Resources:

  S3DataBucketPolicyCDN:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: DataBucket
      PolicyDocument:
        Statement:
          - Effect: "Allow"
            Action:
              - "s3:GetObject"
            Resource:
              Fn::Join:
                - ""
                - - "arn:aws:s3:::"
                  - Ref: DataBucket
                  - "/*"
            Principal: "*"

  DataBucketCachePolicy:
    Type: AWS::CloudFront::CachePolicy
    Properties:
      CachePolicyConfig:
        Name: ${self:provider.stage}-${self:service}-cloudfront-cache-policy
        Comment: CloudFront Cache Policy for justice40 data harvester
        DefaultTTL: "86400" # one day, only if Origin does _not_ send `Cache-Control` or `Expires` headers
        MaxTTL: "31536000" # one year, used to validate when origin sends `Cache-Control` or `Expires` headers
        MinTTL: "1" # one second
        ParametersInCacheKeyAndForwardedToOrigin:
          EnableAcceptEncodingGzip: false
          EnableAcceptEncodingBrotli: false
          CookiesConfig:
            CookieBehavior: none
          HeadersConfig:
            HeaderBehavior: none
          QueryStringsConfig:
            QueryStringBehavior: none

  DataDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
        - Id: DataBucket
          DomainName: 
            # e.g. j40-sit-justice40-data-harvester-data.s3-website-us-east-1.amazonaws.com 
            Fn::Join:
              - ""
              - - ${self:custom.namespaceShort}-
                - ${self:provider.stage}-
                - ${self:service}-
                - data
                - ".s3-website-"
                - Ref: AWS::Region
                - ".amazonaws.com"
          CustomOriginConfig:
            HTTPPort: '80'
            HTTPSPort: '443'
            OriginProtocolPolicy: http-only
            OriginSSLProtocols: [ "TLSv1", "TLSv1.1", "TLSv1.2" ]
          OriginCustomHeaders:
            - HeaderName: Origin # if the `Origin` header isn't present, S3 won't send CORS headers, this forces CORS to always be included
              HeaderValue: geoplatform.gov # this doesn't need to be anything specific, since Allow-Origin: * is our CORS policy, it just has to have a value
              
        Enabled: true
        HttpVersion: http2
        Comment: CDN for justice40 data bucket
        Aliases:
          - ${self:custom.environment.HOSTED_ZONE_SUBDOMAIN}.${self:custom.environment.HOSTED_ZONE_DOMAIN}
        PriceClass: PriceClass_All
        DefaultCacheBehavior:
          AllowedMethods: [HEAD, GET, OPTIONS]
          CachedMethods: [HEAD, GET]
          CachePolicyId:
            Ref: DataBucketCachePolicy
          MinTTL: '0'
          DefaultTTL: '0'
          TargetOriginId: DataBucket
          ViewerProtocolPolicy: redirect-to-https
        CustomErrorResponses: []
        ViewerCertificate:
          AcmCertificateArn: ${self:custom.environment.CLOUDFRONT_CERTIFICATE_ARN}
          SslSupportMethod: sni-only