シンプルかつセキュアなCloudFront+S3のホスティング環境をCloudFormationで作成する

AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template for serving static content using S3 and CloudFront.

Parameters:
  DomainName:
    Type: String
    Description: The custom domain name for the CloudFront distribution.
  StaticContentBucketName:
    Type: String
    Description: The backet name for put static contents.
  CertificateArn:
    Type: String
    Description: The certificate ARN.

Resources:
  StaticContentBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref StaticContentBucketName

  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref StaticContentBucket
      PolicyDocument:
        Statement:
          - Sid: AllowCloudFrontServicePrincipal
            Action:
              - s3:GetObject
              - s3:ListBucket
            Effect: Allow
            Resource:
              - !Sub 'arn:aws:s3:::${StaticContentBucket}/*'
              - !Sub 'arn:aws:s3:::${StaticContentBucket}'
            Principal:
              Service: cloudfront.amazonaws.com
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution.Id}'

  CloudFrontOAC:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: 'OAC'
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4

  CachePolicy:
    Type: AWS::CloudFront::CachePolicy
    Properties:
      CachePolicyConfig:
        Name: !Sub 'caching-optimized-policy'
        Comment: Custom cache policy similar to CachingOptimized
        DefaultTTL: 86400
        MaxTTL: 31536000
        MinTTL: 1
        ParametersInCacheKeyAndForwardedToOrigin:
          CookiesConfig:
            CookieBehavior: none
          EnableAcceptEncodingBrotli: true
          EnableAcceptEncodingGzip: true
          HeadersConfig:
            HeaderBehavior: none
          QueryStringsConfig:
            QueryStringBehavior: none

  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
          - DomainName: !GetAtt StaticContentBucket.RegionalDomainName
            Id: S3Origin
            OriginAccessControlId: !Ref CloudFrontOAC
            S3OriginConfig: {}
        Aliases:
          - !Ref DomainName
        Enabled: true
        DefaultCacheBehavior:
          Compress: true
          CachePolicyId: !Ref CachePolicy
          TargetOriginId: S3Origin
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none
          FunctionAssociations:
            - EventType: viewer-request
              FunctionARN: !GetAtt IndexHtmlRedirectFunction.FunctionARN
        DefaultRootObject: index.html
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2018

  IndexHtmlRedirectFunction:
    Type: AWS::CloudFront::Function
    Properties:
      Name: !Sub 'redirect-to-index-html'
      AutoPublish: true
      FunctionCode: |
        function handler(event) {
            var request = event.request;
            var uri = request.uri;
            if (uri.endsWith('/')) {
                request.uri += 'index.html';
            } else if (!uri.includes('.')) {
                request.uri += '/index.html';
            }
            return request;
        }        
      FunctionConfig:
        Comment: Redirect to index.html for subdirectories
        Runtime: cloudfront-js-2.0

Outputs:
  S3BucketName:
    Value: !Ref StaticContentBucket
    Description: Name of the S3 bucket for static content.

  CloudFrontDistributionDomainName:
    Value: !GetAtt CloudFrontDistribution.DomainName
    Description: Domain name of the CloudFront distribution.