feat: change cloudformation templates of cloudfront and codepipeline

2025-05-14 21:25:42 +09:00 · 2025-05-14 21:25:42 +09:00 · aa1f4a91bf
commit aa1f4a91bf
parent c352d43605
2 changed files with 46 additions and 11 deletions
--- a/template-codepipeline.yaml
+++ b/template-codepipeline.yaml
@ -12,14 +12,11 @@ Resources:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref BucketName
-      WebsiteConfiguration:
-        IndexDocument: index.html
-        ErrorDocument: error.html
      PublicAccessBlockConfiguration:
-        BlockPublicAcls: false
-        BlockPublicPolicy: false
-        IgnorePublicAcls: false
-        RestrictPublicBuckets: false
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true

  WebsiteBucketPolicy:
    Type: AWS::S3::BucketPolicy
@ -36,12 +33,20 @@ Resources:
              - s3:PutObject
              - s3:DeleteObject
            Resource: !Sub "arn:aws:s3:::${WebsiteBucket}/*"
-          - Sid: PublicReadGetObject
+          - Sid: AllowCloudFrontOACGetObject
            Effect: Allow
-            Principal: "*"
+            Principal:
+              Service: cloudfront.amazonaws.com
            Action: 
              - s3:GetObject
            Resource: !Sub "arn:aws:s3:::${WebsiteBucket}/*"
+            Condition:
+              StringEquals:
+                AWS:SourceArn: 
+                  Fn::Sub:
+                    - arn:aws:cloudfront::${AWS::AccountId}:distribution/${MyCloudFrontDistribution}
+                    - MyCloudFrontDistribution:
+                        Fn::ImportValue: BlogCloudFrontDistribution-ID

  CodeBuildServiceRole:
    Type: AWS::IAM::Role