tobilg / serverless-aws-static-websites
Deploy your static websites without all the hassle on AWS with CloudFront, S3, ACM and Route53 via Serverless

License: MIT License

HTML 9.03% JavaScript 90.97%
aws static-website serverless s3 cloudfront acm route53


serverless-aws-static-websites's Issues

Configuration with existing hosted zone

Hi, I am trying to use your library with an already existing Hosted Zone. Therefore I replaced the reference to the Hosted Zone in all files with the existing Hosted Zone ID and removed the Hosted Zone from the resources. Unfortunately something still doesn't work with CloudFront. Because I didn't fully understand some configuration files, I can't tell where the error is.
Below are all configuration files with my setup:

Configuration

# serverless.yml
service:
  name: my-service

provider:
  name: aws
  runtime: nodejs8.10
  region: eu-central-1
  stage: dev
  environment:
    HOSTED_ZONE_ID: 'MY_EXISTING_HOSTED_ZONE_ID'
    DOMAIN: 'my-subdomain-of-hosted-zone'

plugins:
  - serverless-s3-sync
  - serverless-pseudo-parameters
  - serverless-stack-output
  - serverless-cloudfront-invalidate

custom:
  # The domain name to be used
  domainName: ${self:provider.environment.DOMAIN}

  # Output plugin configuration
  output:
    handler: modules/output.handler

  # CloudFront invalidation plugin configuration
  cloudfrontInvalidate:
    distributionIdKey: 'CloudFrontDistributionId'
    items: # Add your files to invalidate here:
      - '/index.html'

  # S3 sync plugin configuration
  s3Sync:
    - bucketName: ${self:provider.environment.DOMAIN}
      localDir: src

resources:
  - ${file(resources/custom-acm-certificate-lambda.yml)}
  - ${file(resources/custom-acm-certificate-lambda-role.yml)}
  - ${file(resources/cloudfront-origin-access-identity.yml)}
  - ${file(resources/s3-bucket.yml)}
  - ${file(resources/s3-policies.yml)}
  - ${file(resources/dns-records.yml)}
  - ${file(resources/certificate.yml)}
  - ${file(resources/cf-distribution.yml)}
  - ${file(resources/outputs.yml)}

# custom-acm-certificate-lambda.yml
Resources:
  CustomAcmCertificateLambda:
    Type: 'AWS::Lambda::Function'
    Metadata:
      Source: https://github.com/dflook/cloudformation-dns-certificate
      Version: 1.7.1
    Properties:
      Description: Cloudformation custom resource for DNS validated certificates
      Handler: index.handler
      Role: '#{CustomAcmCertificateLambdaExecutionRole.Arn}'
      Runtime: python3.6
      Timeout: 900
      Code:
        ZipFile: "T=RuntimeError\nimport copy,hashlib as t,json,logging as B,time\
          \ as b\nfrom boto3 import client as K\nfrom botocore.exceptions import ClientError\
          \ as u,ParamValidationError as v\nfrom botocore.vendored import requests\
          \ as w\nA=B.getLogger()\nA.setLevel(B.INFO)\nD=A.info\nS=A.exception\nd=json.dumps\n\
          M=copy.copy\ne=b.sleep\ndef handler(event,c):\n\tA9='OldResourceProperties';A8='Update';A7='Delete';A6='None';A5='acm';A4='FAILED';A3='properties';A2='stack-id';A1='logical-id';A0='DNS';s='Old';r='Certificate';q='LogicalResourceId';p='DomainName';o='ValidationMethod';n='Route53RoleArn';m='Region';a='RequestType';Z='Reinvoked';Y='StackId';X=None;R='Status';Q='Key';P='';O=True;N='DomainValidationOptions';L=False;J='ResourceProperties';I='cloudformation:';H='Value';G='CertificateArn';F='Tags';C='PhysicalResourceId';A=event;f=c.get_remaining_time_in_millis;D(A)\n\
          \tdef g():\n\t\tD=M(B)\n\t\tfor H in ['ServiceToken',m,F,n]:D.pop(H,X)\n\
          \t\tif o in B:\n\t\t\tif B[o]==A0:\n\t\t\t\tfor I in set([B[p]]+B.get('SubjectAlternativeNames',[])):k(I)\n\
          \t\t\t\tdel D[N]\n\t\tA[C]=E.request_certificate(IdempotencyToken=y,**D)[G];l()\n\
          \tdef U(a):\n\t\twhile O:\n\t\t\ttry:E.delete_certificate(**{G:a});return\n\
          \t\t\texcept u as B:\n\t\t\t\tS(P);A=B.response['Error']['Code']\n\t\t\t\
          \tif A=='ResourceInUseException':\n\t\t\t\t\tif f()/1000<30:raise\n\t\t\t\
          \t\te(5);continue\n\t\t\t\tif A in['ResourceNotFoundException','ValidationException']:return\n\
          \t\t\t\traise\n\t\t\texcept v:return\n\tdef V(props):\n\t\tfor J in E.get_paginator('list_certificates').paginate():\n\
          \t\t\tfor B in J['CertificateSummaryList']:\n\t\t\t\tD(B);C={A[Q]:A[H]for\
          \ A in E.list_tags_for_certificate(**{G:B[G]})[F]}\n\t\t\t\tif C.get(I+A1)==A[q]and\
          \ C.get(I+A2)==A[Y]and C.get(I+A3)==hash(props):return B[G]\n\tdef h():\n\
          \t\tif A.get(Z,L):raise T('Certificate not issued in time')\n\t\tA[Z]=O;D(A);K('lambda').invoke(FunctionName=c.invoked_function_arn,InvocationType='Event',Payload=d(A).encode())\n\
          \tdef i():\n\t\twhile f()/1000>30:\n\t\t\tB=E.describe_certificate(**{G:A[C]})[r];D(B)\n\
          \t\t\tif B[R]=='ISSUED':return O\n\t\t\telif B[R]==A4:raise T(B.get('FailureReason',P))\n\
          \t\t\te(5)\n\t\treturn L\n\tdef x():B=M(A[s+J]);B.pop(F,X);C=M(A[J]);C.pop(F,X);return\
          \ B!=C\n\tdef j():\n\t\tW='Type';V='Name';U='HostedZoneId';T='ValidationStatus';S='PENDING_VALIDATION';L='ResourceRecord'\n\
          \t\tif B.get(o)!=A0:return\n\t\twhile O:\n\t\t\tI=E.describe_certificate(**{G:A[C]})[r];D(I)\n\
          \t\t\tif I[R]!=S:return\n\t\t\tif not[A for A in I.get(N,[{}])if T not in\
          \ A or L not in A]:break\n\t\t\tb.sleep(1)\n\t\tfor F in I[N]:\n\t\t\tif\
          \ F[T]==S:M=k(F[p]);P=M.get(n,B.get(n));J=K('sts').assume_role(RoleArn=P,RoleSessionName=(r+A[q])[:64],DurationSeconds=900)['Credentials']if\
          \ P is not X else{};Q=K('route53',aws_access_key_id=J.get('AccessKeyId'),aws_secret_access_key=J.get('SecretAccessKey'),aws_session_token=J.get('SessionToken')).change_resource_record_sets(**{U:M[U],'ChangeBatch':{'Comment':'Domain\
          \ validation for '+A[C],'Changes':[{'Action':'UPSERT','ResourceRecordSet':{V:F[L][V],W:F[L][W],'TTL':60,'ResourceRecords':[{H:F[L][H]}]}}]}});D(Q)\n\
          \tdef k(n):\n\t\tC='.';n=n.rstrip(C);D={A[p].rstrip(C):A for A in B[N]};A=n.split(C)\n\
          \t\twhile len(A):\n\t\t\tif C.join(A)in D:return D[C.join(A)]\n\t\t\tA=A[1:]\n\
          \t\traise T(N+' missing'+' for '+n)\n\thash=lambda v:t.new('md5',d(v,sort_keys=O).encode()).hexdigest()\n\
          \tdef l():B=M(A[J].get(F,[]));B+=[{Q:I+A1,H:A[q]},{Q:I+A2,H:A[Y]},{Q:I+'stack-name',H:A[Y].split('/')[1]},{Q:I+A3,H:hash(A[J])}];E.add_tags_to_certificate(**{G:A[C],F:B})\n\
          \tdef W():D(A);B=w.put(A['ResponseURL'],json=A,headers={'content-type':P});B.raise_for_status()\n\
          \ttry:\n\t\ty=hash(A['RequestId']+A[Y]);B=A[J];E=K(A5,region_name=B.get(m));A[R]='SUCCESS'\n\
          \t\tif A[a]=='Create':\n\t\t\tif A.get(Z,L)is L:A[C]=A6;g()\n\t\t\tj()\n\
          \t\t\tif not i():return h()\n\t\telif A[a]==A7:\n\t\t\tif A[C]!=A6:\n\t\t\
          \t\tif A[C].startswith('arn:'):U(A[C])\n\t\t\t\telse:U(V(B))\n\t\telif A[a]==A8:\n\
          \t\t\tif x():\n\t\t\t\tD(A8)\n\t\t\t\tif V(B)==A[C]:\n\t\t\t\t\ttry:E=K(A5,region_name=A[A9].get(m));D(A7);U(V(A[A9]))\n\
          \t\t\t\t\texcept:S(P)\n\t\t\t\t\treturn W()\n\t\t\t\tif A.get(Z,L)is L:g()\n\
          \t\t\t\tj()\n\t\t\t\tif not i():return h()\n\t\t\telse:\n\t\t\t\tif F in\
          \ A[s+J]:E.remove_tags_from_certificate(**{G:A[C],F:A[s+J][F]})\n\t\t\t\t\
          l()\n\t\telse:raise T(A[a])\n\t\treturn W()\n\texcept Exception as z:S(P);A[R]=A4;A['Reason']=str(z);return\
          \ W()"
# custom-acm-certificate-lambda-role.yml
Resources:
  CustomAcmCertificateLambdaExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
        Version: '2012-10-17'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/service-role/AWSLambdaRole
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - acm:AddTagsToCertificate
                  - acm:DeleteCertificate
                  - acm:DescribeCertificate
                  - acm:RemoveTagsFromCertificate
                Effect: Allow
                Resource:
                  - 'arn:aws:acm:*:#{AWS::AccountId}:certificate/*'
              - Action:
                  - acm:RequestCertificate
                  - acm:ListTagsForCertificate
                  - acm:ListCertificates
                Effect: Allow
                Resource:
                  - '*'
              - Action:
                  - route53:ChangeResourceRecordSets
                Effect: Allow
                Resource:
                  - arn:aws:route53:::hostedzone/*
            Version: '2012-10-17'
          PolicyName: 'CustomAcmCertificateLambdaExecutionPolicy-${self:service.name}'

# cloudfront-origin-access-identity.yml
Resources:
  CloudFrontOriginAccessIdentity:
    Type: 'AWS::CloudFront::CloudFrontOriginAccessIdentity'
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: '${self:service.name}-oai'
# s3-bucket.yml
Resources:
  WebsiteBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: ${self:provider.environment.DOMAIN}
# s3-policies.yml
Resources:
  WebsiteBucketPolicy:
    Type: AWS::S3::BucketPolicy
    DependsOn:
      - WebsiteBucket
    Properties:
      Bucket:
        Ref: WebsiteBucket
      PolicyDocument:
        Statement:
          - Sid: PublicReadGetObject
            Effect: Allow
            Principal:
              AWS:
                Fn::Join:
                  - ' '
                  - - 'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity'
                    - '#{CloudFrontOriginAccessIdentity}'
            Action:
              - s3:GetObject
            Resource:
              - Fn::Join: [
                  '', [
                    'arn:aws:s3:::',
                    {
                      'Ref': 'WebsiteBucket'
                    },
                    '/*'
                  ]
                ]
# dns-records.yml
# See RecordSet: https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-properties-route53-recordset.html
# See AliasTarget: https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget.html
# See https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region (below the first table for hosted zone ids / website endpoints of S3)
Resources:
  DnsRecord:
    Type: 'AWS::Route53::RecordSet'
    Properties:
      Comment: 'Alias CloudFront for ${self:provider.environment.DOMAIN}'
      HostedZoneId: '${self:provider.environment.HOSTED_ZONE_ID}'
      Type: A
      Name: '${self:provider.environment.DOMAIN}'
      AliasTarget:
        # Generated domain name from CloudFront
        DNSName: '#{CFDistribution.DomainName}'
        # Default (static) hosted zone for CloudFront
        HostedZoneId: 'Z2FDTNDATAQYW2'
  WWWDnsRecord:
    Type: 'AWS::Route53::RecordSet'
    Properties:
      Comment: 'Alias CloudFront for www.${self:provider.environment.DOMAIN}'
      HostedZoneId: '${self:provider.environment.HOSTED_ZONE_ID}'
      Type: A
      Name: 'www.${self:provider.environment.DOMAIN}'
      AliasTarget:
        # Generated domain name from CloudFront
        DNSName: '#{CFDistribution.DomainName}'
        # Default (static) hosted zone for CloudFront
        HostedZoneId: 'Z2FDTNDATAQYW2'

# certificate.yml
Resources:
  SSLCertificate:
    Type: 'Custom::DNSCertificate'
    Properties:
      DomainName: '${self:provider.environment.DOMAIN}'
      SubjectAlternativeNames:
        - 'www.${self:provider.environment.DOMAIN}'
      ValidationMethod: DNS
      # Needs to be in us-east-1 because of CloudFront limitations
      Region: us-east-1
      DomainValidationOptions:
        - DomainName: '${self:provider.environment.DOMAIN}'
          HostedZoneId: '${self:provider.environment.HOSTED_ZONE_ID}'
      ServiceToken: '#{CustomAcmCertificateLambda.Arn}'

# cf-distribution.yml
# See https://blog.m-taylor.co.uk/2018/01/cloudformation-template-for-a-cloudfront-enabled-s3-website.html
Resources:
  CFDistribution:
    Type: 'AWS::CloudFront::Distribution'
    DependsOn:
      - WebsiteBucket
      - SSLCertificate
      - CloudFrontOriginAccessIdentity
    Properties:
      DistributionConfig:
        Aliases:
          - '${self:provider.environment.DOMAIN}'
          - 'www.${self:provider.environment.DOMAIN}'
        Origins:
          - DomainName: '#{WebsiteBucket.DomainName}'
            OriginPath: ''
            Id: S3BucketOrigin
            S3OriginConfig:
              OriginAccessIdentity:
                Fn::Join:
                  - ''
                  - - 'origin-access-identity/cloudfront/'
                    - '#{CloudFrontOriginAccessIdentity}'
        Comment: 'CloudFront origin for ${self:provider.environment.DOMAIN}'
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
          TargetOriginId: S3BucketOrigin
          Compress: true
          ForwardedValues:
            QueryString: 'false'
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        DefaultRootObject: index.html
        Enabled: 'true'
        HttpVersion: 'http2'
        PriceClass: 'PriceClass_100'
        ViewerCertificate:
          AcmCertificateArn: '#{SSLCertificate}'
          SslSupportMethod: sni-only
# outputs.yml
Outputs:
  CloudFrontDistributionId:
    Description: CloudFront distribution id
    Value:
      Ref: CFDistribution
  HostedZoneNameservers:
    Description: The nameservers for the Hosted Zone (to be used with your external DNS configuration)
    Value:
      'Fn::Join':
        - ', '
        - 'Fn::GetAtt': ['${self:provider.environment.HOSTED_ZONE_ID}', 'NameServers']

Error Message:

# outputs.yml
Error: The CloudFormation template is invalid: Template error: instance of Fn::GetAtt references undefined resource MY_EXISTING_HOSTED_ZONE_ID

Could you please help me modify the configuration to get it working?
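The error in this issue is a general CloudFormation rule rather than something specific to the plugin: `Fn::GetAtt` can only name a logical resource declared in the same template, so a hosted zone that already exists (and therefore appears only as an ID string) has no `NameServers` attribute to fetch. `Ref` is looser and also accepts Parameters and pseudo-parameters such as `AWS::Region`. The following pre-deploy check is an added example, not code from this issue or from the serverless-aws-static-websites project; it walks a rendered template (the JSON that `serverless package` writes under `.serverless/`) and reports every `Ref`/`Fn::GetAtt` whose target is undefined, so the failure surfaces in CI instead of as a rolled-back stack update. The template dict, the `MY_EXISTING_HOSTED_ZONE_ID` placeholder and the `fixed_template` helper (which exports the zone ID instead of its nameservers) are constructed for the example.

```python
"""Added example: find Ref / Fn::GetAtt targets that CloudFormation will reject.

Not part of the issue or the project. Operates on an already-rendered template
(serverless variables such as ${self:...} have been substituted).
"""
import copy
from typing import Any, Dict, List, Tuple

# Pseudo-parameters CloudFormation defines in every template; Ref to them is valid.
PSEUDO_PARAMETERS = {
    "AWS::AccountId", "AWS::NoValue", "AWS::NotificationARNs", "AWS::Partition",
    "AWS::Region", "AWS::StackId", "AWS::StackName", "AWS::URLSuffix",
}

Finding = Tuple[str, str, str]  # (intrinsic function, target logical ID, path in template)


def _collect(node: Any, path: str, out: List[Finding]) -> None:
    """Depth-first walk recording every Ref / Fn::GetAtt target and where it sits."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            out.append(("Ref", node["Ref"], path))
        elif set(node) == {"Fn::GetAtt"}:
            target = node["Fn::GetAtt"]
            if isinstance(target, list) and target and isinstance(target[0], str):
                out.append(("Fn::GetAtt", target[0], path))  # long form [Logical, Attr]
            elif isinstance(target, str):
                out.append(("Fn::GetAtt", target.split(".", 1)[0], path))  # short form "Logical.Attr"
        for key, value in node.items():
            _collect(value, f"{path}/{key}", out)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _collect(item, f"{path}[{i}]", out)


def find_undefined_references(template: Dict[str, Any]) -> List[Finding]:
    """Return the references CloudFormation would reject as 'undefined resource'."""
    resources = set(template.get("Resources", {}))
    ref_ok = resources | set(template.get("Parameters", {})) | PSEUDO_PARAMETERS
    found: List[Finding] = []
    for section in ("Resources", "Outputs", "Conditions"):
        _collect(template.get(section, {}), section, found)
    bad: List[Finding] = []
    for fn, target, path in found:
        allowed = ref_ok if fn == "Ref" else resources  # GetAtt works on resources only
        if target not in allowed:
            bad.append((fn, target, path))
    return bad


# Constructed template mirroring the issue: the hosted zone is pre-existing, so only
# its ID string appears, yet outputs.yml still asks it for a NameServers attribute.
EXISTING_HOSTED_ZONE_ID = "MY_EXISTING_HOSTED_ZONE_ID"  # placeholder, as in the issue

TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "WebsiteBucket": {"Type": "AWS::S3::Bucket",
                          "Properties": {"BucketName": "my-subdomain-of-hosted-zone"}},
        "CFDistribution": {"Type": "AWS::CloudFront::Distribution", "Properties": {}},
        "DnsRecord": {
            "Type": "AWS::Route53::RecordSet",
            "Properties": {
                "HostedZoneId": EXISTING_HOSTED_ZONE_ID,  # plain string: valid
                "Type": "A",
                "Name": "my-subdomain-of-hosted-zone",
                "AliasTarget": {
                    "DNSName": {"Fn::GetAtt": ["CFDistribution", "DomainName"]},  # declared: valid
                    "HostedZoneId": "Z2FDTNDATAQYW2",
                },
            },
        },
    },
    "Outputs": {
        "CloudFrontDistributionId": {"Value": {"Ref": "CFDistribution"}},
        "HostedZoneNameservers": {
            "Value": {"Fn::Join": [", ", {"Fn::GetAtt": [EXISTING_HOSTED_ZONE_ID, "NameServers"]}]},
        },
    },
}


def fixed_template(template: Dict[str, Any]) -> Dict[str, Any]:
    """An existing zone's nameservers are not a stack attribute; export the zone ID instead."""
    fixed = copy.deepcopy(template)
    fixed["Outputs"].pop("HostedZoneNameservers")
    fixed["Outputs"]["HostedZoneId"] = {
        "Description": "Pre-existing hosted zone used for the DNS records",
        "Value": EXISTING_HOSTED_ZONE_ID,
    }
    return fixed


if __name__ == "__main__":
    for fn, target, path in find_undefined_references(TEMPLATE):
        print(f"{path}: {fn} references undefined resource {target}")
    print("after fix:", find_undefined_references(fixed_template(TEMPLATE)))
```

Run against the rendered template rather than the `serverless.yml`, because `${self:...}` variables and the `#{...}` pseudo-parameter syntax are only expanded at packaging time; the one finding the constructed template produces is the same `Outputs/HostedZoneNameservers` reference that the error message above names.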

Failed to create resource. Certificate not issued in time

When I first deploy the application, it just comes up with this error:

SSLCertificate | CREATE_FAILED | Failed to create resource. Certificate not issued in time

I did do the following step in my Route53 to change the NS record:

The nameservers you have to configure your domain DNS to can be found under the NS record and will look similar to this:

ns-1807.awsdns-33.co.uk.
ns-977.awsdns-58.net.
ns-1351.awsdns-40.org.
ns-32.awsdns-04.com.

SSL certificate creation times out on deploy

I created a Serverless project using this framework, but for some reason the CF resource creation for creating the SSL cert times out after ~500-600 seconds. Is the cert supposed to take this long to create?
