I am working on the AWS creation of the bucket and distribution using scripts. I have created a script and am running the stack template script in the AWS CloudFormation console.
I am creating the bucket policy for the S3 bucket using the script and a canonical ID. Once I create a bucket policy, I want to assign it to the "OriginAccessIdentity" dynamically in the script. I want to add the ID generated from the bucket policy to the "OriginAccessIdentity" attribute.
How can I achieve this functionality?
Script:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "AWS CloudFormation Template S3_With_CloudFront_Distribution",
  "Parameters": {
    "bucketname": { "Type": "String", "Description": "test" },
    "cannonicalid": { "Type": "String", "Description": "234213523145314534523452345234523452345" },
    "EnvType": { "Type": "String", "Default": "dev", "Description": "Assumed parameter: referenced by the CreateProdResources condition but not declared in the original template" }
  },
  "Conditions": {
    "CreateProdResources": { "Fn::Equals": [ { "Ref": "EnvType" }, "dev" ] }
  },
  "Resources": {
    "testbucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": { "Ref": "bucketname" },
        "WebsiteConfiguration": { "IndexDocument": "index.html" }
      }
    },
    "mybucketpolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "PolicyDocument": {
          "Id": "MyPolicy",
          "Statement": [ {
            "Sid": "Grant a CloudFront Origin Identity access to support private content",
            "Action": [ "s3:GetObject" ],
            "Effect": "Allow",
            "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "testbucket" }, "/*" ] ] },
            "Principal": { "CanonicalUser": { "Ref": "cannonicalid" } }
          } ]
        },
        "Bucket": { "Ref": "testbucket" }
      }
    },
    "testdistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Origins": [ {
            "Id": "S3Origin",
            "DomainName": { "Fn::GetAtt": [ "testbucket", "DomainName" ] },
            "S3OriginConfig": { "OriginAccessIdentity": "How to configure the id dynamically here" }
          } ],
          "Enabled": "true",
          "Comment": "",
          "DefaultRootObject": "index.html",
          "Aliases": [ "test.com" ],
          "CacheBehaviors": [ {
            "TargetOriginId": "S3Origin",
            "ForwardedValues": { "QueryString": "false" },
            "ViewerProtocolPolicy": "allow-all",
            "MinTTL": "1",
            "PathPattern": "resources/*.json"
          } ],
          "DefaultCacheBehavior": {
            "TargetOriginId": "S3Origin",
            "ForwardedValues": { "QueryString": "false" },
            "ViewerProtocolPolicy": "allow-all",
            "MinTTL": "1"
          }
        }
      }
    }
  },
  "Outputs": {
    "DistributionId": { "Description": "CloudFront Distribution Id", "Value": { "Ref": "testdistribution" } },
    "DistributionName": {
      "Description": "URL to access the CloudFront distribution",
      "Value": { "Fn::Join": [ "", [ "http://", { "Fn::GetAtt": [ "testdistribution", "DomainName" ] } ] ] }
    },
    "S3OriginDNSName": { "Description": "Name of S3 bucket to hold website content.", "Value": { "Fn::GetAtt": [ "testbucket", "DomainName" ] } }
  }
}
Since November 2, 2017, CloudFormation supports this using the AWS::CloudFront::CloudFrontOriginAccessIdentity resource.
With an origin access identity resource defined as:
"OriginAccessId": {
  "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
  "Properties": {
    "CloudFrontOriginAccessIdentityConfig": { "Comment": "MyDescription" }
  }
}
you can reference it in the distribution config with:
"OriginAccessIdentity" : { "Fn::Sub": "origin-access-identity/cloudfront/${OriginAccessId}" }
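As an added example (not code from the question or the answer): a Python helper that applies the answer's wiring to the question's template, and goes one step further than the answer by also pointing the bucket policy's CanonicalUser principal at the OAI through Fn::GetAtt S3CanonicalUserId, so the bucket grants s3:GetObject only to that identity and the hard-coded canonical-ID parameter is no longer needed. The logical name OriginAccessId is the one used in the answer; TEMPLATE is a constructed, cut-down copy of the question's template.

```python
import copy

# Constructed, minimal cut of the question's template: a bucket, a bucket policy
# keyed to a hard-coded canonical ID, and a distribution whose S3 origin still
# carries the placeholder string from the question.
TEMPLATE = {
    "Parameters": {"cannonicalid": {"Type": "String"}},
    "Resources": {
        "testbucket": {"Type": "AWS::S3::Bucket"},
        "mybucketpolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
            "Bucket": {"Ref": "testbucket"},
            "PolicyDocument": {"Statement": [{
                "Effect": "Allow", "Action": ["s3:GetObject"],
                "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "testbucket"}, "/*"]]},
                "Principal": {"CanonicalUser": {"Ref": "cannonicalid"}}}]}}},
        "testdistribution": {"Type": "AWS::CloudFront::Distribution", "Properties": {
            "DistributionConfig": {"Origins": [{
                "Id": "S3Origin",
                "DomainName": {"Fn::GetAtt": ["testbucket", "DomainName"]},
                "S3OriginConfig": {"OriginAccessIdentity": "How to configure the id dynamically here"}}]}}},
    },
}

OAI_LOGICAL_ID = "OriginAccessId"  # logical name used in the answer above

def wire_origin_access_identity(template):
    """Return a copy of template with an OAI resource added, every S3 origin
    pointed at it, and every CanonicalUser principal in a bucket policy swapped
    for the OAI's own canonical user (Fn::GetAtt S3CanonicalUserId)."""
    t = copy.deepcopy(template)
    res = t["Resources"]
    res[OAI_LOGICAL_ID] = {
        "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
        "Properties": {"CloudFrontOriginAccessIdentityConfig": {"Comment": "private S3 origin"}}}
    oai_ref = {"Fn::Sub": "origin-access-identity/cloudfront/${%s}" % OAI_LOGICAL_ID}
    oai_user = {"Fn::GetAtt": [OAI_LOGICAL_ID, "S3CanonicalUserId"]}
    for r in res.values():
        if r["Type"] == "AWS::CloudFront::Distribution":
            for origin in r["Properties"]["DistributionConfig"]["Origins"]:
                if "S3OriginConfig" in origin:  # custom (non-S3) origins carry no OAI
                    origin["S3OriginConfig"]["OriginAccessIdentity"] = oai_ref
        elif r["Type"] == "AWS::S3::BucketPolicy":
            for stmt in r["Properties"]["PolicyDocument"]["Statement"]:
                if "CanonicalUser" in stmt.get("Principal", {}):
                    stmt["Principal"]["CanonicalUser"] = oai_user
    t.get("Parameters", {}).pop("cannonicalid", None)  # hard-coded ID is no longer referenced
    return t
```

The bucket keeps no public grant: viewers reach objects only through the distribution, because the only principal left in the policy is the identity CloudFront signs its origin requests with.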