in cdk/lib/recipe-search-ui-playground.ts [19:75]
constructor(scope: App, id: string, props: GuStackProps) {
super(scope, id, props);
const webAclId = aws_ssm.StringParameter.valueForStringParameter(this, `/account/services/waf/default-ruleset-arn`);
const staticBucketNameParam = new GuStringParameter(this, "StaticBucketName", {
fromSSM: true,
default: `/account/services/static.serving.bucket`,
description: "SSM parameter giving the name of a bucket which is to be used for static hosting"
});
const hostingBucket = Bucket.fromBucketName(this, "StaticBucket", staticBucketNameParam.valueAsString);
//We can't create the cert here, because it must live in us-east-1 for Cloudfront to use it.
const hostingCertArn = new GuStringParameter(this, "DistroCertArn", {
fromSSM: true,
default: `/${this.stage}/${this.stack}/${app}/GlobalCertArn`,
description: `Cert to use for recipe search UI playground ${this.stage}. This must reside in us-east-1`,
});
const hostingCert = Certificate.fromCertificateArn(this, "SearchPlaygroundCert", hostingCertArn.valueAsString);
const cloudFrontDistro = new Distribution(this, "SearchPlaygroundDist", {
certificate: hostingCert,
defaultRootObject: "index.html",
domainNames: [hostingDomain[this.stage]!],
enableLogging: false,
errorResponses: [],
priceClass: PriceClass.PRICE_CLASS_100,
httpVersion: HttpVersion.HTTP2_AND_3,
webAclId,
defaultBehavior: {
origin: new S3Origin(hostingBucket, {
originPath: `/${this.stage}/${app}`
})
}
});
hostingBucket.addToResourcePolicy(new PolicyStatement({
effect: Effect.ALLOW,
principals: [
new ServicePrincipal("cloudfront.amazonaws.com")
],
actions: ["s3:GetObject"],
resources: [`arn:aws:s3:::${hostingBucket.bucketName}/${app}/*`],
conditions: {
"StringEquals": {
"AWS::SourceArn": `arn:aws:cloudfront::${this.account}:distribution/${cloudFrontDistro.distributionId}`
}
}
}));
new CfnOutput(this, "DistroUrlOut", {
value: cloudFrontDistro.distributionDomainName,
});
}