【Question title】: Connecting a SSL cert to a CloudFront CDN in CloudFormation
【Posted】: 2018-03-10 19:13:10
【Question】:

So far I have this to create the resources.

"staticFileBucketPolicy": {
  "Type": "AWS::S3::BucketPolicy",
  "DependsOn": "staticFileBucket",
  "Properties": {
    "Bucket": { "Ref": "staticFileBucket" },
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{
        "Sid": "AddPerm",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": { "Fn::Join" : ["", ["arn:aws:s3:::", { "Ref" : "staticFileBucket" } , "/*" ]]}
      }]
    }
  }
},

"certificate": {
  "Type": "AWS::CertificateManager::Certificate",
  "Properties": {
    "DomainName": { "Ref": "Domain" },
    "SubjectAlternativeNames": [
      { "Fn::Join": ["", [ "*.", { "Ref": "Domain" } ]] }
    ],
    "DomainValidationOptions" : [{
      "DomainName": { "Ref": "Domain" },
      "ValidationDomain" : { "Ref": "Domain" }
    }],
    "Tags": [{
      "Key": "CloudFormationStack",
      "Value": { "Ref": "AWS::StackName" }
    }]
  }
},

"staticCDN": {
  "Type": "AWS::CloudFront::Distribution",
  "DependsOn": "staticFileBucket",
  "Properties": {
    "DistributionConfig": {
      "Comment": "CDN for Sagely static files.",
      "Enabled": true,
      "DefaultRootObject": "index.html",
      "DefaultCacheBehavior": {
        "AllowedMethods": [ "HEAD", "GET", "OPTIONS" ],
        "TargetOriginId": { "Fn::Join": ["", [ { "Ref": "SubDomain" }, "-static.", { "Ref": "Domain" } ]] },
        "ForwardedValues": {
          "QueryString": false,
          "Headers": [ "Access-Control-Request-Headers", "Access-Control-Request-Method", "Origin" ]
        },
        "ViewerProtocolPolicy": "redirect-to-https"
      },
      "Origins": [{
        "DomainName": { "Fn::Join": ["", [ { "Ref": "SubDomain" }, "-static.", { "Ref": "Domain" }, ".s3.amazonaws.com" ]] },
        "Id": { "Fn::Join": ["", [ { "Ref": "SubDomain" }, "-static.", { "Ref": "Domain" } ]] },
        "S3OriginConfig": { }
      }]
    }
  }
},

The CDN works with my custom domain. But how do I connect the SSL cert to the CDN?

【Comments】:

    Tags: amazon-web-services amazon-cloudfront amazon-cloudformation


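    【Answer 1】:

    You are missing the ViewerCertificate property.

    This should be a Ref to the certificate, since Ref returns the certificate's ARN.

    【Comments】:

      【Answer 2】:

      You want a ViewerCertificate property on your DistributionConfig. It should look like this: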

        "ViewerCertificate": {
          "AcmCertificateArn": { "Ref": "certificate" },
          "SslSupportMethod": "sni-only"
        }
      

      Based on your code, you would probably want to update your staticCDN to:

      "staticCDN": {
        "Type": "AWS::CloudFront::Distribution",
        "DependsOn": "staticFileBucket",
        "Properties": {
          "DistributionConfig": {
            "Comment": "CDN for Sagely static files.",
            "Enabled": true,
            "DefaultRootObject": "index.html",
            "DefaultCacheBehavior": {
              "AllowedMethods": [ "HEAD", "GET", "OPTIONS" ],
              "TargetOriginId": { "Fn::Join": ["", [ { "Ref": "SubDomain" }, "-static.", { "Ref": "Domain" } ]] },
              "ForwardedValues": {
                "QueryString": false,
                "Headers": [ "Access-Control-Request-Headers", "Access-Control-Request-Method", "Origin" ]
              },
              "ViewerProtocolPolicy": "redirect-to-https"
            },
            "Origins": [{
              "DomainName": { "Fn::Join": ["", [ { "Ref": "SubDomain" }, "-static.", { "Ref": "Domain" }, ".s3.amazonaws.com" ]] },
              "Id": { "Fn::Join": ["", [ { "Ref": "SubDomain" }, "-static.", { "Ref": "Domain" } ]] },
              "S3OriginConfig": { }
            }],
            "ViewerCertificate": {
              "AcmCertificateArn": { "Ref": "certificate" },
              "SslSupportMethod": "sni-only"
            }
          }
        }
      },
      

      【Comments】:
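
An added check, not part of the original answers: it scans a template's Resources for CloudFront distributions and reports the ViewerCertificate gaps discussed above. Treating a MinimumProtocolVersion that is not a TLS 1.2 policy as a finding is this example's own policy choice, and the sample template and finding names are constructed.

```python
import json

# MinimumProtocolVersion values that require TLS 1.2 or later from viewers.
TLS12_POLICIES = ("TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021")

def lint_distributions(resources):
    """Return sorted (logical_id, finding) pairs for CloudFront distributions."""
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::CloudFront::Distribution":
            continue
        cfg = res.get("Properties", {}).get("DistributionConfig", {})
        cert = cfg.get("ViewerCertificate") or {}
        if not ("AcmCertificateArn" in cert or "IamCertificateId" in cert):
            # Without a custom certificate only *.cloudfront.net is covered.
            findings.append((name, "no-custom-certificate"))
        else:
            if "SslSupportMethod" not in cert:
                findings.append((name, "ssl-support-method-missing"))
            # Tuple membership compares with ==, so a {"Ref": ...} value is
            # handled without error and reported as not pinned.
            if cert.get("MinimumProtocolVersion") not in TLS12_POLICIES:
                findings.append((name, "tls12-policy-not-pinned"))
        behaviors = [cfg.get("DefaultCacheBehavior", {})] + cfg.get("CacheBehaviors", [])
        if any(b.get("ViewerProtocolPolicy") == "allow-all" for b in behaviors):
            findings.append((name, "plain-http-allowed"))
    return sorted(findings)

# Constructed sample: "beforeCDN" mirrors the question's distribution,
# "afterCDN" mirrors Answer 2's version with ViewerCertificate added.
SAMPLE = json.loads("""
{
  "beforeCDN": {"Type": "AWS::CloudFront::Distribution", "Properties": {"DistributionConfig": {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"}}}},
  "afterCDN": {"Type": "AWS::CloudFront::Distribution", "Properties": {"DistributionConfig": {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "ViewerCertificate": {"AcmCertificateArn": {"Ref": "certificate"},
                          "SslSupportMethod": "sni-only"}}}},
  "certificate": {"Type": "AWS::CertificateManager::Certificate", "Properties": {}}
}
""")

if __name__ == "__main__":
    for logical_id, finding in lint_distributions(SAMPLE):
        print(logical_id, finding)
```

CloudFront only accepts ACM certificates issued in us-east-1, which a template-only check like this cannot see.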
