infrastructure.yaml
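---
# CloudFormation stack for the Factura infrastructure: a single-table DynamoDB
# store, a least-privilege IAM user for read access to it, a private S3 bucket
# served through CloudFront, and the Route 53 alias record for the site.
AWSTemplateFormatVersion: '2010-09-09'
Description: Infrastructure resources for Factura
Parameters:
  AcmCertificateArn:
    Type: String
    Description: the Amazon Resource Name (ARN) of an AWS Certificate Manager (ACM) certificate in us-east-1
    # CloudFront only accepts certificates issued in us-east-1; the pattern
    # rejects any other region before the distribution is created.
    AllowedPattern: "arn:aws:acm:us-east-1:.*"
  DomainName:
    Type: String
    Description: The DNS name of the website e.g. example.com
    # Quoted so the lookahead/lookbehind regex is always read as a plain string.
    AllowedPattern: "(?!-)[a-zA-Z0-9-.]{1,63}(?<!-)"
    ConstraintDescription: must be a valid DNS zone name.
Resources:
  Database:
    Type: AWS::DynamoDB::Table
    # Resource-level policy: the table (and its data) survives stack deletion
    # or replacement of this logical resource.
    DeletionPolicy: Retain
    Properties:
      AttributeDefinitions:
        - AttributeName: PK
          AttributeType: S
        - AttributeName: SK
          AttributeType: S
        - AttributeName: GSI1PK
          AttributeType: S
        - AttributeName: GSI1SK
          AttributeType: S
      KeySchema:
        - AttributeName: PK
          KeyType: HASH
        - AttributeName: SK
          KeyType: RANGE
      GlobalSecondaryIndexes:
        - IndexName: GSI1
          KeySchema:
            - AttributeName: GSI1PK
              KeyType: HASH
            - AttributeName: GSI1SK
              KeyType: RANGE
          Projection:
            ProjectionType: ALL
      BillingMode: PAY_PER_REQUEST
  DBUser:
    Type: AWS::IAM::User
    # NOTE(review): a user with long-lived access keys is the weakest credential
    # option; if the consumer runs on AWS, an IAM role assumed by the workload
    # avoids distributing a static secret at all.
    Properties:
      Policies:
        - PolicyName: ddb_get_query
          PolicyDocument:
            # Quoted: an unquoted 2012-10-17 is a YAML timestamp to generic
            # parsers (yamllint, cfn-lint), not the policy-language version string.
            Version: "2012-10-17"
            Statement:
              # Read-only: GetItem/Query on the table and on every index of it.
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:Query
                Resource:
                  - !GetAtt Database.Arn
                  - !Sub '${Database.Arn}/index/*'
  DBAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref DBUser
  FrontendBucket:
    Type: AWS::S3::Bucket
    Properties:
      # All four blocks on: objects are only reachable through CloudFront via
      # the bucket policy below, never by a public ACL or public policy.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  FrontendBucketPolicy:
    Type: AWS::S3::BucketPolicy
    # Without this policy the origin access identity has no right to read the
    # bucket and every CloudFront request returns 403. The principal is the
    # OAI's canonical user, which is not "public", so BlockPublicPolicy does
    # not reject it.
    Properties:
      Bucket: !Ref FrontendBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              CanonicalUser: !GetAtt OriginAccessIdentity.S3CanonicalUserId
            Action: s3:GetObject
            Resource: !Sub '${FrontendBucket.Arn}/*'
  OriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Ref FrontendBucket
  WebsiteCloudFront:
    Type: AWS::CloudFront::Distribution
    # NOTE(review): no access logging is configured on the distribution; a
    # Logging block writing to a separate log bucket is the usual detection
    # source for this tier — confirm whether logs are collected elsewhere.
    Properties:
      DistributionConfig:
        Aliases:
          - !Ref DomainName
        DefaultCacheBehavior:
          Compress: true
          DefaultTTL: 3600
          ForwardedValues:
            QueryString: false
          # Must match the origin Id below; the bucket is FrontendBucket (there
          # is no WebsiteBucket resource in this template).
          TargetOriginId: !Sub "S3-${FrontendBucket}"
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        Enabled: true
        HttpVersion: http2
        Origins:
          - DomainName: !GetAtt FrontendBucket.DomainName
            Id: !Sub "S3-${FrontendBucket}"
            S3OriginConfig:
              OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${OriginAccessIdentity}"
        ViewerCertificate:
          AcmCertificateArn: !Ref AcmCertificateArn
          # sni-only avoids the dedicated-IP surcharge; the minimum protocol
          # policy rejects TLS 1.0/1.1 clients.
          MinimumProtocolVersion: TLSv1.2_2018
          SslSupportMethod: sni-only
  DomainDns:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        # Fixed hosted zone id for every CloudFront distribution, see
        # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget.html
        HostedZoneId: "Z2FDTNDATAQYW2"
        DNSName: !GetAtt WebsiteCloudFront.DomainName
      # Trailing dot: Route 53 expects fully-qualified zone and record names.
      HostedZoneName: !Sub "${DomainName}."
      Name: !Sub "${DomainName}."
      Type: A
Outputs:
  AccessKeyforWebUser:
    Value: !Ref DBAccessKey
  # NOTE(review): this output places the secret access key in stack outputs,
  # which are readable by any principal with cloudformation:DescribeStacks
  # (and land in the console, CLI output and any CI log that prints them).
  # Outputs cannot be marked NoEcho; the safer pattern is to hand the key to
  # a Secrets Manager secret or SSM SecureString parameter and output only
  # that reference. Kept here because existing consumers read it.
  SecretKeyforWebUser:
    Value: !GetAtt DBAccessKey.SecretAccessKey
  DatabaseArn:
    Value: !GetAtt Database.Arn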