AWS - CloudFormation script to create an S3 bucket and a distribution

Time: 2013-12-17 11:24:10

Tags: amazon-web-services amazon-cloudfront

I am developing an AWS script to create a bucket and a distribution. I have created a script in the AWS CloudFormation console and run the stack template script.

In the script I am creating a bucket policy for the S3 bucket using a canonical ID. After the bucket policy is created, I want to assign it dynamically to the "OriginAccessIdentity" in the script. I want to add the id generated by the bucket policy to the "OriginAccessIdentity" property.

How can I achieve this?

Script:

{
    "AWSTemplateFormatVersion" : "2010-09-09",

    "Description" : "AWS CloudFormation Template S3_With_CloudFront_Distribution",

    "Parameters" : {
        "bucketname" : {
          "Type" : "String",
          "Description" : "test"
        },

        "cannonicalid" : {
          "Type" : "String",
          "Description" : "234213523145314534523452345234523452345"
        },

        "EnvType" : {
          "Type" : "String",
          "Default" : "dev",
          "Description" : "Environment type. Added so that the CreateProdResources condition below resolves; the template as posted referenced EnvType without declaring it, which fails validation."
        }
    },

     "Conditions" : {
        "CreateProdResources" : {"Fn::Equals" : [{"Ref" : "EnvType"}, "dev"]}
    },

    "Resources" : {
        "testbucket" : {
          "Type" : "AWS::S3::Bucket",
          "Properties" : {      
            "BucketName" : { "Ref" : "bucketname" },          
            "WebsiteConfiguration" : {
               "IndexDocument" : "index.html"              
            }
          }
        },


        "mybucketpolicy" : {
           "Type" : "AWS::S3::BucketPolicy",
           "Properties" : {
              "PolicyDocument" : {
                 "Id" : "MyPolicy",
                 "Statement" : [ {
                    "Sid" : "Grant a CloudFront Origin Identity access to support private content",
                    "Action" : [ "s3:GetObject" ],
                    "Effect" : "Allow",
                    "Resource" : { "Fn::Join" : [
                          "", [ "arn:aws:s3:::", { "Ref" : "testbucket" } , "/*" ]
                       ] },
                    "Principal" : {
                       "CanonicalUser":{ "Ref" : "cannonicalid" }
                    }
                 } ]
              },
              "Bucket" : { "Ref" : "testbucket" }
              }
        },


        "testdistribution" : {
            "Type" : "AWS::CloudFront::Distribution",
            "Properties" : {
               "DistributionConfig" : {
                   "Origins" : [ {
                           "Id" : "S3Origin",
                           "DomainName" : { "Fn::GetAtt" : [ "testbucket", "DomainName" ] },
                           "S3OriginConfig" : {
                               "OriginAccessIdentity" : "How to configure the id dynamically here"
                           }
                       }
                   ],

                   "Enabled" : "true",
                   "Comment" : "",
                   "DefaultRootObject" : "index.html",                    
                   "Aliases" : [ "test.com" ],

                   "CacheBehaviors" : [ {
                            "TargetOriginId" : "S3Origin",
                            "ForwardedValues" : {
                                "QueryString" : "false"
                            },                            
                            "ViewerProtocolPolicy" : "allow-all",
                            "MinTTL" : "1",
                            "PathPattern" : "resources/*.json"
                        }
                   ],
                   "DefaultCacheBehavior" : {
                       "TargetOriginId" : "S3Origin",
                       "ForwardedValues" : {
                           "QueryString" : "false"
                        },                       
                       "ViewerProtocolPolicy" : "allow-all",
                       "MinTTL" : "1"
                   }
                }
            }
        }
    },
    "Outputs" : {
        "DistributionId" : {
            "Description" : "CloudFront Distribution Id",
            "Value" : { "Ref" : "testdistribution" }
        },
        "DistributionName" : {
             "Description" : "URL to access the CloudFront distribution",
             "Value" : { "Fn::Join" : [ "", ["http://", {"Fn::GetAtt" : ["testdistribution", "DomainName"]} ]]}
        },
        "S3OriginDNSName" : {
             "Description" : "Name of S3 bucket to hold website content.",
             "Value" : { "Fn::GetAtt" : [ "testbucket", "DomainName"] }
        }
  }
}  

3 answers:

Answer 0 (score: 16)

Since 2 November 2017, CloudFormation supports this with the AWS::CloudFront::CloudFrontOriginAccessIdentity resource.

Define the origin access identity resource as:

"OriginAccessId": {
    "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
    "Properties": {
        "CloudFrontOriginAccessIdentityConfig": {
            "Comment": "MyDescription"
        }
    }
}

and reference it in the distribution config with:

"OriginAccessIdentity" : { 
  "Fn::Sub": "origin-access-identity/cloudfront/${OriginAccessId}"
}
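A complete template that ties the three resources together, added here as an example; it is not code from the question or from any of the answers. It assumes the bucket is meant to be reachable only through CloudFront: the bucket policy's principal is the OAI's own canonical user, taken with Fn::GetAtt on the S3CanonicalUserId attribute, so no canonical ID has to be pasted in as a parameter, and the S3OriginConfig references the same OAI with Fn::Sub. The origin uses the bucket's REST endpoint (RegionalDomainName) rather than a website endpoint, because an OAI can only authenticate against the REST endpoint, so the WebsiteConfiguration from the question is dropped. All resource names and the BucketName parameter are placeholders.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example: private S3 bucket served only through CloudFront via an Origin Access Identity",
  "Parameters": {
    "BucketName": {
      "Type": "String",
      "Description": "Placeholder: a globally unique bucket name"
    }
  },
  "Resources": {
    "ContentBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": { "Ref": "BucketName" },
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true,
          "BlockPublicPolicy": true,
          "IgnorePublicAcls": true,
          "RestrictPublicBuckets": true
        }
      }
    },
    "OriginAccessId": {
      "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
      "Properties": {
        "CloudFrontOriginAccessIdentityConfig": {
          "Comment": { "Fn::Sub": "OAI for ${BucketName}" }
        }
      }
    },
    "ContentBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "ContentBucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [ {
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {
              "CanonicalUser": { "Fn::GetAtt": [ "OriginAccessId", "S3CanonicalUserId" ] }
            },
            "Action": "s3:GetObject",
            "Resource": { "Fn::Sub": "arn:aws:s3:::${ContentBucket}/*" }
          } ]
        }
      }
    },
    "Distribution": {
      "Type": "AWS::CloudFront::Distribution",
      "DependsOn": "ContentBucketPolicy",
      "Properties": {
        "DistributionConfig": {
          "Enabled": true,
          "DefaultRootObject": "index.html",
          "HttpVersion": "http2",
          "Origins": [ {
            "Id": "S3Origin",
            "DomainName": { "Fn::GetAtt": [ "ContentBucket", "RegionalDomainName" ] },
            "S3OriginConfig": {
              "OriginAccessIdentity": { "Fn::Sub": "origin-access-identity/cloudfront/${OriginAccessId}" }
            }
          } ],
          "DefaultCacheBehavior": {
            "TargetOriginId": "S3Origin",
            "ViewerProtocolPolicy": "redirect-to-https",
            "Compress": true,
            "ForwardedValues": { "QueryString": false }
          }
        }
      }
    }
  },
  "Outputs": {
    "DistributionDomainName": {
      "Description": "CloudFront hostname to put behind the site's DNS name",
      "Value": { "Fn::GetAtt": [ "Distribution", "DomainName" ] }
    },
    "OAICanonicalUserId": {
      "Description": "Canonical user of the OAI; this is what the bucket policy trusts",
      "Value": { "Fn::GetAtt": [ "OriginAccessId", "S3CanonicalUserId" ] }
    }
  }
}
```

CloudFormation JSON has no comment syntax, so the reasoning lives here: the PublicAccessBlockConfiguration is what stops someone later attaching a "Principal": "*" statement to the bucket, while a policy whose principal is a specific CanonicalUser (the OAI) is not classed as public and still takes effect. The DependsOn on the bucket policy makes sure the grant exists before the distribution starts fetching, which avoids 403s being cached for the error TTL on first deploy. After a deploy, a quick check that the intended path is the only one is to request an object via the bucket's REST endpoint directly (expect AccessDenied) and via the distribution hostname (expect 200).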

Answer 1 (score: 3)

You cannot create an Origin Access Identity with CloudFormation. The only CloudFront resource available through CloudFormation is the AWS::CloudFront::Distribution resource.

You can avoid hard-coding the reference to the OAI in the template by passing in an existing OAI as a parameter when you create the stack. You can then use this parameter as the value of S3OriginConfig in the S3Origin type, associated with the OriginAccessIdentity key.

This is not ideal, but it lets you make your template more generic.

Answer 2 (score: 0)

This works :)
ApplicationName and DomainName are parameters:

TheCloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - !Sub '${ApplicationName}-ui.${DomainName}'
        DefaultCacheBehavior:
          Compress: true
          ForwardedValues:
            QueryString: false
          TargetOriginId: !Sub '${ApplicationName}.${DomainName}'
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        CustomErrorResponses:
          - ErrorCachingMinTTL: 300
            ErrorCode: 403
            ResponseCode: 404
            ResponsePagePath: /404.html
        Enabled: true
        HttpVersion: http2
        Origins:
          - DomainName:
              !Sub '${TheBucket}.s3.amazonaws.com'
            Id: !Sub '${ApplicationName}.${DomainName}'
            S3OriginConfig:
              OriginAccessIdentity: !Join [ "", [ "origin-access-identity/cloudfront/", !Ref TheCloudFrontOriginAccessIdentity ] ]
--
--
--
TheCloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub 'CloudFront OAI for sd-${ApplicationName}.${DomainName}'