AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  HostedZoneName:
    Type: String
    Description: The Route53 Hosted Zone name with no trailing dot / example.com
  SiteAlias:
    Type: String
    Description: The site alias with no trailing dot / www.example.com
  BucketName:
    Type: String
    Description: The name of the S3 bucket to use for the site
  CDNPricingClass:
    Type: String
    Description: The pricing class for the CDN
    Default: PriceClass_100
    AllowedValues:
      - PriceClass_100
      - PriceClass_200
      - PriceClass_All
  CachePolicyId:
    Type: String
    Description: |
      The CloudFront cache policy ID.
      - Cache Enabled: 658327ea-f89d-4fab-a63d-7e88639e58f6
      - Cache Disabled: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
    Default: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad

Resources:
  # CloudFront only accepts ACM certificates issued in us-east-1,
  # so this stack has to be deployed in that region.
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Sub ${SiteAlias}
      ValidationMethod: DNS

  RecordSet:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneName: !Sub ${HostedZoneName}.
      Name: !Sub ${SiteAlias}.
      Type: A
      AliasTarget:
        DNSName: !GetAtt Distribution.DomainName
        # Fixed hosted zone ID used for every CloudFront alias target.
        HostedZoneId: Z2FDTNDATAQYW2

  # The bucket stays private: only CloudFront, and only this distribution
  # (matched by aws:SourceArn), is allowed to read objects.
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref BucketName
      PolicyDocument:
        Statement:
          - Action: [s3:GetObject]
            Effect: Allow
            Resource: !Sub arn:aws:s3:::${BucketName}/*
            Principal:
              Service: [cloudfront.amazonaws.com]
            Condition:
              StringEquals:
                aws:SourceArn: !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${Distribution}

  # Origin Access Control: CloudFront signs every request to S3 with SigV4.
  OriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: !Ref BucketName
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4

  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        PriceClass: !Ref CDNPricingClass
        Enabled: true
        DefaultCacheBehavior:
          TargetOriginId: S3Origin
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: !Ref CachePolicyId
        DefaultRootObject: index.html
        Origins:
          - DomainName: !Sub ${BucketName}.s3.amazonaws.com
            Id: S3Origin
            OriginAccessControlId: !Ref OriginAccessControl
            # An empty OriginAccessIdentity is required when the origin uses OAC
            # instead of the legacy origin access identity.
            S3OriginConfig:
              OriginAccessIdentity: ""
        ViewerCertificate:
          AcmCertificateArn: !Ref Certificate
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
        HttpVersion: http2
        Aliases:
          - !Sub ${SiteAlias}

Outputs:
  WebsiteURL:
    Description: The URL of the website
    Value: !Sub https://${SiteAlias}/