elb.yml

Parameters:
  DynamicPrefix:
    Type: String
    Description: Prefix to use for dynamic resources
    Default: /api
  CloudFrontCert:
    Type: String
    Description: The identifier for the certificate to use for CloudFront. Leave blank to disable HTTPS
    Default: ''
Conditions:
  HasCloudFrontCert:
    "Fn::Not":
      - "Fn::Equals":
        - !Ref CloudFrontCert
        - ''
Resources:
  SiteBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName:
        Fn::Sub: ${AWS::StackName}-${AWS::Region}-${AWS::AccountId}
  SampleBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: SiteBucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              CanonicalUser:
                Fn::Sub: ${CloudFrontOAI.S3CanonicalUserId}
            Action: s3:GetObject
            Resource:
              Fn::Sub: arn:aws:s3:::${SiteBucket}/*
  LoggingBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName:
        Fn::Sub: ${AWS::StackName}-logging-${AWS::Region}-${AWS::AccountId}
  CloudFrontOAI:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment:
          Fn::Sub: ${AWS::StackName}-logging-${AWS::Region}-${AWS::AccountId}
  CloudFrontDist:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - Fn::If:
            - HasElbDomainName
            - Fn::If:
               - HasElbHostName
               - Fn::Sub: ${ElbHostName}.${ElbDomainName}
               - Fn::Sub: ${ElbDomainName}
            - Ref: AWS::NoValue
        CustomErrorResponses:
          - ErrorCode: 403
            ResponseCode: 200
            ResponsePagePath: /index.html
        CacheBehaviors:
          - AllowedMethods:
              - DELETE
              - GET
              - HEAD
              - OPTIONS
              - PATCH
              - POST
              - PUT
            DefaultTTL: 0
            ForwardedValues:
              QueryString: true
              Cookies:
                Forward: all
              Headers: 
                - '*'
            MaxTTL: 60
            MinTTL: 0
            PathPattern:
              Fn::Sub: ${DynamicPrefix}/*
            TargetOriginId: ecs-alb
            ViewerProtocolPolicy:
              Fn::If:
                - HasCloudFrontCert
                - redirect-to-https
                - allow-all
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          DefaultTTL: 0
          ForwardedValues:
            QueryString: no
            Cookies:
              Forward: all
          MaxTTL: 60
          MinTTL: 0
          TargetOriginId: s3-bucket
          ViewerProtocolPolicy:
            Fn::If:
              - HasCloudFrontCert
              - redirect-to-https
              - allow-all
        DefaultRootObject: index.html
        Enabled: true
        Logging:
          Bucket:
            Fn::Sub: ${LoggingBucket.DomainName}
          Prefix: cloudfront
        Origins:
          - Id: s3-bucket
            DomainName:
              Fn::Sub: ${SiteBucket.DomainName}
            S3OriginConfig:
              OriginAccessIdentity:
                Fn::Sub: origin-access-identity/cloudfront/${CloudFrontOAI}
          - Id: ecs-alb
            CustomOriginConfig:
              HTTPPort: 80
              HTTPSPort:
                Fn::If:
                  - HasElbCert
                  - 443
                  - Ref: AWS::NoValue
              OriginProtocolPolicy:
                Fn::If:
                  - HasElbCert
                  - https-only
                  - http-only
              OriginSSLProtocols:
                - 'TLSv1.2'
            DomainName:
              Fn::If:
               - HasElbDomainName
               - Fn::If:
                 - HasElbHostName
                 - Fn::Sub: elb.${ElbHostName}.${ElbDomainName}
                 - Fn::Sub: elb.${ElbDomainName}
               - Fn::Sub: ${Elb.DNSName}
        PriceClass: PriceClass_100
        ViewerCertificate:
          Fn::If:
            - HasCloudFrontCert
            - AcmCertificateArn:
                Fn::Sub: "arn:aws:acm:us-east-1:${AWS::AccountId}:certificate/${CloudFrontCert}"
              MinimumProtocolVersion: TLSv1.2_2018
              SslSupportMethod: sni-only
            - Ref: AWS::NoValue
  ElbDns:
    Properties:
      Comment: DNS for CloudFrontDistribution
      RecordSets:
        Fn::Splice:
          - 0
          - 2
          - - AliasTarget:
                HostedZoneId: Z2FDTNDATAQYW2
                DNSName:
                  Fn::GetAtt: CloudFrontDist.DomainName
                EvaluateTargetHealth: false
              Name:
                Fn::If:
                  Fn::Replace:
                  - HasElbHostName
                  - Fn::Sub: ${ElbHostName}.${ElbDomainName}.
                  - Fn::Sub: ${ElbDomainName}.
            - AliasTarget:
                HostedZoneId:
                  Fn::GetAtt: Elb.CanonicalHostedZoneID
                DNSName:
                  Fn::GetAtt: Elb.DNSName
                EvaluateTargetHealth: true
              Name:
                Fn::If:
                  Fn::Replace:
                  - HasElbHostName
                  - Fn::Sub: '*.${ElbHostName}.${ElbDomainName}.'
                  - Fn::Sub: '*.${ElbDomainName}.'