import * as cdk from '@aws-cdk/core';
import {Duration} from '@aws-cdk/core';
import {BlockPublicAccess, Bucket, BucketAccessControl, BucketEncryption, IBucket, StorageClass} from "@aws-cdk/aws-s3";
import {Effect, Group, ManagedPolicy, PolicyStatement, User} from "@aws-cdk/aws-iam";
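/**
 * Stack that provisions the backups bucket and the IAM group/user allowed to
 * sync into it. The bucket is created first and its reference is passed to the
 * IAM wiring so the policy is scoped to exactly that bucket.
 */
export class BackupStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    this.iamPermissions(this.backupsBucket());
  }

  /**
   * Creates the private, SSE-S3 encrypted bucket that receives the backups.
   *
   * Public access is blocked entirely and objects expire after 7 days. No
   * versioning is requested here, so an overwritten or deleted object cannot be
   * recovered from this bucket alone — keep that in mind together with the
   * delete permission granted in `s3SyncPolicy`.
   *
   * @returns the backups bucket construct.
   */
  private backupsBucket(): Bucket {
    return new Bucket(this, 'backups', {
      bucketName: 'droidwiki-backups',
      encryption: BucketEncryption.S3_MANAGED,
      accessControl: BucketAccessControl.PRIVATE,
      blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
      lifecycleRules: [{
        expiration: Duration.days(7),
      }],
    });
  }

  /**
   * Creates the ingest group and user under the `/backups/` IAM path and
   * attaches the sync policy for `bucket` to the group.
   *
   * The parameter is typed as `IBucket` to match `s3SyncPolicy`, which only
   * needs the bucket ARN; the constructor still passes the concrete `Bucket`.
   *
   * @param bucket - the backups bucket the ingest principal may sync into.
   */
  private iamPermissions(bucket: IBucket): void {
    const iamPath = '/backups/';
    const s3SyncGroup = new Group(this, 'backups-ingest', {
      path: iamPath,
    });
    // Permissions are granted only through the group; the user carries no
    // inline policy of its own.
    new User(this, 'backups-ingest/droidwiki-infra', {
      path: iamPath,
      groups: [s3SyncGroup],
    });
    s3SyncGroup.addManagedPolicy(this.s3SyncPolicy(bucket));
  }

  /**
   * Builds the managed policy used by the ingest principal to sync into `bucket`.
   *
   * The single statement is scoped to the bucket ARN (for `ListBucket` and
   * `GetBucketLocation`) and to its objects (`PutObject`, `GetObject`,
   * `DeleteObject`). Because `s3:DeleteObject` is included, a compromised
   * ingest credential could remove existing backups rather than only add new
   * ones; drop that action if the sync tooling does not need deletes.
   *
   * @param bucket - the bucket whose ARN the policy is scoped to.
   * @returns the managed policy to attach to the ingest group.
   */
  private s3SyncPolicy(bucket: IBucket): ManagedPolicy {
    const syncStatement = new PolicyStatement({
      effect: Effect.ALLOW,
      actions: [
        's3:PutObject',
        's3:GetObject',
        's3:DeleteObject',
        's3:ListBucket',
        's3:GetBucketLocation',
      ],
      resources: [
        `${bucket.bucketArn}/*`,
        bucket.bucketArn,
      ],
    });
    return new ManagedPolicy(this, 'backups-write-policy', {
      statements: [syncStatement],
    });
  }
}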