ansible origin access
---
# Creates a CloudFront origin access identity (OAI) for "{{ site }}" with the
# AWS CLI and publishes its identifiers as facts for later tasks.
#
# Expects: site, aws_access_key, aws_secret_access_key, aws_region
# Sets:    origin_access_id, S3_canonical_user_id

- name: Create/update CloudFront origin access identity
  # Folded scalar: the lines are joined with single spaces, so the command
  # module receives one argument string. The JSON response is kept in
  # aws_cli_out for the set_fact tasks below.
  command: >-
    aws cloudfront create-cloud-front-origin-access-identity
    --cloud-front-origin-access-identity-config
    "CallerReference={{ site }},Comment=access-identity-{{ site }}.site.s3.amazonaws.com"
  environment:
    AWS_ACCESS_KEY_ID: '{{ aws_access_key }}'
    AWS_SECRET_ACCESS_KEY: '{{ aws_secret_access_key }}'
    AWS_DEFAULT_REGION: '{{ aws_region }}'
  # The task environment carries AWS credentials, so keep the task out of
  # logs and verbose output.
  no_log: true
  register: aws_cli_out

# Both facts are extracted from the same JSON document in aws_cli_out.stdout.
- name: Get Origin Access Identity Id
  set_fact:
    origin_access_id: "{{ aws_cli_out.stdout | from_json | json_query('CloudFrontOriginAccessIdentity.Id') }}"

- name: Get Origin Access Identity S3 Canonical User Id
  set_fact:
    S3_canonical_user_id: "{{ aws_cli_out.stdout | from_json | json_query('CloudFrontOriginAccessIdentity.S3CanonicalUserId') }}"

# Neither identifier is a credential; the OAI id and canonical user id are
# referenced by the CloudFormation template, so echoing them is safe.
- name: Debug statment origin_access_id
  debug:
    msg: "origin_access_id: '{{ origin_access_id }}'"

- name: Debug statment S3_canonical_user_id
  debug:
    msg: "S3_canonical_user_id: '{{ S3_canonical_user_id }}'"
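# Static-site hosting stack: a private S3 site bucket served through a
# CloudFront distribution via an origin access identity (OAI), plus a
# separate bucket that receives both S3 access logs and CloudFront logs.
#
# The OAI itself is created outside this template (see the Ansible tasks);
# its id and S3 canonical user id are passed in as parameters.
AWSTemplateFormatVersion: '2010-09-09'  # quoted: an unquoted value parses as a date
Description: S3 bucket and Cloudfront for hosting a static website

Parameters:
  DomainParameter:
    Type: String
    Description: Domain for site.
    AllowedPattern: "^(\\*\\.)?(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\\.)+((?!-)[A-Za-z0-9-]{1,62}[A-Za-z0-9])$"
    ConstraintDescription: "must be a valid domain name"

  CertARNParameter:
    Type: String
    Description: ARN for the cert to use on cloudfront.
    # CloudFront only accepts ACM certificates issued in us-east-1. The
    # account id is pinned as well, so a certificate ARN from another
    # account is rejected at parameter validation time.
    AllowedPattern: "arn:aws:acm:us-east-1:819206333881:certificate/.*"
    ConstraintDescription: "must be an ACM cert ARN"

  OriginAccessIdParameter:
    Type: String
    Description: The Origin Access Identifier
    AllowedPattern: "^[E][A-Z0-9]+$"
    ConstraintDescription: "must be a valid Origin Access Identifier"

  S3CanonicalUserIdParameter:
    Type: String
    # Description/ConstraintDescription previously repeated the OAI text.
    Description: The S3 canonical user id of the Origin Access Identity
    AllowedPattern: "^[a-f0-9]+$"
    ConstraintDescription: "must be a valid S3 canonical user id (lower-case hex)"

Resources:
  SiteBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Join [ '.', [ !Ref DomainParameter, 'site' ] ]
      # Content is reachable only through the OAI granted in
      # SiteBucketOriginPolicy, so every form of public access is blocked.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      LoggingConfiguration:
        DestinationBucketName: !Ref LogsBucket
        LogFilePrefix: S3/
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: site
          Value: !Ref DomainParameter

  # Grants the CloudFront OAI (and nothing else) read access to the site.
  SiteBucketOriginPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket: !Ref SiteBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: ['s3:GetObject']
            Effect: "Allow"
            Resource: !Join [ '', [ 'arn:aws:s3:::', !Ref SiteBucket, '/*' ] ]
            Principal:
              CanonicalUser: !Ref S3CanonicalUserIdParameter
          # ListBucket on the bucket itself lets S3 answer a missing key with
          # 404 rather than 403, which the CustomErrorResponses below map
          # to /404.html. Only the OAI can list, not the public.
          - Action: ['s3:ListBucket']
            Effect: "Allow"
            Resource: !Join [ '', [ 'arn:aws:s3:::', !Ref SiteBucket ] ]
            Principal:
              CanonicalUser: !Ref S3CanonicalUserIdParameter

  LogsBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Join [ '.', [ !Ref DomainParameter, 'logs' ] ]
      # S3 access logging and CloudFront logging both deliver via bucket
      # ACLs. Buckets now default to BucketOwnerEnforced (ACLs disabled),
      # which rejects AccessControl below, so ACLs are explicitly kept on.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred
      AccessControl: LogDeliveryWrite
      # The log-delivery grants are not "public" ACLs, so blocking public
      # access does not interfere with log delivery.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      Tags:
        - Key: site
          Value: !Ref DomainParameter

  SiteDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - !Ref DomainParameter
          - !Join [ '.', [ 'www', !Ref DomainParameter ] ]
        Comment: !Join [ ' ', [ 'CDN for', !Ref DomainParameter, '.' ] ]
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          TargetOriginId: s3Origin
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        CustomErrorResponses:
          - ErrorCode: 404
            ResponsePagePath: '/404.html'
            ResponseCode: 404
            ErrorCachingMinTTL: 60
        Enabled: true
        HttpVersion: http2
        Logging:
          IncludeCookies: false
          Bucket: !GetAtt [LogsBucket, DomainName]
          Prefix: CloudFront/
        Origins:
          # The REST endpoint (DomainName), not the website endpoint, is
          # required for an OAI-protected origin.
          - DomainName: !GetAtt [SiteBucket, DomainName]
            Id: s3Origin
            S3OriginConfig:
              OriginAccessIdentity: !Join [ '', [ 'origin-access-identity/cloudfront/', !Ref OriginAccessIdParameter ] ]
        PriceClass: PriceClass_100
        ViewerCertificate:
          AcmCertificateArn: !Ref CertARNParameter
          SslSupportMethod: sni-only
          # Without this the distribution falls back to an older minimum TLS
          # version; require TLS 1.2 with the current cipher policy.
          MinimumProtocolVersion: TLSv1.2_2021

Outputs:
  SiteBucketName:
    Value: !Ref SiteBucket
    Description: The S3 bucket name for the site
  SiteBucketARN:
    Value: !GetAtt [SiteBucket, Arn]
    Description: The S3 bucket ARN for the site
  SiteDistributionID:
    Value: !Ref SiteDistribution
    Description: The CloudFront distribution ID
  SiteDistributionDomainName:
    Value: !GetAtt [SiteDistribution, DomainName]
    Description: The CloudFront distribution domain name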