This repository has been archived by the owner on Aug 3, 2021. It is now read-only.
template.yaml
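# CloudFormation template: static site hosting from a private S3 bucket that is
# served through a CloudFront distribution. CloudFront reaches the bucket via an
# Origin Access Identity (OAI), and the bucket policy grants that identity
# s3:GetObject only.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    DependsOn:
      - S3Bucket
      - OriginAccessIdentity
    Properties:
      DistributionConfig:
        Origins:
          # The origin is the bucket's REST endpoint (S3Bucket.DomainName), not
          # the website endpoint; the OAI below is attached to this origin.
          - DomainName: !GetAtt 'S3Bucket.DomainName'
            Id: hostingS3Bucket
            S3OriginConfig:
              OriginAccessIdentity: !Join
                - ''
                - - origin-access-identity/cloudfront/
                  - !Ref 'OriginAccessIdentity'
        # Real booleans, consistent with Compress below (was the string 'true').
        Enabled: true
        DefaultCacheBehavior:
          # Read-only methods. The only origin is S3 behind an OAI whose policy
          # in this template allows s3:GetObject alone, so forwarding DELETE,
          # PATCH, POST and PUT could only yield origin errors while widening
          # what the edge accepts. OPTIONS is kept for CORS preflight requests.
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          TargetOriginId: hostingS3Bucket
          ForwardedValues:
            # Query strings are not forwarded to the origin (was the string 'false').
            QueryString: false
          ViewerProtocolPolicy: redirect-to-https
          DefaultTTL: 86400
          MaxTTL: 31536000
          MinTTL: 60
          Compress: true
        DefaultRootObject: index.html
        # Origin 400/403/404 responses are rewritten to HTTP 200 with the page
        # at "/" and cached for 300 seconds (presumably for client-side routing
        # in a single-page app - confirm). Side effect: access-denied and
        # not-found conditions are invisible to clients and to monitoring that
        # keys on viewer status codes.
        CustomErrorResponses:
          - ErrorCachingMinTTL: 300
            ErrorCode: 400
            ResponseCode: 200
            ResponsePagePath: /
          - ErrorCachingMinTTL: 300
            ErrorCode: 403
            ResponseCode: 200
            ResponsePagePath: /
          - ErrorCachingMinTTL: 300
            ErrorCode: 404
            ResponseCode: 200
            ResponsePagePath: /
        # NOTE(review): no ViewerCertificate or Logging is configured here, so
        # the distribution relies on CloudFront defaults for TLS settings and
        # produces no access logs. Set both explicitly if this template is reused.
  S3Bucket:
    Type: AWS::S3::Bucket
    # The bucket and its objects survive stack deletion and must be cleaned up
    # separately.
    DeletionPolicy: Retain
    Properties:
      AccessControl: Private
      # NOTE(review): the template sets no PublicAccessBlockConfiguration or
      # BucketEncryption. Since reads are meant to go through the OAI only,
      # consider adding both after checking that the upload tooling does not
      # depend on public ACLs.
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: index.html
      CorsConfiguration:
        CorsRules:
          # Any origin may issue cross-origin GETs; only these two request
          # headers are allowed.
          - AllowedHeaders:
              - Authorization
              - Content-Length
            AllowedMethods:
              - GET
            AllowedOrigins:
              - '*'
            MaxAge: 3000
  PrivateBucketPolicy:
    Type: AWS::S3::BucketPolicy
    DependsOn: OriginAccessIdentity
    Properties:
      PolicyDocument:
        Id: MyPolicy
        Version: '2012-10-17'
        Statement:
          # Least privilege: the single principal is the OAI's canonical user
          # and the single action is object read on this bucket's keys.
          - Sid: APIReadForGetBucketObjects
            Effect: Allow
            Principal:
              CanonicalUser: !GetAtt 'OriginAccessIdentity.S3CanonicalUserId'
            Action: s3:GetObject
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref 'S3Bucket'
                - /*
      Bucket: !Ref 'S3Bucket'
  OriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: CloudFrontOriginAccessIdentityConfig
Outputs:
  Region:
    Value: !Ref 'AWS::Region'
  HostingBucketName:
    Description: Hosting bucket name
    Value: !Ref 'S3Bucket'
  # NOTE(review): the S3 website endpoint is HTTP-only, and this bucket is
  # private with read access granted to the OAI alone, so anonymous requests to
  # this URL are expected to be denied. Use CloudFrontSecureURL for viewers.
  WebsiteURL:
    Value: !GetAtt 'S3Bucket.WebsiteURL'
    Description: URL for website hosted on S3
  # The value is an https:// URL built from the bucket's domain name; the
  # Description text calls it a bucket name.
  S3BucketSecureURL:
    Value: !Join
      - ''
      - - https://
        - !GetAtt 'S3Bucket.DomainName'
    Description: Name of S3 bucket to hold website content
  CloudFrontDistributionID:
    Value: !Ref 'CloudFrontDistribution'
  CloudFrontDomainName:
    Value: !GetAtt 'CloudFrontDistribution.DomainName'
  CloudFrontSecureURL:
    Value: !Join
      - ''
      - - https://
        - !GetAtt 'CloudFrontDistribution.DomainName'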