【Question title】: CloudFormation S3 bucket principal for CloudFront
【Posted】: 2019-05-21 02:58:58
【Question】:

I am trying to create a YAML template for a CloudFront distribution on an S3 bucket. I don't know how to add the principal on the BucketPolicy.

I would like to know how to replace the XXXXXXXXXXX in "CloudFront Origin Access Identity XXXXXXXXXXX" with the CloudFront identity that will be generated by deploying the template.

Also, is there a way to add the html/css sync step to the YAML template (I currently do it via the AWS CLI)?

Please let me know. TIA

 AWSTemplateFormatVersion: 2010-09-09
 Resources:
   Bucket:
     Type: 'AWS::S3::Bucket'
     Properties:
       BucketName: pridesys.webbucket
       AccessControl: Private 
       WebsiteConfiguration:
         IndexDocument: index.html

   BucketPolicy:
     Type: AWS::S3::BucketPolicy
     Properties:
       Bucket: !Ref Bucket
       PolicyDocument:
         Id: ReportPolicy
         Version: "2012-10-17"
         Statement:
           - Sid: "1"
             Effect: Allow
             Action: "s3:GetObject"
             Principal:
               AWS: "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
             Resource: !Join ['', ['arn:aws:s3:::', !Ref Bucket, '/*']]

   Distro:
     Type: 'AWS::CloudFront::Distribution'
     Properties:
       DistributionConfig:
         Origins:
           - DomainName: !GetAtt Bucket.DomainName
             Id: foo
             S3OriginConfig: {}
         Enabled: True
         DefaultRootObject: index.html
         DefaultCacheBehavior:
           ForwardedValues:
             QueryString: False
           TargetOriginId: foo
           ViewerProtocolPolicy: allow-all

【Discussion】:

    Tags: amazon-web-services amazon-s3 amazon-cloudformation amazon-cloudfront


    【Solution 1】:

    Here is a working example of an S3 origin identity configuration for CloudFront:

      WebUIBucket:
        Type: AWS::S3::Bucket
      CloudFrontOriginIdentity:
        Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
        Properties:
          CloudFrontOriginAccessIdentityConfig:
            Comment: "origin identity"
      WebUIPolicy:
        Type: AWS::S3::BucketPolicy
        Properties: 
          Bucket:
            Ref: WebUIBucket
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                  CanonicalUser:
                    Fn::GetAtt: [ CloudFrontOriginIdentity , S3CanonicalUserId ]
                Action: "s3:GetObject"
                Resource: !Sub "${WebUIBucket.Arn}/*"
      WebpageCDN:
        Type: AWS::CloudFront::Distribution
        Properties:
          DistributionConfig:
            Origins:
              - DomainName: !Sub "${WebUIBucket}.s3.amazonaws.com"
                Id: webpage
                S3OriginConfig:
                  OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginIdentity}"
    

    As for syncing your assets into the S3 bucket, CloudFormation does not offer that. You either have to implement a CustomResource or keep using the CLI.

    【Discussion】:

      【Solution 2】:

      Thanks a lot @Jens!!

      Your solution helped a lot. I ran into TargetOriginId & ForwardedValues errors when trying to deploy the template.

      This worked for me -

      AWSTemplateFormatVersion: '2010-09-09'
      Description: An AWS Serverless Specification template describing your function.
      Resources:
        WebUIBucket:
          Type: AWS::S3::Bucket
        CloudFrontOriginIdentity:
          Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
          Properties:
            CloudFrontOriginAccessIdentityConfig:
              Comment: "origin identity"
        WebUIPolicy:
          Type: AWS::S3::BucketPolicy
          Properties: 
            Bucket:
              Ref: WebUIBucket
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Principal:
                    CanonicalUser:
                      Fn::GetAtt: [ CloudFrontOriginIdentity , S3CanonicalUserId ]
                  Action: "s3:GetObject"
                  Resource: !Sub "${WebUIBucket.Arn}/*"
        WebpageCDN:
          Type: AWS::CloudFront::Distribution
          Properties:
            DistributionConfig:
              Origins:
                - DomainName: !Sub "${WebUIBucket}.s3.amazonaws.com"
                  Id: webpage
                  S3OriginConfig:
                    OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginIdentity}"
              Enabled: True
              DefaultRootObject: index.html
              DefaultCacheBehavior:
                ForwardedValues:
                  QueryString: False
                TargetOriginId: webpage
                ViewerProtocolPolicy: allow-all
      Transform: AWS::Serverless-2016-10-31
      

      【Discussion】:

      • I came here looking for how to do this in JSON and found this useful. For anyone interested in the JSON equivalent: "Principal": { "CanonicalUser": { "Fn::GetAtt": [ "CloudFrontOriginIdentity", "S3CanonicalUserId" ] } }
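As an added illustration (not code from the question or from either answer), here is a small Python linter for the pattern that Solution 1 and Solution 2 settle on: the bucket policy's Principal must be the template's own origin access identity via `Fn::GetAtt [<OAI>, S3CanonicalUserId]`, and the distribution's S3 origin must reference that same OAI. It works on the JSON form of the template (as in the comment above), so intrinsics are assumed to be written long-form as `{"Fn::GetAtt": [...]}` and `{"Fn::Sub": "..."}`. The function names (`lint_template`, `question_variant`, and the helpers) are my own, and both sample templates are constructed here to mirror Solution 2's template and the question's starting point.

```python
"""Added example: lint a CloudFormation template (JSON form) for the S3 + CloudFront
origin-access-identity (OAI) pattern from the answers above. Not code from the thread.
Checks: (1) every Allow statement in a bucket policy names the template's own OAI as
CanonicalUser via Fn::GetAtt [<OAI>, S3CanonicalUserId] (not "*" and not a hard-coded
ARN); (2) every S3 origin of a distribution points OriginAccessIdentity at that OAI."""
import copy
import json
import re

OAI_TYPE = "AWS::CloudFront::CloudFrontOriginAccessIdentity"
# Matches the !Sub value used in the answers: origin-access-identity/cloudfront/${<OAI logical id>}
OAI_SUB_PATTERN = re.compile(r"origin-access-identity/cloudfront/\$\{(\w+)\}")


def _oai_ids(resources):
    """Logical IDs of all OAI resources declared in the template."""
    return {name for name, res in resources.items() if res.get("Type") == OAI_TYPE}


def _allows_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _principal_is_template_oai(principal, oai_ids):
    """True when Principal is {"CanonicalUser": {"Fn::GetAtt": [<OAI>, "S3CanonicalUserId"]}}."""
    if not isinstance(principal, dict):
        return False
    canonical = principal.get("CanonicalUser", {})
    getatt = canonical.get("Fn::GetAtt") if isinstance(canonical, dict) else None
    return (isinstance(getatt, list) and len(getatt) == 2
            and getatt[0] in oai_ids and getatt[1] == "S3CanonicalUserId")


def _origin_uses_template_oai(origin, oai_ids):
    """True when S3OriginConfig.OriginAccessIdentity is !Sub origin-access-identity/cloudfront/${<OAI>}."""
    value = origin.get("S3OriginConfig", {}).get("OriginAccessIdentity", "")
    if isinstance(value, dict):
        value = value.get("Fn::Sub", "")
    match = OAI_SUB_PATTERN.fullmatch(value) if isinstance(value, str) else None
    return bool(match and match.group(1) in oai_ids)


def lint_template(template):
    """Return a list of findings; an empty list means the OAI pattern is intact."""
    findings = []
    resources = template.get("Resources", {})
    oai_ids = _oai_ids(resources)
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::BucketPolicy":
            for stmt in props.get("PolicyDocument", {}).get("Statement", []):
                if stmt.get("Effect") != "Allow":
                    continue
                principal = stmt.get("Principal")
                if _allows_anyone(principal):
                    findings.append(f"{name}: statement grants access to any principal")
                elif not _principal_is_template_oai(principal, oai_ids):
                    findings.append(f"{name}: principal is not this template's OAI canonical user")
        elif res.get("Type") == "AWS::CloudFront::Distribution":
            for origin in props.get("DistributionConfig", {}).get("Origins", []):
                if "S3OriginConfig" in origin and not _origin_uses_template_oai(origin, oai_ids):
                    findings.append(f"{name}: S3 origin {origin.get('Id')} does not reference this template's OAI")
    return findings


def lint_json(text):
    """Same check for a template held as a JSON string."""
    return lint_template(json.loads(text))


# Constructed sample mirroring Solution 2's template, written in JSON form.
GOOD_TEMPLATE = {"Resources": {
    "WebUIBucket": {"Type": "AWS::S3::Bucket"},
    "CloudFrontOriginIdentity": {"Type": OAI_TYPE, "Properties": {
        "CloudFrontOriginAccessIdentityConfig": {"Comment": "origin identity"}}},
    "WebUIPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "WebUIBucket"},
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"CanonicalUser": {
                "Fn::GetAtt": ["CloudFrontOriginIdentity", "S3CanonicalUserId"]}},
            "Action": "s3:GetObject",
            "Resource": {"Fn::Sub": "${WebUIBucket.Arn}/*"}}]}}},
    "WebpageCDN": {"Type": "AWS::CloudFront::Distribution", "Properties": {
        "DistributionConfig": {
            "Origins": [{"DomainName": {"Fn::Sub": "${WebUIBucket}.s3.amazonaws.com"},
                         "Id": "webpage",
                         "S3OriginConfig": {"OriginAccessIdentity": {
                             "Fn::Sub": "origin-access-identity/cloudfront/${CloudFrontOriginIdentity}"}}}],
            "Enabled": True, "DefaultRootObject": "index.html",
            "DefaultCacheBehavior": {"TargetOriginId": "webpage", "ViewerProtocolPolicy": "allow-all",
                                     "ForwardedValues": {"QueryString": False}}}}}}}


def question_variant():
    """Constructed variant mirroring the question's starting template: a hard-coded
    OAI ARN (placeholder XXXXXXXXXXX) as Principal and an empty S3OriginConfig."""
    tpl = copy.deepcopy(GOOD_TEMPLATE)
    stmt = tpl["Resources"]["WebUIPolicy"]["Properties"]["PolicyDocument"]["Statement"][0]
    stmt["Principal"] = {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"}
    tpl["Resources"]["WebpageCDN"]["Properties"]["DistributionConfig"]["Origins"][0]["S3OriginConfig"] = {}
    return tpl


if __name__ == "__main__":
    print("answer template:", lint_template(GOOD_TEMPLATE) or "no findings")
    print("question template:", lint_json(json.dumps(question_variant())))
```

Run as a script: the answer's template produces no findings, while the question's variant produces two (the hard-coded OAI ARN in the policy, and the origin with no `OriginAccessIdentity`), which is exactly the gap the accepted answer closes by generating the OAI in the same stack and wiring both sides to it with `Fn::GetAtt` and `Fn::Sub`.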