tobilg / serverless-aws-static-websites
Deploy your static websites without all the hassle on AWS with CloudFront, S3, ACM and Route53 via Serverless
License: MIT License
Hi, I am trying to use your library with an already existing Hosted Zone. Therefore I replaced the reference to the Hosted Zone in all files with the existing Hosted Zone ID and removed the Hosted Zone from the resources. Unfortunately, something still doesn't work with CloudFront. Because I didn't fully understand some configuration files, I can't tell where the error is.
Below are all configuration files with my setup:
# serverless.yml
service:
  name: my-service
provider:
  name: aws
  runtime: nodejs8.10
  region: eu-central-1
  stage: dev
  environment:
    HOSTED_ZONE_ID: 'MY_EXISTING_HOSTED_ZONE_ID'
    DOMAIN: 'my-subdomain-of-hosted-zone'
plugins:
  - serverless-s3-sync
  - serverless-pseudo-parameters
  - serverless-stack-output
  - serverless-cloudfront-invalidate
custom:
  # The domain name to be used
  domainName: ${self:provider.environment.DOMAIN}
  # Output plugin configuration
  output:
    handler: modules/output.handler
  # CloudFront invalidation plugin configuration
  cloudfrontInvalidate:
    distributionIdKey: 'CloudFrontDistributionId'
    items: # Add your files to invalidate here:
      - '/index.html'
  # S3 sync plugin configuration
  s3Sync:
    - bucketName: ${self:provider.environment.DOMAIN}
      localDir: src
resources:
  - ${file(resources/custom-acm-certificate-lambda.yml)}
  - ${file(resources/custom-acm-certificate-lambda-role.yml)}
  - ${file(resources/cloudfront-origin-access-identity.yml)}
  - ${file(resources/s3-bucket.yml)}
  - ${file(resources/s3-policies.yml)}
  - ${file(resources/dns-records.yml)}
  - ${file(resources/certificate.yml)}
  - ${file(resources/cf-distribution.yml)}
  - ${file(resources/outputs.yml)}
# custom-acm-certificate-lambda.yml
Resources:
  CustomAcmCertificateLambda:
    Type: 'AWS::Lambda::Function'
    Metadata:
      Source: https://github.com/dflook/cloudformation-dns-certificate
      Version: 1.7.1
    Properties:
      Description: Cloudformation custom resource for DNS validated certificates
      Handler: index.handler
      Role: '#{CustomAcmCertificateLambdaExecutionRole.Arn}'
      Runtime: python3.6
      Timeout: 900
      Code:
        # Minified inline copy of the dflook/cloudformation-dns-certificate handler (see Metadata above)
        ZipFile: "T=RuntimeError\nimport copy,hashlib as t,json,logging as B,time\
          \ as b\nfrom boto3 import client as K\nfrom botocore.exceptions import ClientError\
          \ as u,ParamValidationError as v\nfrom botocore.vendored import requests\
          \ as w\nA=B.getLogger()\nA.setLevel(B.INFO)\nD=A.info\nS=A.exception\nd=json.dumps\n\
          M=copy.copy\ne=b.sleep\ndef handler(event,c):\n\tA9='OldResourceProperties';A8='Update';A7='Delete';A6='None';A5='acm';A4='FAILED';A3='properties';A2='stack-id';A1='logical-id';A0='DNS';s='Old';r='Certificate';q='LogicalResourceId';p='DomainName';o='ValidationMethod';n='Route53RoleArn';m='Region';a='RequestType';Z='Reinvoked';Y='StackId';X=None;R='Status';Q='Key';P='';O=True;N='DomainValidationOptions';L=False;J='ResourceProperties';I='cloudformation:';H='Value';G='CertificateArn';F='Tags';C='PhysicalResourceId';A=event;f=c.get_remaining_time_in_millis;D(A)\n\
          \tdef g():\n\t\tD=M(B)\n\t\tfor H in ['ServiceToken',m,F,n]:D.pop(H,X)\n\
          \t\tif o in B:\n\t\t\tif B[o]==A0:\n\t\t\t\tfor I in set([B[p]]+B.get('SubjectAlternativeNames',[])):k(I)\n\
          \t\t\t\tdel D[N]\n\t\tA[C]=E.request_certificate(IdempotencyToken=y,**D)[G];l()\n\
          \tdef U(a):\n\t\twhile O:\n\t\t\ttry:E.delete_certificate(**{G:a});return\n\
          \t\t\texcept u as B:\n\t\t\t\tS(P);A=B.response['Error']['Code']\n\t\t\t\
          \tif A=='ResourceInUseException':\n\t\t\t\t\tif f()/1000<30:raise\n\t\t\t\
          \t\te(5);continue\n\t\t\t\tif A in['ResourceNotFoundException','ValidationException']:return\n\
          \t\t\t\traise\n\t\t\texcept v:return\n\tdef V(props):\n\t\tfor J in E.get_paginator('list_certificates').paginate():\n\
          \t\t\tfor B in J['CertificateSummaryList']:\n\t\t\t\tD(B);C={A[Q]:A[H]for\
          \ A in E.list_tags_for_certificate(**{G:B[G]})[F]}\n\t\t\t\tif C.get(I+A1)==A[q]and\
          \ C.get(I+A2)==A[Y]and C.get(I+A3)==hash(props):return B[G]\n\tdef h():\n\
          \t\tif A.get(Z,L):raise T('Certificate not issued in time')\n\t\tA[Z]=O;D(A);K('lambda').invoke(FunctionName=c.invoked_function_arn,InvocationType='Event',Payload=d(A).encode())\n\
          \tdef i():\n\t\twhile f()/1000>30:\n\t\t\tB=E.describe_certificate(**{G:A[C]})[r];D(B)\n\
          \t\t\tif B[R]=='ISSUED':return O\n\t\t\telif B[R]==A4:raise T(B.get('FailureReason',P))\n\
          \t\t\te(5)\n\t\treturn L\n\tdef x():B=M(A[s+J]);B.pop(F,X);C=M(A[J]);C.pop(F,X);return\
          \ B!=C\n\tdef j():\n\t\tW='Type';V='Name';U='HostedZoneId';T='ValidationStatus';S='PENDING_VALIDATION';L='ResourceRecord'\n\
          \t\tif B.get(o)!=A0:return\n\t\twhile O:\n\t\t\tI=E.describe_certificate(**{G:A[C]})[r];D(I)\n\
          \t\t\tif I[R]!=S:return\n\t\t\tif not[A for A in I.get(N,[{}])if T not in\
          \ A or L not in A]:break\n\t\t\tb.sleep(1)\n\t\tfor F in I[N]:\n\t\t\tif\
          \ F[T]==S:M=k(F[p]);P=M.get(n,B.get(n));J=K('sts').assume_role(RoleArn=P,RoleSessionName=(r+A[q])[:64],DurationSeconds=900)['Credentials']if\
          \ P is not X else{};Q=K('route53',aws_access_key_id=J.get('AccessKeyId'),aws_secret_access_key=J.get('SecretAccessKey'),aws_session_token=J.get('SessionToken')).change_resource_record_sets(**{U:M[U],'ChangeBatch':{'Comment':'Domain\
          \ validation for '+A[C],'Changes':[{'Action':'UPSERT','ResourceRecordSet':{V:F[L][V],W:F[L][W],'TTL':60,'ResourceRecords':[{H:F[L][H]}]}}]}});D(Q)\n\
          \tdef k(n):\n\t\tC='.';n=n.rstrip(C);D={A[p].rstrip(C):A for A in B[N]};A=n.split(C)\n\
          \t\twhile len(A):\n\t\t\tif C.join(A)in D:return D[C.join(A)]\n\t\t\tA=A[1:]\n\
          \t\traise T(N+' missing'+' for '+n)\n\thash=lambda v:t.new('md5',d(v,sort_keys=O).encode()).hexdigest()\n\
          \tdef l():B=M(A[J].get(F,[]));B+=[{Q:I+A1,H:A[q]},{Q:I+A2,H:A[Y]},{Q:I+'stack-name',H:A[Y].split('/')[1]},{Q:I+A3,H:hash(A[J])}];E.add_tags_to_certificate(**{G:A[C],F:B})\n\
          \tdef W():D(A);B=w.put(A['ResponseURL'],json=A,headers={'content-type':P});B.raise_for_status()\n\
          \ttry:\n\t\ty=hash(A['RequestId']+A[Y]);B=A[J];E=K(A5,region_name=B.get(m));A[R]='SUCCESS'\n\
          \t\tif A[a]=='Create':\n\t\t\tif A.get(Z,L)is L:A[C]=A6;g()\n\t\t\tj()\n\
          \t\t\tif not i():return h()\n\t\telif A[a]==A7:\n\t\t\tif A[C]!=A6:\n\t\t\
          \t\tif A[C].startswith('arn:'):U(A[C])\n\t\t\t\telse:U(V(B))\n\t\telif A[a]==A8:\n\
          \t\t\tif x():\n\t\t\t\tD(A8)\n\t\t\t\tif V(B)==A[C]:\n\t\t\t\t\ttry:E=K(A5,region_name=A[A9].get(m));D(A7);U(V(A[A9]))\n\
          \t\t\t\t\texcept:S(P)\n\t\t\t\t\treturn W()\n\t\t\t\tif A.get(Z,L)is L:g()\n\
          \t\t\t\tj()\n\t\t\t\tif not i():return h()\n\t\t\telse:\n\t\t\t\tif F in\
          \ A[s+J]:E.remove_tags_from_certificate(**{G:A[C],F:A[s+J][F]})\n\t\t\t\t\
          l()\n\t\telse:raise T(A[a])\n\t\treturn W()\n\texcept Exception as z:S(P);A[R]=A4;A['Reason']=str(z);return\
          \ W()"
# custom-acm-certificate-lambda-role.yml
Resources:
  CustomAcmCertificateLambdaExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/service-role/AWSLambdaRole
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - acm:AddTagsToCertificate
                  - acm:DeleteCertificate
                  - acm:DescribeCertificate
                  - acm:RemoveTagsFromCertificate
                Effect: Allow
                Resource:
                  - 'arn:aws:acm:*:#{AWS::AccountId}:certificate/*'
              - Action:
                  - acm:RequestCertificate
                  - acm:ListTagsForCertificate
                  - acm:ListCertificates
                Effect: Allow
                Resource:
                  - '*'
              - Action:
                  - route53:ChangeResourceRecordSets
                Effect: Allow
                Resource:
                  - arn:aws:route53:::hostedzone/*
            Version: '2012-10-17'
          PolicyName: 'CustomAcmCertificateLambdaExecutionPolicy-${self:service.name}'
# cloudfront-origin-access-identity.yml
Resources:
  CloudFrontOriginAccessIdentity:
    Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: '${self:service.name}-oai'
# s3-bucket.yml
Resources:
  WebsiteBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: ${self:provider.environment.DOMAIN}
# s3-policies.yml
Resources:
  WebsiteBucketPolicy:
    Type: AWS::S3::BucketPolicy
    DependsOn:
      - WebsiteBucket
    Properties:
      Bucket:
        Ref: WebsiteBucket
      PolicyDocument:
        Statement:
          - Sid: PublicReadGetObject
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ' '
                  - - 'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity'
                    - '#{CloudFrontOriginAccessIdentity}'
            Action:
              - s3:GetObject
            Resource:
              - Fn::Join: [
                  '', [
                    'arn:aws:s3:::',
                    {
                      'Ref': 'WebsiteBucket'
                    },
                    '/*'
                  ]
                ]
# dns-records.yml
# See RecordSet: https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-properties-route53-recordset.html
# See AliasTarget: https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget.html
# See https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region (below the first table for hosted zone ids / website endpoints of S3)
Resources:
  DnsRecord:
    Type: 'AWS::Route53::RecordSet'
    Properties:
      Comment: 'Alias CloudFront for ${self:provider.environment.DOMAIN}'
      HostedZoneId: '${self:provider.environment.HOSTED_ZONE_ID}'
      Type: A
      Name: '${self:provider.environment.DOMAIN}'
      AliasTarget:
        # Generated domain name from CloudFront
        DNSName: '#{CFDistribution.DomainName}'
        # Default (static) hosted zone for CloudFront
        HostedZoneId: 'Z2FDTNDATAQYW2'
  WWWDnsRecord:
    Type: 'AWS::Route53::RecordSet'
    Properties:
      Comment: 'Alias CloudFront for www.${self:provider.environment.DOMAIN}'
      HostedZoneId: '${self:provider.environment.HOSTED_ZONE_ID}'
      Type: A
      Name: 'www.${self:provider.environment.DOMAIN}'
      AliasTarget:
        # Generated domain name from CloudFront
        DNSName: '#{CFDistribution.DomainName}'
        # Default (static) hosted zone for CloudFront
        HostedZoneId: 'Z2FDTNDATAQYW2'
# certificate.yml
Resources:
  SSLCertificate:
    Type: 'Custom::DNSCertificate'
    Properties:
      DomainName: '${self:provider.environment.DOMAIN}'
      SubjectAlternativeNames:
        - 'www.${self:provider.environment.DOMAIN}'
      ValidationMethod: DNS
      # Needs to be in us-east-1 because of CloudFront limitations
      Region: us-east-1
      DomainValidationOptions:
        - DomainName: '${self:provider.environment.DOMAIN}'
          HostedZoneId: '${self:provider.environment.HOSTED_ZONE_ID}'
      ServiceToken: '#{CustomAcmCertificateLambda.Arn}'
# cf-distribution.yml
# See https://blog.m-taylor.co.uk/2018/01/cloudformation-template-for-a-cloudfront-enabled-s3-website.html
Resources:
  CFDistribution:
    Type: 'AWS::CloudFront::Distribution'
    DependsOn:
      - WebsiteBucket
      - SSLCertificate
      - CloudFrontOriginAccessIdentity
    Properties:
      DistributionConfig:
        Aliases:
          - '${self:provider.environment.DOMAIN}'
          - 'www.${self:provider.environment.DOMAIN}'
        Origins:
          - DomainName: '#{WebsiteBucket.DomainName}'
            OriginPath: ''
            Id: S3BucketOrigin
            S3OriginConfig:
              OriginAccessIdentity:
                Fn::Join:
                  - ''
                  - - 'origin-access-identity/cloudfront/'
                    - '#{CloudFrontOriginAccessIdentity}'
        Comment: 'CloudFront origin for ${self:provider.environment.DOMAIN}'
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          TargetOriginId: S3BucketOrigin
          Compress: true
          ForwardedValues:
            QueryString: 'false'
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        Enabled: 'true'
        HttpVersion: 'http2'
        PriceClass: 'PriceClass_100'
        ViewerCertificate:
          AcmCertificateArn: '#{SSLCertificate}'
          SslSupportMethod: sni-only
# outputs.yml
Outputs:
  CloudFrontDistributionId:
    Description: CloudFront distribution id
    Value:
      Ref: CFDistribution
  HostedZoneNameservers:
    Description: The nameservers for the Hosted Zone (to be used with your external DNS configuration)
    Value:
      'Fn::Join':
        - ', '
        # Fn::GetAtt only resolves logical IDs of resources declared in this stack,
        # so it cannot read the NameServers of a hosted zone that lives outside it
        - 'Fn::GetAtt': ['${self:provider.environment.HOSTED_ZONE_ID}', 'NameServers']
Error (from outputs.yml): The CloudFormation template is invalid: Template error: instance of Fn::GetAtt references undefined resource MY_EXISTING_HOSTED_ZONE_ID
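The error in the post above is CloudFormation refusing a template whose Fn::GetAtt names a logical ID that no longer exists in the stack. The same class of mistake can be caught locally before a deploy. The following checker is an added example for this thread, not code from the serverless-aws-static-websites project: it walks a template's Resources and Outputs, collects every Ref and Fn::GetAtt target, and reports those that are neither a declared resource, a parameter, nor an AWS pseudo-parameter. The sample template is constructed to mirror the posted outputs.yml after the HostedZone resource was removed, with the Serverless `${...}` variables assumed to be already substituted.

```python
"""Find Ref / Fn::GetAtt targets that are not declared in a CloudFormation template.

Added example for this issue thread (not the repository's own code). The sample
template at the bottom is constructed to match the outputs.yml posted above.
"""

# Pseudo-parameters CloudFormation resolves without a declaration in the template.
PSEUDO_PARAMETERS = {
    "AWS::AccountId", "AWS::NoValue", "AWS::NotificationARNs", "AWS::Partition",
    "AWS::Region", "AWS::StackId", "AWS::StackName", "AWS::URLSuffix",
}


def _walk(node, path, found):
    """Recursively collect (path, function, logical_id) for every Ref and Fn::GetAtt."""
    if isinstance(node, dict):
        if len(node) == 1 and isinstance(node.get("Ref"), str):
            found.append((path, "Ref", node["Ref"]))
        if len(node) == 1 and "Fn::GetAtt" in node:
            target = node["Fn::GetAtt"]
            # Fn::GetAtt is written either as ["LogicalId", "Attribute"] or "LogicalId.Attribute"
            logical_id = target[0] if isinstance(target, list) else str(target).split(".", 1)[0]
            found.append((path, "Fn::GetAtt", logical_id))
        for key, value in node.items():
            _walk(value, f"{path}/{key}", found)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk(value, f"{path}[{index}]", found)


def undefined_references(template):
    """Return one message per reference to an undeclared logical ID (empty list if clean)."""
    declared = (set(template.get("Resources", {}))
                | set(template.get("Parameters", {}))
                | PSEUDO_PARAMETERS)
    found = []
    _walk(template.get("Resources", {}), "Resources", found)
    _walk(template.get("Outputs", {}), "Outputs", found)
    return [f"{path}: {fn} references undefined resource {logical_id}"
            for path, fn, logical_id in found if logical_id not in declared]


# Constructed sample: the posted outputs with the HostedZone resource removed and the
# literal zone id substituted for the logical id (the "${...}" variables already resolved).
SAMPLE_TEMPLATE = {
    "Resources": {
        "CFDistribution": {"Type": "AWS::CloudFront::Distribution", "Properties": {}},
    },
    "Outputs": {
        "CloudFrontDistributionId": {"Value": {"Ref": "CFDistribution"}},
        "HostedZoneNameservers": {
            "Value": {"Fn::Join": [", ", {"Fn::GetAtt": ["MY_EXISTING_HOSTED_ZONE_ID", "NameServers"]}]},
        },
    },
}

if __name__ == "__main__":
    for problem in undefined_references(SAMPLE_TEMPLATE) or ["no undefined references"]:
        print(problem)
```

Running it on the sample reproduces the deploy error as a single finding at `Outputs/HostedZoneNameservers`; removing that output (an existing zone's nameservers can be read with `aws route53 get-hosted-zone`, not with Fn::GetAtt) makes the checker return an empty list.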
It's hard to unobfuscate an indentation-based language. I want to see what it does exactly and maybe change it to suit my needs if necessary. Thanks
When I first deploy the application, it just comes up with this error:
SSLCertificate | CREATE_FAILED | Failed to create resource. Certificate not issued in time
I did do the following step in my Route53 to change the NS record:
The nameservers you have to configure your domain DNS to can be found under the NS
record and will look similar to this:
ns-1807.awsdns-33.co.uk.
ns-977.awsdns-58.net.
ns-1351.awsdns-40.org.
ns-32.awsdns-04.com.
I bought a domain on namecheap, when I run sls deploy --domain domain.com with the domain I bought I get the above error. Is there further configuration required to use external domains?
I created a Serverless project using this framework, but for some reason the CF resource creation for creating the SSL cert times out after ~500-600 seconds. Is the cert supposed to take this long to create?
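"Certificate not issued in time" is raised by the inline custom-resource Lambda when ACM still has not issued the certificate after two 900-second invocations. With DNS validation that almost always means ACM's validation CNAME is not publicly resolvable, either because the registrar is not delegating the domain to the hosted zone's nameservers, or because the record was written into a different zone than the one the domain is delegated to. The following is an added example for the three issues above, not code from the project: it takes a hosted zone's delegation set and an ACM certificate description (shaped like the route53 get_hosted_zone and acm describe_certificate responses, here constructed inline) plus the records observed from the public resolver, and reports which of the two conditions fails. In a real run you would fill these from boto3 and a DNS lookup; the nameserver values reuse the ones quoted in the post above as sample data.

```python
"""Offline diagnostics for a stalled ACM DNS validation.

Added example for the issues above, not the repository's own code. All inputs are
constructed to look like route53 get_hosted_zone / acm describe_certificate output.
"""


def normalize_name(name):
    """DNS names compare case-insensitively and with or without the trailing dot."""
    return name.strip().lower().rstrip(".")


def delegation_mismatch(hosted_zone, registrar_ns):
    """Zone nameservers that the registrar is not publishing (empty set when delegation is correct)."""
    zone_ns = {normalize_name(n) for n in hosted_zone["DelegationSet"]["NameServers"]}
    observed = {normalize_name(n) for n in registrar_ns}
    return zone_ns - observed


def validation_problems(certificate, observed_cnames):
    """Check each pending DomainValidationOptions entry against the CNAMEs seen publicly.

    observed_cnames maps a record name to the target it resolves to (None when absent).
    """
    problems = []
    for option in certificate["DomainValidationOptions"]:
        if option.get("ValidationStatus") == "SUCCESS":
            continue
        record = option.get("ResourceRecord")
        if not record:
            # ACM publishes the CNAME it wants shortly after the request; until then nothing can be checked
            problems.append(f"{option['DomainName']}: ACM has not published a validation record yet")
            continue
        name = normalize_name(record["Name"])
        expected = normalize_name(record["Value"])
        actual = observed_cnames.get(name)
        if actual is None:
            problems.append(f"{option['DomainName']}: validation CNAME {name} not resolvable")
        elif normalize_name(actual) != expected:
            problems.append(f"{option['DomainName']}: validation CNAME {name} points at "
                            f"{normalize_name(actual)}, expected {expected}")
    return problems


def diagnose(hosted_zone, registrar_ns, certificate, observed_cnames):
    """Combine both checks into one list of findings; an empty list means validation should complete."""
    findings = [f"zone nameserver {n} is not set at the registrar"
                for n in sorted(delegation_mismatch(hosted_zone, registrar_ns))]
    return findings + validation_problems(certificate, observed_cnames)


# Constructed sample data (nameservers taken from the post above, domain and CNAME values invented).
HOSTED_ZONE = {"DelegationSet": {"NameServers": [
    "ns-1807.awsdns-33.co.uk", "ns-977.awsdns-58.net",
    "ns-1351.awsdns-40.org", "ns-32.awsdns-04.com"]}}
REGISTRAR_NS_OK = ["NS-1807.awsdns-33.co.uk.", "ns-977.awsdns-58.net.",
                   "ns-1351.awsdns-40.org.", "ns-32.awsdns-04.com."]
REGISTRAR_NS_PARKED = ["ns1.parking.example.", "ns2.parking.example."]  # hypothetical registrar defaults
CERTIFICATE = {"DomainValidationOptions": [{
    "DomainName": "example.com",
    "ValidationStatus": "PENDING_VALIDATION",
    "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                       "Value": "_def456.acm-validations.aws."},
}]}

if __name__ == "__main__":
    for finding in diagnose(HOSTED_ZONE, REGISTRAR_NS_PARKED, CERTIFICATE, {}) or ["validation looks healthy"]:
        print(finding)
```

With the registrar still on its default nameservers and no CNAME visible, `diagnose` returns five findings (four missing nameservers plus the unresolvable validation record); with the delegation corrected and the CNAME resolving to ACM's expected value it returns nothing, which is the state the custom resource needs in order to finish within its timeout.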