Closed Kobayashi-Riku0226 closed 1 year ago
Specifically, the template can be deployed by doing the following.

```yaml
  FrontEndBucketPolicy:
    Condition: DeployCloudFront
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref FrontEndBucket
      PolicyDocument:
        Statement:
          - Action: s3:GetObject
            Effect: Allow
            Resource: !Sub ${FrontEndBucket.Arn}/*
            Principal:
              Service: cloudfront.amazonaws.com
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudfrontDistribution}

  CloudFrontOriginAccessControl:
    Condition: DeployCloudFront
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Description: Default Origin Access Control
        Name: !Ref AWS::StackName
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4

  CloudfrontDistribution:
    Condition: DeployCloudFront
    DependsOn: CloudFrontFunction
    Type: AWS::CloudFront::Distribution
    Properties:
      Tags:
        - Key: application
          Value: !Ref Application
        - Key: environment
          Value: !Ref Environment
        - Key: Name
          Value: !Sub ${Application}-${Environment}-CloudFrontDistribution
      DistributionConfig:
        WebACLId:
          !If
            - DeployWAF
            - !GetAtt WAFFEStack.Outputs.WAFFEACLArn
            - !Ref 'AWS::NoValue'
        Enabled: true
        PriceClass: 'PriceClass_100'
        DefaultRootObject: 'index.html'
        ViewerCertificate:
          CloudFrontDefaultCertificate: true
          MinimumProtocolVersion: TLSv1.2_2018
        CustomErrorResponses:
          - ErrorCachingMinTTL: 300
            ErrorCode: 403
            ResponseCode: 200
            ResponsePagePath: '/index.html'
        HttpVersion: http2
        DefaultCacheBehavior:
          AllowedMethods:
            - HEAD
            - DELETE
            - POST
            - GET
            - OPTIONS
            - PUT
            - PATCH
          ForwardedValues:
            QueryString: false
          TargetOriginId: !Sub S3-${FrontEndBucket}
          ViewerProtocolPolicy: redirect-to-https
          FunctionAssociations:
            - EventType: viewer-response
              FunctionARN: !GetAtt CloudFrontFunction.FunctionMetadata.FunctionARN
        IPV6Enabled: true
        Logging:
          Bucket: !GetAtt AccessLoggingBucket.DomainName
        Origins:
          - DomainName: !GetAtt FrontEndBucket.DomainName
            Id: !Sub S3-${FrontEndBucket}
            S3OriginConfig:
              OriginAccessIdentity: ''
            OriginAccessControlId: !GetAtt CloudFrontOriginAccessControl.Id
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W70
            reason: "It is already TLSv1.2_2018"
```
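A defender's check for the pattern the template above relies on, added here as an example that is not part of the issue or of the project's template: it lints a template fragment (constructed below in CloudFormation JSON form, reusing only the issue's resource names) for a CloudFront bucket grant pinned by AWS:SourceArn and for S3 origins that use OAC rather than a legacy OAI, and shows the weakened variant being flagged.

```python
"""Lint a CloudFormation template for the OAC pattern from this issue: the bucket
policy may grant cloudfront.amazonaws.com read access only when AWS:SourceArn is
pinned to one distribution, and S3 origins must use OAC rather than a legacy OAI."""
import copy, json

# Constructed fragment (CloudFormation JSON form, as a Python dict) mirroring the
# two resources posted above; only the resource names are taken from the issue.
GOOD = {"Resources": {
    "FrontEndBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "FrontEndBucket"},
        "PolicyDocument": {"Statement": [{
            "Action": "s3:GetObject", "Effect": "Allow",
            "Resource": {"Fn::Sub": "${FrontEndBucket.Arn}/*"},
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Condition": {"StringEquals": {"AWS:SourceArn": {"Fn::Sub":
                "arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudfrontDistribution}"}}}}]}}},
    "CloudfrontDistribution": {"Type": "AWS::CloudFront::Distribution", "Properties": {
        "DistributionConfig": {"Origins": [{
            "Id": "S3-frontend", "DomainName": {"Fn::GetAtt": ["FrontEndBucket", "DomainName"]},
            "S3OriginConfig": {"OriginAccessIdentity": ""},
            "OriginAccessControlId": {"Fn::GetAtt": ["CloudFrontOriginAccessControl", "Id"]}}]}}}}}

# Weak variant: the same template with the SourceArn condition dropped, so any
# distribution in any account that names this bucket as an origin could read it.
WEAK = copy.deepcopy(GOOD)
del WEAK["Resources"]["FrontEndBucketPolicy"]["Properties"]["PolicyDocument"]["Statement"][0]["Condition"]

def findings(template):
    """Return a list of problems found; an empty list means the pattern is intact."""
    out = []
    for name, res in template["Resources"].items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::S3::BucketPolicy":
            for st in props["PolicyDocument"]["Statement"]:
                prin = st.get("Principal")
                if st.get("Effect") != "Allow" or not isinstance(prin, dict) or prin.get("Service") != "cloudfront.amazonaws.com":
                    continue
                cond = st.get("Condition", {}).get("StringEquals", {})
                arn = cond.get("AWS:SourceArn") or cond.get("aws:SourceArn")
                # json.dumps flattens an Fn::Sub so a literal and a templated ARN are checked alike
                if not arn or ":distribution/" not in json.dumps(arn):
                    out.append(f"{name}: CloudFront grant is not pinned to a distribution ARN")
        elif res["Type"] == "AWS::CloudFront::Distribution":
            for o in props["DistributionConfig"].get("Origins", []):
                if "S3OriginConfig" in o and not o.get("OriginAccessControlId"):
                    out.append(f"{name}: S3 origin {o['Id']} has no OriginAccessControlId")
                if o.get("S3OriginConfig", {}).get("OriginAccessIdentity"):
                    out.append(f"{name}: S3 origin {o['Id']} still uses a legacy OAI")
    return out
```

`findings(GOOD)` returns an empty list, while `findings(WEAK)` reports the unpinned CloudFront grant; running it against a real template first requires converting the YAML short-form tags (`!Sub`, `!GetAtt`) into their JSON long form, which is what the constructed fragment already uses.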
Thanks @Kobayashi-Riku0226, this update is now included within the v3.3.1 release due today (23rd October 2023).
https://github.com/aws-solutions/cloud-migration-factory-on-aws/blob/master/deployment/CFN-templates/aws-cloud-migration-factory-solution.template
When deploying an AWS resource using the above template, the following error occurs in "FrontEndBucketPolicy".
So please change to a template that uses OAC.