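AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: "Aggregator API public access: TLS, CDN, DNS"

# Purpose: put a CloudFront distribution (with an ACM certificate) and a
# Route 53 alias record in front of the API Gateway / Lambda stack named
# "AggregatorApiApp-${StackNameSuffix}". The origin hostnames are read from
# that stack's exports (":AggregatorApiFqdn" and ":AggregatorApiFrontendFqdn").
#
# NOTE(review): the execute-api origins remain publicly reachable and nothing
# in this template authenticates CloudFront to them (no shared-secret origin
# header, no origin resource policy). Closing that requires a check in the
# backend stack, which is outside this template, so it is only flagged here.
# NOTE(review): no access logging (`Logging`) and no `WebACLId` are configured;
# add them once a log bucket / WAF web ACL exists.

Parameters:
  StackNameSuffix:
    Description: "The suffix (automatically prefixed with 'AggregatorApiApp-') constructing the name of the CloudFormation Stack that created the API Gateway & Lambda function to which this Stack will attach TLS, CDN, and DNS."
    Type: String
  CertificateArn:
    Description: "ARN of the ACM certificate covering PublicFqdn. CloudFront only accepts certificates issued in us-east-1, so the pattern pins that region."
    Type: String
    AllowedPattern: '^arn:aws[a-z-]*:acm:us-east-1:[0-9]{12}:certificate/.+$'
    ConstraintDescription: "Must be an ACM certificate ARN in the us-east-1 region."
  PublicFqdn:
    Description: "Public hostname served by the distribution. It is also used as the Route 53 hosted zone name, so it must be a zone apex, written without a trailing dot (the template appends it)."
    Type: String
    AllowedPattern: '^[A-Za-z0-9][A-Za-z0-9.-]*[A-Za-z0-9]$'
    ConstraintDescription: "Must be a hostname without a trailing dot."

Resources:
  CloudFrontDistribution:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      DistributionConfig:
        Comment: 'Cloudfront Distribution pointing to Lambda origin'
        # Three custom (execute-api) origins. "Static" and "FrontendApp" point at
        # the same hostname; "Static" additionally enables Origin Shield for the
        # cacheable static/* behaviour. Every origin is reached over HTTPS only
        # and is told the public hostname/scheme via X-Forwarded-* headers.
        # CloudFront replaces any viewer-supplied header of the same name with
        # the configured value, so these cannot be spoofed from the client.
        Origins:
          - Id: Static
            DomainName:
              Fn::ImportValue: !Sub "AggregatorApiApp-${StackNameSuffix}:AggregatorApiFrontendFqdn"
            OriginPath: "/Prod"
            CustomOriginConfig:
              OriginProtocolPolicy: "https-only"
              # Pin origin TLS to 1.2; without this CloudFront may also offer
              # TLS 1.0/1.1 to the origin. API Gateway endpoints speak TLS 1.2.
              OriginSSLProtocols: [ TLSv1.2 ]
            OriginCustomHeaders:
              - HeaderName: X-Forwarded-Host
                HeaderValue: !Ref PublicFqdn
              - HeaderName: X-Forwarded-Proto
                HeaderValue: https
            OriginShield:
              Enabled: true
              OriginShieldRegion: eu-west-2
          - Id: APIApp
            DomainName:
              Fn::ImportValue: !Sub "AggregatorApiApp-${StackNameSuffix}:AggregatorApiFqdn"
            OriginPath: "/Prod"
            CustomOriginConfig:
              OriginProtocolPolicy: "https-only"
              OriginSSLProtocols: [ TLSv1.2 ]
            OriginCustomHeaders:
              - HeaderName: X-Forwarded-Host
                HeaderValue: !Ref PublicFqdn
              - HeaderName: X-Forwarded-Proto
                HeaderValue: https
          - Id: FrontendApp
            DomainName:
              Fn::ImportValue: !Sub "AggregatorApiApp-${StackNameSuffix}:AggregatorApiFrontendFqdn"
            OriginPath: "/Prod"
            CustomOriginConfig:
              OriginProtocolPolicy: "https-only"
              OriginSSLProtocols: [ TLSv1.2 ]
            OriginCustomHeaders:
              - HeaderName: X-Forwarded-Host
                HeaderValue: !Ref PublicFqdn
              - HeaderName: X-Forwarded-Proto
                HeaderValue: https
        Enabled: true
        HttpVersion: 'http2'
        Aliases:
          - !Ref PublicFqdn
        # Edge locations in North America and Europe only (cheapest price class).
        PriceClass: "PriceClass_100"
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          # TLS 1.0/1.1 are deprecated; the 2021 policy requires TLS 1.2+ and
          # drops the weaker cipher suites of the older policies.
          MinimumProtocolVersion: TLSv1.2_2021
          SslSupportMethod: sni-only
        # Cache behaviours use the legacy ForwardedValues settings: every
        # forwarded header, cookie and query string becomes part of the cache
        # key, so responses that vary on Authorization/cookies are cached per
        # token rather than shared across users. Note that a non-zero MinTTL
        # forces caching for at least that long even when the origin sends
        # Cache-Control: no-store / private.
        DefaultCacheBehavior:
          AllowedMethods: [ GET, HEAD, OPTIONS ]
          TargetOriginId: FrontendApp
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: "all"
            Headers:
              - Authorization
              - Origin
          ViewerProtocolPolicy: "redirect-to-https"
          # No TTLs set here: CloudFront's defaults apply (DefaultTTL 86400 s)
          # for responses without Cache-Control headers.
        CacheBehaviors:
          # Authenticated, mutating routes: all methods, never cached at the edge.
          - AllowedMethods: [ GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE ]
            PathPattern: user/*
            TargetOriginId: FrontendApp
            ForwardedValues:
              QueryString: true
              Cookies:
                Forward: all
              Headers:
                - Authorization
                - Origin
            ViewerProtocolPolicy: "redirect-to-https"
            MinTTL: '0'
            MaxTTL: '0'
            DefaultTTL: '0'
          - AllowedMethods: [ GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE ]
            PathPattern: admin/*
            TargetOriginId: FrontendApp
            ForwardedValues:
              QueryString: true
              Cookies:
                Forward: all
              Headers:
                - Authorization
                - Origin
            ViewerProtocolPolicy: "redirect-to-https"
            MinTTL: '0'
            MaxTTL: '0'
            DefaultTTL: '0'
          # Static assets: cookies dropped, cached for at least 50 s.
          - AllowedMethods: [ GET, HEAD, OPTIONS ]
            PathPattern: static/*
            TargetOriginId: Static
            ForwardedValues:
              QueryString: true
              Cookies:
                Forward: none
              Headers:
                - Authorization
                - Origin
            ViewerProtocolPolicy: "redirect-to-https"
            MinTTL: '50'
          # The exact "api/v1/" path is served by the frontend origin; only
          # paths beneath it go to the API origin (next behaviour).
          - AllowedMethods: [ GET, HEAD, OPTIONS ]
            PathPattern: api/v1/
            TargetOriginId: FrontendApp
            ForwardedValues:
              QueryString: true
              Cookies:
                Forward: none
              Headers:
                - Authorization
                - Origin
            ViewerProtocolPolicy: "redirect-to-https"
            MinTTL: '50'
          # Read-only API: cached up to 60 s, keyed on Authorization + Origin.
          - AllowedMethods: [ GET, HEAD, OPTIONS ]
            PathPattern: api/v1/*
            TargetOriginId: APIApp
            ForwardedValues:
              QueryString: true
              Cookies:
                Forward: none
              Headers:
                - Authorization
                - Origin
            ViewerProtocolPolicy: "redirect-to-https"
            MinTTL: '0'
            MaxTTL: '60'
            DefaultTTL: '60'

  # Apex A record aliasing PublicFqdn to the distribution. The hosted zone is
  # looked up by name, so a zone named exactly PublicFqdn must already exist.
  DnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        DNSName: !GetAtt CloudFrontDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2  # AWS-owned, global singleton hosted zone ID required for aliases to CloudFront
      HostedZoneName: !Sub "${PublicFqdn}."
      Name: !Sub "${PublicFqdn}."
      Type: A

Outputs:
  CloudFrontDistributionFqdn:
    Description: "The FQDN of the CloudFront distribution serving this instance."
    Value: !GetAtt CloudFrontDistribution.DomainName
  PublicFqdn:
    Description: "The Aggregator API's URL."
    Value: !Sub "https://${PublicFqdn}/"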