mirror of
https://github.com/vapor/blog.git
synced 2025-04-19 15:42:50 +08:00
110 lines
4.0 KiB
YAML
110 lines
4.0 KiB
YAML
AWSTemplateFormatVersion: '2010-09-09'
|
|
Description: 'Create a static website on S3 served by CloudFront'
|
|
Parameters:
|
|
DomainName:
|
|
Type: String
|
|
Description: The domain name for the site
|
|
AllowedPattern: (?!-)[a-zA-Z0-9-.]{1,63}(?<!-)
|
|
ConstraintDescription: must be a valid DNS zone name.
|
|
AcmCertificateArn:
|
|
Type: String
|
|
Description: the Amazon Resource Name (ARN) of an AWS Certificate Manager (ACM) certificate.
|
|
AllowedPattern: "arn:aws:acm:.*"
|
|
S3BucketName:
|
|
Type: String
|
|
Description: Name for the bucket
|
|
Resources:
|
|
S3BucketForWebsiteContent:
|
|
Type: AWS::S3::Bucket
|
|
Properties:
|
|
BucketName: !Ref 'S3BucketName'
|
|
WebsiteConfiguration:
|
|
IndexDocument: index.html
|
|
# Redirect
|
|
ErrorDocument: /error/404/index.html
|
|
RoutingRules:
|
|
- RoutingRuleCondition:
|
|
HttpErrorCodeReturnedEquals: '404'
|
|
KeyPrefixEquals: /
|
|
RedirectRule:
|
|
HostName: !Ref 'DomainName'
|
|
ReplaceKeyPrefixWith: error/404/
|
|
WebsiteCloudfront:
|
|
Type: AWS::CloudFront::Distribution
|
|
Properties:
|
|
DistributionConfig:
|
|
Comment: Cloudfront Distribution pointing to S3 bucket
|
|
Origins:
|
|
- DomainName: !Join [ '', !Split [ 'http://', !GetAtt 'S3BucketForWebsiteContent.WebsiteURL' ] ]
|
|
Id: S3Origin
|
|
CustomOriginConfig:
|
|
OriginProtocolPolicy: 'http-only'
|
|
Enabled: true
|
|
HttpVersion: 'http2'
|
|
# DefaultRootObject: index.html
|
|
Aliases:
|
|
- !Ref 'DomainName'
|
|
CustomErrorResponses:
|
|
- ErrorCode: 403
|
|
ResponseCode: 404
|
|
ResponsePagePath: '/error/404/index.html'
|
|
DefaultCacheBehavior:
|
|
AllowedMethods:
|
|
- GET
|
|
- HEAD
|
|
- OPTIONS
|
|
Compress: true
|
|
TargetOriginId: S3Origin
|
|
ForwardedValues:
|
|
QueryString: false
|
|
Cookies:
|
|
Forward: none
|
|
ViewerProtocolPolicy: redirect-to-https
|
|
ResponseHeadersPolicyId: !Ref WebsiteCloudFrontPolicies
|
|
PriceClass: PriceClass_All
|
|
ViewerCertificate:
|
|
AcmCertificateArn: !Ref 'AcmCertificateArn'
|
|
SslSupportMethod: sni-only
|
|
WebsiteCloudFrontPolicies:
|
|
Type: AWS::CloudFront::ResponseHeadersPolicy
|
|
Properties:
|
|
ResponseHeadersPolicyConfig:
|
|
Name: Blog-Security-Header-Policy
|
|
Comment: The Vapor Blog security header policy
|
|
CustomHeadersConfig:
|
|
Items:
|
|
- Header: Permissions-Policy
|
|
Value: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()
|
|
Override: false
|
|
- Header: server
|
|
Value: 'Vapor Blog'
|
|
Override: true
|
|
SecurityHeadersConfig:
|
|
ContentSecurityPolicy:
|
|
ContentSecurityPolicy: default-src 'none'; script-src 'self' https://design.vapor.codes; style-src 'self' https://design.vapor.codes; img-src 'self' https://design.vapor.codes; font-src 'self' https://design.vapor.codes; media-src 'self' https://design.vapor.codes; upgrade-insecure-requests; block-all-mixed-content; manifest-src 'self' https://design.vapor.codes
|
|
Override: false
|
|
ContentTypeOptions:
|
|
Override: false
|
|
FrameOptions:
|
|
FrameOption: DENY
|
|
Override: false
|
|
ReferrerPolicy:
|
|
ReferrerPolicy: strict-origin-when-cross-origin
|
|
Override: false
|
|
StrictTransportSecurity:
|
|
AccessControlMaxAgeSec: 63072000
|
|
IncludeSubdomains: true
|
|
Preload: false
|
|
Override: false
|
|
XSSProtection:
|
|
ModeBlock: true
|
|
Protection: true
|
|
Override: false
|
|
Outputs:
|
|
CloudfrontURL:
|
|
Description: 'Cloudfront URL'
|
|
Value: !GetAtt WebsiteCloudfront.DomainName
|
|
BucketName:
|
|
Value: !Ref 'S3BucketForWebsiteContent'
|
|
Description: Name of S3 bucket to hold website content
|