Description: CloudFront Secrets Resources: sampleCloudFrontDistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: Comment: Sample CloudFront Distribution DefaultCacheBehavior: CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 Compress: true TargetOriginId: CloudfrontSecretsStacksampleCloudFrontDistributionOrigin ViewerProtocolPolicy: allow-all Enabled: true HttpVersion: http2 IPV6Enabled: true Origins: - CustomOriginConfig: OriginProtocolPolicy: https-only OriginSSLProtocols: - TLSv1.2 DomainName: target-backend-domain-name Id: CloudfrontSecretsStacksampleCloudFrontDistributionOrigin OriginCustomHeaders: - HeaderName: X-AWS-API-Key HeaderValue: nHMJCRSGqxELjYPE ApiKeys: Type: AWS::SecretsManager::Secret Properties: Description: ApiKeys Name: cloudfront-apikeys SecretString: '{"key1": "nHMJCRSGqxELjYPE", "key2": "b3OWBHlP4QB95I8V", "key3": "lTx5P8eyIB38DoLV"}' ApiKeysRotator: Type: AWS::Lambda::Function Properties: Code: S3Bucket: Ref: AssetParametersS3Bucket S3Key: Fn::Join: - "" - - Fn::Select: - 0 - Fn::Split: - "||" - Ref: AssetParametersS3VersionKey - Fn::Select: - 1 - Fn::Split: - "||" - Ref: AssetParametersS3VersionKey Role: Fn::Join: - "" - - "arn:aws:iam::" - Ref: AWS::AccountId - :role/cloudfront-apikeys-rotator Environment: Variables: DISTRIBUTION: Ref: sampleCloudFrontDistribution FunctionName: cloudfront_apikeys_rotator Handler: cloudfront_apikeys_rotator.lambda_handler Runtime: python3.8 Timeout: 300 ApiKeysRotationSchedule: Type: AWS::SecretsManager::RotationSchedule Properties: SecretId: Ref: ApiKeys RotationLambdaARN: Fn::GetAtt: - ApiKeysRotator - Arn RotationRules: AutomaticallyAfterDays: 1 Parameters: AssetParametersS3Bucket: Type: String Description: S3 bucket for lambda function asset AssetParametersS3VersionKey: Type: String Description: S3 key for lambda function asset version