public SpaStack(Construct scope, string id, SpaStackProps props) : base(scope, id, props)
{
//s3 bucket
var bucket = new Bucket(this, $"{props.ServiceName}-bucket", new BucketProps
{
WebsiteIndexDocument = "index.html",
Versioned = true,
BucketName = props.ServiceName,
RemovalPolicy = RemovalPolicy.DESTROY
});
//cloudfront distribution
var cloudFrontOai = new OriginAccessIdentity(this, $"{props.ServiceName}-oai", new OriginAccessIdentityProps
{
Comment = $"OAI for {props.ServiceName}."
});
var cloudfrontDist = new CloudFrontWebDistribution(this, $"{props.ServiceName}-cfd", new CloudFrontWebDistributionProps
{
ViewerCertificate = ViewerCertificate.FromAcmCertificate(
props.CloudFrontCert,
new ViewerCertificateOptions
{
Aliases = new [] { $"{props.SubDomain}.{props.HostedZoneName}" },
SslMethod = SSLMethod.SNI
}),
OriginConfigs = new ISourceConfiguration[]
{
new SourceConfiguration
{
S3OriginSource = new S3OriginConfig
{
S3BucketSource = bucket,
OriginAccessIdentity = cloudFrontOai
},
Behaviors = new IBehavior[]
{
new Behavior
{
IsDefaultBehavior = true,
}
}
}
}
});
var cnameRecord = new CnameRecord(this, $"{props.ServiceName}CloudFrontCname", new CnameRecordProps
{
Zone = HostedZone.FromHostedZoneAttributes(this, "HostedZone", new HostedZoneAttributes
{
ZoneName = props.HostedZoneName,
HostedZoneId = props.HostedZoneId
}),
RecordName = props.SubDomain,
DomainName = cloudfrontDist.DistributionDomainName
});
var cloudfrontS3Access = new PolicyStatement();
cloudfrontS3Access.AddActions("s3:GetBucket*", "s3:GetObject*", "s3:List*");
cloudfrontS3Access.AddResources(bucket.BucketArn);
cloudfrontS3Access.AddResources($"{bucket.BucketArn}/*");
cloudfrontS3Access.AddCanonicalUserPrincipal(cloudFrontOai.CloudFrontOriginAccessIdentityS3CanonicalUserId);
bucket.AddToResourcePolicy(cloudfrontS3Access);
//codebuild project
var codeBuildProject = new Project(this, $"{props.ServiceName}-codeBuild-project", new ProjectProps
{
Vpc = props.Vpc,
ProjectName = props.ServiceName,
Environment = new BuildEnvironment
{
BuildImage = LinuxBuildImage.STANDARD_4_0,
},
Source = Source.GitHub(props.GitHubSourceProps),
BuildSpec = BuildSpec.FromSourceFilename(props.BuildSpecFile),
EnvironmentVariables = new Dictionary <string, IBuildEnvironmentVariable>
{
{ "SPA_DIRECTORY", new BuildEnvironmentVariable {
Value = props.SpaDirectory
} },
{ "S3_BUCKET", new BuildEnvironmentVariable {
Value = bucket.BucketName
} },
{ "CLOUDFRONT_ID", new BuildEnvironmentVariable {
Value = cloudfrontDist.DistributionId
} },
{ "API_URL", new BuildEnvironmentVariable {
Value = props.ApiUrl
} }
}
});
// iam policy to push your build to S3
codeBuildProject.AddToRolePolicy(
new PolicyStatement(new PolicyStatementProps
{
Effect = Effect.ALLOW,
Resources = new[] { bucket.BucketArn, $"{bucket.BucketArn}/*" },
Actions = new[]
{
"s3:GetBucket*",
"s3:List*",
"s3:GetObject*",
"s3:DeleteObject",
"s3:PutObject"
}
}));
codeBuildProject.AddToRolePolicy(
new PolicyStatement(new PolicyStatementProps
{
Effect = Effect.ALLOW,
Resources = new [] { "*" },
Actions = new []
{
"cloudfront:CreateInvalidation",
"cloudfront:GetDistribution*",
"cloudfront:GetInvalidation",
"cloudfront:ListInvalidations",
"cloudfront:ListDistributions"
}
}));
//codepipeline?
}
