template.yaml

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  ar-admin

  SAM Template for Angular Admin Frontend

Parameters:
  ProjectName:
    Type: String
    Default: ar-admin
    Description: A&R Admin Dev.
  Env:
    Type: String
    Default: dev
    Description: Staging environment.
  AWSRegion:
    Type: String
    Default: ca-central-1
    Description: AWS Region.
  BaseHref:
    Type: String
    Default: "/"
    Description: Base href to use for cloudfront.
  DistOriginPath:
    Type: String
    Default: latest
    Description: Cloudfront distribution origin path.
  ApiGatewayId:
    Type: String
    Default: qdp6hi0i78
    Description: ID for rest API.
  ApiStage:
    Type: String
    Default: api
    Description: API stage.
  EnvDomainName:
    Type: String
    Default: dev-ar.bcparks.ca
  DomainCertificateArn:
    Type: String
    Default: arn:aws:acm:us-east-1:856925536711:certificate/e03ee555-facb-427e-8391-99f01e24e8cb

Resources:
  CloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: CloudFront access identity

  CloudFrontAPICachePolicy:
    Type: AWS::CloudFront::CachePolicy
    Properties:
      CachePolicyConfig:
        Comment: "Custom CloudFront Caching Policy to allow the Authorization header through to the Origins."
        DefaultTTL: 1
        MaxTTL: 1
        MinTTL: 1
        Name: !Sub ${ApiGatewayId}-CFCachePolicy
        ParametersInCacheKeyAndForwardedToOrigin:
          CookiesConfig:
            CookieBehavior: none
          EnableAcceptEncodingBrotli: false
          EnableAcceptEncodingGzip: false
          HeadersConfig:
            HeaderBehavior: none
          QueryStringsConfig:
            QueryStringBehavior: all

  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Restrictions:
          GeoRestriction:
            RestrictionType: blacklist
            # Belarus, Central African Republic, China, Democratic Republic of the Congo, Iran, Iraq, Democratic People's Republic of Korea, Lebanon, Libya, Mali, Myanmar, Nicaragua, Russia, Somalia, South Sudan, Sudan, Syria, Ukraine, Venezuela, Yemen, Zimbabwe
            Locations: [BY, CF, CN, CD, IR, IQ, KP, LB, LY, ML, MM, NI, RU, SO, SS, SD, SY, UA, VE, YE, ZW]
        PriceClass: PriceClass_100
        CustomErrorResponses:
          - ErrorCode: 404
            ResponseCode: 200
            ResponsePagePath: !Sub ${BaseHref}index.html
          - ErrorCode: 403
            ResponseCode: 200
            ResponsePagePath: !Sub ${BaseHref}index.html
        Aliases:
          - !Ref EnvDomainName
        ViewerCertificate:
          AcmCertificateArn: !Ref DomainCertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1
        Comment: !Sub "CloudFront distribution for ${AWS::StackName}"
        DefaultRootObject: !Sub index.html
        Enabled: true
        HttpVersion: http2
        # List of origins that Cloudfront will connect to
        Origins:
          - Id: !Ref DistS3Bucket
            DomainName: !GetAtt DistS3Bucket.RegionalDomainName
            S3OriginConfig:
              # Restricting Bucket access through an origin access identity
              OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}"
            OriginPath: !Sub /${DistOriginPath}
          - Id: !Sub ${ApiGatewayId}
            DomainName: !Sub "${ApiGatewayId}.execute-api.${AWSRegion}.amazonaws.com"
            CustomOriginConfig:
              HTTPSPort: 443
              OriginProtocolPolicy: https-only
              OriginSSLProtocols:
                - TLSv1.2
        # To connect the CDN to the origins you need to specify behaviours
        DefaultCacheBehavior:
          # Compress resources automatically ( gzip )
          Compress: true
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          # CachingDisabled
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
          TargetOriginId: !Ref DistS3Bucket
          ViewerProtocolPolicy: redirect-to-https
          # Simple CORS
          ResponseHeadersPolicyId: 60669652-455b-4ae9-85a4-c4c02393f86c
        CacheBehaviors:
          - PathPattern: !Sub /${ApiStage}/*
            AllowedMethods:
              - GET
              - HEAD
              - OPTIONS
              - PUT
              - POST
              - PATCH
              - DELETE
            # CachingDisabled
            CachePolicyId: !Ref CloudFrontAPICachePolicy
            TargetOriginId: !Sub ${ApiGatewayId}
            ViewerProtocolPolicy: redirect-to-https
            # Simple CORS
            ResponseHeadersPolicyId: 60669652-455b-4ae9-85a4-c4c02393f86c
          - PathPattern: !Sub ${BaseHref}*
            Compress: true
            AllowedMethods:
              - GET
              - HEAD
              - OPTIONS
            # CachingDisabled
            CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
            TargetOriginId: !Ref DistS3Bucket
            ViewerProtocolPolicy: redirect-to-https
            # Simple CORS
            ResponseHeadersPolicyId: 60669652-455b-4ae9-85a4-c4c02393f86c
        Logging:
          Bucket: !GetAtt LogsS3Bucket.DomainName
          IncludeCookies: false
          Prefix: !Sub ${AWS::StackName}-${Env}-logs

  DistS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${AWS::StackName}-${Env}

  DistS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref DistS3Bucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${CloudFrontOriginAccessIdentity}
            Action: "s3:GetObject"
            Resource: !Sub "arn:aws:s3:::${DistS3Bucket}/*"

  LogsS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${AWS::StackName}-${Env}-logs
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred

  LogsS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LogsS3Bucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${CloudFrontOriginAccessIdentity}
            Action: "s3:GetObject"
            Resource: !Sub "arn:aws:s3:::${LogsS3Bucket}/*"

Outputs:
  # ServerlessRestApi is an implicit API created out of Events key under Serverless::Function
  # Find out more about other implicit resources you can reference within SAM
  # https://github.com/awslabs/serverless-application-model/blob/master/docs/internals/generated_resources.rst#api
  Website:
    Value: !GetAtt CloudFrontDistribution.DomainName