template.yaml

AWSTemplateFormatVersion: '2010-09-09'
Transform: 
  - AWS::LanguageExtensions
  - AWS::Serverless-2016-10-31
Description: "EC Postcode Lookup app: Lambda, API Gateway"

Globals:
  Function:
    Timeout: 10
  Api:
    BinaryMediaTypes:
      - "*/*"

Parameters:
  FQDN:
    Default: FQDN
    Description: "The domain name this app is mounted on"
    Type: AWS::SSM::Parameter::Value<String>

  CertificateArn:
    Default: CertificateArn
    Description: "The ARN of the cert to use"
    Type: AWS::SSM::Parameter::Value<String>

  XForwardedForHost:
    Default: XForwardedForHost
    Description: "The ARN of the cert to use"
    Type: AWS::SSM::Parameter::Value<String>

  AppAPIKey:
    Default: AppAPIKey
    Description: "The DC aggregator API key"
    Type: AWS::SSM::Parameter::Value<String>

  AppSentryDSN:
    Default: SENTRY_DSN
    Description: "The Sentry DSN"
    Type: AWS::SSM::Parameter::Value<String>

  DCEnvironment:
    Default: DC_ENVIRONMENT
    Description: "The DC_ENVIRONMENT environment variable passed to the app."
    Type: AWS::SSM::Parameter::Value<String>

Conditions:
  UseBasicAuth: !Or
    - !Equals [ !Ref DCEnvironment, development ]
    - !Equals [ !Ref DCEnvironment, staging ]

Resources:
  ECDeployerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      RoleName: ECDeployer

  ECPostcodeLookupFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: ECPostcodeLookupFunction
      Timeout: 60
      CodeUri: postcode_lookup
      Handler: app.handler
      Runtime: python3.12
      MemorySize: 512
      Environment:
        Variables:
          FQDN: !Ref FQDN
          API_KEY: !Ref AppAPIKey
          SENTRY_DSN: !Ref AppSentryDSN
          DC_ENVIRONMENT: !Ref DCEnvironment
      Events:
        HTTPRequests:
          Type: Api
          Properties:
            RestApiId: !Ref ECPostcodeLookupFunctionApiGateway
            Path: /{proxy+}
            Method: ANY
        HTTPRequestRoots:
          Type: Api
          Properties:
            RestApiId: !Ref ECPostcodeLookupFunctionApiGateway
            Path: /
            Method: ANY

  ECPostcodeLookupFunctionLogGroup:
    Type: AWS::Logs::LogGroup
    DependsOn: [ ECPostcodeLookupFunction ]
    Properties:
      LogGroupName: !Sub /aws/lambda/${ECPostcodeLookupFunction}
      RetentionInDays: 60

  ECPostcodeLookupFunctionApiGateway:
    Type: AWS::Serverless::Api
    Properties:
      AlwaysDeploy: True
      StageName: Prod
      Cors:
        AllowMethods: "'GET'"
        AllowOrigin: "'*'"
        MaxAge: "'600'"
      Auth:
        DefaultAuthorizer: !If [ UseBasicAuth, "BasicAuthFunction", !Ref AWS::NoValue]
        Authorizers:
          BasicAuthFunction:
            FunctionArn: !GetAtt BasicAuthFunction.Arn
            FunctionPayloadType: REQUEST
            Identity:
              Headers:
                - Authorization
              ReauthorizeEvery: 3600

  BasicAuthGatewayResponse:
    Condition: UseBasicAuth
    Type: AWS::ApiGateway::GatewayResponse
    Properties:
      ResponseParameters:
        gatewayresponse.header.www-authenticate: "'Basic realm=\"Restricted\"'"
      ResponseType: UNAUTHORIZED
      RestApiId: !Ref ECPostcodeLookupFunctionApiGateway
      StatusCode: '401'

  BasicAuthFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./postcode_lookup/
      Handler: lambda_basic_auth.lambda_handler
      Runtime: python3.12

  FailOver:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${FQDN}-failover"
      AccessControl: Private
    DeletionPolicy: Delete

  FailOverBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - 's3:*'
            Effect: 'Allow'
            Principal:
              CanonicalUser: !GetAtt CfOriginAccessIdentity.S3CanonicalUserId
            Resource:
              - !Sub 'arn:aws:s3:::${FailOver}/*'
      Bucket: !Ref FailOver

  StaticPages:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: !Sub "${FQDN}-static-pages"
        AccessControl: Private
      DeletionPolicy: Delete

  StaticPagesBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      PolicyDocument:
        Id: FailOverBucketPolicy
        Version: 2012-10-17
        Statement:
          - Action:
              - 's3:*'
            Effect: 'Allow'
            Principal:
              CanonicalUser: !GetAtt CfOriginAccessIdentity.S3CanonicalUserId
            Resource:
              - !Sub 'arn:aws:s3:::${StaticPages}/*'
      Bucket: !Ref StaticPages



  CloudFrontDistribution:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      DistributionConfig:
        Comment: 'Cloudfront Distribution pointing to Lambda origin'
        Origins:
          - Id: Dynamic
            DomainName: !Sub "${ECPostcodeLookupFunctionApiGateway}.execute-api.${AWS::Region}.amazonaws.com"
            OriginPath: "/Prod"
            CustomOriginConfig:
              OriginProtocolPolicy: "https-only"
            OriginCustomHeaders:
              - HeaderName: X-Forwarded-Host
                HeaderValue: !Ref XForwardedForHost
              - HeaderName: X-Forwarded-Proto
                HeaderValue: https
            OriginShield:
              Enabled: true
              OriginShieldRegion: eu-west-2
          - Id: StaticPages
            DomainName: !GetAtt StaticPages.RegionalDomainName
            ConnectionAttempts: 1
            ConnectionTimeout: 2
            OriginShield:
              Enabled: true
              OriginShieldRegion: eu-west-2
            OriginPath: ''
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CfOriginAccessIdentity}'

          - Id: Failover
            DomainName: !GetAtt FailOver.RegionalDomainName
            # Keep the ? to convert the path in to a query param
            OriginPath: "/index.html?"
            OriginShield:
              Enabled: true
              OriginShieldRegion: eu-west-2
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CfOriginAccessIdentity}'

        OriginGroups:
          Quantity: 2
          Items:
            - Id: DynamicPagesFailOverOriginGroup
              FailoverCriteria:
                StatusCodes:
                  Quantity: 6
                  Items:
                  - 404
                  - 400
                  - 500
                  - 502
                  - 503
                  - 504
              Members:
                Quantity: 2
                Items:
                - OriginId: Dynamic
                - OriginId: Failover
            - Id: StaticPagesOriginGroup
              FailoverCriteria:
                StatusCodes:
                  Quantity: 6
                  Items:
                  - 404
                  - 400
                  - 500
                  - 502
                  - 503
                  - 504
              Members:
                Quantity: 2
                Items:
                - OriginId: StaticPages
                - OriginId: Dynamic
        Enabled: true
        HttpVersion: 'http2'
        Aliases:
          - !Ref FQDN
        PriceClass: "PriceClass_100"
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          MinimumProtocolVersion: TLSv1.1_2016
          SslSupportMethod: sni-only

        DefaultCacheBehavior:
          AllowedMethods: [ GET, HEAD, OPTIONS ]
          TargetOriginId: DynamicPagesFailOverOriginGroup
          DefaultTTL: '60'
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: "all"
            Headers:
              - Authorization
              - Origin
              - Referer
          ViewerProtocolPolicy: "redirect-to-https"

        CacheBehaviors:
          - AllowedMethods: [ GET, HEAD, OPTIONS ]
            PathPattern: static/*
            TargetOriginId: Dynamic
            Compress: true
            ViewerProtocolPolicy: "redirect-to-https"
            ForwardedValues:
              QueryString: true
              Cookies:
                Forward: none
              Headers:
                - Authorization
                - Origin
            MinTTL: '50'
          - AllowedMethods: [ GET, HEAD, OPTIONS ]
            PathPattern: /i-am-a/voter/your-election-information
            TargetOriginId: StaticPagesOriginGroup
            Compress: true
            DefaultTTL: '60'
            MaxTTL: '60'
            CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
            ViewerProtocolPolicy: "redirect-to-https"
          - AllowedMethods: [ GET, HEAD, OPTIONS ]
            PathPattern: /cy/rwyf-yneg-pleidleisiwr/pleidleisiwr/gwybodaeth-etholiad
            TargetOriginId: StaticPagesOriginGroup
            Compress: true
            DefaultTTL: '60'
            MaxTTL: '60'
            CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
            ViewerProtocolPolicy: "redirect-to-https"


  CfOriginAccessIdentity:
    Metadata:
      Comment: 'Access S3 bucket content only through CloudFront'
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: 'Access S3 bucket content only through CloudFront'
    Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'

  DnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        DNSName: !GetAtt CloudFrontDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2 # this is an AWS-owned, global singleton required for Aliases to CloudFront
      HostedZoneName: !Sub "${FQDN}."
      Name: !Sub "${FQDN}."
      Type: A

Outputs:
  ECPostcodeLookupFqdn:
    Description: "API Gateway endpoint FQDN for EC Postcode Lookup function"
    Value: !Sub "${ECPostcodeLookupFunctionApiGateway}.execute-api.${AWS::Region}.amazonaws.com"
    Export:
      Name: !Join [ ":", [ !Ref "AWS::StackName", "ECPostcodeLookupFqdn" ] ]