Origin Access Identity is still
# required when the origin is an S3 bucket.
S3OriginConfig:
OriginAccessIdentity: ''
CacheBehaviors:
- AllowedMethods: ["GET", "HEAD", "OPTIONS", "PUT", "PATCH", "POST", "DELETE"]
ViewerProtocolPolicy: allow-all
CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # See https://go.aws/3bJid3k
TargetOriginId: !Sub 'copilot-${AppName}-${EnvironmentName}-s3'
PathPattern: '{{.CDNConfig.Static.Path}}'
{{- end}}
{{- if .CDNConfig.ImportedCertificate}}
ViewerCertificate:
AcmCertificateArn: {{.CDNConfig.ImportedCertificate}}
MinimumProtocolVersion: TLSv1
SslSupportMethod: sni-only
{{- else}}
{{- if not .PublicHTTPConfig.ImportedCertARNs}}
ViewerCertificate:
!If
- DelegateDNS
- AcmCertificateArn: !Ref CertificateReplicator
MinimumProtocolVersion: TLSv1
SslSupportMethod: sni-only
- !Ref AWS::NoValue
CertificateReplicatorFunction:
Type: AWS::Lambda::Function
Condition: DelegateDNS
Properties:
{{- with $cr := index .CustomResources "CertificateReplicatorFunction" }}
Code:
S3Bucket: {{$cr.Bucket}}
S3Key: {{$cr.Key}}
{{- end}}
Handler: "index.certificateReplicateHandler"
Timeout: 900
MemorySize: 512
Role: !GetAtt 'CustomResourceRole.Arn'
Runtime: nodejs20.x
CertificateReplicator:
Metadata:
'aws:copilot:description': 'Replicate certificate to us-east-1'
Condition: DelegateDNS
Type: Custom::CertificateReplicatorFunction
Properties:
ServiceToken: !GetAtt CertificateReplicatorFunction.Arn
AppName: !Ref AppName
EnvName: !Ref EnvironmentName
TargetRegion: "us-east-1"
EnvRegion: !Ref AWS::Region
CertificateArn: !Ref HTTPSCert
{{- end}}
{{- end}}