project-resources-with-domain.yml

# TODO: this does not enable CORS support
# that should either be an option, or just done all of the time
AWSTemplateFormatVersion: '2010-09-09'
Description: portal ecs stack
Parameters:
  ProjectName:
    Type: String
    Description: This should be lower case with words seperated by dashes. This same name
      will need to be used as folder name in the cc-project-resources S3 bucket
Resources:
  ReportDNS:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        # need to get this from the cloudfront distribution
        DNSName: !GetAtt CloudFrontDistribution.DomainName
        # static zone id from documentation
        HostedZoneId: Z2FDTNDATAQYW2
      HostedZoneName: concord.org.
      Name: !Sub '${ProjectName}-resources.concord.org'
      Type: A

  AccessGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: !Sub 'GroupAccess-${ProjectName}-Resources'

  AccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub 'Access-${ProjectName}-Resources'
      Groups:
      - !Ref AccessGroup
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Sid: AllowUserToSeeBucketListInTheConsole
          Action:
          - s3:ListAllMyBuckets
          - s3:GetBucketLocation
          Effect: Allow
          Resource: '*'
        - Sid: AllowRootAndHomeListingOfBucket
          Action:
          - s3:ListBucket
          Effect: Allow
          Resource:
          - arn:aws:s3:::cc-project-resources
          Condition:
            StringEquals:
              s3:prefix:
              - ''
              s3:delimiter:
              - "/"
        - Sid: AllowRootListingWithoutPrefix
          Action:
          - s3:ListBucket
          Effect: Allow
          Resource:
          - arn:aws:s3:::cc-project-resources
          Condition:
            'Null':
              s3:prefix: 'true'
            StringEquals:
              s3:delimiter:
              - "/"
        - Sid: AllowListingOfProjectFolder
          Action:
          - s3:ListBucket
          Effect: Allow
          Resource:
          - arn:aws:s3:::cc-project-resources
          Condition:
            StringLike:
              s3:prefix:
              - !Sub '${ProjectName}/*'
        - Sid: AllowMostReadActionsOnBucket
          Effect: Allow
          Action:
          - s3:GetAccelerateConfiguration
          - s3:GetAnalyticsConfiguration
          - s3:GetBucketAcl
          - s3:GetBucketCORS
          - s3:GetBucketLogging
          - s3:GetBucketNotification
          - s3:GetBucketPolicy
          - s3:GetBucketRequestPayment
          - s3:GetBucketTagging
          - s3:GetBucketVersioning
          - s3:GetBucketWebsite
          - s3:GetInventoryConfiguration
          - s3:GetIpConfiguration
          - s3:GetLifecycleConfiguration
          - s3:GetMetricsConfiguration
          - s3:GetReplicationConfiguration
          Resource:
          - arn:aws:s3:::cc-project-resources
        - Sid: AllowAllS3ActionsOnObjectsInProjectFolder
          Effect: Allow
          Action:
          - s3:GetObject
          - s3:GetObjectAcl
          - s3:GetObjectTagging
          - s3:GetObjectTorrent
          - s3:GetObjectVersion
          - s3:GetObjectVersionAcl
          - s3:GetObjectVersionForReplication
          - s3:GetObjectVersionTagging
          - s3:GetObjectVersionTorrent
          - s3:ListMultipartUploadParts
          - s3:AbortMultipartUpload
          - s3:DeleteObject
          - s3:DeleteObjectTagging
          - s3:DeleteObjectVersionTagging
          - s3:PutObject
          - s3:PutObjectTagging
          - s3:PutObjectVersionTagging
          - s3:ReplicateDelete
          - s3:ReplicateObject
          - s3:ReplicateTags
          - s3:RestoreObject
          - s3:ObjectOwnerOverrideToBucketOwner
          - s3:PutObjectAcl
          - s3:PutObjectVersionAcl

          Resource:
          - !Sub 'arn:aws:s3:::cc-project-resources/${ProjectName}'
          - !Sub 'arn:aws:s3:::cc-project-resources/${ProjectName}/*'
        - Sid: AllowSomeDistributionAccessToHelpCyberduck
          Effect: Allow
          Action:
          - cloudfront:ListDistributions
          - cloudfront:GetDistribution
          - cloudfront:GetDistributionConfig
          - cloudfront:ListInvalidations
          - cloudfront:CreateInvalidation
          - cloudfront:GetInvalidation
          # There isn't documented support to limit these actions to a particular distribution
          # I suspect with experimentation we could craft this to work that way
          Resource: '*'

  CloudFrontDistribution:
    Type: "AWS::CloudFront::Distribution"
    Properties:
      DistributionConfig:
        Aliases:
        - !Sub '${ProjectName}-resources.concord.org'
        Comment: !Sub 'Cloudfront Distribution for ${ProjectName} resources'
        DefaultCacheBehavior:
          AllowedMethods:
          - GET
          - HEAD
          Compress: true
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: none
          TargetOriginId: S3Origin
          ViewerProtocolPolicy: redirect-to-https
        Enabled: true
        HttpVersion: 'http2'
        Logging:
          Bucket: cc-cloudfront-logs.s3.amazonaws.com
          IncludeCookies: false
          Prefix: !Sub '${ProjectName}-resources'
        PriceClass: PriceClass_All
        Origins:
        - DomainName: cc-project-resources.s3.amazonaws.com
          Id: S3Origin
          OriginPath: !Sub '/${ProjectName}'
          CustomOriginConfig:
            OriginProtocolPolicy: https-only
        ViewerCertificate:
          AcmCertificateArn: arn:aws:acm:us-east-1:612297603577:certificate/2b62511e-ccc8-434b-ba6c-a8c33bbd509e
          SslSupportMethod: sni-only