lambda-authorizer-cloudformation.yml

Resources:

#### Lambda Authorizer ####
  LambdaAuthorizerExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: lambda-authorizer-execution-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Effect: Allow
                Resource: '*'
          PolicyName: lambda-authorizer-execution-policy

  LambdaAuthorizerFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: lambda-authorizer
      Handler: index.handler
      Runtime: nodejs12.x
      Role: !GetAtt LambdaAuthorizerExecutionRole.Arn
      Code:
        ZipFile: !Sub |
          exports.handler = function(event, context) {
            console.log('Upload built lambda authorizer code & update nodejs version to nodejs14.x');
          };

  LambdaApiGatewayPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt LambdaAuthorizerFunction.Arn
      Action: lambda:InvokeFunction
      Principal: apigateway.amazonaws.com

  LambdaAuthorizerLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub '/aws/lambda/${LambdaAuthorizerFunction}'
      RetentionInDays: 1
#### ####

#### API Gateway ####
  APIGatewayHttpApi:
    Type: AWS::ApiGatewayV2::Api
    Properties:
      Name: sample-secured-app-gateway
      Description: Sample API using the lambda authorizer
      ProtocolType: HTTP

  APIGatewayLambdaIntegration:
    Type: AWS::ApiGatewayV2::Integration
    Properties:
      ApiId: !Ref APIGatewayHttpApi
      IntegrationType: HTTP_PROXY
      IntegrationMethod: "ANY"
      IntegrationUri: "https://google.com"
      PayloadFormatVersion: 1.0

  APIGatewayAuthorizer:
    Type: AWS::ApiGatewayV2::Authorizer
    Properties:
      ApiId: !Ref APIGatewayHttpApi
      AuthorizerType: REQUEST
      AuthorizerPayloadFormatVersion: 2.0
      AuthorizerUri: !Sub 'arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaAuthorizerFunction.Arn}/invocations'
      IdentitySource:
        - "$request.header.Authorization"
      Name: LambdaAuthorizer

  APIGatewayGetRoute:
    Type: AWS::ApiGatewayV2::Route
    Properties:
      ApiId: !Ref APIGatewayHttpApi
      RouteKey: 'GET /sample'
      AuthorizationType: CUSTOM
      AuthorizerId: !Ref APIGatewayAuthorizer
      Target: !Sub 'integrations/${APIGatewayLambdaIntegration}'

  APIGatewayLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: api-gateway-log-grp
      RetentionInDays: 1

  APIGatewayDevStage:
    Type: AWS::ApiGatewayV2::Stage
    Properties:
      StageName: Dev
      Description: Dev Stage
      AccessLogSettings:
        DestinationArn: !GetAtt APIGatewayLogGroup.Arn
        Format: '{ "requestId":"$context.requestId", "ip": "$context.identity.sourceIp", "requestTime":"$context.requestTime", "httpMethod":"$context.httpMethod","routeKey":"$context.routeKey", "status":"$context.status","protocol":"$context.protocol", "responseLength":"$context.responseLength", "integrationError":"$context.integrationErrorMessage" }'
      AutoDeploy: true
      ApiId: !Ref APIGatewayHttpApi
#### ####

#### S3 Website ####
  WebAppS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: sample-secured-web-app-s3

  WebAppS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref WebAppS3Bucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - s3:GetObject
            Principal:
              CanonicalUser: !GetAtt WebAppAccessIdentity.S3CanonicalUserId
            Effect: Allow
            Resource: !Sub '${WebAppS3Bucket.Arn}/*'

  WebAppAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: sample-secured-web-app-cloudfront-access-identity

  WebAppDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
          - DomainName: !GetAtt WebAppS3Bucket.RegionalDomainName
            Id: sampleSecuredWebAppBucket
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${WebAppAccessIdentity.Id}'
        Enabled: true
        DefaultRootObject: index.html
        HttpVersion: http2
        CustomErrorResponses:
          - ErrorCode: 403
            ResponseCode: 200
            ResponsePagePath: /index.html
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          Compress: true
          TargetOriginId: sampleSecuredWebAppBucket
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        PriceClass: PriceClass_100
#### ####