forked from thinegan/cloudformation-project1
-
Notifications
You must be signed in to change notification settings - Fork 4
/
webapp-s3bucket.yaml
149 lines (128 loc) · 4.49 KB
/
webapp-s3bucket.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
# Note: Total of 3 buckets will be deploy
# This is due to each isolated functions
#
# https://forums.aws.amazon.com/thread.jspa?threadID=221113
# Note : at this time ELB logging does not support server side encryption
#
---
AWSTemplateFormatVersion: "2010-09-09"
Description: >
This template to deploys S3 buckets
- Bucket 1, Backup Data with security data at rest and archive objects greater than 60 days.
- Bucket 2, ELB logging and archive objects greater than 60 days.
- Bucket 3, Webhosting serve static content
Parameters:
PMRegionAStorage:
Description: "A reference to the Region Archive Storage"
Type: "String"
PMServerEnv:
Description: "Server Environment name."
ConstraintDescription: "Choose an Environment from the drop down"
Type: "String"
AllowedValues:
- "dev"
- "staging"
- "prod"
Resources:
############################################################################
# S3 Backup Data Encrypted Bucket
############################################################################
S3Backup:
Type: "AWS::S3::Bucket"
Properties:
AccessControl: "Private"
VersioningConfiguration:
Status: "Enabled"
LifecycleConfiguration:
Rules:
- Id: "MyBackupArchive"
Status: "Enabled"
ExpirationInDays: '365' # Complete Disposal/Deletion of Data after 1 year
Transition:
TransitionInDays: '60' # Move Data from S3 bucket to Archive after 60 days.
StorageClass: !Ref "PMRegionAStorage"
DeletionPolicy: "Retain"
S3BackupPolicy:
Type: "AWS::S3::BucketPolicy"
Properties:
Bucket: !Ref "S3Backup"
PolicyDocument:
Statement:
- Sid: "DenyUnEncryptedObjectUploads"
Effect: "Deny"
Principal:
AWS: "*"
Action: "s3:PutObject"
Resource: !Join ["", ["arn:aws:s3:::", !Ref "S3Backup", "/*"]]
Condition:
StringNotEquals:
s3:x-amz-server-side-encryption: "AES256"
############################################################################
# S3 Logging Bucket Data Encrypted Bucket
# https://forums.aws.amazon.com/thread.jspa?threadID=221113
# Note : at this time ELB logging does not support server side encryption
############################################################################
S3Logging:
Type: "AWS::S3::Bucket"
Properties:
AccessControl: "Private"
VersioningConfiguration:
Status: "Enabled"
LifecycleConfiguration:
Rules:
- Id: "MyLoggingArchive"
Status: "Enabled"
ExpirationInDays: '365' # Complete Disposal/Deletion of Data after 1 year
Transition:
TransitionInDays: '60' # Move Data from S3 bucket to Infrequent Archive after 60 days.
StorageClass: !Ref "PMRegionAStorage"
DeletionPolicy: "Retain"
S3LoggingPolicy:
Type: "AWS::S3::BucketPolicy"
Properties:
Bucket: !Ref "S3Logging"
PolicyDocument:
Statement:
- Sid: "AllowLogsObjectUploads"
Effect: "Allow"
Action: "s3:PutObject"
Resource: !Join ["", ["arn:aws:s3:::", !Ref "S3Logging", "/*"]]
Principal:
AWS: "*"
############################################################################
# S3 Webhosting Bucket which will be used in CloudFront Distribution
# Serving Static content, no need for Lifecycle policy the data taken
# from repositories. (content can be rebuilt)
############################################################################
S3CloudFront:
Type: "AWS::S3::Bucket"
Properties:
AccessControl: "PublicRead"
WebsiteConfiguration:
IndexDocument: "index.html"
ErrorDocument: "error.html"
DeletionPolicy: "Retain"
S3CloudFrontPolicy:
Type: "AWS::S3::BucketPolicy"
Properties:
Bucket: !Ref "S3CloudFront"
PolicyDocument:
Statement:
- Sid: "AllowStaticObjectDownload"
Action: "s3:GetObject"
Effect: 'Allow'
Resource: !Join ["", ["arn:aws:s3:::", !Ref "S3CloudFront", "/*"]]
Principal:
AWS: "*"
Outputs:
S3Backup:
Description: "S3 Backup Bucket Name"
Value: !Ref "S3Backup"
S3Logging:
Description: "S3 Logging Bucket Name"
Value: !Ref "S3Logging"
S3CloudFrontDN:
Description: "S3 Webhosting Bucket Name"
Value: !GetAtt "S3CloudFront.DomainName"
Export:
Name: !Sub "${PMServerEnv}CDN-S3CloudFrontDN"