Apex domain (#30)

* Added apex domain to ACM cert and Cloudfront distribution

* Docs updated with optional steps for apex configuration

Co-authored-by: Mohsan Jaffery <mjaffery@amazon.com>

Author: mohsanjaffery

README.md

@@ -70,7 +70,8 @@ To deploy the solution, you use [AWS CloudFormation](https://aws.amazon.com/clou
    following fields:
 
     - **SubDomain:** The subdomain for your registered domain name. Viewers use the subdomain to access your website, for example: www.example.com. We recommend using the default value of **www** as the subdomain.
-    - **DomainName:** Your registered domain name, such as example.com. This domain must be pointed to a Route 53 hosted zone.
+    - **DomainName:** Your registered domain name, such as example.com. This domain must be pointed to a Route 53 hosted zone.
+    - **CreateApex:** Optionally create an Alias to the domain apex (example.com) in your CloudFront configuration.  Default is [no]
 
    After entering values, choose the **Next** button.
 5. On the **Configure stack options** page, you can optionally [add tags and other stack options](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-add-tags.html). When finished, choose the **Next** button.
@@ -129,15 +130,27 @@ https://s3.amazonaws.com/solution-builders-us-east-1/amazon-cloudfront-secure-st
         --output-template-file packaged.template
     ```
 
-7. Run the following command to deploy the packaged CloudFormation template to a CloudFormation stack:
+7. Run the following command to deploy the packaged CloudFormation template to a CloudFormation stack.  To optionally deploy the stack with a domain apex skip this section and proceed to [Step 8] below.
 
     ```shell
     aws --region us-east-1 cloudformation deploy \
         --stack-name <your CloudFormation stack name> \
         --template-file packaged.template \
         --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
         --parameter-overrides  DomainName=<your domain name> SubDomain=<your website subdomain>
-    ```
+    ```
+    
+8. [Optional] Run the following command to deploy the packaged CloudFormation template to a CloudFormation stack with a domain apex.
+
+    ```shell
+    aws --region us-east-1 cloudformation deploy \
+        --stack-name <your CloudFormation stack name> \
+        --template-file packaged.template \
+        --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
+        --parameter-overrides  DomainName=<your domain name> SubDomain=<your website subdomain> CreateApex=yes
+    ```
+
+
 ### Updating the site Content Security Policy
 
 To change the Content Security Policy of the site:

templates/acm-certificate.yaml

@@ -13,6 +13,13 @@ Parameters:
     Type: String
   SubDomain:
     Type: String
+  CreateApex:
+    Type: String
+
+Conditions:
+  CreateApexConfig:  !Equals 
+    - !Ref CreateApex
+    - 'yes'
 
 Resources:
   CopyCustomResource:
@@ -24,6 +31,11 @@ Resources:
     Type: Custom::Certificate
     Properties:
       DomainName: !Sub '${SubDomain}.${DomainName}'
+      SubjectAlternativeNames:
+        Fn::If:
+          - CreateApexConfig
+          - - Ref: DomainName
+          - Ref: AWS::NoValue
       Region: !Ref Region
       ValidationMethod: DNS
       ServiceToken: !Ref 'CFNCustomProvider'
@@ -41,6 +53,14 @@ Resources:
       DomainName: !Sub '${SubDomain}.${DomainName}'
       ServiceToken: !Ref 'CFNCustomProvider'
 
+  apexCertificateDNSRecord:
+    Type: Custom::CertificateDNSRecord
+    Condition: CreateApexConfig
+    Properties:
+      CertificateArn: !Ref Certificate
+      DomainName: !Ref DomainName
+      ServiceToken: !Ref 'CFNCustomProvider'
+
   DomainValidationRecord:
     Type: AWS::Route53::RecordSetGroup
     Properties:
@@ -54,10 +74,25 @@ Resources:
           ResourceRecords:
             - !GetAtt CertificateDNSRecord.Value
 
+  apexDomainValidationRecord:
+    Type: AWS::Route53::RecordSetGroup
+    Condition: CreateApexConfig
+    Properties:
+      HostedZoneName: !Sub '${DomainName}.'
+      RecordSets:
+        - Name: !GetAtt apexCertificateDNSRecord.Name
+          Type: !GetAtt apexCertificateDNSRecord.Type
+          TTL: 60
+          Weight: 1
+          SetIdentifier: !Ref Certificate
+          ResourceRecords:
+            - !GetAtt apexCertificateDNSRecord.Value
+
 Outputs:
   DNSRecord:
     Description: DNS record
     Value: !Sub '${CertificateDNSRecord.Name} ${CertificateDNSRecord.Type} ${CertificateDNSRecord.Value}'
+
   CertificateArn: 
     Description: Issued certificate
     Value: !Ref Certificate

templates/cloudfront-site.yaml

@@ -27,6 +27,13 @@ Parameters:
   S3BucketRootArn:
     Description: Content Bucket locator
     Type: String
+  CreateApex: 
+    Type: String
+
+Conditions:
+  CreateApexConfig:  !Equals
+    - !Ref CreateApex
+    - 'yes'
 
 Resources:
   S3BucketPolicy:
@@ -87,6 +94,7 @@ Resources:
       DistributionConfig:
         Aliases:
           - !Sub '${SubDomain}.${DomainName}'
+          - !If [ CreateApexConfig, !Ref DomainName, !Ref 'AWS::NoValue' ]
         DefaultCacheBehavior:
           Compress: true
           DefaultTTL: 86400
@@ -150,6 +158,20 @@ Resources:
           # The  following HosteZoneId is always used for alias records pointing to CF.
           HostedZoneId: 'Z2FDTNDATAQYW2'
 
+  ApexRoute53RecordSetGroup:
+    Condition: CreateApexConfig
+    Type: AWS::Route53::RecordSetGroup
+    Properties:
+      HostedZoneName: !Sub '${DomainName}.'
+      RecordSets:
+      - Name: !Ref 'DomainName'
+        Type: 'A'
+        AliasTarget:
+          DNSName: !GetAtt 'CloudFrontDistribution.DomainName'
+          EvaluateTargetHealth: false
+          # The  following HosteZoneId is always used for alias records pointing to CF.
+          HostedZoneId: 'Z2FDTNDATAQYW2'
+
 Outputs:
   LambdaEdgeFunctionVersion:
     Description: Security Lambda version

templates/main.yaml

@@ -24,6 +24,11 @@ Parameters:
   DomainName:
     Description: The part of a website address after your SubDomain - e.g. example.com
     Type: String
+  CreateApex:
+    Description: Create an Apex Alias in CloudFront distribution - yes/no
+    Type: String
+    Default: 'no'
+    AllowedValues: ['yes','no']
 
 Resources:
   CustomResourceStack:
@@ -43,6 +48,7 @@ Resources:
         DomainName: !Ref DomainName
         CFNCustomProvider: !GetAtt CustomResourceStack.Outputs.CFNCustomProvider
         CopyFunction: !GetAtt CustomResourceStack.Outputs.CopyFunction
+        CreateApex: !Ref CreateApex
       Tags:
         - Key: Solution
           Value: ACFS3
@@ -55,6 +61,7 @@ Resources:
         CertificateArn: !GetAtt AcmCertificateStack.Outputs.CertificateArn
         DomainName: !Ref DomainName
         SubDomain: !Ref SubDomain
+        CreateApex: !Ref CreateApex
         S3BucketRoot: !GetAtt CustomResourceStack.Outputs.S3BucketRoot
         S3BucketRootName: !GetAtt CustomResourceStack.Outputs.S3BucketRootName
         S3BucketRootArn: !GetAtt CustomResourceStack.Outputs.S3BucketRootArn