forked from aws-samples/cloudfront-authorization-at-edge
-
Notifications
You must be signed in to change notification settings - Fork 0
/
reuse-auth-only.yaml
151 lines (140 loc) · 6.32 KB
/
reuse-auth-only.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
Example stack to that reuses the auth portion of the serverless application
in your own CloudFront distribution.
After deployment, manually update the User Pool client to point the 'Callback URL' and 'Sign out URL' to the URL of the CloudFront distribution.
Alternately, add an alternate domain name to the CloudFront distribution and provide the name as parameter to the serverless stack. The alternate
domain will also require adding a certificate to the Cloudfront Distribution. This alternative will set the User Pool client to the right Callback URL
and Sign out URL automatically.
The sample CloudFront distribution illustrates a full pattern of use -- modify it as needed.
The HttpHeaders parameter and corresponding reference in the 'LambdaEdgeProtection' nested application Resource
illustrates how to pass information to the underlying SAM app
Outputs illustrate retrieving values from the underlying SAM application
Parameters:
BucketNameParameter:
Type: String
Description: A legal bucket name. Must not exist.
PriceClass:
Type: String
Description: CloudFront price class, e.g. PriceClass_200 for most regions (default), PriceClass_All for all regions (the default), PriceClass_100 least expensive (US, Canada, Europe), or PriceClass_All
Default: PriceClass_200
SemanticVersion:
Type: String
Description: Semantic version of the back end
Default: 2.1.8
HttpHeaders:
Type: String
Description: The HTTP headers to set on all responses from CloudFront. Defaults are illustrations only and contain a report-only Cloud Security Policy -- adjust for your application
Default: >-
{
"Content-Security-Policy-Report-Only": "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; connect-src 'self' https://*.amazonaws.com https://*.amazoncognito.com",
"Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
"Referrer-Policy": "same-origin",
"X-XSS-Protection": "1; mode=block",
"X-Frame-Options": "DENY",
"X-Content-Type-Options": "nosniff"
}
Resources:
ApplicationBucket:
Type: AWS::S3::Bucket
DeletionPolicy: Retain
Properties:
BucketName:
Ref: BucketNameParameter
CloudFrontOriginAccessIdentity:
Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
Properties:
CloudFrontOriginAccessIdentityConfig:
Comment: !Sub "${BucketNameParameter}-OAI"
S3AccessPolicyForOAI:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: ApplicationBucket
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
CanonicalUser:
Fn::GetAtt: [CloudFrontOriginAccessIdentity, S3CanonicalUserId]
Action: "s3:GetObject"
Resource: !Sub "${ApplicationBucket.Arn}/*"
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
# Aliases: <your alternate domain names, also pass these to the serverless stack below>
# ViewerCertificate: <the config for your HTTPS certificate>
CacheBehaviors:
- PathPattern: /parseauth
Compress: true
ForwardedValues:
QueryString: true
LambdaFunctionAssociations:
- EventType: viewer-request
LambdaFunctionARN: !GetAtt LambdaEdgeProtection.Outputs.ParseAuthHandler
TargetOriginId: dummy-origin
ViewerProtocolPolicy: redirect-to-https
- PathPattern: /refreshauth
Compress: true
ForwardedValues:
QueryString: true
LambdaFunctionAssociations:
- EventType: viewer-request
LambdaFunctionARN: !GetAtt LambdaEdgeProtection.Outputs.RefreshAuthHandler
TargetOriginId: dummy-origin
ViewerProtocolPolicy: redirect-to-https
- PathPattern: /signout
Compress: true
ForwardedValues:
QueryString: true
LambdaFunctionAssociations:
- EventType: viewer-request
LambdaFunctionARN: !GetAtt LambdaEdgeProtection.Outputs.SignOutHandler
TargetOriginId: dummy-origin
ViewerProtocolPolicy: redirect-to-https
DefaultCacheBehavior:
Compress: true
ForwardedValues:
QueryString: true
LambdaFunctionAssociations:
- EventType: viewer-request
LambdaFunctionARN: !GetAtt LambdaEdgeProtection.Outputs.CheckAuthHandler
- EventType: origin-response
LambdaFunctionARN: !GetAtt LambdaEdgeProtection.Outputs.HttpHeadersHandler
TargetOriginId: protected-origin
ViewerProtocolPolicy: redirect-to-https
Enabled: true
Origins:
- DomainName: example.org # Dummy origin is used for Lambda@Edge functions, keep this as-is
Id: dummy-origin
CustomOriginConfig:
OriginProtocolPolicy: match-viewer
- DomainName: !GetAtt ApplicationBucket.RegionalDomainName
Id: protected-origin
S3OriginConfig:
OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}"
CustomErrorResponses:
- ErrorCode: 404
ResponseCode: 200
ResponsePagePath: /index.html
PriceClass: !Ref PriceClass
DefaultRootObject: index.html
LambdaEdgeProtection:
Type: AWS::Serverless::Application
Properties:
Location:
ApplicationId: arn:aws:serverlessrepo:us-east-1:520945424137:applications/cloudfront-authorization-at-edge
SemanticVersion: !Ref SemanticVersion
Parameters:
CreateCloudFrontDistribution: "false"
HttpHeaders: !Ref HttpHeaders
# AlternateDomainNames: <your alternate domain names, this will be the same list as the aliases of your CloudFront distribution above>
Outputs:
UserPoolId:
Description: The user pool id to illustrate how to retrieve outputs from the SAM app
Value: !GetAtt LambdaEdgeProtection.Outputs.UserPoolId