aws-solutions / cloud-migration-factory-on-aws

The Cloud Migration Factory on AWS solution is designed to coordinate and automate manual processes for large-scale migrations. This solution helps enterprises improve performance and prevents long cutover windows by providing an orchestration platform for migrating workloads to AWS at scale.
https://aws.amazon.com/solutions/implementations/cloud-migration-factory-on-aws/
Apache License 2.0
61 stars 63 forks source link

Deployment error with bucket policy using OAI #27

Closed Kobayashi-Riku0226 closed 1 year ago

Kobayashi-Riku0226 commented 1 year ago

https://github.com/aws-solutions/cloud-migration-factory-on-aws/blob/master/deployment/CFN-templates/aws-cloud-migration-factory-solution.template

When deploying an AWS resource using the above template, the following error occurs in "FrontEndBucketPolicy".

cloudfront oai resource handler returned message: "invalid principal in policy

So please change to a template that uses OAC.

Kobayashi-Riku0226 commented 1 year ago

Specifically, the template can be deployed by doing the following.

  FrontEndBucketPolicy:
    Condition: DeployCloudFront
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref FrontEndBucket
      PolicyDocument:
        Statement:
        - Action: s3:GetObject
          Effect: Allow
          Resource: !Sub ${FrontEndBucket.Arn}/*
          Principal:
            Service: cloudfront.amazonaws.com
          Condition:
            StringEquals:
              AWS:SourceArn: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudfrontDistribution}

  CloudFrontOriginAccessControl:
    Condition: DeployCloudFront
    Type: AWS::CloudFront::OriginAccessControl
    Properties: 
      OriginAccessControlConfig:
        Description: Default Origin Access Control
        Name: !Ref AWS::StackName
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4

  CloudfrontDistribution:
    Condition: DeployCloudFront
    DependsOn: CloudFrontFunction
    Type: AWS::CloudFront::Distribution
    Properties:
      Tags:
        -
          Key: application
          Value: !Ref Application
        -
          Key: environment
          Value: !Ref Environment
        -
          Key: Name
          Value: !Sub ${Application}-${Environment}-CloudFrontDistribution
      DistributionConfig:
        WebACLId:
          !If
          - DeployWAF
          - !GetAtt WAFFEStack.Outputs.WAFFEACLArn
          - !Ref 'AWS::NoValue'
        Enabled: true
        PriceClass: 'PriceClass_100'
        DefaultRootObject: 'index.html'
        ViewerCertificate:
          CloudFrontDefaultCertificate: true
          MinimumProtocolVersion: TLSv1.2_2018
        CustomErrorResponses:
          - ErrorCachingMinTTL: 300
            ErrorCode: 403
            ResponseCode: 200
            ResponsePagePath: '/index.html'
        HttpVersion: http2
        DefaultCacheBehavior:
          AllowedMethods:
            - HEAD
            - DELETE
            - POST
            - GET
            - OPTIONS
            - PUT
            - PATCH
          ForwardedValues:
            QueryString: false
          TargetOriginId: !Sub S3-${FrontEndBucket}
          ViewerProtocolPolicy: redirect-to-https
          FunctionAssociations:
            - EventType: viewer-response
              FunctionARN: !GetAtt CloudFrontFunction.FunctionMetadata.FunctionARN
        IPV6Enabled: true
        Logging:
          Bucket: !GetAtt AccessLoggingBucket.DomainName
        Origins:
          - DomainName: !GetAtt FrontEndBucket.DomainName
            Id: !Sub S3-${FrontEndBucket}
            S3OriginConfig:
              OriginAccessIdentity: ''
            OriginAccessControlId: !GetAtt CloudFrontOriginAccessControl.Id
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W70
            reason: "It is already TLSv1.2_2018"
chris-p-baker commented 1 year ago

Thanks @Kobayashi-Riku0226 this update is now included within v3.3.1 release due today (23rd October 2023).