proxy-pac-s3-and-cloudfront.yaml
---
# UArizona CloudOps Windows Server proxy.pac deployer

AWSTemplateFormatVersion: 2010-09-09
Description: S3, ACM, Route53 and CloudFront for Windows Server proxy.pac deployer

Parameters:
  TagService:
    Description: Name of the service associated with this resource (as listed in the service catalog)
    Type: String
    Default: CloudOps Windows Server
    AllowedValues:
      - CloudOps Windows Server
  TagContactNetID:
    Description: NetID of the primary technical resource
    Type: String
    Default: dbaty
  TagTicketNumber:
    Description: Resource identifier from ServiceNow
    Type: String
    Default: CLOPS-275
  TagAccountNumber:
    Description: KFS account number paying for the resource
    Type: String
    Default: 1192660
  TagEnvironment:
    Description: Environment type
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - tst
      - prd

# Metadata is mostly for organizing and presenting Parameters in a better way
# when using CloudFormation in the AWS Console UI.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Tags
        Parameters:
          - TagService
          - TagEnvironment
          - TagContactNetID
          - TagTicketNumber
          - TagAccountNumber
    ParameterLabels: {}

Conditions:
  IsProduction: !Equals [ !Ref TagEnvironment, prd ]

Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      # PublicRead plus the wildcard bucket policy below make the proxy.pac readable
      # straight from the S3 endpoint (including over plain HTTP), not only through
      # CloudFront. Clients that hit the bucket URL bypass redirect-to-https entirely;
      # an Origin Access Identity on the CloudFront origin would let the bucket stay private.
      AccessControl: PublicRead
      BucketName: !If [ IsProduction, proxypac.cloudops-svcs.arizona.edu, proxypac.cloudops-svcs-nonprod.arizona.edu ]
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: Name
          Value: CloudOps-Windows-Proxy-Pac-Repository-S3-Bucket
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: contactnetid
          Value: !Ref TagContactNetID
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: service
          Value: !Ref TagService

  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Statement:
          - Sid: PublicReadGetObject
            Effect: Allow
            Action:
              - s3:GetObject
            Resource:
              - !If [ IsProduction, "arn:aws:s3:::proxypac.cloudops-svcs.arizona.edu/*", "arn:aws:s3:::proxypac.cloudops-svcs-nonprod.arizona.edu/*" ]
            Principal: "*"

  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    DependsOn: IssuedCert
    Properties:
      DistributionConfig:
        Aliases:
          - !If [ IsProduction, proxypac.cloudops-svcs.arizona.edu, proxypac.cloudops-svcs-nonprod.arizona.edu ]
        Origins:
          - DomainName: !GetAtt S3Bucket.DomainName
            Id: S3-CloudOps-Windows-Server-Proxy-Pac-Repository
            S3OriginConfig:
              # Empty OAI: CloudFront reads the bucket as an anonymous client,
              # which is why the bucket policy above has to be public.
              OriginAccessIdentity: ""
        Enabled: true
        Comment: CloudOps Windows Server - proxy.pac repository
        DefaultCacheBehavior:
          TargetOriginId: S3-CloudOps-Windows-Server-Proxy-Pac-Repository
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none
          ViewerProtocolPolicy: redirect-to-https
        HttpVersion: http2
        PriceClass: PriceClass_100
        ViewerCertificate:
          AcmCertificateArn: !Ref SslCert
          SslSupportMethod: sni-only

  Route53Record:
    Type: AWS::Route53::RecordSet
    Properties:
      # Trailing dots are required: HostedZoneName must be a fully qualified zone name.
      HostedZoneName: !If [ IsProduction, cloudops-svcs.arizona.edu., cloudops-svcs-nonprod.arizona.edu. ]
      Name: !If [ IsProduction, proxypac.cloudops-svcs.arizona.edu, proxypac.cloudops-svcs-nonprod.arizona.edu ]
      Type: A
      AliasTarget:
        # Z2FDTNDATAQYW2 is the fixed hosted zone ID used for every CloudFront alias target.
        HostedZoneId: Z2FDTNDATAQYW2
        DNSName: !GetAtt CloudFrontDistribution.DomainName

  # ACM certificate issued through the binxio cfn-certificate-provider custom resource.
  SslCert:
    Type: Custom::Certificate
    Properties:
      DomainName: !If [ IsProduction, proxypac.cloudops-svcs.arizona.edu, proxypac.cloudops-svcs-nonprod.arizona.edu ]
      ValidationMethod: DNS
      ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-certificate-provider
      # CloudFront only accepts ACM certificates from us-east-1, whatever region the stack runs in.
      Region: us-east-1

  # Blocks until the certificate is actually issued, so the distribution (DependsOn above)
  # is never created with a pending certificate.
  IssuedCert:
    Type: Custom::IssuedCertificate
    Properties:
      CertificateArn: !Ref SslCert
      ServiceToken: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:binxio-cfn-certificate-provider
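The template above serves the proxy.pac from a world-readable bucket behind a CloudFront origin that has no Origin Access Identity. The following is an added example, not part of the original template or the CloudOps project: a small static audit that takes a CloudFormation template in JSON form (intrinsics written as `{"Fn::If": ...}`, `{"Ref": ...}`), reports public buckets and S3 origins without an OAI, and produces a hardened copy that keeps the bucket private and grants read only to the OAI. `TEMPLATE` is a constructed excerpt of the page's resources, and the OAI logical ID `ProxyPacOAI` is an assumed name.

```python
"""Audit the public-bucket-behind-CloudFront pattern and produce a hardened copy.

Added example, not the project's own code. TEMPLATE is a constructed excerpt of
the page's template in CloudFormation JSON form; "ProxyPacOAI" is an assumed name.
"""
import copy

TEMPLATE = {
    "Resources": {
        "S3Bucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
        "BucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "S3Bucket"},
                "PolicyDocument": {"Statement": [{
                    "Sid": "PublicReadGetObject", "Effect": "Allow",
                    "Action": ["s3:GetObject"], "Principal": "*",
                    "Resource": [{"Fn::If": ["IsProduction",
                        "arn:aws:s3:::proxypac.cloudops-svcs.arizona.edu/*",
                        "arn:aws:s3:::proxypac.cloudops-svcs-nonprod.arizona.edu/*"]}],
                }]},
            },
        },
        "CloudFrontDistribution": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {"DistributionConfig": {
                "Origins": [{
                    "DomainName": {"Fn::GetAtt": ["S3Bucket", "DomainName"]},
                    "Id": "S3-CloudOps-Windows-Server-Proxy-Pac-Repository",
                    "S3OriginConfig": {"OriginAccessIdentity": ""},
                }],
                "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
            }},
        },
    }
}

def _resources(template, rtype):
    """Logical ID -> resource for every resource of the given type."""
    return {k: v for k, v in template["Resources"].items() if v.get("Type") == rtype}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _is_wildcard_principal(p):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean anonymous access.
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))

def public_read_buckets(template):
    """Logical IDs of buckets readable by anyone, via canned ACL or bucket policy."""
    public = set()
    for lid, res in _resources(template, "AWS::S3::Bucket").items():
        if res.get("Properties", {}).get("AccessControl") in ("PublicRead", "PublicReadWrite"):
            public.add(lid)
    for res in _resources(template, "AWS::S3::BucketPolicy").values():
        props = res["Properties"]
        bucket = props["Bucket"]["Ref"] if isinstance(props["Bucket"], dict) else props["Bucket"]
        for st in _as_list(props["PolicyDocument"].get("Statement", [])):
            actions = {a.lower() for a in _as_list(st.get("Action", []))}
            if (st.get("Effect") == "Allow" and _is_wildcard_principal(st.get("Principal"))
                    and "Condition" not in st and actions & {"s3:getobject", "s3:*", "*"}):
                public.add(bucket)
    return sorted(public)

def s3_origins_without_oai(template):
    """(distribution, origin id) pairs whose S3 origin reads the bucket anonymously."""
    found = []
    for lid, res in _resources(template, "AWS::CloudFront::Distribution").items():
        for origin in res["Properties"]["DistributionConfig"].get("Origins", []):
            cfg = origin.get("S3OriginConfig")
            if cfg is not None and not cfg.get("OriginAccessIdentity"):
                found.append((lid, origin["Id"]))
    return found

def audit(template):
    findings = [f"{b}: bucket is world-readable; clients can bypass CloudFront and its HTTPS redirect"
                for b in public_read_buckets(template)]
    findings += [f"{d}/{o}: S3 origin has no OriginAccessIdentity"
                 for d, o in s3_origins_without_oai(template)]
    return findings

def hardened(template, oai_id="ProxyPacOAI"):
    """Copy of the template where only the CloudFront OAI may read the bucket."""
    t = copy.deepcopy(template)
    t["Resources"][oai_id] = {
        "Type": "AWS::CloudFront::CloudFrontOriginAccessIdentity",
        "Properties": {"CloudFrontOriginAccessIdentityConfig": {"Comment": "proxy.pac origin"}}}
    for b in _resources(t, "AWS::S3::Bucket").values():
        b["Properties"]["AccessControl"] = "Private"
    for p in _resources(t, "AWS::S3::BucketPolicy").values():
        for st in _as_list(p["Properties"]["PolicyDocument"]["Statement"]):
            if _is_wildcard_principal(st.get("Principal")):
                st["Principal"] = {"CanonicalUser": {"Fn::GetAtt": [oai_id, "S3CanonicalUserId"]}}
    for d in _resources(t, "AWS::CloudFront::Distribution").values():
        for origin in d["Properties"]["DistributionConfig"].get("Origins", []):
            if "S3OriginConfig" in origin:
                origin["S3OriginConfig"]["OriginAccessIdentity"] = {
                    "Fn::Sub": "origin-access-identity/cloudfront/${" + oai_id + "}"}
    return t

if __name__ == "__main__":
    for finding in audit(TEMPLATE):
        print("FINDING:", finding)
    print("after hardening:", audit(hardened(TEMPLATE)))
```

The hardened copy keeps `redirect-to-https` meaningful: with `AccessControl: Private` and a policy that names only the OAI's canonical user, the S3 endpoint answers 403 to direct requests and the CloudFront alias becomes the only path to the file. Statements carrying a `Condition` are skipped by the audit rather than classified, since their reach depends on the condition keys.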