forked from mlevit/aws-auto-cleanup
-
Notifications
You must be signed in to change notification settings - Fork 0
/
serverless.yml
112 lines (100 loc) · 3.84 KB
/
serverless.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
service: auto-cleanup-web
custom:
log_level: INFO # DEBUG for dev | INFO for prod
region: ${opt:region, "us-east-1"} # AWS deployment region
client:
bucketName: ${self:service}-${self:provider.stage}-site-${cf:auto-cleanup-api-${self:provider.stage}.AccountID}
distributionFolder: ./src
sse: AES256
corsFile: cors_configuration.json # Modify the CORS file to match your subdomain below. You can use a wildcard as well.. i.e. *.troydieter.com
domain: cleanup.troydieter.com
certArn: "" # Replace with an ACM certificate to cover the above domain value
provider:
name: aws
stage: ${opt:stage, "prod"} # overwrite via CLI "--stage dev"
region: ${self:custom.region}
package:
individually: true
patterns:
- "!node_modules/**"
resources:
Resources:
WebBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: ${self:service}-${self:provider.stage}-site-${cf:auto-cleanup-api-${self:provider.stage}.AccountID}
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
OriginAccessIdentity:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: "OAI for auto-cleanup-web"
WebBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref WebBucket
PolicyDocument:
Statement:
- Effect: Allow
Principal:
AWS: !Sub arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${OriginAccessIdentity}
Action: "s3:GetObject"
Resource: !Sub "${WebBucket.Arn}/*"
addSecurityHeadersFunction:
Type: AWS::CloudFront::Function
Properties:
Name: add-security-headers
AutoPublish: true
FunctionConfig:
Comment: Adds security headers to the response
Runtime: cloudfront-js-1.0
FunctionCode: |
function handler(event) {
var response = event.response;
var headers = response.headers;
// Set HTTP security headers
// Since JavaScript doesn't allow for hyphens in variable names, we use the dict["key"] notation
headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubdomains; preload'};
headers['x-content-type-options'] = { value: 'nosniff'};
headers['x-frame-options'] = {value: 'DENY'};
headers['x-xss-protection'] = {value: '1; mode=block'};
// Return the response to viewers
return response;
}
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Enabled: true
Comment: "auto-cleanup-web"
PriceClass: PriceClass_100
Origins:
- DomainName: !GetAtt WebBucket.DomainName
Id: WebBucketOrigin
S3OriginConfig:
OriginAccessIdentity: !Sub origin-access-identity/cloudfront/${OriginAccessIdentity}
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
TargetOriginId: WebBucketOrigin
ForwardedValues:
QueryString: false
Cookies:
Forward: none
ViewerProtocolPolicy: redirect-to-https
FunctionAssociations:
- EventType: viewer-response
FunctionARN: !GetAtt addSecurityHeadersFunction.FunctionMetadata.FunctionARN
DefaultRootObject: index.html
Aliases:
- ${self:custom.domain}
ViewerCertificate:
AcmCertificateArn: ${self:custom.certArn}
SslSupportMethod: sni-only
MinimumProtocolVersion: TLSv1.2_2021
plugins:
- serverless-finch