AWSTemplateFormatVersion: "2010-09-09"

Description: "Add a CloudFront distribution to a static S3 website with basic authentication This template *must* be deployed in us-east-1.\n"

Parameters:
  DomainName:
    Type: String
    Default: ""

  HostedZoneId:
    Type: String
    Default: ""

Conditions:
  HasDomainName: !Not
    - !Or
      - !Equals [!Ref DomainName, ""]
      - !Equals [!Ref HostedZoneId, ""]

Resources:
  WebBucket:
    Type: "AWS::S3::Bucket"

  CloudFrontOriginAccessIdentity:
    Type: "AWS::CloudFront::CloudFrontOriginAccessIdentity"
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub OAI for ${AWS::StackName}

  EdgeFunctionRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
                - edgelambda.amazonaws.com
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"

  LogBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      AccessControl: LogDeliveryWrite

  WebBucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket: !Ref WebBucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${CloudFrontOriginAccessIdentity}"
            Action: "s3:GetObject"
            Resource: !Sub arn:aws:s3:::${WebBucket}/*

  Certificate:
    Type: "AWS::CertificateManager::Certificate"
    Condition: HasDomainName
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId

  Distribution:
    Type: "AWS::CloudFront::Distribution"
    Properties:
      DistributionConfig:
        Aliases: !If
          - HasDomainName
          - - !Ref DomainName
          - !Ref AWS::NoValue
        ViewerCertificate: !If
          - HasDomainName
          - AcmCertificateArn: !Ref Certificate
            MinimumProtocolVersion: TLSv1.2_2018
            SslSupportMethod: sni-only
          - !Ref AWS::NoValue
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          CachedMethods:
            - GET
            - HEAD
          Compress: true
          ForwardedValues:
            QueryString: false
          TargetOriginId: S3
          ViewerProtocolPolicy: redirect-to-https
          DefaultTTL: 60
        DefaultRootObject: index.html
        Enabled: true
        Logging:
          Bucket: !GetAtt LogBucket.RegionalDomainName
        Origins:
          - DomainName: !GetAtt WebBucket.RegionalDomainName
            Id: S3
            S3OriginConfig:
              OriginAccessIdentity: !Sub origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}
        PriceClass: PriceClass_100

  RecordSet:
    Type: "AWS::Route53::RecordSet"
    Condition: HasDomainName
    Properties:
      AliasTarget:
        DNSName: !GetAtt Distribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: A

Outputs:
  Uri:
    Value: !If
      - HasDomainName
      - !Sub "https://${DomainName}/"
      - !Sub "https://${Distribution.DomainName}/"

  Bucket:
    Value: !Ref WebBucket