diff --git a/config/develop/config.yaml b/config/develop/config.yaml
index 62408648..203fde06 100644
--- a/config/develop/config.yaml
+++ b/config/develop/config.yaml
@@ -4,3 +4,4 @@ raw_bucket_name: recover-dev-raw-data
 template_bucket_name: recover-dev-cloudformation
 intermediate_bucket_name: recover-dev-intermediate-data
 processed_data_bucket_name: recover-dev-processed-data
+shareable_artifacts_vpn_bucket_name: recover-dev-shareable-artifacts-vpn
diff --git a/config/develop/s3-shareable-artifacts-vpn-bucket.yaml b/config/develop/s3-shareable-artifacts-vpn-bucket.yaml
new file mode 100644
index 00000000..7f4b61cd
--- /dev/null
+++ b/config/develop/s3-shareable-artifacts-vpn-bucket.yaml
@@ -0,0 +1,9 @@
+template:
+ type: file
+ path: s3-bucket-html-hosting.yaml
+stack_name: recover-dev-shareable-artifacts-vpn-bucket
+parameters:
+ BucketName: {{ stack_group_config.shareable_artifacts_vpn_bucket_name }}
+ EnableVpnAccess: "true"
+stack_tags:
+ {{ stack_group_config.default_stack_tags }}
diff --git a/config/prod/config.yaml b/config/prod/config.yaml
index fd753263..65716b52 100644
--- a/config/prod/config.yaml
+++ b/config/prod/config.yaml
@@ -4,3 +4,4 @@ raw_bucket_name: recover-raw-data
 template_bucket_name: recover-cloudformation
 intermediate_bucket_name: recover-intermediate-data
 processed_data_bucket_name: recover-processed-data
+shareable_artifacts_vpn_bucket_name: recover-shareable-artifacts-vpn
diff --git a/config/prod/s3-shareable-artifacts-vpn-bucket.yaml b/config/prod/s3-shareable-artifacts-vpn-bucket.yaml
new file mode 100644
index 00000000..2a4b5b10
--- /dev/null
+++ b/config/prod/s3-shareable-artifacts-vpn-bucket.yaml
@@ -0,0 +1,9 @@
+template:
+ type: file
+ path: s3-bucket-html-hosting.yaml
+stack_name: recover-shareable-artifacts-vpn-bucket
+parameters:
+ BucketName: {{ stack_group_config.shareable_artifacts_vpn_bucket_name }}
+ EnableVpnAccess: "true"
+stack_tags:
+ {{ stack_group_config.default_stack_tags }}
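Review bot: In the new `config/develop/s3-shareable-artifacts-vpn-bucket.yaml` (and its prod twin in the same commit), `BucketName: {{ stack_group_config.shareable_artifacts_vpn_bucket_name }}` is an unquoted templated scalar; if, as the `template:`/`stack_group_config` layout suggests, this is rendered by a Jinja pass before the YAML is parsed, an empty or missing expansion turns the parameter into a YAML null rather than the empty string that the template's `HasBucketName` condition treats as "let CloudFormation name the bucket". Quoting it as `BucketName: "{{ stack_group_config.shareable_artifacts_vpn_bucket_name }}"` keeps the value a string in either case. The `stack_tags` expansion is a mapping and is presumably the repository's established pattern, so I would leave it as is.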
diff --git a/templates/s3-bucket-html-hosting.yaml b/templates/s3-bucket-html-hosting.yaml
new file mode 100644
index 00000000..f6ea6af8
--- /dev/null
+++ b/templates/s3-bucket-html-hosting.yaml
@@ -0,0 +1,90 @@
+AWSTemplateFormatVersion: 2010-09-09
+
+Description: >-
+ This S3 bucket will be used for development and production,
+ and for storing GX reports to be viewable from the Sage AWS VPN.
+
+Parameters:
+
+ BucketName:
+ Type: String
+ Description: Name of the bucket.
+ Default: ''
+
+ EnableVpnAccess:
+ Type: String
+ Description: Whether to grant the Sage VPN read permissions on the bucket.
+ AllowedValues:
+ - "true"
+ - "false"
+ Default: "true"
+
+Conditions:
+ HasBucketName: !Not [!Equals [!Ref BucketName, ""]]
+ EnableVpnAccess:
+ !Equals [!Ref EnableVpnAccess, "true"]
+
+Resources:
+ Bucket:
+ Type: AWS::S3::Bucket
+ DeletionPolicy: Delete
+ Properties:
+ BucketName: !If [HasBucketName, !Ref BucketName, !Ref 'AWS::NoValue']
+ AccessControl: Private
+ OwnershipControls:
+ Rules:
+ - ObjectOwnership: BucketOwnerEnforced
+ BucketEncryption:
+ ServerSideEncryptionConfiguration:
+ - ServerSideEncryptionByDefault:
+ SSEAlgorithm: AES256
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls : true
+ BlockPublicPolicy : true
+ IgnorePublicAcls : true
+ RestrictPublicBuckets : true
+
+ BucketPolicy:
+ Type: AWS::S3::BucketPolicy
+ Properties:
+ Bucket: !Ref Bucket
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: AccountRead
+ Effect: Allow
+ Principal:
+ AWS:
+ - !Sub '${AWS::AccountId}'
+ Action:
+ - 's3:Get*'
+ - 's3:List*'
+ Resource:
+ - !Sub 'arn:aws:s3:::${Bucket}'
+ - !Sub 'arn:aws:s3:::${Bucket}/*'
+ - !If
+ - EnableVpnAccess
+ - Sid: Allow based on source IP
+ Effect: Allow
+ Principal: '*'
+ Action:
+ - 's3:GetObject'
+ Resource:
+ - !Sub 'arn:aws:s3:::${Bucket}'
+ - !Sub 'arn:aws:s3:::${Bucket}/*'
+ Condition:
+ IpAddress:
+ aws:SourceIp: '52.44.61.21'
+ - !Ref AWS::NoValue
+
+Outputs:
+
+ BucketName:
+ Value: !Ref Bucket
+ Export:
+ Name: !Sub '${AWS::Region}-${AWS::StackName}-BucketName'
+
+ BucketArn:
+ Value: !GetAtt Bucket.Arn
+ Export:
+ Name: !Sub '${AWS::Region}-${AWS::StackName}-BucketArn'
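Review bot: The conditional statement at the end of the `PolicyDocument` grants `s3:GetObject` to `Principal: '*'` scoped only by a hard-coded `aws:SourceIp` of `'52.44.61.21'`, and nothing in the policy requires TLS, so the anonymous reads it permits can be made over plain HTTP; I would add a `DenyInsecureTransport` statement keyed on `aws:SecureTransport` and lift the address into a `VpnSourceIp` parameter so it can be rotated per environment without editing the template (changed lines below). As I understand S3's public-policy evaluation, `BlockPublicPolicy: true` accepts this statement only because the source-IP condition is narrower than `0.0.0.0/0`, which is worth stating in a comment above the `IpAddress` condition so a later widening of the range is not met with a surprising stack failure. `DeletionPolicy: Delete` means deleting the prod stack also removes the bucket once it is empty; `Retain` seems safer for the prod artifacts. The condition and the parameter sharing the name `EnableVpnAccess` is permitted but reads ambiguously at `!If [EnableVpnAccess, …]`; naming the condition `VpnAccessEnabled` would help.
```yaml
Parameters:
  # … unchanged: BucketName, EnableVpnAccess …
  VpnSourceIp:
    Type: String
    Description: IP address or CIDR allowed anonymous read access when EnableVpnAccess is "true".
    Default: '52.44.61.21'

# … unchanged: Conditions, Bucket resource …

      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource:
              - !Sub 'arn:aws:s3:::${Bucket}'
              - !Sub 'arn:aws:s3:::${Bucket}/*'
            Condition:
              Bool:
                aws:SecureTransport: 'false'
          # … unchanged: AccountRead statement …
          - !If
            - EnableVpnAccess
            - Sid: Allow based on source IP
              Effect: Allow
              Principal: '*'
              Action:
                - 's3:GetObject'
              Resource:
                - !Sub 'arn:aws:s3:::${Bucket}'
                - !Sub 'arn:aws:s3:::${Bucket}/*'
              Condition:
                IpAddress:
                  # Kept narrower than 0.0.0.0/0 on purpose: BlockPublicPolicy
                  # rejects a '*' principal whose source-IP range is public.
                  aws:SourceIp: !Ref VpnSourceIp
            - !Ref AWS::NoValue
```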