j40-cejst-2/infrastructure/resources-cloudfront.yml

Resources:

  S3DataBucketPolicyCDN:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: DataBucket
      PolicyDocument:
        Statement:
          - Effect: "Allow"
            Action:
              - "s3:GetObject"
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:s3:::"
                  - Ref: DataBucket
                  - "/*"
            Principal: "*"

  DataBucketCachePolicy:
    Type: AWS::CloudFront::CachePolicy
    Properties:
      CachePolicyConfig:
        Name: ${self:provider.stage}-${self:service}-cloudfront-cache-policy
        Comment: CloudFront Cache Policy for justice40 data harvester
        DefaultTTL: "86400" # one day, only if Origin does _not_ send `Cache-Control` or `Expires` headers
        MaxTTL: "31536000" # one year, used to validate when origin sends `Cache-Control` or `Expires` headers
        MinTTL: "1" # one second
        ParametersInCacheKeyAndForwardedToOrigin:
          EnableAcceptEncodingGzip: false
          EnableAcceptEncodingBrotli: false
          CookiesConfig:
            CookieBehavior: none
          HeadersConfig:
            HeaderBehavior: none
          QueryStringsConfig:
            QueryStringBehavior: none

  DataDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
        - Id: DataBucket
          DomainName: 
            # e.g. j40-sit-justice40-data-harvester-data.s3-website-us-east-1.amazonaws.com 
            Fn::Join:
              - ""
              - - ${self:custom.namespaceShort}-
                - ${self:provider.stage}-
                - ${self:service}-
                - data
                - ".s3-website-"
                - Ref: AWS::Region
                - ".amazonaws.com"
          CustomOriginConfig:
            HTTPPort: '80'
            HTTPSPort: '443'
            OriginProtocolPolicy: http-only
            OriginSSLProtocols: [ "TLSv1", "TLSv1.1", "TLSv1.2" ]
          OriginCustomHeaders:
            - HeaderName: Origin # if the `Origin` header isn't present, S3 won't send CORS headers, this forces CORS to always be included
              HeaderValue: geoplatform.gov # this doesn't need to be anything specific, since Allow-Origin: * is our CORS policy, it just has to have a value
              
        Enabled: true
        HttpVersion: http2
        Comment: CDN for justice40 data bucket
        Aliases:
          - ${self:custom.environment.HOSTED_ZONE_SUBDOMAIN}.${self:custom.environment.HOSTED_ZONE_DOMAIN}
        PriceClass: PriceClass_All
        DefaultCacheBehavior:
          AllowedMethods: [HEAD, GET, OPTIONS]
          CachedMethods: [HEAD, GET]
          CachePolicyId:
            Ref: DataBucketCachePolicy
          MinTTL: '0'
          DefaultTTL: '0'
          TargetOriginId: DataBucket
          ViewerProtocolPolicy: redirect-to-https
        CustomErrorResponses: []
        ViewerCertificate:
          AcmCertificateArn: ${self:custom.environment.CLOUDFRONT_CERTIFICATE_ARN}
          SslSupportMethod: sni-only
Fargate Serverless Workers for Census Data Enrichment and Tile Generation (#230) * add basic infrastructure * add cloudfront distribution * WIP checkpoint * add ecs cluster * add conditions and route53 dns entry to cloudfront * WIP checkin * Added a raw execution mode for demo/testing * Add pre-defined Task for ogr2ogr * Tweak Task Definition name * Mostly working except for logging error * Add additional logging permissions * Succesfully executed ogr2ogr in fargate. S3 permissions needs to be addresses * Add multipart permissions * Add a few more actions * Put IAM Policy on the correct resource * Deploy lambda and update events * fix iam permissions 🤦🏻‍♂️ * Add reference to Tippecanoe container * Clean up to only use named actions * Refactor resources to include support for tippecanoe * Make a more interesting GDAL command * Pull all ECS variables into environment file; successful test of running tippecanoe container * Support pre/post commands * Refactor codebase and enable linting * Implement many-to-many enrichment between USDS CSV files and Census zipped shapefiles * Change the GDAL image to one with the built-in drivers * Add some additional fixes to support the enrichment use case * Clean up old hello-world example * Expand the README to include ways to execute the lambdas * Validate scheduled lambda execution and then comment out Co-authored-by: Tim Zwolak <timothypage@gmail.com> 2021-06-30 08:29:01 -05:00			`Resources:`

			`S3DataBucketPolicyCDN:`
			`Type: AWS::S3::BucketPolicy`
			`Properties:`
			`Bucket:`
			`Ref: DataBucket`
			`PolicyDocument:`
			`Statement:`
			`- Effect: "Allow"`
			`Action:`
			`- "s3:GetObject"`
			`Resource:`
			`Fn::Join:`
			`- ""`
			`- - "arn:aws:s3:::"`
			`- Ref: DataBucket`
			`- "/*"`
			`Principal: "*"`

			`DataBucketCachePolicy:`
			`Type: AWS::CloudFront::CachePolicy`
			`Properties:`
			`CachePolicyConfig:`
			`Name: ${self:provider.stage}-${self:service}-cloudfront-cache-policy`
			`Comment: CloudFront Cache Policy for justice40 data harvester`
			DefaultTTL: "86400" # one day, only if Origin does _not_ send `Cache-Control` or `Expires` headers
			MaxTTL: "31536000" # one year, used to validate when origin sends `Cache-Control` or `Expires` headers
			`MinTTL: "1" # one second`
			`ParametersInCacheKeyAndForwardedToOrigin:`
			`EnableAcceptEncodingGzip: false`
			`EnableAcceptEncodingBrotli: false`
			`CookiesConfig:`
			`CookieBehavior: none`
			`HeadersConfig:`
			`HeaderBehavior: none`
			`QueryStringsConfig:`
			`QueryStringBehavior: none`

			`DataDistribution:`
			`Type: AWS::CloudFront::Distribution`
			`Properties:`
			`DistributionConfig:`
			`Origins:`
			`- Id: DataBucket`
			`DomainName:`
			`# e.g. j40-sit-justice40-data-harvester-data.s3-website-us-east-1.amazonaws.com`
			`Fn::Join:`
			`- ""`
			`- - ${self:custom.namespaceShort}-`
			`- ${self:provider.stage}-`
			`- ${self:service}-`
			`- data`
			`- ".s3-website-"`
			`- Ref: AWS::Region`
			`- ".amazonaws.com"`
			`CustomOriginConfig:`
			`HTTPPort: '80'`
			`HTTPSPort: '443'`
			`OriginProtocolPolicy: http-only`
			`OriginSSLProtocols: [ "TLSv1", "TLSv1.1", "TLSv1.2" ]`
			`OriginCustomHeaders:`
			- HeaderName: Origin # if the `Origin` header isn't present, S3 won't send CORS headers, this forces CORS to always be included
			`HeaderValue: geoplatform.gov # this doesn't need to be anything specific, since Allow-Origin: * is our CORS policy, it just has to have a value`

			`Enabled: true`
			`HttpVersion: http2`
			`Comment: CDN for justice40 data bucket`
			`Aliases:`
			`- ${self:custom.environment.HOSTED_ZONE_SUBDOMAIN}.${self:custom.environment.HOSTED_ZONE_DOMAIN}`
			`PriceClass: PriceClass_All`
			`DefaultCacheBehavior:`
			`AllowedMethods: [HEAD, GET, OPTIONS]`
			`CachedMethods: [HEAD, GET]`
			`CachePolicyId:`
			`Ref: DataBucketCachePolicy`
			`MinTTL: '0'`
			`DefaultTTL: '0'`
			`TargetOriginId: DataBucket`
			`ViewerProtocolPolicy: redirect-to-https`
			`CustomErrorResponses: []`
			`ViewerCertificate:`
			`AcmCertificateArn: ${self:custom.environment.CLOUDFRONT_CERTIFICATE_ARN}`
			`SslSupportMethod: sni-only`