---
AWSTemplateFormatVersion: 2010-09-09
Description: AWS EKS Reference Sample Application CloudFront, OAI and S3 Bucket
Parameters:
  CustomDomainName:
    Type: String
  S3OAIUserId:
    Type: String
  S3OAIId:
    Type: String
  CloudFrontAppCertArn:
    Type: String
  HostedZoneId:
    Type: String
Resources:
  AppBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy : Retain
  AppSiteReadPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref AppBucket
      PolicyDocument:
        Statement:
        - Action: 's3:GetObject'
          Effect: Allow
          Resource: !Sub 'arn:aws:s3:::${AppBucket}/*'
          Principal:
            CanonicalUser: !Ref S3OAIUserId
  ApplicationSite:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - !Sub 'app.${CustomDomainName}'
        CustomErrorResponses:
        # Needed to support angular routing
        - ErrorCode: 403 
          ResponseCode: 200
          ResponsePagePath: '/index.html'
        - ErrorCode: 404
          ResponseCode: 200
          ResponsePagePath: '/index.html'
        DefaultCacheBehavior:
          AllowedMethods:
            - DELETE
            - GET
            - HEAD
            - OPTIONS
            - PATCH
            - POST
            - PUT
          Compress: true
          DefaultTTL: 3600 # in seconds
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: false
          MaxTTL: 86400 # in seconds
          MinTTL: 60 # in seconds
          TargetOriginId: s3origin
          ViewerProtocolPolicy: 'allow-all'
        DefaultRootObject: 'index.html'
        Enabled: true
        HttpVersion: http2
        Origins:
        - DomainName: !GetAtt 'AppBucket.RegionalDomainName'
          Id: s3origin
          S3OriginConfig:
            OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${S3OAIId}'
        PriceClass: 'PriceClass_All'  
        ViewerCertificate:
          AcmCertificateArn: !Ref CloudFrontAppCertArn
          MinimumProtocolVersion: 'TLSv1.2_2018'
          SslSupportMethod: 'sni-only'
  ApplicationSiteAlias:
    Type: AWS::Route53::RecordSet
    Properties:
      AliasTarget:
        DNSName: !GetAtt 'ApplicationSite.DomainName'
        EvaluateTargetHealth: false
        HostedZoneId: 'Z2FDTNDATAQYW2'
      HostedZoneId : !Ref HostedZoneId
      Name: !Sub 'app.${CustomDomainName}'
      Type: A
Outputs:
  ApplicationSiteUrl:
    Description: The URL of the application site sans any tenant
    Value: !Sub 'https://${ApplicationSite.DomainName}'
  AppBucket:
    Description: The name of the s3 bucket for uploading the application site to
    Value: !Ref AppBucket
  AppCloudFrontId:
    Description: The ID of the CloudFront distribution hosting the application site
    Value: !Ref ApplicationSite