Open
Description
Hi there,
Because Copilot does not output the ACM ARN of a domain for CloudFront, I want to use a Mapping to hard-code the ARN into the template:
```yaml
Mappings:
  Cert:
    dev:
      arn: 'arn:aws:acm:us-east-1:443171139711:certificate/bddf7928-e96d-4355-8725-a264f2fcc4f3'
```
And here is how I use the mapping:
```yaml
ViewerCertificate:
  AcmCertificateArn: !FindInMap
    - Cert
    - !Sub ${Env}
    - arn
```
And here is the error:
```text
✘ Proposing infrastructure changes for stack quick-dev-api
✘ deploy service api to environment dev: deploy service: wait for creation of change set copilot-68e92bf9-be39-48c9-8917-6889af57041e for stack quick-dev-api: ResourceNotReady: failed waiting for successful resource state: Template error: every Fn::FindInMap object requires three parameters, the map name, map key and the attribute for return value: CustomResource attribute error: Vendor response doesn't contain Priority key in object arn:aws:cloudformation:ap-south-1:443171139711:stack/quick-dev-api/0ce34700-381a-11ed-ab9d-06b04aa587c4|HTTPSRulePriorityAction|0886df0d-bfe0-4b40-b292-a7d3ad9260fd in S3 bucket cloudformation-custom-resource-storage-apsouth1
```
So, how could I get Env in the addons template, or could you make an OUTPUT resource with Copilot CLI? I mean I could control the output I want so it can be used from another stack.
In my case, I'm going to create a new CloudFront Distribution for my S3 bucket which was created by Copilot, because currently Copilot 1.21 only creates a CloudFront Distribution for ALB.
Is there any workaround for now?
Thank you so much!
Here is the rest of the resource to create CloudFront:
```yaml
Parameters:
  App:
    Type: String
    Description: Your application's name.
  Env:
    Type: String
    Description: The environment name your service, job, or workflow is being deployed to.
  Name:
    Type: String
    Description: The name of the service, job, or workflow being deployed.

Mappings:
  Cert:
    dev:
      arn: 'arn:aws:acm:us-east-1:443171139711:certificate/bddf7928-e96d-4355-8725-a264f2fcc4f3'

Resources:
  imagesBucket:
    Metadata:
      'aws:copilot:description': 'An Amazon S3 bucket to store and retrieve objects for images'
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: false
        BlockPublicPolicy: false
        IgnorePublicAcls: false
        RestrictPublicBuckets: false

  imagesBucketPolicy:
    Metadata:
      'aws:copilot:description': 'A bucket policy to deny unencrypted access to the bucket and its contents'
    Type: AWS::S3::BucketPolicy
    DeletionPolicy: Retain
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ForceHTTPS
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource:
              - !Sub ${ imagesBucket.Arn}/*
              - !Sub ${ imagesBucket.Arn}
            Condition:
              Bool:
                "aws:SecureTransport": false
          - Sid: Allow from Cloudfront
            Action:
              - s3:GetObject
            Effect: Allow
            Resource: !Join ['', ['arn:aws:s3:::', !Ref imagesBucket, '/*']]
            Principal:
              CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
      Bucket: !Ref imagesBucket

  imagesAccessPolicy:
    Metadata:
      'aws:copilot:description': 'An IAM ManagedPolicy for your service to access the images bucket'
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: !Sub
        - Grants CRUD access to the S3 bucket ${Bucket}
        - { Bucket: !Ref imagesBucket }
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: S3ObjectActions
            Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:PutObjectACL
              - s3:PutObjectTagging
              - s3:DeleteObject
              - s3:RestoreObject
            Resource: !Sub ${ imagesBucket.Arn}/*
          - Sid: S3ListAction
            Effect: Allow
            Action: s3:ListBucket
            Resource: !Sub ${ imagesBucket.Arn}

  CloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Sub 'CloudFront OAI for S3 bucket'

  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          - !Join
            - ''
            - - 'img.'
              - 'Fn::ImportValue': !Sub '${App}-${Env}-SubDomain'
        DefaultCacheBehavior:
          Compress: true
          ForwardedValues:
            QueryString: false
          TargetOriginId: the-s3-bucket
          ViewerProtocolPolicy: redirect-to-https
        Enabled: true
        HttpVersion: http2
        Origins:
          - DomainName: !Join ['', [!Ref imagesBucket, '.s3.amazonaws.com']]
            Id: the-s3-bucket
            S3OriginConfig:
              OriginAccessIdentity:
                !Join ['', ['origin-access-identity/cloudfront/', !Ref CloudFrontOriginAccessIdentity]]
        PriceClass: PriceClass_All
        ViewerCertificate:
          AcmCertificateArn: !FindInMap
            - Cert
            - !Sub ${Env}
            - arn
          MinimumProtocolVersion: TLSv1
          SslSupportMethod: sni-only

Outputs:
  imagesName:
    Description: "The name of a user-defined bucket."
    Value: !Ref imagesBucket
  imagesAccessPolicy:
    Description: "The IAM::ManagedPolicy to attach to the task role"
    Value: !Ref imagesAccessPolicy
```
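The template error above comes from the map key: without the `AWS::LanguageExtensions` transform, CloudFormation only accepts `Ref` and `Fn::FindInMap` as intrinsics inside `Fn::FindInMap`, so `!Sub ${Env}` has to become `!Ref Env`. The following is an added example, not code from the issue or from the Copilot project: a small lint over a template parsed into Python dicts (JSON form, so `!Sub ${Env}` is written `{"Fn::Sub": "${Env}"}`) that flags FindInMap calls CloudFormation would reject and lists environments that have no key in a hard-coded mapping, which is the other way a mapping like `Cert` fails a deploy. The sample templates, the `distribution()` helper and the placeholder certificate ARN are constructed for the example.

```python
"""Added example (not the issue author's or Copilot's code): lint Fn::FindInMap usage
in a CloudFormation template that has already been parsed into Python dicts."""

# Intrinsics CloudFormation accepts as Fn::FindInMap arguments without the
# AWS::LanguageExtensions transform.
ALLOWED_IN_FINDINMAP = {"Ref", "Fn::FindInMap"}


def intrinsic_name(node):
    """Return the intrinsic function name if `node` is a single-key intrinsic, else None."""
    if isinstance(node, dict) and len(node) == 1:
        key = next(iter(node))
        if key == "Ref" or key.startswith("Fn::"):
            return key
    return None


def find_invalid_findinmap(template):
    """Return (path, message) tuples for every Fn::FindInMap CloudFormation would reject."""
    mappings = template.get("Mappings", {})
    problems = []

    def walk(node, path):
        if intrinsic_name(node) == "Fn::FindInMap":
            args = node["Fn::FindInMap"]
            if not isinstance(args, list) or len(args) != 3:
                problems.append((path, "Fn::FindInMap requires exactly three parameters"))
            else:
                # Any intrinsic other than Ref / Fn::FindInMap in an argument is rejected.
                for i, arg in enumerate(args):
                    name = intrinsic_name(arg)
                    if name and name not in ALLOWED_IN_FINDINMAP:
                        problems.append((f"{path}[{i}]", f"{name} is not allowed inside Fn::FindInMap; use Ref"))
                map_name, _, attr = args
                if isinstance(map_name, str) and map_name not in mappings:
                    problems.append((f"{path}[0]", f"no mapping named {map_name!r}"))
                elif isinstance(map_name, str) and isinstance(attr, str):
                    # Every second-level key must carry the requested attribute.
                    for key, entry in mappings[map_name].items():
                        if not isinstance(entry, dict) or attr not in entry:
                            problems.append((f"{path}[2]", f"mapping {map_name!r} key {key!r} has no {attr!r}"))
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(template, "")
    return problems


def missing_map_keys(template, map_name, environments):
    """Environments with no entry in `map_name`; a deploy to them would fail at FindInMap."""
    keys = template.get("Mappings", {}).get(map_name, {})
    return [env for env in environments if env not in keys]


def distribution(cert_key):
    """Constructed minimal template in the shape of the issue's, keying the Cert map with `cert_key`."""
    return {
        "Parameters": {"Env": {"Type": "String"}},
        # Placeholder account id and certificate id, not real values.
        "Mappings": {"Cert": {"dev": {"arn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"}}},
        "Resources": {
            "CloudFrontDistribution": {
                "Type": "AWS::CloudFront::Distribution",
                "Properties": {"DistributionConfig": {"ViewerCertificate": {
                    "AcmCertificateArn": {"Fn::FindInMap": ["Cert", cert_key, "arn"]}}}},
            }
        },
    }


BROKEN = distribution({"Fn::Sub": "${Env}"})  # the issue's form: !Sub ${Env}
FIXED = distribution({"Ref": "Env"})          # the form CloudFormation accepts: !Ref Env

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, find_invalid_findinmap(tpl) or "ok")
    print("environments without a Cert entry:", missing_map_keys(FIXED, "Cert", ["dev", "prod"]))
```

Running it reports the `Fn::Sub` argument at `/Resources/CloudFrontDistribution/.../AcmCertificateArn[1]` for the broken template and nothing for the fixed one; the second check shows that a `prod` environment would still fail until the mapping gets a `prod` key.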