NewsPassIDAudienceProject/cloudformation.yaml at main · GrahamDigital/NewsPassIDAudienceProject · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
AWSTemplateFormatVersion: '2010-09-09'
Description: 'NewsPassID - Complete Infrastructure'

Parameters:
  DataBucketName:
    Type: String
    Description: S3 bucket for storing ID data
    Default: newspassid-data

  CdnBucketName:
    Type: String
    Description: S3 bucket for CDN
    Default: newspassid-cdn

  AllowedOrigins:
    Type: String
    Description: Comma-separated list of allowed origins for CORS
    Default: '*'

Resources:
  # S3 Bucket for ID data
  NewsPassIDDataBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref DataBucketName
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders: ['*']
            AllowedMethods: ['GET', 'PUT', 'POST']
            AllowedOrigins: ['*']
            MaxAge: 3000

  # S3 Bucket for CDN
  NewsPassIDCdnBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref CdnBucketName
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
      CorsConfiguration:
        CorsRules:
          - AllowedHeaders: ['*']
            AllowedMethods: ['GET']
            AllowedOrigins: ['*']
            MaxAge: 3000

  # CDN Bucket Policy
  CdnBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref NewsPassIDCdnBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: PublicReadGetObject
            Effect: Allow
            Principal: '*'
            Action:
              - 's3:GetObject'
            Resource: !Sub "arn:aws:s3:::${CdnBucketName}/*"

  # Lambda execution role
  NewsPassIDLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: S3AccessPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObject
                Resource: !Sub 'arn:aws:s3:::${DataBucketName}/*'

  # Lambda function
  NewsPassIDLambda:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: NewsPassID
      Runtime: nodejs16.x
      Handler: src/index.handler
      Role: !GetAtt NewsPassIDLambdaRole.Arn
      Code:
        S3Bucket: !Ref DataBucketName
        S3Key: lambda/newspassid-lambda.zip
      Environment:
        Variables:
          STORAGE_BUCKET: !Ref DataBucketName
          ID_FOLDER: newspassid
          ALLOWED_ORIGINS: !Ref AllowedOrigins
      Timeout: 10
      MemorySize: 256

  # API Gateway
  NewsPassIDApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: NewsPassID API
      Description: API for NewsPassID
      EndpointConfiguration:
        Types:
          - REGIONAL

  # API Resource
  NewsPassIDResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref NewsPassIDApi
      ParentId: !GetAtt NewsPassIDApi.RootResourceId
      PathPart: newspassid

  # POST Method
  NewsPassIDMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref NewsPassIDApi
      ResourceId: !Ref NewsPassIDResource
      HttpMethod: POST
      AuthorizationType: NONE
      Integration:
        Type: AWS_PROXY
        IntegrationHttpMethod: POST
        Uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${NewsPassIDLambda.Arn}/invocations
      MethodResponses:
        - StatusCode: 200
          ResponseModels:
            application/json: 'Empty'
          ResponseParameters:
            method.response.header.Access-Control-Allow-Origin: true
            method.response.header.Access-Control-Allow-Methods: true
            method.response.header.Access-Control-Allow-Headers: true

  # OPTIONS Method (for CORS)
  NewsPassIDOptionsMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref NewsPassIDApi
      ResourceId: !Ref NewsPassIDResource
      HttpMethod: OPTIONS
      AuthorizationType: NONE
      Integration:
        Type: MOCK
        IntegrationResponses:
          - StatusCode: 200
            ResponseParameters:
              method.response.header.Access-Control-Allow-Origin: "'*'"
              method.response.header.Access-Control-Allow-Methods: "'POST,OPTIONS'"
              method.response.header.Access-Control-Allow-Headers: "'Content-Type,Authorization'"
            ResponseTemplates:
              application/json: '{}'
        RequestTemplates:
          application/json: '{"statusCode": 200}'
      MethodResponses:
        - StatusCode: 200
          ResponseModels:
            application/json: 'Empty'
          ResponseParameters:
            method.response.header.Access-Control-Allow-Origin: true
            method.response.header.Access-Control-Allow-Methods: true
            method.response.header.Access-Control-Allow-Headers: true

  # API Deployment
  NewsPassIDApiDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn:
      - NewsPassIDMethod
      - NewsPassIDOptionsMethod
    Properties:
      RestApiId: !Ref NewsPassIDApi
      StageName: prod

  # Lambda permission for API Gateway
  NewsPassIDLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref NewsPassIDLambda
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${NewsPassIDApi}/*/POST/newspassid

  # CloudFront Distribution for CDN
  NewsPassIDCloudFront:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
          - DomainName: !GetAtt NewsPassIDCdnBucket.RegionalDomainName
            Id: S3Origin
            S3OriginConfig:
              OriginAccessIdentity: ''
        Enabled: true
        DefaultRootObject: index.html
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          TargetOriginId: S3Origin
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        PriceClass: PriceClass_All
        ViewerCertificate:
          CloudFrontDefaultCertificate: true

Outputs:
  ApiEndpoint:
    Description: "API Gateway endpoint URL for NewsPassID"
    Value: !Sub "https://${NewsPassIDApi}.execute-api.${AWS::Region}.amazonaws.com/prod/newspassid"

  CdnUrl:
    Description: "CloudFront CDN URL"
    Value: !GetAtt NewsPassIDCloudFront.DomainName