---
AWSTemplateFormatVersion: 2010-09-09

Description: >
    This template deploys the Retail Demo Store CloudFront distribution for the Web-UI and static assets.

Parameters:
  CleanupBucketLambdaArn:
    Type: String
    Description: Lambda Arn for cleanup function
  LoggingBucketName:
    Type: String
    Description: S3 Bucket For logging

Resources:
  
  # Web UI infrastructure    
  WebUIBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucketName
        LogFilePrefix: webui-logs   
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption: 
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
            BucketKeyEnabled: true              
         

  # Empties bucket when stack is deleted
  EmptyWebUIBucket:
    Type: Custom::EmptyStackBucket
    Properties:
      ServiceToken: !Ref CleanupBucketLambdaArn
      BucketName: !Ref WebUIBucket

  WebUIBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref WebUIBucket
      PolicyDocument:
        Statement:
          - Sid: 'AllowCloudFrontServicePrincipalReadOnly'
            Action: 's3:GetObject'
            Effect: Allow
            Resource: !Sub 'arn:aws:s3:::${WebUIBucket}/*'
            Principal:
              Service: 'cloudfront.amazonaws.com'
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${WebUICDN}'

  UIOriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties: 
      OriginAccessControlConfig:
        Name: UIOriginAccessControl
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4
  
  UICachePolicy:  
    Type: AWS::CloudFront::CachePolicy
    Properties: 
      CachePolicyConfig:
        DefaultTTL: 86400
        MaxTTL: 31536000
        MinTTL: 86400
        Name: UICachePolicy
        ParametersInCacheKeyAndForwardedToOrigin:
          CookiesConfig:
            CookieBehavior: none
          EnableAcceptEncodingGzip: true
          HeadersConfig:
            HeaderBehavior: none
          QueryStringsConfig:
            QueryStringBehavior: all

  WebUICDN:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: !Sub 'Retail Demo Store CDN for ${WebUIBucket}'
        DefaultRootObject: index.html
        PriceClass: PriceClass_100
        HttpVersion: http2and3
        Origins:
          - DomainName: !GetAtt WebUIBucket.RegionalDomainName
            Id: S3
            S3OriginConfig:
              OriginAccessIdentity: ''
            OriginAccessControlId: !Ref UIOriginAccessControl
        DefaultCacheBehavior:
          TargetOriginId: S3
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: !Ref UICachePolicy

  # Swagger UI infrastructure
  SwaggerUIBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucketName
        LogFilePrefix: swaggerui-logs   
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption: 
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
            BucketKeyEnabled: true              
              

  # Empties bucket when stack is deleted
  EmptySwaggerUIBucket:
    Type: Custom::EmptyStackBucket
    Properties:
      ServiceToken: !Ref CleanupBucketLambdaArn
      BucketName: !Ref SwaggerUIBucket

  SwaggerUIBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref SwaggerUIBucket
      PolicyDocument:
        Statement:
          - Action: 's3:GetObject'
            Effect: Allow
            Resource: !Sub 'arn:aws:s3:::${SwaggerUIBucket}/*'
            Principal:
              Service: 'cloudfront.amazonaws.com'
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub 'arn:aws:cloudfront::${AWS::AccountId}:distribution/${SwaggerUICDN}'

  SwaggerUICDN:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: !Sub 'Swagger UI CDN for ${SwaggerUIBucket}'
        DefaultRootObject: index.html
        PriceClass: PriceClass_100
        HttpVersion: http2and3
        Origins:
          - DomainName: !GetAtt SwaggerUIBucket.RegionalDomainName
            Id: S3
            S3OriginConfig:
              OriginAccessIdentity: ''
            OriginAccessControlId: !Ref UIOriginAccessControl
        DefaultCacheBehavior:
          TargetOriginId: S3
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: !Ref UICachePolicy

Outputs:
  # Web UI outputs
  WebUIBucketName:
    Description: Web UI S3 bucket for CloudFront distribution.
    Value: !Ref WebUIBucket

  WebUICDN:
    Description: CloudFront distribution ID for the Web UI CDN
    Value: !Ref WebUICDN

  # Since the Retail Demo Store web service load balancers are not deployed with SSL, 
  # the Web UI URL must be http to avoid mixed content errors in the browser.
  WebUICDNURL:
    Description: The URL for the web application
    Value: !Sub 
      - 'https://${Domain}'
      - Domain: !GetAtt WebUICDN.DomainName    

  # Swagger UI outputs
  SwaggerUIBucketName:
    Description: Swagger UI S3 bucket for CloudFront distribution.
    Value: !Ref SwaggerUIBucket

  SwaggerUICDN:
    Description: CloudFront distribution ID for the Swagger UI CDN
    Value: !Ref SwaggerUICDN

  # Since the Retail Demo Store web service load balancers are not deployed with SSL, 
  # the Swagger UI URL must be http to avoid mixed content errors in the browser.
  SwaggerUICDNURL:
    Description: The URL for the Swagger UI application
    Value: !Sub 
      - 'https://${Domain}'
      - Domain: !GetAtt SwaggerUICDN.DomainName