Permalink
Find file
Fetching contributors…
Cannot retrieve contributors at this time
102 lines (92 sloc) 2.51 KB
---
AWSTemplateFormatVersion: '2010-09-09'
Description: Deployment Bucket for Lambda & Cloudformation
Parameters:
pBucketName:
Default: '-'
Type: String
Description: 'Bucket Name to Create'
pTagCreatedBy:
Default: ''
Type: String
Description: User who created the instances
pTagEnvironment:
Default: ''
Type: String
Description: Environment (dev, ref,prod)
pHttpIPSpace:
Type: String
Description: Allow https from these IP Addresses
pTagProject:
Default: ''
Type: String
Description: project these instances are part of
pLoggingBucket:
Default: '-'
Type: String
Description: '-'
pAllowedVpcEndpoints:
Type: CommaDelimitedList
Description: "Comma Delimited List of VPC Endpoints to permit"
Resources:
# These buckets should only allow content to be added from
DeployBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref pBucketName
PolicyDocument:
Statement:
- Sid: IPAllowGetViaHTTP
Effect: Allow
Principal: '*'
Action: s3:getObject
Resource: !Join ["", ['arn:aws:s3:::', !Ref pBucketName, '/*']]
Condition:
IpAddress:
aws:SourceIp: !Ref pHttpIPSpace
- Sid: VpceGetViaHTTP
Effect: Allow
Principal: '*'
Action: s3:getObject
Resource: !Join ["", ['arn:aws:s3:::', !Ref pBucketName, '/*']]
Condition:
StringEquals:
aws:sourceVpce: !Ref pAllowedVpcEndpoints
DeployBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref pBucketName
AccessControl: Private
CorsConfiguration:
CorsRules:
- AllowedHeaders:
- Authorization
MaxAge: '300'
AllowedMethods:
- GET
Id: AllowHTTP
AllowedOrigins:
- '*'
Tags:
- Key: contact-email
Value: !Ref pTagCreatedBy
- Key: application
Value: !Ref pTagProject
- Key: environment
Value: !Ref pTagEnvironment
- Key: customer
Value: pht
LoggingConfiguration:
DestinationBucketName:
Ref: pLoggingBucket
LogFilePrefix: !Join ['', ['S3logs/', !Ref pBucketName, '/']]
LifecycleConfiguration:
Rules:
- Status: Enabled
Id: ExpireOldVersions
NoncurrentVersionExpirationInDays: '5'
VersioningConfiguration:
Status: Enabled
Outputs:
DeployBucket:
Value: !Ref DeployBucket