ziyuutyou-next/cloudformation.yaml at main · takusan23/ziyuutyou-next · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
Parameters:

  BucketName:
    Type: String
    Description: WebSite Output S3 Bucket Name

  OriginAccessControlDescription:
    Type: String
    Default: cloudfront-s3-oac
    Description: Origin Access Control Description

  CloudFrontComment:
    Type: String
    Default: s3-cloudfront
    Description: CloudFront memo

  CloudFrontFunctionCreateOrReuse:
    Type: String
    Default: Create
    AllowedValues:
      - Create
      - Reuse
    Description: Append index.html suffix CloudFront Function. If created some
      function, Reuse. Don't have, Create

  CloudFrontFunctionName:
    Type: String
    Default: function-add-index
    Description: CloudFront Function Name. If Reuse, created function name.

  CachePolicyCreatedOrManaged:
    Type: String
    Default: 658327ea-f89d-4fab-a63d-7e88639e58f6
    Description: Cache Policy. Default is CachingOptimized.

Conditions:

  # CloudFront Functions を作るか
  CreateCloudFrontFunction: !Equals
    - !Ref CloudFrontFunctionCreateOrReuse
    - Create

Resources:

  # Next.js の static exports した結果を入れる S3
  WebSiteBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref BucketName
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: true
            ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # S3 - CloudFront をつなぐバケットポリシー
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref WebSiteBucket
      PolicyDocument:
        Id: PolicyForCloudFrontPrivateContent
        Version: '2008-10-17'
        Statement:
          - Sid: AllowCloudFrontServicePrincipal
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Sub arn:aws:s3:::${BucketName}/*
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}

  # S3 に入っている Web サイトを配信する CloudFront
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
          - Id: !GetAtt WebSiteBucket.RegionalDomainName # マネジメントコンソールで作ると DomainName と同じ文字列になってそう
            DomainName: !GetAtt WebSiteBucket.RegionalDomainName # リージョンが入ってないとアクセスできなかった
            OriginAccessControlId: !GetAtt OriginAccessControl.Id
            S3OriginConfig:
              OriginAccessIdentity: ''
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          TargetOriginId: !GetAtt WebSiteBucket.RegionalDomainName # Origins Id に合わせる
          ViewerProtocolPolicy: allow-all
          FunctionAssociations:
            # CloudFront Functions を作成する場合は、CloudFrontAddIndexFunction に依存するように書いておく。これで CloudFormation は先に Function を作る順番になるはず
            - EventType: viewer-request
              FunctionARN: !If
                - CreateCloudFrontFunction
                - !GetAtt CloudFrontAddIndexFunction.FunctionMetadata.FunctionARN
                - !Sub arn:aws:cloudfront::${AWS::AccountId}:function/${CloudFrontFunctionName}
          CachePolicyId: !Ref CachePolicyCreatedOrManaged
          Compress: true
        HttpVersion: http2
        Enabled: true
        Comment: !Ref CloudFrontComment

  # S3- CloudFront をつなぐ OAC
  OriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Description: !Ref OriginAccessControlDescription
        Name: !GetAtt WebSiteBucket.RegionalDomainName
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4

  # CloudFront Function を作成する場合
  # index.html を付与する Function
  # https://docs.aws.amazon.com/ja_jp/AmazonCloudFront/latest/DeveloperGuide/example_cloudfront_functions_url_rewrite_single_page_apps_section.html
  CloudFrontAddIndexFunction:
    Type: AWS::CloudFront::Function
    Condition: CreateCloudFrontFunction
    Properties:
      Name: !Ref CloudFrontFunctionName
      AutoPublish: true
      FunctionConfig:
        Comment: add index.html to url suffix
        Runtime: cloudfront-js-2.0
      FunctionCode: |
        async function handler(event) {
            var request = event.request;
            var uri = request.uri;

            // Check whether the URI is missing a file name.
            if (uri.endsWith('/')) {
                request.uri += 'index.html';
            }
            // Check whether the URI is missing a file extension.
            else if (!uri.includes('.')) {
                request.uri += '/index.html';
            }

            return request;
        }

Outputs:

  WebSiteBucket:
    Description: S3
    Value: !Ref WebSiteBucket

  CloudFrontDistribution:
    Description: CloudFront
    Value: !Ref CloudFrontDistribution

  OriginAccessControl:
    Description: CloudFront OAC
    Value: !Ref OriginAccessControl

  CloudFrontAddIndexFunction:
    Condition: CreateCloudFrontFunction
    Description: CloudFront Functions
    Value: !Ref CloudFrontAddIndexFunction