AWSTemplateFormatVersion: "2010-09-09" Description: Amazon S3 Find and Forget Web UI Parameters: AccessLogsBucket: Type: String Default: "" CreateCloudFrontDistribution: Type: String DeployWebUI: Type: String ResourcePrefix: Type: String Conditions: WithAccessLogs: !Not [!Equals [!Ref AccessLogsBucket, ""]] ShouldDeployWebUI: !Equals [!Ref DeployWebUI, "true"] WithCloudFront: !And - !Equals [!Ref CreateCloudFrontDistribution, "true"] - !Condition ShouldDeployWebUI Resources: WebUIBucket: Type: AWS::S3::Bucket Properties: VersioningConfiguration: Status: Enabled BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 CorsConfiguration: CorsRules: - AllowedHeaders: ["*"] AllowedMethods: [GET] AllowedOrigins: ["*"] Id: !Sub ${ResourcePrefix}CorsRule MaxAge: 3600 LoggingConfiguration: !If - WithAccessLogs - DestinationBucketName: !Ref AccessLogsBucket LogFilePrefix: !Sub ${ResourcePrefix}/ - !Ref AWS::NoValue WebUIBucketPolicy: Type: AWS::S3::BucketPolicy Condition: ShouldDeployWebUI Properties: Bucket: !Ref WebUIBucket PolicyDocument: Statement: - Sid: HttpsOnly Action: '*' Effect: Deny Resource: - !Sub arn:${AWS::Partition}:s3:::${WebUIBucket} - !Sub arn:${AWS::Partition}:s3:::${WebUIBucket}/* Principal: '*' Condition: Bool: 'aws:SecureTransport': 'false' - !If - WithCloudFront - Sid: CloudFrontOriginOnly Action: s3:GetObject Effect: Allow Resource: !Sub arn:${AWS::Partition}:s3:::${WebUIBucket}/* Principal: CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId - !Ref AWS::NoValue CloudFrontOriginAccessIdentity: Type: AWS::CloudFront::CloudFrontOriginAccessIdentity Condition: WithCloudFront Properties: CloudFrontOriginAccessIdentityConfig: Comment: !Ref WebUIBucket CloudFrontDistribution: Type: AWS::CloudFront::Distribution Condition: WithCloudFront Properties: DistributionConfig: Origins: - DomainName: !GetAtt WebUIBucket.RegionalDomainName Id: !Sub ${ResourcePrefix}-myS3Origin S3OriginConfig: OriginAccessIdentity: !Sub origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity} Enabled: true HttpVersion: http2 Comment: The Distribution for Amazon S3 Find and Forget DefaultRootObject: index.html DefaultCacheBehavior: AllowedMethods: - HEAD - GET - OPTIONS TargetOriginId: !Sub ${ResourcePrefix}-myS3Origin ForwardedValues: QueryString: false Cookies: Forward: none ViewerProtocolPolicy: redirect-to-https PriceClass: PriceClass_All ViewerCertificate: CloudFrontDefaultCertificate: true Logging: !If - WithAccessLogs - Bucket: !Sub ${AccessLogsBucket}.s3.${AWS::URLSuffix} IncludeCookies: false Prefix: !Sub ${ResourcePrefix}/ - !Ref AWS::NoValue Outputs: CloudFrontDistribution: Value: !If - WithCloudFront - !Ref CloudFrontDistribution - "none" Origin: Value: !If - WithCloudFront - !Sub "https://${CloudFrontDistribution.DomainName}" - !Sub "https://${WebUIBucket.RegionalDomainName}" Description: Web UI Origin Url: Value: !If - WithCloudFront - !Sub "https://${CloudFrontDistribution.DomainName}" - !Sub "https://${WebUIBucket.RegionalDomainName}/index.html" Description: Web UI Url WebUIBucket: Value: !Ref WebUIBucket Description: Web UI S3 Bucket