d2lcsr_1_s3.yaml
---

D2L Course Site Request - CloudFormation Template (1 of 4)

Deploys D2L Course Site Request S3 buckets.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: D2L Course Site Request (S3)
```

Parameters

These are the input parameters for this template. All of these parameters must be supplied for this template to be deployed.

```yaml
Parameters:
```

BucketNamePrefix is the prefix of the name of the S3 buckets

  • sls-nonprod: edu-arizona-sls-nonprod-d2lcsr
  • sls-prod: edu-arizona-sls-prod-d2lcsr
```yaml
  BucketNamePrefix:
    Description: Prefix of the name of the S3 buckets (environment type will be appended)
    Type: String
    Default: edu-arizona-sls-prod-d2lcsr
```

HostedDNSZoneName is the name of the DNS hosted zone used for the Route53 records

  • sls-nonprod: sls-nonprod-aws.arizona.edu
  • sls-prod: sls-prod-aws.arizona.edu
```yaml
  HostedDNSZoneName:
    Description: Name of the hosted DNS zone to use for the Route53 records (do NOT enter trailing period)
    Type: String
    Default: sls-prod-aws.arizona.edu
```

ProdAwsAccountNumber is the AWS account number of the production account

```yaml
  ProdAwsAccountNumber:
    Description: 12-digit AWS account number of the production account
    Type: String
    MinLength: 12
    MaxLength: 12
    AllowedPattern: "[0-9]*"
    Default: "918461542486"
```

SyllabusBucketDev is the name of the DEV Syllabus bucket

```yaml
  SyllabusBucketDev:
    Description: The name of the DEV Syllabus bucket
    Type: String
    Default: edu-arizona-sls-nonprod-d2lcsr-dev-syllabus
```

SyllabusBucketTst is the name of the TST Syllabus bucket

```yaml
  SyllabusBucketTst:
    Description: The name of the TST Syllabus bucket
    Type: String
    Default: edu-arizona-sls-nonprod-d2lcsr-tst-syllabus

  ### Tags
  TagService:
    Description: Name of the service associated with this resource (as listed in the service catalog)
    Type: String
    Default: D2L Course Site Request
  TagEnvironment:
    Description: Environment type of this resource (dev, tst, rpt, trn, prd)
    Type: String
    Default: prd
    AllowedValues:
      - dev
      - tst
      - rpt
      - trn
      - prd
  TagContactNetID:
    Description: NetID of the primary technical resource
    Type: String
    Default: dbaty
  TagTicketNumber:
    Description: Ticket number of the associated
    Type: String
    Default: CLOUD-76
  TagAccountNumber:
    Description: Account number associated with the service
    Type: String
    Default: "2433643" # Learning Management Systems
  TagSubAccount:
    Description: Sub account associated with the service
    Type: String
    Default: D2L
```

Metadata

Metadata is mostly for grouping and labelling the Parameters so they are presented more clearly when the template is deployed through the CloudFormation console.

```yaml
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Settings
        Parameters:
          - BucketNamePrefix
          - HostedDNSZoneName
          - ProdAwsAccountNumber
          - SyllabusBucketDev
          - SyllabusBucketTst
      - Label:
          default: Tags
        Parameters:
          - TagService
          - TagEnvironment
          - TagContactNetID
          - TagTicketNumber
          - TagAccountNumber
          - TagSubAccount
    ParameterLabels: {}
```

Conditions

Establishes conditions based on input parameters. IsPRD and IsNotPRD are used below to create the refresh IAM user only in the production stack and the cross-account bucket policy only in the non-production stacks.

```yaml
Conditions:
  IsPRD: !Equals [ !Ref TagEnvironment, prd ]
  IsNotPRD: !Not [ !Equals [ !Ref TagEnvironment, prd ] ]
```

Resources

```yaml
Resources:
```

S3

S3 Bucket for application

```yaml
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${BucketNamePrefix}-${TagEnvironment}
      AccessControl: Private
      LifecycleConfiguration:
        Rules:
          - Id: TransitionToStandardIA
            Status: Enabled
            Transitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
            NoncurrentVersionTransitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
      Tags:
        - Key: Name
          Value: !Sub ${BucketNamePrefix}-${TagEnvironment}
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: contactnetid
          Value: !Ref TagContactNetID
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: subaccount
          Value: !Ref TagSubAccount
        - Key: service
          Value: !Ref TagService
```

S3 Bucket for maintenance site

```yaml
  S3BucketMaint:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${BucketNamePrefix}-${TagEnvironment}-maintenance
      AccessControl: PublicRead
      Tags:
        - Key: Name
          Value: !Sub ${BucketNamePrefix}-${TagEnvironment}-maintenance
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: contactnetid
          Value: !Ref TagContactNetID
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: subaccount
          Value: !Ref TagSubAccount
        - Key: service
          Value: !Ref TagService
        - Key: public
          Value: making CloudCustodian happy
```

S3 Bucket for D2L Table Export

```yaml
  S3BucketTableExport:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ${BucketNamePrefix}-${TagEnvironment}-tableexport
      AccessControl: Private
      Tags:
        - Key: Name
          Value: !Sub ${BucketNamePrefix}-${TagEnvironment}-tableexport
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: contactnetid
          Value: !Ref TagContactNetID
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: subaccount
          Value: !Ref TagSubAccount
        - Key: service
          Value: !Ref TagService
```

S3 Bucket for Syllabus app (CLOUD-656)

```yaml
  S3BucketSyllabus:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: !Sub ${BucketNamePrefix}-${TagEnvironment}-syllabus
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - Id: TransitionToStandardIA
            Status: Enabled
            Transitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
            NoncurrentVersionTransitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: Name
          Value: !Sub ${BucketNamePrefix}-${TagEnvironment}-syllabus
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: contactnetid
          Value: !Ref TagContactNetID
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: subaccount
          Value: !Ref TagSubAccount
        - Key: service
          Value: !Ref TagService
```
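The four buckets above are configured unevenly: only the Syllabus bucket has default encryption and versioning, the application bucket carries a NoncurrentVersionTransitions rule although it is not versioned (so that part of the rule never fires), and the maintenance bucket uses the PublicRead canned ACL, which accounts with S3 Block Public Access and "ACLs disabled" as the default for new buckets reject at creation time. The script below is an added example (not part of this template or of the project) that encodes those checks as a static audit over the Resources section. It transcribes the bucket resources into CloudFormation's JSON long form (`{"Fn::Sub": ...}` is the long form of `!Sub`, tags omitted), resolves the `${...}` names with the parameter defaults, and reports per-bucket findings; the parameter values and the check names are assumptions made for the example.

```python
"""Static security checks over the AWS::S3::Bucket resources of this template (added example)."""
import re

# Parameter defaults taken from the template's Parameters section (prd environment).
PARAMS = {"BucketNamePrefix": "edu-arizona-sls-prod-d2lcsr", "TagEnvironment": "prd"}

# Lifecycle rule shared by S3Bucket and S3BucketSyllabus, as written in the template.
STANDARD_IA_RULE = {
    "Id": "TransitionToStandardIA",
    "Status": "Enabled",
    "Transitions": [{"StorageClass": "STANDARD_IA", "TransitionInDays": 30}],
    "NoncurrentVersionTransitions": [{"StorageClass": "STANDARD_IA", "TransitionInDays": 30}],
}

# Transcription of the template's bucket resources (JSON long form, tags omitted).
RESOURCES = {
    "S3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketName": {"Fn::Sub": "${BucketNamePrefix}-${TagEnvironment}"},
        "AccessControl": "Private",
        "LifecycleConfiguration": {"Rules": [STANDARD_IA_RULE]},
    }},
    "S3BucketMaint": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketName": {"Fn::Sub": "${BucketNamePrefix}-${TagEnvironment}-maintenance"},
        "AccessControl": "PublicRead",
    }},
    "S3BucketTableExport": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketName": {"Fn::Sub": "${BucketNamePrefix}-${TagEnvironment}-tableexport"},
        "AccessControl": "Private",
    }},
    "S3BucketSyllabus": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketName": {"Fn::Sub": "${BucketNamePrefix}-${TagEnvironment}-syllabus"},
        "AccessControl": "Private",
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "LifecycleConfiguration": {"Rules": [STANDARD_IA_RULE]},
        "VersioningConfiguration": {"Status": "Enabled"},
    }},
}

_SUB_VAR = re.compile(r"\$\{([A-Za-z0-9:]+)\}")


def resolve_sub(value, params):
    """Resolve a plain string or an {"Fn::Sub": ...} value against parameter values."""
    if isinstance(value, dict) and "Fn::Sub" in value:
        value = value["Fn::Sub"]
    return _SUB_VAR.sub(lambda m: params[m.group(1)], value)


def audit_bucket(props):
    """Return the findings for one AWS::S3::Bucket Properties block (empty list = clean)."""
    findings = []
    acl = props.get("AccessControl", "Private")
    if acl != "Private":
        findings.append(f"public or non-private ACL: {acl}")
    if "BucketEncryption" not in props:
        findings.append("no default server-side encryption")
    versioned = props.get("VersioningConfiguration", {}).get("Status") == "Enabled"
    if not versioned:
        findings.append("versioning not enabled")
    for rule in props.get("LifecycleConfiguration", {}).get("Rules", []):
        # Noncurrent-version transitions only ever apply on a versioned bucket.
        if rule.get("NoncurrentVersionTransitions") and not versioned:
            findings.append(f"rule {rule['Id']} targets noncurrent versions on an unversioned bucket")
    if "PublicAccessBlockConfiguration" not in props:
        findings.append("no PublicAccessBlockConfiguration")
    return findings


def audit_template(resources, params):
    """Map each resolved bucket name to its findings for every AWS::S3::Bucket resource."""
    report = {}
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties", {})
        name = resolve_sub(props.get("BucketName", logical_id), params)
        report[name] = audit_bucket(props)
    return report


if __name__ == "__main__":
    for bucket, findings in audit_template(RESOURCES, PARAMS).items():
        print(bucket, "->", findings or ["ok"])
```

With the defaults above the only clean property set is the Syllabus bucket's, and even that reports the missing PublicAccessBlockConfiguration; on a real template the same loop would run over the output of `yaml.safe_load` with constructors registered for the `!Sub`/`!Ref` short-form tags.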

S3 Bucket Policy (non-production stacks only): lets the production refresh user write into the non-production Syllabus bucket, and denies any PutObject that does not grant the bucket owner full control of the new object.

```yaml
  S3PolicyAllowRefreshUserToNonProd:
    Type: AWS::S3::BucketPolicy
    Condition: IsNotPRD
    Properties:
      Bucket: !Ref S3BucketSyllabus
      PolicyDocument:
        Statement:
          - Sid: AllowRefreshUserAccess
            Action:
              - s3:GetBucketLocation
              - s3:ListBucket
              - s3:PutObject
              - s3:PutObjectAcl
              - s3:DeleteObject
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${ProdAwsAccountNumber}:user/d2lcsr-prd-syllabus-refresh
            Resource:
              - !Sub arn:aws:s3:::${BucketNamePrefix}-${TagEnvironment}-syllabus
              - !Sub arn:aws:s3:::${BucketNamePrefix}-${TagEnvironment}-syllabus/*
          - Sid: RequireFullAccessPut
            Action:
              - s3:PutObject
            Effect: Deny
            Principal:
              AWS: !Sub arn:aws:iam::${ProdAwsAccountNumber}:user/d2lcsr-prd-syllabus-refresh
            Resource:
              - !Sub arn:aws:s3:::${BucketNamePrefix}-${TagEnvironment}-syllabus/*
            Condition:
              StringNotEquals:
                s3:x-amz-acl: bucket-owner-full-control
```

IAM

  • Includes users

IAM users with inline policies

```yaml
  IamUserSyllabusS3Access:
    Type: AWS::IAM::User
    Properties:
      Path: /
      Policies:
        - PolicyName: !Sub d2lcsr-${TagEnvironment}-syllabus-s3-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:List*
                Resource:
                  - !Sub arn:aws:s3:::${BucketNamePrefix}-${TagEnvironment}-syllabus
              - Effect: Allow
                Action:
                  - s3:Get*
                  - s3:List*
                  - s3:Put*
                Resource: !Sub arn:aws:s3:::${BucketNamePrefix}-${TagEnvironment}-syllabus/*
  IamUserSyllabusRefreshS3Access:
    Type: AWS::IAM::User
    Condition: IsPRD
    Properties:
      Path: /
      UserName: !Sub d2lcsr-${TagEnvironment}-syllabus-refresh
      Policies:
        - PolicyName: !Sub d2lcsr-${TagEnvironment}-syllabus-refresh-s3-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource:
                  - !Sub arn:aws:s3:::${BucketNamePrefix}-${TagEnvironment}-syllabus
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource: !Sub arn:aws:s3:::${BucketNamePrefix}-${TagEnvironment}-syllabus/*
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource:
                  - !Sub arn:aws:s3:::${SyllabusBucketDev}
                  - !Sub arn:aws:s3:::${SyllabusBucketTst}
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:DeleteObject
                  - s3:PutObjectAcl
                Resource:
                  - !Sub arn:aws:s3:::${SyllabusBucketDev}/*
                  - !Sub arn:aws:s3:::${SyllabusBucketTst}/*
```
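The bucket policy and the refresh user's inline policy are the two halves of one cross-account design: the user in the production account (created only when IsPRD) copies syllabus objects into the non-production buckets, whose bucket policy (created only when IsNotPRD) admits that one principal. A cross-account request succeeds only when both the identity-based policy in the calling account and the bucket policy in the owning account allow it, and any explicit Deny wins; the RequireFullAccessPut statement uses that to refuse uploads that do not carry `x-amz-acl: bucket-owner-full-control`, which is what keeps objects written by the other account readable by the bucket owner. The evaluator below is an added example, not code from this template or the project: it transcribes both policies as the tst environment would render them (parameter defaults filled in, only the tst statements of the identity policy kept) and implements just enough of the IAM evaluation rules (principal, action and resource matching with wildcards, StringEquals/StringNotEquals, deny-overrides) to walk constructed sample requests through them.

```python
"""Walk the syllabus refresh path through both policies of this template (added example)."""
from fnmatch import fnmatchcase

# Values the template's !Sub expressions produce for the tst stack (constructed from the defaults).
PROD_ACCOUNT = "918461542486"                             # ProdAwsAccountNumber default
BUCKET = "edu-arizona-sls-nonprod-d2lcsr-tst-syllabus"    # SyllabusBucketTst default
REFRESH_USER = f"arn:aws:iam::{PROD_ACCOUNT}:user/d2lcsr-prd-syllabus-refresh"

# Resource-based policy on the non-prod bucket: the two Sids of S3PolicyAllowRefreshUserToNonProd.
BUCKET_POLICY = {"Statement": [
    {"Sid": "AllowRefreshUserAccess", "Effect": "Allow",
     "Principal": {"AWS": REFRESH_USER},
     "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:PutObject",
                "s3:PutObjectAcl", "s3:DeleteObject"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
    {"Sid": "RequireFullAccessPut", "Effect": "Deny",
     "Principal": {"AWS": REFRESH_USER},
     "Action": ["s3:PutObject"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/*"],
     "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
]}

# Identity-based policy of IamUserSyllabusRefreshS3Access (only its non-prod statements, tst bucket).
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [f"arn:aws:s3:::{BUCKET}"]},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/*"]},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Subset of IAM condition semantics: StringEquals / StringNotEquals with single values."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # As in IAM, a request that omits the key satisfies StringNotEquals.
                if actual == expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _statement_applies(stmt, principal, action, resource, context):
    """True when the statement's principal, action, resource and condition all match the request."""
    if "Principal" in stmt and principal not in _as_list(stmt["Principal"]["AWS"]):
        return False
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def evaluate(policy, principal, action, resource, context=None):
    """Decision of one policy document: explicit Deny beats Allow, nothing matched is ImplicitDeny."""
    context = context or {}
    effects = [s["Effect"] for s in policy["Statement"]
               if _statement_applies(s, principal, action, resource, context)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


def cross_account_decision(bucket_policy, identity_policy, principal, action, resource, context=None):
    """Cross-account rule: both the caller's identity policy and the bucket policy must allow."""
    bucket = evaluate(bucket_policy, principal, action, resource, context)
    identity = evaluate(identity_policy, principal, action, resource, context)
    if "Deny" in (bucket, identity):
        return "Deny"
    return "Allow" if bucket == identity == "Allow" else "ImplicitDeny"


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/2024/spring/syllabus.pdf"    # constructed object key
    for action, ctx in [("s3:PutObject", {"s3:x-amz-acl": "bucket-owner-full-control"}),
                        ("s3:PutObject", {}), ("s3:GetObject", {}), ("s3:DeleteObject", {})]:
        print(action, ctx or "(no ACL header)", "->",
              cross_account_decision(BUCKET_POLICY, IDENTITY_POLICY, REFRESH_USER, action, obj, ctx))
```

Running it shows the intended outcome (PutObject with the bucket-owner-full-control ACL is allowed, without it explicitly denied) and one worth knowing about: the identity policy grants s3:GetObject on the non-prod objects, but the bucket policy never lists it, so a cross-account read by the refresh user ends in an implicit deny.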

Outputs

Outputs are values resulting from the CloudFormation stack that can be:

  1. Viewed in the AWS console under the CloudFormation service.
  2. Marked as exports to be imported into another stack, allowing cross-stack references.

```yaml
Outputs:
  AppBucketName:
    Description: Name of the application S3 bucket
    Value: !Sub ${BucketNamePrefix}-${TagEnvironment}
    Export:
      Name: !Sub ${AWS::StackName}-bucket-app-name
  AppBucketArn:
    Description: ARN of the application S3 bucket
    Value: !Sub arn:aws:s3:::${BucketNamePrefix}-${TagEnvironment}
    Export:
      Name: !Sub ${AWS::StackName}-bucket-app-arn
  AppBucketArnWildCard:
    Description: ARN of the application S3 bucket with splat wildcard
    Value: !Sub arn:aws:s3:::${BucketNamePrefix}-${TagEnvironment}/*
    Export:
      Name: !Sub ${AWS::StackName}-bucket-app-arn-wildcard
  MaintBucketName:
    Description: Name of the maintenance S3 bucket
    Value: !Sub ${BucketNamePrefix}-${TagEnvironment}-maintenance
    Export:
      Name: !Sub ${AWS::StackName}-bucket-maint-name
  MaintBucketDomain:
    Description: FQDN of maintenance S3 bucket
    Value: !GetAtt S3BucketMaint.DomainName
    Export:
      Name: !Sub ${AWS::StackName}-bucket-maint-fqdn
  TableExportBucketName:
    Description: Name of the D2L Table Export S3 bucket
    Value: !Sub ${BucketNamePrefix}-${TagEnvironment}-tableexport
    Export:
      Name: !Sub ${AWS::StackName}-bucket-tableexport-name
  TableExportBucketArn:
    Description: ARN of the D2L Table Export S3 bucket
    Value: !Sub arn:aws:s3:::${BucketNamePrefix}-${TagEnvironment}-tableexport
    Export:
      Name: !Sub ${AWS::StackName}-bucket-tableexport-arn
  TableExportBucketArnWildCard:
    Description: ARN of the D2L Table Export S3 bucket with splat wildcard
    Value: !Sub arn:aws:s3:::${BucketNamePrefix}-${TagEnvironment}-tableexport/*
    Export:
      Name: !Sub ${AWS::StackName}-bucket-tableexport-arn-wildcard
  HostedDNSZoneNameExport:
    Description: Hosted Route53 DNS zone name
    Value: !Sub ${HostedDNSZoneName}.
    Export:
      Name: !Sub ${AWS::StackName}-hostedzone-name
  FQDNforCSR:
    Description: FQDN for the CSR application (hosted zone)
    Value: !Sub d2l-csr-${TagEnvironment}.${HostedDNSZoneName}.
    Export:
      Name: !Sub ${AWS::StackName}-fqdn-for-csr
  FQDNforCSRNoTrailingDot:
    Description: FQDN for the CSR application (hosted zone)
    Value: !Sub d2l-csr-${TagEnvironment}.${HostedDNSZoneName}
    Export:
      Name: !Sub ${AWS::StackName}-fqdn-for-csr-no-trailing-dot
  FQDNforGradeFeed:
    Description: FQDN for the Grade Feed application (hosted zone)
    Value: !Sub d2l-grade-${TagEnvironment}.${HostedDNSZoneName}.
    Export:
      Name: !Sub ${AWS::StackName}-fqdn-for-grade
  FQDNforCourseFeed:
    Description: FQDN for the Course Feed application (hosted zone)
    Value: !Sub d2l-course-${TagEnvironment}.${HostedDNSZoneName}.
    Export:
      Name: !Sub ${AWS::StackName}-fqdn-for-course
  FQDNforValenceTest:
    Description: FQDN for the Valence Test Tool application (hosted zone)
    Value: !Sub d2l-valencetest-${TagEnvironment}.${HostedDNSZoneName}.
    Export:
      Name: !Sub ${AWS::StackName}-fqdn-for-valencetest
  FQDNforSQL:
    Description: FQDN for the RDS SQL instance (hosted zone alias)
    Value: !Sub d2lcsr-sql-${TagEnvironment}.${HostedDNSZoneName}.
    Export:
      Name: !Sub ${AWS::StackName}-fqdn-for-sql
  FQDNforTask:
    Description: FQDN for the Task Server (hosted zone alias)
    Value: !Sub d2lcsr-task-${TagEnvironment}.${HostedDNSZoneName}.
    Export:
      Name: !Sub ${AWS::StackName}-fqdn-for-task
  FQDNforWebA:
    Description: FQDN for the Web Server in AZ A (hosted zone alias)
    Value: !Sub d2lcsr-web-${TagEnvironment}-a.${HostedDNSZoneName}.
    Export:
      Name: !Sub ${AWS::StackName}-fqdn-for-web-a
  FQDNforWebB:
    Description: FQDN for the Web Server in AZ B (hosted zone alias)
    Value: !Sub d2lcsr-web-${TagEnvironment}-b.${HostedDNSZoneName}.
    Export:
      Name: !Sub ${AWS::StackName}-fqdn-for-web-b
```