cfn changes

Author: devksingh4

cloudformation/custom-domain.yml

@@ -1,16 +1,7 @@
 Parameters:
-  GWCertArn:
-    Description: Certificate ARN
-    Type: String
   GWBaseDomainName:
     Description: Base domain name
     Type: String
-  GWApiId:
-    Description: API ID
-    Type: String
-  GWHostedZoneId:
-    Description: Hosted Zone ID
-    Type: String
   RunEnvironment:
     Type: String
     AllowedValues: [ 'dev', 'prod' ]
@@ -23,22 +14,6 @@ Conditions:
   IsDev: !Equals [!Ref RunEnvironment, 'dev']
 
 Resources:
-  CustomDomainName:
-    Type: AWS::ApiGateway::DomainName
-    Properties:
-      RegionalCertificateArn: !Ref GWCertArn
-      EndpointConfiguration:
-        Types:
-          - REGIONAL
-      DomainName: !Sub "${RecordName}.${GWBaseDomainName}"
-      SecurityPolicy: TLS_1_2
-
-  CDApiMapping:
-    Type: 'AWS::ApiGatewayV2::ApiMapping'
-    Properties:
-      DomainName: !Ref CustomDomainName
-      ApiId: !Ref GWApiId
-      Stage: default
 
   CDRoute53RecordSetDev:
     Condition: IsDev

cloudformation/main.yml

@@ -117,13 +117,6 @@ Resources:
           - ApiGwConfig
           - !Ref RunEnvironment
           - EnvDomainName
-        GWCertArn: !FindInMap
-          - ApiGwConfig
-          - !Ref RunEnvironment
-          - EnvCertificateArn
-        GWApiId: !Ref AppApiGateway
-        GWHostedZoneId:
-          !FindInMap [ApiGwConfig, !Ref RunEnvironment, HostedZoneId]
         CloudfrontDomain: !GetAtt [AppIcalCloudfrontDistribution, DomainName]
 
   CoreUrlProd:
@@ -137,13 +130,6 @@ Resources:
           - ApiGwConfig
           - !Ref RunEnvironment
           - EnvDomainName
-        GWCertArn: !FindInMap
-          - ApiGwConfig
-          - !Ref RunEnvironment
-          - EnvCertificateArn
-        GWApiId: !Ref AppApiGateway
-        GWHostedZoneId:
-          !FindInMap [ApiGwConfig, !Ref RunEnvironment, HostedZoneId]
         CloudfrontDomain: !GetAtt [AppFrontendCloudfrontDistribution, DomainName]
 
   AppLambdaUrl:
@@ -210,12 +196,6 @@ Resources:
             !Ref AWS::NoValue,
           ]
       Events:
-        ApiEvent:
-          Type: Api
-          Properties:
-            RestApiId: !Ref AppApiGateway
-            Path: /{proxy+}
-            Method: ANY
         WarmingSchedule:
           Type: Schedule
           Properties:
@@ -544,120 +524,6 @@ Resources:
         AttributeName: "expireAt"
         Enabled: true
 
-  AppApiGateway:
-    Type: AWS::Serverless::Api
-    DependsOn:
-      - AppApiLambdaFunction
-    Properties:
-      Name: !Sub ${ApplicationPrefix}-gateway
-      Description: !Sub "${ApplicationFriendlyName} API Gateway"
-      MinimumCompressionSize: 2048 # 2kb to compress
-      AlwaysDeploy: True
-      DefinitionBody:
-        Fn::Transform:
-          Name: AWS::Include
-          Parameters:
-            Location: ./phony-swagger.yml
-        Route53:
-          HostedZoneId:
-            !FindInMap [ApiGwConfig, !Ref RunEnvironment, HostedZoneId]
-      StageName: default
-      EndpointConfiguration:
-        Type: REGIONAL
-      Cors:
-        AllowHeaders: "'Content-Type,Authorization,X-Amz-Date'"
-        AllowOrigin: "'*'"
-        MaxAge: "'300'"
-
-  APIDefault4XXResponse:
-    Type: AWS::ApiGateway::GatewayResponse
-    Properties:
-      RestApiId: !Ref AppApiGateway
-      ResponseType: DEFAULT_4XX
-      StatusCode: "404"
-      ResponseParameters:
-        gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
-      ResponseTemplates:
-        application/json: '{"error": true, "message": "Resource not found. Check your URL or contact support."}'
-
-  APIAccessDeniedResponse:
-    Type: AWS::ApiGateway::GatewayResponse
-    Properties:
-      RestApiId: !Ref AppApiGateway
-      ResponseType: ACCESS_DENIED
-      StatusCode: "403"
-      ResponseParameters:
-        gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
-      ResponseTemplates:
-        application/json: '{"error": true, "message": "Access denied. Perhaps reauthenticate and try again?"}'
-
-  APIUnauthorizedResponse:
-    Type: AWS::ApiGateway::GatewayResponse
-    Properties:
-      RestApiId: !Ref AppApiGateway
-      ResponseType: UNAUTHORIZED
-      StatusCode: "401"
-      ResponseParameters:
-        gatewayresponse.header.Access-Control-Allow-Origin: "'*'"
-      ResponseTemplates:
-        application/json: '{"error": true, "message": "Request could not be authenticated. Perhaps reauthenticate and try again?"}'
-
-  AppApiGatewayLatencyAlarm:
-    Type: "AWS::CloudWatch::Alarm"
-    Condition: IsProd
-    Properties:
-      AlarmName: !Sub ${ApplicationPrefix}-gateway-latency-high
-      AlarmDescription: "Trailing Mean - 95% API gateway latency is > 1.25s for 2 times in 4 minutes."
-      Namespace: "AWS/ApiGateway"
-      MetricName: "Latency"
-      ExtendedStatistic: "tm95"
-      Period: "120"
-      EvaluationPeriods: "2"
-      ComparisonOperator: "GreaterThanThreshold"
-      Threshold: "1250"
-      AlarmActions:
-        - !Ref AlertSNSArn
-      Dimensions:
-        - Name: "ApiName"
-          Value: !Sub ${ApplicationPrefix}-gateway
-
-  AppApiGatewayNoRequestsAlarm:
-    Type: "AWS::CloudWatch::Alarm"
-    Condition: IsProd
-    Properties:
-      AlarmName: !Sub ${ApplicationPrefix}-gateway-no-requests
-      AlarmDescription: "No requests have been received in the past 5 minutes."
-      Namespace: "AWS/ApiGateway"
-      MetricName: "Count"
-      Statistic: "Sum"
-      Period: "300"
-      EvaluationPeriods: "1"
-      ComparisonOperator: "LessThanThreshold"
-      Threshold: "1"
-      AlarmActions:
-        - !Ref PriorityAlertSNSArn
-      Dimensions:
-        - Name: "ApiName"
-          Value: !Sub ${ApplicationPrefix}-gateway
-
-  AppApiGateway5XXErrorAlarm:
-    Type: "AWS::CloudWatch::Alarm"
-    Condition: IsProd
-    Properties:
-      AlarmName: !Sub ${ApplicationPrefix}-gateway-5xx
-      AlarmDescription: "More than 2 API gateway 5XX errors were detected."
-      Namespace: "AWS/ApiGateway"
-      MetricName: "5XXError"
-      Statistic: "Average"
-      Period: "60"
-      EvaluationPeriods: "1"
-      ComparisonOperator: "GreaterThanThreshold"
-      Threshold: "2"
-      AlarmActions:
-        - !Ref PriorityAlertSNSArn
-      Dimensions:
-        - Name: "ApiName"
-          Value: !Sub ${ApplicationPrefix}-gateway
 
   AppDLQMessagesAlarm:
     Type: "AWS::CloudWatch::Alarm"
@@ -678,23 +544,6 @@ Resources:
       AlarmActions:
         - !Ref PriorityAlertSNSArn
 
-  APILambdaPermission:
-    Type: AWS::Lambda::Permission
-    Properties:
-      FunctionName: !GetAtt AppApiLambdaFunction.Arn
-      Action: lambda:InvokeFunction
-      Principal: apigateway.amazonaws.com
-      SourceArn:
-        Fn::Join:
-          - ""
-          - - "arn:aws:execute-api:"
-            - !Ref AWS::Region
-            - ":"
-            - !Ref AWS::AccountId
-            - ":"
-            - !Ref AppApiGateway
-            - "/*/*/*"
-
   AppFrontendS3Bucket:
     Type: AWS::S3::Bucket
     Properties:
@@ -718,7 +567,7 @@ Resources:
             DomainName: !GetAtt AppFrontendS3Bucket.RegionalDomainName
             S3OriginConfig:
               OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}"
-          - Id: ApiGatewayOrigin
+          - Id: LambdaOrigin
             DomainName: !Select [0, !Split ['/', !Select [1, !Split ['https://', !GetAtt AppLambdaUrl.FunctionUrl]]]]
             CustomOriginConfig:
               HTTPPort: 80
@@ -755,7 +604,7 @@ Resources:
               LambdaFunctionARN: !Ref AppFrontendEdgeLambdaVersion
         CacheBehaviors:
           - PathPattern: "/api/v1/events*"
-            TargetOriginId: ApiGatewayOrigin
+            TargetOriginId: LambdaOrigin
             ViewerProtocolPolicy: redirect-to-https
             AllowedMethods:
               - GET
@@ -772,7 +621,7 @@ Resources:
             OriginRequestPolicyId: b689b0a8-53d0-40ab-baf2-68738e2966ac
             Compress: true
           - PathPattern: "/api/v1/organizations"
-            TargetOriginId: ApiGatewayOrigin
+            TargetOriginId: LambdaOrigin
             ViewerProtocolPolicy: redirect-to-https
             AllowedMethods:
               - GET
@@ -789,7 +638,7 @@ Resources:
             OriginRequestPolicyId: b689b0a8-53d0-40ab-baf2-68738e2966ac
             Compress: true
           - PathPattern: "/api/documentation*"
-            TargetOriginId: ApiGatewayOrigin
+            TargetOriginId: LambdaOrigin
             ViewerProtocolPolicy: redirect-to-https
             AllowedMethods:
               - GET
@@ -806,7 +655,7 @@ Resources:
             OriginRequestPolicyId: b689b0a8-53d0-40ab-baf2-68738e2966ac
             Compress: true
           - PathPattern: "/api/*"
-            TargetOriginId: ApiGatewayOrigin
+            TargetOriginId: LambdaOrigin
             ViewerProtocolPolicy: redirect-to-https
             AllowedMethods:
               - GET
@@ -881,7 +730,6 @@ Resources:
             Headers:
               - x-method-override
               - origin
-              - host
               - x-http-method
               - x-http-method-override
           QueryStringsConfig:
@@ -923,13 +771,15 @@ Resources:
       DistributionConfig:
         HttpVersion: 'http2and3'
         Origins:
-          - Id: ApiGatewayOrigin
-            DomainName: !Sub "${AppApiGateway}.execute-api.${AWS::Region}.amazonaws.com"
-            OriginPath: "/default"
+          - Id: LambdaOrigin
+            DomainName: !Select [0, !Split ['/', !Select [1, !Split ['https://', !GetAtt AppLambdaUrl.FunctionUrl]]]]
             CustomOriginConfig:
               HTTPPort: 80
               HTTPSPort: 443
               OriginProtocolPolicy: https-only
+            OriginCustomHeaders:
+              - HeaderName: X-Origin-Verify
+                HeaderValue: !Join ['-', ['secret', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]]
         Enabled: true
         Aliases:
           - !Join
@@ -941,7 +791,7 @@ Resources:
                 - EnvDomainName
         DefaultCacheBehavior:
           Compress: true
-          TargetOriginId: ApiGatewayOrigin
+          TargetOriginId: LambdaOrigin
           ViewerProtocolPolicy: redirect-to-https
           AllowedMethods:
             - GET
@@ -1069,13 +919,6 @@ Resources:
           - ApiGwConfig
           - !Ref RunEnvironment
           - EnvDomainName
-        GWCertArn: !FindInMap
-          - ApiGwConfig
-          - !Ref RunEnvironment
-          - EnvCertificateArn
-        GWApiId: !Ref AppApiGateway
-        GWHostedZoneId:
-          !FindInMap [ApiGwConfig, !Ref RunEnvironment, HostedZoneId]
         CloudfrontDomain: !GetAtt [AppLinkryCloudfrontDistribution, DomainName]
 
 Outputs: