# Public-access layer for an Election Leaflets deployment: two CloudFront
# distributions (app + images), the ACM certificate binding for both, and the
# Route 53 alias records. The application origin itself is created by a
# separate stack whose export is imported under Resources.
# NOTE(review): the Description says "EC API" while every resource and output
# below refers to Election Leaflets — confirm the wording is current.
# NOTE(review): no AWS::Serverless::* resources appear in this template, so the
# SAM transform looks unused here; harmless, but confirm before removing.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: "EC API public access: TLS, CDN, DNS"
Parameters:
  StackNameSuffix:
    Type: String
    # NOTE(review): the Fn::ImportValue lookups under Resources build the name
    # with the prefix "ElectionLeafletsApp-", not "ECApi-" as this text says —
    # confirm which is current before relying on the description.
    Description: >-
      The suffix (automatically prefixed with 'ECApi-') constructing the name of
      the CloudFormation Stack that created the API Gateway & Lambda function to
      which this Stack will attach TLS, CDN, and DNS.
  # ARN of the ACM certificate attached to both distributions. It has to cover
  # PublicFqdn and images.PublicFqdn (both are used as Aliases), and CloudFront
  # only accepts ACM certificates issued in us-east-1.
  CertificateArn:
    Type: String
  # Apex hostname served by the app distribution; a Route 53 hosted zone named
  # exactly this (with trailing dot) must exist, see HostedZoneName below.
  PublicFqdn:
    Type: String
  # Name of the S3 bucket holding leaflet images; addressed as a custom origin
  # via "<bucket>.s3.amazonaws.com".
  LeafletsBucketName:
    Type: String
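Resources:
  # Primary distribution: fronts the API Gateway/Lambda app exported by the
  # "ElectionLeafletsApp-${StackNameSuffix}" stack under its /Prod stage.
  CloudFrontDistribution:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      DistributionConfig:
        Comment: 'Cloudfront Distribution pointing to Lambda origin'
        Origins:
          # Both origins resolve to the same app export; "Static" additionally
          # enables Origin Shield and is only selected for the static/* behaviour.
          - Id: Static
            DomainName:
              Fn::ImportValue: !Sub "ElectionLeafletsApp-${StackNameSuffix}:ElectionLeafletsFqdn"
            OriginPath: "/Prod"
            CustomOriginConfig:
              OriginProtocolPolicy: "https-only"
            # Tells the app which public host/scheme the viewer used, since the
            # request otherwise arrives on the API Gateway hostname.
            OriginCustomHeaders:
              - HeaderName: X-Forwarded-Host
                HeaderValue: !Ref PublicFqdn
              - HeaderName: X-Forwarded-Proto
                HeaderValue: https
            OriginShield:
              Enabled: true
              OriginShieldRegion: eu-west-2
          - Id: Dynamic
            DomainName:
              Fn::ImportValue: !Sub "ElectionLeafletsApp-${StackNameSuffix}:ElectionLeafletsFqdn"
            OriginPath: "/Prod"
            CustomOriginConfig:
              OriginProtocolPolicy: "https-only"
            OriginCustomHeaders:
              - HeaderName: X-Forwarded-Host
                HeaderValue: !Ref PublicFqdn
              - HeaderName: X-Forwarded-Proto
                HeaderValue: https
        Enabled: true
        HttpVersion: 'http2'
        Aliases:
          - !Ref PublicFqdn
        PriceClass: "PriceClass_100"
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          # TLSv1.1_2016 still accepts TLS 1.1 handshakes; TLSv1.2_2021 is the
          # AWS-recommended policy and only turns away clients lacking TLS 1.2.
          MinimumProtocolVersion: TLSv1.2_2021
          SslSupportMethod: sni-only
        # Everything not matched by CacheBehaviors goes to the app with the
        # full request (all cookies, query string, auth/origin/referer headers).
        DefaultCacheBehavior:
          AllowedMethods: [ GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE ]
          TargetOriginId: Dynamic
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: "all"
            Headers:
              - Authorization
              - Origin
              - Referer
          ViewerProtocolPolicy: "redirect-to-https"
        CacheBehaviors:
          # Read-only, cookie-less behaviour for static assets so they cache well.
          - AllowedMethods: [ GET, HEAD, OPTIONS ]
            PathPattern: static/*
            TargetOriginId: Static
            ForwardedValues:
              QueryString: true
              Cookies:
                Forward: none
              Headers:
                - Authorization
                - Origin
            ViewerProtocolPolicy: "redirect-to-https"
            # Seconds; CloudFormation accepts a bare number for this property.
            MinTTL: 50

  # Media distribution: serves leaflet images straight from the S3 bucket on
  # images.${PublicFqdn}.
  CloudFrontMediaDistribution:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      DistributionConfig:
        Comment: 'Cloudfront Distribution serving leaflet images'
        Origins:
          # NOTE(review): the bucket is reached as a *custom* origin, not via
          # S3OriginConfig with an origin access identity/control, so objects
          # must be readable anonymously for this to work — confirm the bucket
          # policy grants no more than public read of the leaflet objects.
          - Id: "ImagesBucket"
            DomainName: !Join ['', [!Ref LeafletsBucketName, '.s3.amazonaws.com']]
            CustomOriginConfig:
              OriginProtocolPolicy: "https-only"
            OriginShield:
              Enabled: false
        Enabled: true
        HttpVersion: 'http2'
        Aliases:
          - !Sub "images.${PublicFqdn}"
        PriceClass: "PriceClass_100"
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          # Same policy as the app distribution; keep the two in step.
          MinimumProtocolVersion: TLSv1.2_2021
          SslSupportMethod: sni-only
        DefaultCacheBehavior:
          # NOTE(review): write methods are forwarded to the bucket origin and
          # every cookie is forwarded (which also fragments the cache). If nothing
          # uploads through images.${PublicFqdn}, `AllowedMethods: [ GET, HEAD, OPTIONS ]`
          # and `Cookies: { Forward: none }` would be the safer setting — confirm with the app.
          AllowedMethods: [ GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE ]
          TargetOriginId: ImagesBucket
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: "all"
          ViewerProtocolPolicy: "redirect-to-https"
        CacheBehaviors:
          - AllowedMethods: [ GET, HEAD, OPTIONS ]
            PathPattern: thumbs/*
            TargetOriginId: ImagesBucket
            ForwardedValues:
              QueryString: true
              Cookies:
                Forward: "all"
              Headers:
                - Authorization
                - Origin
                - Referer
            ViewerProtocolPolicy: "redirect-to-https"

  # Apex A record aliased to the app distribution. HostedZoneName assumes a
  # Route 53 hosted zone named exactly "${PublicFqdn}." exists in this account.
  DnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        DNSName: !GetAtt CloudFrontDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2  # AWS-owned, global singleton required for Aliases to CloudFront
      HostedZoneName: !Sub "${PublicFqdn}."
      Name: !Sub "${PublicFqdn}."
      Type: A

  # images.<apex> A record aliased to the media distribution, in the same zone.
  ImagesDnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        DNSName: !GetAtt CloudFrontMediaDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2  # AWS-owned, global singleton required for Aliases to CloudFront
      HostedZoneName: !Sub "${PublicFqdn}."
      Name: !Sub "images.${PublicFqdn}."
      Type: A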
Outputs:
  # Raw CloudFront hostnames; handy for checking what the Route 53 aliases
  # resolve to.
  CloudFrontDistributionFqdn:
    Value: !GetAtt CloudFrontDistribution.DomainName
    Description: 'The FQDN of the CloudFront distribution serving this instance.'
  CloudFrontDistributionImagesFqdn:
    Value: !GetAtt CloudFrontMediaDistribution.DomainName
    Description: 'The FQDN of the CloudFront distribution media host.'

  # Public HTTPS base URLs of the site and of the image host.
  # NOTE(review): the two descriptions below are terse; something like
  # "Public HTTPS URL of the site" would read better in the console.
  PublicFqdn:
    Value: !Sub 'https://${PublicFqdn}/'
    Description: 'The Election Leaflets'
  PublicImagesFqdn:
    Value: !Sub 'https://images.${PublicFqdn}/'
    Description: 'Images Domain'