destination-bucket.yml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  This CloudFormation template defines an S3 Bucket that is the destination of a
  replication from another S3 Bucket defined in the source-bucket.yml
  CloudFormation template contained in this project.
Parameters:
  DestinationS3BucketName:
    Type: String
    Description: >
      The name of the S3 Bucket that is the destination of the same-region replication.
  SourceAccountId:
    Type: String
    Description: AWS Account ID that contains the source S3 Bucket.
  ProjectName:
    Type: String
    Description: >
      This is the name of this project, to be used to help name Resources and
      apply Project tags to taggable Resources.
Resources:
  # This S3 Bucket is the destination of the same-region replication.
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref DestinationS3BucketName
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled # requirement for replication
      Tags:
        - Key: Project
          Value: !Ref ProjectName
  # This S3 bucket policy allows the destination S3 bucket to receive objects.
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Statement:
          - Sid: Replication
            Effect: Allow
            # The principal is the source account as a whole (its root ARN), so
            # any identity in that account whose own IAM policy permits these
            # actions can use them, not only the replication role.
            Principal:
              AWS: !Join ['', ['arn:aws:iam::', !Ref SourceAccountId, ':root']]
            Action:
              - s3:GetBucketVersioning
              - s3:PutBucketVersioning
              - s3:ReplicateObject
              - s3:ReplicateDelete
              - s3:ObjectOwnerOverrideToBucketOwner
            # The bucket ARN covers the bucket-level versioning actions; the
            # '/*' ARN covers the object-level replication actions.
            Resource:
              - !GetAtt S3Bucket.Arn
              - !Join ['', [!GetAtt S3Bucket.Arn, '/*']]
Outputs:
  DestinationS3BucketArn:
    Description: Destination S3 Bucket ARN
    Value: !GetAtt S3Bucket.Arn
    Export:
      Name: DestinationS3BucketArn