I want a CloudFront distribution that serves a private S3 bucket, and for that I have to create an origin access identity. I can do this manually in the AWS console, but I want to create it from a CloudFormation script or serverless.yml, and at the same time be able to attach that origin access identity to my CloudFront distribution (in a single script). I referred to the documentation at https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-cloudfront.html
I tried the following code:
myDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Origins:
        - DomainName: bucket.s3.amazonaws.com
          Id: myS3Origin
          S3OriginConfig: {
            OriginAccessIdentity: origin-access-identity/cloudfront/ !Ref cloudfrontoriginaccessidentity
          }
      Enabled: 'true'
      Comment: Some comment
      DefaultCacheBehavior:
        ForwardedValues:
          QueryString: 'false'
          Cookies:
            Forward: none
        AllowedMethods:
          - GET
          - HEAD
          - OPTIONS
        TargetOriginId: myS3Origin
        ViewerProtocolPolicy: redirect-to-https
      PriceClass: PriceClass_200
      ViewerCertificate:
        CloudFrontDefaultCertificate: 'true'
    cloudfrontoriginaccessidentity:
      Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
      Properties:
        CloudFrontOriginAccessIdentityConfig:
          Comment: "some comment"
I need to create the origin access identity and a CloudFront distribution that uses it. Can both be done in one CloudFormation script or serverless.yml?
If so, please let me know.
Answer 0 (score: 0)
Yes, you can create both in the same CloudFormation template. cloudfrontoriginaccessidentity is a separate resource, so it needs to be moved out from under myDistribution.
myDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Origins:
        - DomainName: bucket.s3.amazonaws.com
          Id: myS3Origin
          S3OriginConfig:
            # A bare !Ref inside a plain string is not valid; build the
            # "origin-access-identity/cloudfront/<OAI ID>" path with Fn::Sub.
            OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${cloudfrontoriginaccessidentity}'
      Enabled: 'true'
      Comment: Some comment
      DefaultCacheBehavior:
        ForwardedValues:
          QueryString: 'false'
          Cookies:
            Forward: none
        AllowedMethods:
          - GET
          - HEAD
          - OPTIONS
        TargetOriginId: myS3Origin
        ViewerProtocolPolicy: redirect-to-https
      PriceClass: PriceClass_200
      ViewerCertificate:
        CloudFrontDefaultCertificate: 'true'
# The OAI is its own top-level resource, a sibling of myDistribution.
cloudfrontoriginaccessidentity:
  Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
  Properties:
    CloudFrontOriginAccessIdentityConfig:
      Comment: "toyoguard-acces-identity"
Answer 1 (score: 0)
You can absolutely create the origin access identity and the CloudFront distribution in the same serverless.yml.
I have modified your solution and changed OriginAccessIdentity to use Fn::Join.
myDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Origins:
        - DomainName: bucket.s3.amazonaws.com
          Id: myS3Origin
          S3OriginConfig:
            OriginAccessIdentity:
              Fn::Join:
                - ''
                -
                  - 'origin-access-identity/cloudfront/'
                  - Ref: cloudfrontoriginaccessidentity
      Enabled: 'true'
      Comment: Some comment
      DefaultCacheBehavior:
        ForwardedValues:
          QueryString: 'false'
          Cookies:
            Forward: none
        AllowedMethods:
          - GET
          - HEAD
          - OPTIONS
        TargetOriginId: myS3Origin
        ViewerProtocolPolicy: redirect-to-https
      PriceClass: PriceClass_200
      ViewerCertificate:
        CloudFrontDefaultCertificate: 'true'
cloudfrontoriginaccessidentity:
  Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
  Properties:
    CloudFrontOriginAccessIdentityConfig:
      Comment: "some comment"
The serverless examples repository also has a good example: https://github.com/serverless/examples/blob/master/aws-node-single-page-app-via-cloudfront/serverless.yml
Answer 2 (score: 0)
Don't forget to add the S3 policy and the bucket to your DependsOn list.
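The answers above show the OAI and the distribution but not the part that actually keeps the bucket private: the bucket policy that grants read access to the OAI and nothing else. The following is an added example, not code from the question or from any of the answers, of a serverless.yml `resources` section that ties the pieces together. The logical names (SiteBucket, SiteBucketPolicy, SiteOriginAccessIdentity, SiteDistribution) and the bucket name are assumed. It uses long-form intrinsic functions (`Ref:`, `Fn::Sub:`, `Fn::GetAtt:`) so the same `Resources` map can be pasted unchanged into a plain CloudFormation template.

```yaml
# Added example (not from the question or the answers). Logical resource names
# and the bucket name are assumed; replace them with your own.
resources:
  Resources:
    SiteBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: my-private-site-bucket-example   # assumed; must be globally unique
        # Keep the bucket private: reject public ACLs and public bucket policies,
        # so the only read path is the OAI grant below.
        PublicAccessBlockConfiguration:
          BlockPublicAcls: true
          BlockPublicPolicy: true
          IgnorePublicAcls: true
          RestrictPublicBuckets: true

    SiteOriginAccessIdentity:
      Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
      Properties:
        CloudFrontOriginAccessIdentityConfig:
          Comment: OAI for SiteBucket

    # Least privilege: s3:GetObject on objects only, to the OAI's canonical user
    # only. No s3:ListBucket, no wildcard principal.
    SiteBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket:
          Ref: SiteBucket
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Sid: AllowCloudFrontOAIRead
              Effect: Allow
              Principal:
                CanonicalUser:
                  Fn::GetAtt: [SiteOriginAccessIdentity, S3CanonicalUserId]
              Action: s3:GetObject
              Resource:
                Fn::Sub: arn:aws:s3:::${SiteBucket}/*

    SiteDistribution:
      Type: AWS::CloudFront::Distribution
      # As answer 2 suggests: create the distribution only after the bucket
      # policy exists, so the first requests do not hit a bucket the OAI
      # cannot read yet.
      DependsOn:
        - SiteBucketPolicy
      Properties:
        DistributionConfig:
          Enabled: true
          Comment: Private S3 bucket served through an OAI
          Origins:
            - Id: myS3Origin
              # The regional endpoint avoids the temporary redirects a freshly
              # created bucket returns on the global endpoint.
              DomainName:
                Fn::GetAtt: [SiteBucket, RegionalDomainName]
              S3OriginConfig:
                # Ref on the OAI resource returns its ID, which Fn::Sub substitutes here.
                OriginAccessIdentity:
                  Fn::Sub: origin-access-identity/cloudfront/${SiteOriginAccessIdentity}
          DefaultRootObject: index.html
          DefaultCacheBehavior:
            TargetOriginId: myS3Origin
            ViewerProtocolPolicy: redirect-to-https
            AllowedMethods: [GET, HEAD, OPTIONS]
            CachedMethods: [GET, HEAD]
            ForwardedValues:
              QueryString: false
              Cookies:
                Forward: none
          PriceClass: PriceClass_200
          ViewerCertificate:
            CloudFrontDefaultCertificate: true
```

A quick check after deployment: an unauthenticated `GET` against the bucket's own S3 URL should return 403, while the same object path via the distribution's domain should return 200. If the direct S3 request succeeds, the bucket policy or the public access block is not what the template says. Note that AWS now recommends Origin Access Control (OAC) over OAI for new distributions; the bucket-policy shape stays the same, with the principal changed to the `cloudfront.amazonaws.com` service and a condition on the distribution's ARN.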