Created
August 17, 2020 15:59
-
-
Save ugurcemozturk/2374732d34c42bc0331d75def761293c to your computer and use it in GitHub Desktop.
Cloudformation template to create an API gateway that triggers a lambda to get a signed url of a S3 object from cloudfront
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: "2010-09-09" | |
| Transform: AWS::Serverless-2016-10-31 | |
| Description: "Stack to create signed URLs through API Gateway" | |
| Parameters: | |
| ImagesBucket: | |
| Type: String | |
| Description: Bucket name of the images | |
| UrlExpire: | |
| Type: Number | |
| Description: Expire of signed image url in miliseconds | |
| Default: 1200000 | |
| ImageFolder: | |
| Type: String | |
| Description: Expire of signed image url in miliseconds | |
| Default: images-hd | |
| ImagesDomainName: | |
| Type: String | |
| Description: URL of the Cloudfront that points to images bucket | |
| Environment: | |
| Type: String | |
| Description: Environment name to be deployed | |
| Resources: | |
| ApiGateway: | |
| Type: AWS::Serverless::Api | |
| Properties: | |
| Name: | |
| Fn::Sub: APP-${Environment} Serverless API | |
| StageName: !Ref Environment | |
| GetImageLambda: | |
| Type: AWS::Serverless::Function | |
| Properties: | |
| Runtime: nodejs12.x | |
| CodeUri: handlers/GetImage/ | |
| Handler: index.GetImage | |
| Environment: | |
| Variables: | |
| CLOUDFRONT_KEY_ID: "{{resolve:ssm:CLOUDFRONT_KEY_ID:1}}" | |
| URL_EXPIRE: !Ref "UrlExpire" | |
| IMAGE_FOLDER: !Ref "ImageFolder" | |
| CLOUDFRONT_DOMAIN_NAME: !Ref ImagesDomainName | |
| Events: | |
| ApiGateway: | |
| Type: Api | |
| Properties: | |
| RestApiId: | |
| Ref: ApiGateway | |
| Path: /Image | |
| Method: GET | |
| S3BucketPolicy: | |
| Type: AWS::S3::BucketPolicy | |
| Properties: | |
| Bucket: | |
| Ref: ImagesBucket | |
| PolicyDocument: | |
| Statement: | |
| - Sid: AllowCloudFrontAccessIdentity | |
| Effect: Allow | |
| Action: | |
| - s3:GetObject | |
| Resource: | |
| Fn::Join: | |
| - "" | |
| - - "arn:aws:s3:::" | |
| - Ref: ImagesBucket | |
| - /* | |
| Principal: | |
| AWS: | |
| Fn::Join: | |
| - " " | |
| - - arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity | |
| - Ref: OAI | |
| OAI: | |
| Type: AWS::CloudFront::CloudFrontOriginAccessIdentity | |
| Properties: | |
| CloudFrontOriginAccessIdentityConfig: | |
| Comment: S3 content protection | |
| CFDistribution: | |
| Type: AWS::CloudFront::Distribution | |
| Properties: | |
| DistributionConfig: | |
| Origins: | |
| - DomainName: | |
| Fn::Sub: ${ImagesBucket}.s3.amazonaws.com | |
| Id: S3BucketOrigin | |
| S3OriginConfig: | |
| OriginAccessIdentity: | |
| Fn::Join: | |
| - "" | |
| - - origin-access-identity/cloudfront/ | |
| - Ref: OAI | |
| DefaultCacheBehavior: | |
| AllowedMethods: | |
| - GET | |
| - HEAD | |
| - OPTIONS | |
| TargetOriginId: S3BucketOrigin | |
| ForwardedValues: | |
| QueryString: false | |
| Cookies: | |
| Forward: none | |
| ViewerProtocolPolicy: redirect-to-https | |
| Aliases: | |
| - !Ref ImagesDomainName | |
| Enabled: true | |
| HttpVersion: http2 | |
| PriceClass: PriceClass_100 | |
| ApiGatewayCloudWatchLogsRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| AssumeRolePolicyDocument: | |
| Version: "2012-10-17" | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| Service: | |
| - apigateway.amazonaws.com | |
| Action: | |
| - sts:AssumeRole | |
| Policies: | |
| - PolicyName: API_GW_Logs_Policy | |
| PolicyDocument: | |
| Version: "2012-10-17" | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - logs:CreateLogGroup | |
| - logs:CreateLogStream | |
| - logs:DescribeLogGroups | |
| - logs:DescribeLogStreams | |
| - logs:PutLogEvents | |
| - logs:GetLogEvents | |
| - logs:FilterLogEvents | |
| Resource: "*" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment