2

I have created a yaml document to create an S3 bucket and attach it to a distribution.



Resources:

  S3BucketContent:
    DeletionPolicy: 'Delete'
    Metadata:
      Comment: 'Bucket to store Content'
    Properties:
      AccessControl: 'Private'
      BucketName: !Sub '${AWS::StackName}-content-bucket'
    Type: 'AWS::S3::Bucket'

  S3BucketPolicy:
    Metadata:
      Comment: 'Bucket policy to allow cloudfront to access the data'
    Properties:
      Bucket: !Ref S3BucketContent
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: 'Allow'
            Principal:
              CanonicalUser: !GetAtt CfOriginAccessIdentity.S3CanonicalUserId
            Resource:
              - !Sub 'arn:aws:s3:::${S3BucketContent}/*'
    Type: 'AWS::S3::BucketPolicy'

  CfDistribution:
    Metadata:
      Comment: 'A simple CloudFront distribution with an S3 origin'
    Properties:
      DistributionConfig:
        Comment: 'A simple distribution with an S3 origin'
        DefaultCacheBehavior:
          AllowedMethods:
            - 'HEAD'
            - 'GET'
          CachedMethods:
            - 'HEAD'
            - 'GET'
          Compress: false
          DefaultTTL: 86400
          ForwardedValues:
            Cookies:
              Forward: 'none'
            Headers:
              - 'Origin'
            QueryString: false
          MaxTTL: 31536000
          MinTTL: 86400
          TargetOriginId: !Sub 's3-origin-${S3BucketContent}'
          TrustedSigners:
            - !Ref AWS::AccountId
          ViewerProtocolPolicy: 'allow-all'
        DefaultRootObject: 'index.html'
        Enabled: true
        HttpVersion: 'http1.1'
        IPV6Enabled: false
        Origins:
          - DomainName: !GetAtt S3BucketContent.RegionalDomainName # NOTE: you may want to replace this with !GetAtt S3Bucket.DomainName (the RegionalDomainName is just to get around the initial DNS propagation issue), more details here: https://stackoverflow.com/questions/38735306/aws-cloudfront-redirecting-to-s3-bucket
            Id: !Sub 's3-origin-${S3BucketContent}'
            OriginPath: ''
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CfOriginAccessIdentity}'
        PriceClass: 'PriceClass_All'
    Type: 'AWS::CloudFront::Distribution'

  CfOriginAccessIdentity:
    Metadata:
      Comment: 'Access S3 bucket content only through CloudFront'
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: 'Access S3 bucket content only through CloudFront'
    Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'

Outputs:
  S3BucketName:
    Description: 'Bucket name'
    Value: !Ref S3BucketContent
  CfDistributionId:
    Description: 'Id for our cloudfront distribution'
    Value: !Ref CfDistribution
  CfDistributionDomainName:
    Description: 'Domain name for our cloudfront distribution'
    Value: !GetAtt CfDistribution.DomainName

Once the POC worked, I want to create multiple buckets that I can add to the same cloudfront distribution, but I receive an error saying Template format error: Unresolved resource dependencies [S3BucketDWC] in the Resources block of the template, without specifying the exact error. This is the updated yaml for 2 buckets. Can someone please let me know how to go about this?



Resources:

  S3BucketContent:
    DeletionPolicy: 'Delete'
    Metadata:
      Comment: 'Bucket to store  Content'
    Properties:
      AccessControl: 'Private'
      BucketName: !Sub '${AWS::StackName}-content-bucket'
    Type: 'AWS::S3::Bucket'

  S3BucketPolicy:
    Metadata:
      Comment: 'Bucket policy to allow cloudfront to access the data'
    Properties:
      Bucket: !Ref S3BucketContent
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: 'Allow'
            Principal:
              CanonicalUser: !GetAtt CfOriginAccessIdentity.S3CanonicalUserId
            Resource:
              - !Sub 'arn:aws:s3:::${S3BucketContent}/*'
    Type: 'AWS::S3::BucketPolicy'
    
    S3BucketDWC:
    DeletionPolicy: 'Delete'
    Metadata:
      Comment: 'Bucket to store dwc'
    Properties:
      AccessControl: 'Private'
      BucketName: !Sub '${AWS::StackName}-dwc-bucket'
    Type: 'AWS::S3::Bucket'

  S3BucketPolicy:
    Metadata:
      Comment: 'Bucket policy to allow cloudfront to access the data'
    Properties:
      Bucket: !Ref S3BucketDWC
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: 'Allow'
            Principal:
              CanonicalUser: !GetAtt CfOriginAccessIdentity.S3CanonicalUserId
            Resource:
              - !Sub 'arn:aws:s3:::${S3BucketDWC}/*'
    Type: 'AWS::S3::BucketPolicy'

  CfDistribution:
    Metadata:
      Comment: 'A simple CloudFront distribution with an S3 origin'
    Properties:
      DistributionConfig:
        Comment: 'A simple distribution with an S3 origin'
        DefaultCacheBehavior:
          AllowedMethods:
            - 'HEAD'
            - 'GET'
          CachedMethods:
            - 'HEAD'
            - 'GET'
          Compress: false
          DefaultTTL: 86400
          ForwardedValues:
            Cookies:
              Forward: 'none'
            Headers:
              - 'Origin'
            QueryString: false
          MaxTTL: 31536000
          MinTTL: 86400
          TargetOriginId: !Sub 's3-origin-${S3BucketContent}'
          TrustedSigners:
            - !Ref AWS::AccountId
          ViewerProtocolPolicy: 'allow-all'
        DefaultRootObject: 'index.html'
        Enabled: true
        HttpVersion: 'http1.1'
        IPV6Enabled: false
        Origins:
          - DomainName: !GetAtt S3BucketContent.RegionalDomainName 
            Id: !Sub 's3-origin-${S3BucketContent}'
            OriginPath: ''
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CfOriginAccessIdentity}'
              
            DomainName: !GetAtt S3BucketContent.RegionalDomainName 
            Id: !Sub 's3-origin-${S3BucketDWC}'
            OriginPath: ''
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CfOriginAccessIdentity}'
              
        PriceClass: 'PriceClass_All'
    Type: 'AWS::CloudFront::Distribution'

  CfOriginAccessIdentity:
    Metadata:
      Comment: 'Access S3 bucket content only through CloudFront'
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: 'Access S3 bucket content only through CloudFront'
    Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'

Outputs:
  S3BucketName:
    Description: 'Bucket name'
    Value: !Ref S3BucketContent
  CfDistributionId:
    Description: 'Id for our cloudfront distribution'
    Value: !Ref CfDistribution
  CfDistributionDomainName:
    Description: 'Domain name for our cloudfront distribution'
    Value: !GetAtt CfDistribution.DomainName
s_om
  • 661
  • 2
  • 9
  • 24

1 Answers1

2

At least one apparent issue is that you are using wrong indentation:

    S3BucketDWC:
    DeletionPolicy: 'Delete'
    Metadata:
      Comment: 'Bucket to store dwc'
    Properties:
      AccessControl: 'Private'
      BucketName: !Sub '${AWS::StackName}-dwc-bucket'
    Type: 'AWS::S3::Bucket'

This should be:

  S3BucketDWC:
    DeletionPolicy: 'Delete'
    Metadata:
      Comment: 'Bucket to store dwc'
    Properties:
      AccessControl: 'Private'
      BucketName: !Sub '${AWS::StackName}-dwc-bucket'
    Type: 'AWS::S3::Bucket'

The second issue is that Origins should be a list (your are missing -):

        Origins:
          - DomainName: !GetAtt S3BucketContent.RegionalDomainName 
            Id: !Sub 's3-origin-${S3BucketContent}'
            OriginPath: ''
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CfOriginAccessIdentity}'
              
          - DomainName: !GetAtt S3BucketContent.RegionalDomainName 
            Id: !Sub 's3-origin-${S3BucketDWC}'
            OriginPath: ''
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CfOriginAccessIdentity}'
Marcin
  • 215,873
  • 14
  • 235
  • 294
  • thank you @Marcin. I fixed that, the stack upload started but it got rolled back with an error ```One or more of your origins or origin groups do not exist.``` I have added both buckets to the origin list though. – s_om Aug 14 '20 at 22:59
  • 1
    @SourabhSriom If found second issue and updated answer. But I would suggest going back to basics, and just start with a single bucket. If this works, then you can concentrated on building on top of that. Also if you have further issues, you could consider making new question, as they may not be associated with the original problem reported in the question. – Marcin Aug 14 '20 at 23:04