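---
# CloudFormation template for wa11y.co: a Route 53 hosted zone with mail
# (MX/DKIM/SPF) and third-party CNAME records, an ACM certificate, a private
# S3 bucket served through CloudFront behind an Origin Access Identity, a
# viewer-request function (www -> apex redirect, index.html rewriting) and a
# response headers policy carrying the site's security headers.
#
# NOTE(review): CloudFront only accepts ACM certificates issued in us-east-1,
# so this stack is presumably deployed in that region — confirm.
AWSTemplateFormatVersion: "2010-09-09"
Description: wa11y.co
Resources:
  # Wildcard certificate for the apex and every subdomain, validated through
  # DNS records that ACM places in the hosted zone below.
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: wa11y.co
      DomainValidationOptions:
        - DomainName: wa11y.co
          HostedZoneId:
            Ref: HostedZone
      SubjectAlternativeNames:
        - "*.wa11y.co"
      ValidationMethod: DNS

  HostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: wa11y.co

  # DKIM selectors are delegated by CNAME to the hosted mail provider
  # (fmhosted.com), so the signing keys are rotated there, not here.
  Dkim1:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId:
        Ref: HostedZone
      Name: fm1._domainkey.wa11y.co
      ResourceRecords:
        - fm1.wa11y.co.dkim.fmhosted.com
      TTL: 3600
      Type: CNAME

  Dkim2:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId:
        Ref: HostedZone
      Name: fm2._domainkey.wa11y.co
      ResourceRecords:
        - fm2.wa11y.co.dkim.fmhosted.com
      TTL: 3600
      Type: CNAME

  Dkim3:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId:
        Ref: HostedZone
      Name: fm3._domainkey.wa11y.co
      ResourceRecords:
        - fm3.wa11y.co.dkim.fmhosted.com
      TTL: 3600
      Type: CNAME

  DkimMesmtp:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId:
        Ref: HostedZone
      Name: mesmtp._domainkey.wa11y.co
      ResourceRecords:
        - mesmtp.wa11y.co.dkim.fmhosted.com
      TTL: 3600
      Type: CNAME

  # img.wa11y.co is hosted on Vercel; it is not served by this stack's
  # CloudFront distribution or covered by its response headers policy.
  Img:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId:
        Ref: HostedZone
      Name: img.wa11y.co
      ResourceRecords:
        - cname.vercel-dns.com
      TTL: 3600
      Type: CNAME

  # pt.wa11y.co (Portuguese translation) is hosted on GitHub Pages.
  PtTranslation:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId:
        Ref: HostedZone
      Name: pt.wa11y.co
      ResourceRecords:
        - anacuentro.github.io
      TTL: 3600
      Type: CNAME

  Mx:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId:
        Ref: HostedZone
      Name: wa11y.co
      ResourceRecords:
        - 10 in1-smtp.messagingengine.com
        - 20 in2-smtp.messagingengine.com
      TTL: 3600
      Type: MX

  # SPF for the apex. "?all" is neutral: mail from senders not listed here is
  # neither passed nor failed, so it offers little protection against
  # spoofing; "~all" (softfail) or "-all" (fail) is the usual hardening once
  # every legitimate sender is covered. This template defines no _dmarc TXT
  # record, so receivers have no DMARC policy to apply either.
  Txt:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId:
        Ref: HostedZone
      Name: wa11y.co
      ResourceRecords:
        - '"v=spf1 include:spf.messagingengine.com ?all"'
      TTL: 3600
      Type: TXT

  # Cache policy for the static site. Cookies and headers are excluded from
  # the cache key; MinTTL 600 means objects are held at least ten minutes
  # even if the origin asks for less.
  CachePolicy:
    Type: AWS::CloudFront::CachePolicy
    Properties:
      CachePolicyConfig:
        DefaultTTL: 600
        MaxTTL: 31536000
        MinTTL: 600
        Name:
          Fn::Sub: ${AWS::StackName}
        ParametersInCacheKeyAndForwardedToOrigin:
          CookiesConfig:
            CookieBehavior: none
          EnableAcceptEncodingBrotli: true
          EnableAcceptEncodingGzip: true
          HeadersConfig:
            HeaderBehavior: none
          QueryStringsConfig:
            # Allow cache busting via query strings (i.e. "style.css?v2" to
            # ignore the cached "style.css" and get the latest content).
            QueryStringBehavior: all

  # Identity CloudFront uses to read the private bucket (see BucketPolicy).
  OriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment:
          Fn::Sub: ${AWS::StackName}

  # Runs at the edge on every viewer request: permanently redirects www.* to
  # the apex host and rewrites directory-style URIs to their index.html so
  # the S3 REST origin can serve them. NOTE(review): the redirect rebuilds
  # the URL from host + uri only, so any query string is dropped; the
  # "contains a dot" check treats a path segment such as /v1.0 as a file.
  ViewerRequest:
    Type: AWS::CloudFront::Function
    Properties:
      AutoPublish: true
      FunctionCode: |
        function handler(event) {
          var request = event.request;
          var host = request.headers.host ? request.headers.host.value : undefined;
          if (host && host.startsWith('www.'))
            return {
              statusCode: 301,
              statusDescription: 'Redirect',
              headers: {
                location: {
                  value: 'https://' + host.substring(4) + request.uri
                }
              }
            }
          if (request.uri.endsWith('/'))
            request.uri += 'index.html';
          else if (!request.uri.includes('.'))
            request.uri += '/index.html';
          return request;
        }
      FunctionConfig:
        Comment: ViewerRequest
        Runtime: cloudfront-js-1.0
      # CloudFront Functions are global so need globally-safe names.
      Name:
        Fn::Sub: ${AWS::StackName}-${AWS::Region}-ViewerRequest

  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - wa11y.co
          - www.wa11y.co
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          CachedMethods:
            - GET
            - HEAD
            - OPTIONS
          CachePolicyId:
            Ref: CachePolicy
          Compress: true
          FunctionAssociations:
            - EventType: viewer-request
              FunctionARN:
                Ref: ViewerRequest
          ResponseHeadersPolicyId:
            Ref: ResponseHeadersPolicy
          TargetOriginId: website
          # Plain-HTTP viewers get a redirect; HSTS below then pins HTTPS.
          ViewerProtocolPolicy: redirect-to-https
        Enabled: true
        HttpVersion: http2
        IPV6Enabled: true
        Origins:
          - DomainName:
              Fn::Sub: ${Bucket}.s3.${AWS::Region}.amazonaws.com
            Id: website
            # S3 REST endpoint plus OAI, so the bucket never has to be public.
            S3OriginConfig:
              OriginAccessIdentity:
                Fn::Sub: origin-access-identity/cloudfront/${OriginAccessIdentity}
        PriceClass: PriceClass_All
        ViewerCertificate:
          AcmCertificateArn:
            Ref: Certificate
          MinimumProtocolVersion: TLSv1.2_2021
          SslSupportMethod: sni-only

  # Security headers attached to every response from the distribution.
  ResponseHeadersPolicy:
    Type: AWS::CloudFront::ResponseHeadersPolicy
    Properties:
      ResponseHeadersPolicyConfig:
        Name:
          Fn::Sub: ${AWS::StackName}
        CustomHeadersConfig:
          Items:
            # Report-only: violations are reported to report-uri.com but
            # nothing is blocked. img-src lists only data: and the Fathom
            # CDN, so images served from the site's own origin would be
            # reported (and blocked, if this were ever switched to an
            # enforcing Content-Security-Policy header).
            - Header: Content-Security-Policy-Report-Only
              Override: true
              Value: >-
                default-src 'none';
                img-src data: https://cdn.usefathom.com/;
                report-uri https://antagonist.report-uri.com/r/d/csp/reportOnly;
                script-src 'self' 'report-sample' https://cdn.usefathom.com/;
                style-src 'self';
                style-src-elem 'self';
            # Reporting endpoint group used by NEL below.
            - Header: Report-To
              Override: true
              Value: >-
                {
                "group": "default",
                "max_age": 31536000,
                "endpoints": [{
                "url": "https://antagonist.report-uri.com/a/d/g"
                }],
                "include_subdomains": true
                }
            # Network Error Logging: browsers report failed loads (DNS, TLS,
            # connection errors) to the "default" group above.
            - Header: NEL
              Override: true
              Value: >-
                {
                "report_to": "default",
                "max_age": 31536000,
                "include_subdomains": true
                }
        SecurityHeadersConfig:
          # Override false: only added when the origin did not set it.
          ContentTypeOptions:
            Override: false
          FrameOptions:
            FrameOption: DENY
            Override: true
          ReferrerPolicy:
            ReferrerPolicy: strict-origin-when-cross-origin
            Override: true
          # Two-year HSTS with includeSubDomains and preload. Preload is
          # effectively permanent once submitted, and includeSubDomains also
          # binds img.wa11y.co (Vercel) and pt.wa11y.co (GitHub Pages) to
          # HTTPS, so those third-party hosts must keep serving TLS.
          StrictTransportSecurity:
            AccessControlMaxAgeSec: 63072000
            IncludeSubdomains: true
            Preload: true
            Override: true
          # Legacy header: current browsers ignore X-XSS-Protection, and the
          # general recommendation is to send "0" (Protection: false) because
          # the old filter could be abused for cross-site leaks. Kept as
          # configured; revisit when the CSP above is enforced.
          XSSProtection:
            ModeBlock: true
            Protection: true
            Override: true

  RootRecordSet:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        DNSName:
          Fn::Sub: ${CloudFrontDistribution.DomainName}
        # Fixed hosted zone ID for CloudFront aliases # cspell:disable-line
        HostedZoneId: Z2FDTNDATAQYW2
      HostedZoneId:
        Ref: HostedZone
      Name: wa11y.co
      Type: A

  WwwRecordSet:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        DNSName:
          Fn::Sub: ${CloudFrontDistribution.DomainName}
        # Fixed hosted zone ID for CloudFront aliases # cspell:disable-line
        HostedZoneId: Z2FDTNDATAQYW2
      HostedZoneId:
        Ref: HostedZone
      Name: www.wa11y.co
      Type: A

  # Content bucket. All public access is blocked; CloudFront reaches it
  # through the Origin Access Identity via the S3 REST endpoint, so the
  # WebsiteConfiguration below is not what serves the site — directory index
  # handling is done by the ViewerRequest function, and nothing in the
  # distribution maps error.html to an error response.
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      WebsiteConfiguration:
        ErrorDocument: error.html
        IndexDocument: index.html

  # Grants the CloudFront Origin Access Identity read access to objects only.
  # Only s3:GetObject is granted (no s3:ListBucket), so requests for missing
  # keys come back as 403 rather than 404.
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: Bucket
      PolicyDocument:
        # Explicit policy language version; when omitted IAM falls back to
        # the older 2008-10-17 grammar.
        Version: "2012-10-17"
        Statement:
          - Action: s3:GetObject
            Effect: Allow
            Principal:
              AWS:
                Fn::Sub: >-
                  arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity
                  ${OriginAccessIdentity}
            Resource:
              Fn::Sub: arn:aws:s3:::${Bucket}/*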