# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  Template to deploy cloudfront and s3 bucket for UI code. This template will be used to
  pre-provision cloudfront and s3 buckets for UI code using event engine module during
  AWS hosted events. So that we don't need to provision them in individual labs and it
  improves individual labs execution time.

Resources:
  # One origin access identity is shared by all three distributions; each bucket
  # policy below grants it s3:GetObject and nothing else.
  CloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: "Origin Access Identity for CloudFront Distributions"

  AdminAppBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: True

  AdminAppSiteReadPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref AdminAppBucket
      PolicyDocument:
        Statement:
          - Action: 's3:GetObject'
            Effect: Allow
            Resource: !Sub 'arn:aws:s3:::${AdminAppBucket}/*'
            Principal:
              CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId

  AdminAppSite:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        #Aliases:
        #  - !Sub 'admin.${CustomDomainName}'
        CustomErrorResponses:
          # Needed to support angular routing
          - ErrorCode: 403
            ResponseCode: 200
            ResponsePagePath: '/index.html'
          - ErrorCode: 404
            ResponseCode: 200
            ResponsePagePath: '/index.html'
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          CachedMethods:
            - GET
            - HEAD
            - OPTIONS
          Compress: true
          DefaultTTL: 3600 # in seconds
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: false
          MaxTTL: 86400 # in seconds
          MinTTL: 60 # in seconds
          TargetOriginId: adminapp-s3origin
          # 'allow-all' serves the site over plain HTTP as well as HTTPS;
          # 'redirect-to-https' or 'https-only' enforces TLS for viewers.
          ViewerProtocolPolicy: 'allow-all'
        DefaultRootObject: 'index.html'
        Enabled: true
        HttpVersion: http2
        Origins:
          - DomainName: !GetAtt AdminAppBucket.RegionalDomainName
            Id: adminapp-s3origin
            S3OriginConfig:
              OriginAccessIdentity: !Join ["", ["origin-access-identity/cloudfront/", !Ref CloudFrontOriginAccessIdentity]]
        PriceClass: 'PriceClass_All'

  LandingAppBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: True

  LandingAppSiteReadPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LandingAppBucket
      PolicyDocument:
        Statement:
          - Action: 's3:GetObject'
            Effect: Allow
            Resource: !Sub 'arn:aws:s3:::${LandingAppBucket}/*'
            Principal:
              CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId

  LandingApplicationSite:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        CustomErrorResponses:
          # Needed to support angular routing
          - ErrorCode: 403
            ResponseCode: 200
            ResponsePagePath: '/index.html'
          - ErrorCode: 404
            ResponseCode: 200
            ResponsePagePath: '/index.html'
        DefaultCacheBehavior:
          # The origin access identity is granted s3:GetObject only, so the write
          # methods listed here are not needed to serve the static site.
          AllowedMethods:
            - DELETE
            - GET
            - HEAD
            - OPTIONS
            - PATCH
            - POST
            - PUT
          Compress: true
          DefaultTTL: 3600 # in seconds
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: false
          MaxTTL: 86400 # in seconds
          MinTTL: 60 # in seconds
          TargetOriginId: landingapp-s3origin
          # Same viewer protocol caveat as AdminAppSite: plain HTTP is accepted.
          ViewerProtocolPolicy: 'allow-all'
        DefaultRootObject: 'index.html'
        Enabled: true
        HttpVersion: http2
        Origins:
          - DomainName: !GetAtt 'LandingAppBucket.RegionalDomainName'
            Id: landingapp-s3origin
            S3OriginConfig:
              OriginAccessIdentity: !Join ["", ["origin-access-identity/cloudfront/", !Ref CloudFrontOriginAccessIdentity]]
        PriceClass: 'PriceClass_All'

  AppBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: True

  AppSiteReadPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref AppBucket
      PolicyDocument:
        Statement:
          - Action: 's3:GetObject'
            Effect: Allow
            Resource: !Sub 'arn:aws:s3:::${AppBucket}/*'
            Principal:
              CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId

  ApplicationSite:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        CustomErrorResponses:
          # Needed to support angular routing
          - ErrorCode: 403
            ResponseCode: 200
            ResponsePagePath: '/index.html'
          - ErrorCode: 404
            ResponseCode: 200
            ResponsePagePath: '/index.html'
        DefaultCacheBehavior:
          # As for LandingApplicationSite, only GET/HEAD/OPTIONS are needed for a
          # read-only S3 origin.
          AllowedMethods:
            - DELETE
            - GET
            - HEAD
            - OPTIONS
            - PATCH
            - POST
            - PUT
          Compress: true
          DefaultTTL: 3600 # in seconds
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: false
          MaxTTL: 86400 # in seconds
          MinTTL: 60 # in seconds
          TargetOriginId: tenantapp-s3origin
          # Same viewer protocol caveat as AdminAppSite: plain HTTP is accepted.
          ViewerProtocolPolicy: 'allow-all'
        DefaultRootObject: 'index.html'
        Enabled: true
        HttpVersion: http2
        Origins:
          - DomainName: !GetAtt 'AppBucket.RegionalDomainName'
            Id: tenantapp-s3origin
            S3OriginConfig:
              OriginAccessIdentity: !Join ["", ["origin-access-identity/cloudfront/", !Ref CloudFrontOriginAccessIdentity]]
        PriceClass: 'PriceClass_All'

Outputs:
  AdminBucket:
    Description: The name of the bucket for uploading the Admin Management site to
    Value: !Ref AdminAppBucket
    Export:
      Name: "Serverless-SaaS-AdminSiteBucket"
  AdminAppSite:
    Description: The name of the CloudFront url for Admin Management site
    Value: !GetAtt AdminAppSite.DomainName
    Export:
      Name: "Serverless-SaaS-AdminAppSite"
  LandingAppBucket:
    Description: The name of the bucket for uploading the Landing site to
    Value: !Ref LandingAppBucket
    Export:
      Name: "Serverless-SaaS-LandingApplicationSiteBucket"
  LandingApplicationSite:
    Description: The name of the CloudFront url for Landing site
    Value: !GetAtt LandingApplicationSite.DomainName
    Export:
      Name: "Serverless-SaaS-LandingApplicationSite"
  AppBucket:
    Description: The name of the bucket for uploading the Tenant Management site to
    Value: !Ref AppBucket
    Export:
      Name: "Serverless-SaaS-ApplicationSiteBucket"
  ApplicationSite:
    Description: The name of the CloudFront url for Tenant Management site
    Value: !GetAtt ApplicationSite.DomainName
    Export:
      Name: "Serverless-SaaS-ApplicationSite"