forked from aws-samples/lambdaedge-openidconnect-samples
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathtemplate.yaml
More file actions
129 lines (128 loc) · 4.76 KB
/
Copy pathtemplate.yaml
File metadata and controls
129 lines (128 loc) · 4.76 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
# Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: SAM configuration for cloudfront-auth function
Parameters:
BucketName:
Type: String
Description: The name of the Static Content S3 Bucket to Create
LogBucketName:
Type: String
Description: The name of the Log Content S3 Bucket already existing
SecretKeyName:
Type: String
Description: The name of the Secret in Secrets manager for the OIDC configuaration (e.g. okta-configuration-v4cw9Z)
MinimumTLSVersion:
Type: String
Description: The minimum version to use for CloudFront TLS
Default: TLSv1.2_2018
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref BucketName
BucketEncryption:
ServerSideEncryptionConfiguration:
-
ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
LoggingConfiguration:
DestinationBucketName: !Ref LogBucketName
LogFilePrefix: "accessLogs/"
ReadPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref S3Bucket
PolicyDocument:
Statement:
- Action: 's3:GetObject'
Effect: Allow
Resource: !Sub 'arn:aws:s3:::${S3Bucket}/*'
Principal:
CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
CloudFrontOriginAccessIdentity:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: !Ref S3Bucket
CFDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
ViewerCertificate:
CloudFrontDefaultCertificate: 'true'
MinimumProtocolVersion: !Ref MinimumTLSVersion
Logging:
Bucket: !GetAtt LogBucketName.DomainName
IncludeCookies : "true"
Prefix: "cloudfront/"
Enabled: 'true'
Origins:
- DomainName: !GetAtt S3Bucket.DomainName
Id: myS3Origin
S3OriginConfig:
OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}'
Enabled: 'true'
Comment: Some comment
DefaultRootObject: index.html
DefaultCacheBehavior:
TargetOriginId: myS3Origin
LambdaFunctionAssociations:
-
EventType: viewer-request
LambdaFunctionARN: !Ref CloudFrontAuthFunction.Version
ForwardedValues:
QueryString: 'false'
Headers:
- Origin
Cookies:
Forward: none
ViewerProtocolPolicy:
"allow-all"
CloudFrontAuthFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: src/js/
Role: !GetAtt LambdaEdgeFunctionRole.Arn
Runtime: nodejs10.x
Handler: auth.handle
Timeout: 5
AutoPublishAlias: LIVE
LambdaEdgeFunctionRole:
Type: AWS::IAM::Role
Properties:
Path: "/"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
Policies:
- PolicyName: !Sub "Lambda-${AWS::StackName}"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "secretsmanager:GetResourcePolicy"
- "secretsmanager:GetSecretValue"
- "secretsmanager:DescribeSecret"
- "secretsmanager:ListSecretVersionIds"
Resource: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SecretKeyName}"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Sid: "AllowLambdaServiceToAssumeRole"
Effect: "Allow"
Action:
- "sts:AssumeRole"
Principal:
Service:
- "lambda.amazonaws.com"
- "edgelambda.amazonaws.com"
Outputs:
CloudFrontAuthFunction:
Description: Lambda@Edge CloudFront Auth Function ARN
Value: !GetAtt CloudFrontAuthFunction.Arn
CloudFrontAuthFunctionVersion:
Description: Lambda@Edge CloudFront Auth Function ARN with Version
Value: !Ref CloudFrontAuthFunction.Version