forked from 1Strategy/s3-starter-template
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy paths3-bucket.yaml
153 lines (126 loc) · 5.7 KB
/
s3-bucket.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
ACL:
Type: String
Description: Would you like to apply a canned access control list to grant predefined permissions?
# S3 Canned ACLs: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl
AllowedValues:
# private - (Bucket & Object): Owner gets FULL_CONTROL. No one else has access rights. *default*
- "Private"
# public-read - (Bucket & Object): Owner gets FULL_CONTROL. The AllUsers group gets READ access.
- "PublicRead"
# public-read-write - (Bucket & Object): Owner gets FULL_CONTROL. The AllUsers group gets READ and WRITE access. *Not generally recommended*
- "PublicReadWrite"
# aws-exec-read - (Bucket & Object): Owner gets FULL_CONTROL. Amazon EC2 gets READ access to GET an AMI bundle from Amazon S3.
- "AwsExecRead"
# authenitcated-read - (Bucket & Object): Owner gets FULL_CONTROL. The AuthenticatedUsers group gets READ access.
- "AuthenticatedRead"
# bucket-owner-read - (Object): Object owner gets FULL_CONTROL. Bucket owner gets READ access. *If specified at time of bucket creation, Amazon S3 ignores it*
- "BucketOwnerRead"
# bucket-owner-full-control - (Object): Both object owner and bucket owner get FULL_CONTROL over objects. *If specified at time of bucket creation, Amazon S3 ignores it*
- "BucketOwnerFullControl"
# log-delivery-write - (Bucket): The LogDelivery group gets WRITE and READ_ACP permissions on the bucket. *See S3 Server Access Logging for more information: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html *
- "LogDeliveryWrite"
# none - (N/A): No canned ACL defined
- "None"
Default: "None"
BucketName:
Type: String
Description: What name would you like to use for the S3 Bucket?
# Bucket Restrictions: https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html
AllowedPattern: "^([a-z0-9]{1}[a-z0-9-]{1,61}[a-z0-9]{1})$"
ConstraintDescription: "Bucket names must start and end with a letter or number, and be between 3 and 63 characters in length."
Encryption:
Type: String
Description: "Would you like to enable default encryption for objects stored in your bucket?"
AllowedValues:
- "true"
- "false"
ConstraintDescription: "A valid boolean value is required (true/false)"
Default: "true"
KmsKeyId:
Type: String
Description: Would you like to use a custom KMS Key for encryption? (Requires a valid KMS Key Id)
AllowedPattern: "^([a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12})$"
Default: "12345678-aaaa-bbbb-cccc-123456789abc"
Versioning:
Type: String
Description: Would you like to enable versioning for objects in the S3 Bucket?
AllowedValues:
- "Enabled"
- "Suspended"
Default: "Suspended"
Metadata:
Authors:
Description: Will Nave ([email protected])
Purpose:
Description: "This template is used to create a single S3 bucket for basic object storage. Parameters
provide the ability to use S3 canned ACLs, enable default encryption (with or without a
custom KMS Key) and enable object versioning. On successful resource creation both the
bucket url and arn will be exported and available for import in other CloudFormation
templates."
License:
Description: 'Copyright 2019 1Strategy
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.'
AWS::CloudFormation::Interface:
ParameterGroups:
-
Label:
default: "S3 Bucket Configuration Parameters"
Parameters:
- BucketName
- ACL
- Versioning
- Encryption
- KmsKeyId
ParameterLabels:
BucketName:
default: "S3 Bucket Name"
ACL:
default: "Bucket Access Control List"
Versioning:
default: "Object Versioning"
Encryption:
default: "Enable Default Encryption"
KmsKeyId:
default: "KMS Key Id"
Conditions:
hasACL:
!Not [!Equals [!Ref ACL, "None"]]
isEncrypted:
!Equals [!Ref Encryption, "true"]
hasKmsKey:
!Not [!Equals [!Ref KmsKeyId, "12345678-aaaa-bbbb-cccc-123456789abc"]]
useCustomKey: !And
- Condition: isEncrypted
- Condition: hasKmsKey
Resources:
Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: !If [hasACL, !Ref ACL, !Ref "AWS::NoValue"]
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
KMSMasterKeyID: !If [useCustomKey, !Ref KmsKeyId, !Ref "AWS::NoValue"]
SSEAlgorithm: !If [useCustomKey, "aws:kms", "AES256"]
BucketName: !Ref BucketName
VersioningConfiguration:
Status: !Ref Versioning
Outputs:
BucketURL:
Value: !Join ['', ["https://", !GetAtt Bucket.DomainName]]
Export:
Name: !Join ['', [!Ref "AWS::StackName", "BucketURL"]]
BucketARN:
Value: !GetAtt Bucket.Arn
Export:
Name: !Join ['', [!Ref "AWS::StackName", "BucketARN"]]