-
Notifications
You must be signed in to change notification settings - Fork 1
/
public-access-template.yaml
171 lines (156 loc) · 5.66 KB
/
public-access-template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: "EC API public access: TLS, CDN, DNS"
Parameters:
StackNameSuffix:
Description: "The suffix (automatically prefixed with 'ECApi-') constructing the name of the CloudFormation Stack that created the API Gateway & Lambda function to which this Stack will attach TLS, CDN, and DNS."
Type: String
CertificateArn:
Type: String
PublicFqdn:
Type: String
AuthHeaderToQueryStringARN:
Type: String
Resources:
APIResponsePolicy:
Type: AWS::CloudFront::ResponseHeadersPolicy
Properties:
ResponseHeadersPolicyConfig:
Name: API-Response-Policy
Comment: CORS and other headers for the API
SecurityHeadersConfig:
ContentSecurityPolicy:
ContentSecurityPolicy: default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; frame-ancestors 'none'
Override: false
ContentTypeOptions: # You don't need to specify a value for 'X-Content-Type-Options'.
# Simply including it in the template sets its value to 'nosniff'.
Override: false
FrameOptions:
FrameOption: DENY
Override: false
ReferrerPolicy:
ReferrerPolicy: same-origin
Override: false
StrictTransportSecurity:
AccessControlMaxAgeSec: 63072000
IncludeSubdomains: true
Preload: true
Override: false
XSSProtection:
ModeBlock: true # You can set ModeBlock to 'true' OR set a value for ReportUri, but not both
Protection: true
Override: false
ServerTimingHeadersConfig:
Enabled: false
RemoveHeadersConfig:
Items:
- Header: Vary
CloudFrontDistribution:
Type: 'AWS::CloudFront::Distribution'
Properties:
DistributionConfig:
Comment: 'Cloudfront Distribution pointing to Lambda origin'
Origins:
- Id: Static
DomainName:
Fn::ImportValue: !Sub "ECApiApp-${StackNameSuffix}:ECApiFqdn"
OriginPath: "/Prod"
CustomOriginConfig:
OriginProtocolPolicy: "https-only"
OriginCustomHeaders:
- HeaderName: X-Forwarded-Host
HeaderValue: !Ref PublicFqdn
- HeaderName: X-Forwarded-Proto
HeaderValue: https
OriginShield:
Enabled: true
OriginShieldRegion: eu-west-2
- Id: Dynamic
DomainName:
Fn::ImportValue: !Sub "ECApiApp-${StackNameSuffix}:ECApiFqdn"
OriginPath: "/Prod"
CustomOriginConfig:
OriginProtocolPolicy: "https-only"
OriginCustomHeaders:
- HeaderName: X-Forwarded-Host
HeaderValue: !Ref PublicFqdn
- HeaderName: X-Forwarded-Proto
HeaderValue: https
- Id: StarletteAPI
DomainName:
Fn::ImportValue: !Sub "ECApiApp-${StackNameSuffix}:ECStarletteApiFqdn"
OriginPath: "/Prod"
CustomOriginConfig:
OriginProtocolPolicy: "https-only"
OriginCustomHeaders:
- HeaderName: X-Forwarded-Host
HeaderValue: !Ref PublicFqdn
Enabled: true
HttpVersion: 'http2'
Aliases:
- !Ref PublicFqdn
PriceClass: "PriceClass_100"
ViewerCertificate:
AcmCertificateArn: !Ref CertificateArn
MinimumProtocolVersion: TLSv1.1_2016
SslSupportMethod: sni-only
DefaultCacheBehavior:
AllowedMethods: [ GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE ]
TargetOriginId: Dynamic
ForwardedValues:
QueryString: true
Cookies:
Forward: "all"
Headers:
- Authorization
- Origin
- Referer
ResponseHeadersPolicyId: "eaab4381-ed33-4a86-88ca-d9558dc6cd63"
ViewerProtocolPolicy: "redirect-to-https"
CacheBehaviors:
- AllowedMethods: [ GET, HEAD, OPTIONS ]
PathPattern: api/*
TargetOriginId: StarletteAPI
LambdaFunctionAssociations:
- EventType: 'viewer-request'
LambdaFunctionARN: !Ref AuthHeaderToQueryStringARN
ForwardedValues:
QueryString: true
Cookies:
Forward: none
Headers:
- Authorization
ViewerProtocolPolicy: "redirect-to-https"
MinTTL: '0'
DefaultTTL: '0'
MaxTTL: '0'
Compress: true
ResponseHeadersPolicyId: !Ref APIResponsePolicy
- AllowedMethods: [ GET, HEAD, OPTIONS ]
PathPattern: static/*
TargetOriginId: Static
ForwardedValues:
QueryString: true
Cookies:
Forward: none
Headers:
- Authorization
- Origin
ViewerProtocolPolicy: "redirect-to-https"
MinTTL: '50'
DnsRecord:
Type: AWS::Route53::RecordSet
Properties:
AliasTarget:
DNSName: !GetAtt CloudFrontDistribution.DomainName
HostedZoneId: Z2FDTNDATAQYW2 # this is an AWS-owned, global singleton required for Aliases to CloudFront
HostedZoneName: !Sub "${PublicFqdn}."
Name: !Sub "${PublicFqdn}."
Type: A
Outputs:
CloudFrontDistributionFqdn:
Description: "The FQDN of the CloudFront distribution serving this instance."
Value: !GetAtt CloudFrontDistribution.DomainName
PublicFqdn:
Description: "The EC API's URL."
Value: !Sub "https://${PublicFqdn}/"