feat: change cloudformation templates of cloudfront and codepipeline

template-cloudfront.yaml

@@ -8,6 +8,26 @@ Parameters:
 
 Resources:
 
+  AddIndexFunction:
+    Type: AWS::CloudFront::Function
+    Properties:
+      Name: "AddIndexFunction"
+      AutoPublish: true
+      FunctionConfig:
+        Comment: "Appends index.html for directory URIs"
+        Runtime: cloudfront-js-1.0
+      FunctionCode: |
+        function handler(event) {
+          var request = event.request;
+          var uri = request.uri;
+          if (uri.endsWith("/")) {
+            request.uri += "index.html";
+          } else if (uri === "") {
+            request.uri = "/index.html";
+          }
+          return request;
+        }
+
   BlogOriginAccessControl:
     Type: AWS::CloudFront::OriginAccessControl
     Properties:
@@ -22,6 +42,7 @@ Resources:
     Properties:
       DistributionConfig:
         Enabled: true
+        DefaultRootObject: index.html
         Origins:
           - Id: S3WebsiteOrigin
             DomainName: !Sub "${WebsiteBucketName}.s3.amazonaws.com"
@@ -40,10 +61,19 @@ Resources:
             QueryString: false
             Cookies:
               Forward: none
+          FunctionAssociations:
+            - EventType: viewer-request
+              FunctionARN: !GetAtt AddIndexFunction.FunctionARN
         Aliases:
           - blog.n-daisuke897.com
         ViewerCertificate:
-          AcmCertificateArn: "arn:aws:acm:us-east-1:692859919890:certificate/4d3e8182-71e0-4ccb-a437-36523f61a6c0"
+          AcmCertificateArn: !Sub "arn:aws:acm:us-east-1:${AWS::AccountId}:certificate/4d3e8182-71e0-4ccb-a437-36523f61a6c0"
           SslSupportMethod: sni-only
           MinimumProtocolVersion: TLSv1.2_2021
         PriceClass: PriceClass_200
+
+Outputs:
+  IdBlogCloudFrontDistribution:
+    Value: !Ref BlogCloudFrontDistribution
+    Export:
+      Name: BlogCloudFrontDistribution-ID

template-codepipeline.yaml

@@ -12,14 +12,11 @@ Resources:
     Type: AWS::S3::Bucket
     Properties:
       BucketName: !Ref BucketName
-      WebsiteConfiguration:
-        IndexDocument: index.html
-        ErrorDocument: error.html
       PublicAccessBlockConfiguration:
-        BlockPublicAcls: false
-        BlockPublicPolicy: false
-        IgnorePublicAcls: false
-        RestrictPublicBuckets: false
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
 
   WebsiteBucketPolicy:
     Type: AWS::S3::BucketPolicy
@@ -36,12 +33,20 @@ Resources:
               - s3:PutObject
               - s3:DeleteObject
             Resource: !Sub "arn:aws:s3:::${WebsiteBucket}/*"
-          - Sid: PublicReadGetObject
+          - Sid: AllowCloudFrontOACGetObject
             Effect: Allow
-            Principal: "*"
+            Principal:
+              Service: cloudfront.amazonaws.com
             Action: 
               - s3:GetObject
             Resource: !Sub "arn:aws:s3:::${WebsiteBucket}/*"
+            Condition:
+              StringEquals:
+                AWS:SourceArn: 
+                  Fn::Sub:
+                    - arn:aws:cloudfront::${AWS::AccountId}:distribution/${MyCloudFrontDistribution}
+                    - MyCloudFrontDistribution:
+                        Fn::ImportValue: BlogCloudFrontDistribution-ID
 
   CodeBuildServiceRole:
     Type: AWS::IAM::Role