-
-
Notifications
You must be signed in to change notification settings - Fork 332
/
stack.yml
117 lines (117 loc) · 4.1 KB
/
stack.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
AWSTemplateFormatVersion: '2010-09-09'
Description: 'The documentation for Vapor'
Parameters:
DomainName:
Type: String
Description: The domain name for the site
AllowedPattern: (?!-)[a-zA-Z0-9-.]{1,63}(?<!-)
ConstraintDescription: Must be a valid DNS zone name.
AcmCertificateArn:
Type: String
Description: the Amazon Resource Name (ARN) of an AWS Certificate Manager (ACM) certificate.
AllowedPattern: "arn:aws:acm:.*"
S3BucketName:
Type: String
Description: Name for the bucket
Resources:
S3BucketForWebsiteContent:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref 'S3BucketName'
WebsiteConfiguration:
IndexDocument: index.html
# Redirect
ErrorDocument: /404.html
RoutingRules:
- RoutingRuleCondition:
HttpErrorCodeReturnedEquals: '404'
KeyPrefixEquals: /
RedirectRule:
HostName: !Ref 'DomainName'
- RoutingRuleCondition:
KeyPrefixEquals: "4.0/"
RedirectRule:
HostName: !Ref 'DomainName'
HttpRedirectCode: 301
Protocol: "https"
ReplaceKeyPrefixWith: ""
WebsiteCloudfront:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Comment: Cloudfront Distribution pointing to S3 bucket
Origins:
- DomainName: !Join [ '', !Split [ 'http://', !GetAtt 'S3BucketForWebsiteContent.WebsiteURL' ] ]
Id: S3Origin
CustomOriginConfig:
OriginProtocolPolicy: 'http-only'
Enabled: true
HttpVersion: 'http2'
Aliases:
- !Ref 'DomainName'
CustomErrorResponses:
- ErrorCode: 403
ResponseCode: 404
ResponsePagePath: /404.html
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
- OPTIONS
Compress: true
TargetOriginId: S3Origin
ForwardedValues:
QueryString: false
Cookies:
Forward: none
ViewerProtocolPolicy: redirect-to-https
ResponseHeadersPolicyId: !Ref WebsiteCloudFrontPolicies
PriceClass: PriceClass_All
ViewerCertificate:
AcmCertificateArn: !Ref 'AcmCertificateArn'
SslSupportMethod: sni-only
WebsiteCloudFrontPolicies:
Type: AWS::CloudFront::ResponseHeadersPolicy
Properties:
ResponseHeadersPolicyConfig:
Name: Docs-Security-Header-Policy
Comment: The Vapor Docs security header policy
CustomHeadersConfig:
Items:
- Header: Permissions-Policy
Value: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()
Override: false
- Header: server
Value: 'Vapor Docs'
Override: true
- Header: Content-Security-Policy-Report-Only
Value: default-src 'none'; script-src 'self'; img-src 'self' data:; style-src 'self'; font-src 'self'; connect-src 'self'
Override: false
SecurityHeadersConfig:
#ContentSecurityPolicy:
# ContentSecurityPolicy: default-src 'none'; script-src 'self'; img-src 'self' data:; style-src 'self'; font-src 'self'; connect-src 'self'
# Override: false
ContentTypeOptions:
Override: false
FrameOptions:
FrameOption: DENY
Override: false
ReferrerPolicy:
ReferrerPolicy: strict-origin-when-cross-origin
Override: false
StrictTransportSecurity:
AccessControlMaxAgeSec: 63072000
IncludeSubdomains: true
Preload: false
Override: false
XSSProtection:
ModeBlock: true
Protection: true
Override: false
Outputs:
CloudfrontURL:
Description: 'Cloudfront URL'
Value: !GetAtt WebsiteCloudfront.DomainName
BucketName:
Description: 'Name of S3 bucket to hold website content'
Value: !Ref 'S3BucketForWebsiteContent'