sunapsis_0_dr_s3.yaml
---

CloudFormation template for Sunapsis DR S3 buckets (0 of 5)

  • Creates S3 buckets for disaster recovery (cross-account/cross-region replication destinations)

NOTE: This template is intended to be deployed in a different account & different region than the other templates

AWSTemplateFormatVersion: "2010-09-09"  # quoted so YAML parsers do not read the value as a date
Description: Sunapsis DR (S3)

Parameters

These are the input parameters for this template. All of these parameters must be supplied for this template to be deployed.

Parameters:
  IsStackUpdate:
    # This is a yes/no value used to work around a CloudFormation bug (see Support Case 4860139361 in the ua-erp account for details)
    Description: Specify if you are doing a stack update (workaround of CFN bug)
    Type: String
    Default: "no"  # yes/no are quoted so YAML parsers do not read them as booleans
    AllowedValues:
      - "yes"
      - "no"
  BucketNamePrefix:
    # ua-ecs: edu-arizona-uits-ecs-nonprod-sunapsis
    # ua-uits-dr: edu-arizona-uits-dr-sunapsis
    Description: Prefix of the name of the S3 buckets (environment type will be appended)
    Type: String
    Default: edu-arizona-uits-dr-sunapsis
  SourceBucketAccountNumber:
    # general-nonprod: 722748364533
    # ua-erp: 760232551367
    # sls-prod: 918461542486
    Description: Account number of the AWS account containing the replication source S3 buckets
    Type: String
    Default: "918461542486"

  ### Tags
  TagService:
    Description: Name of the service associated with this resource (as listed in the service catalog)
    Type: String
    Default: Sunapsis
  TagEnvironment:
    Description: Environment type of this resource (dev, tst, rpt, trn, prd)
    Type: String
    Default: prd
    AllowedValues:
      - dev
      - tst
      - rpt
      - trn
      - prd
  TagContactNetID:
    Description: NetID of the primary technical resource
    Type: String
    Default: dbaty
  TagTicketNumber:
    Description: Ticket number for the CLOUD Jira project
    Type: String
    Default: CLOUD-85
  TagAccountNumber:
    Description: Account number associated with the service
    Type: String
    Default: "1192621"
  TagSubAccount:
    Description: Sub account associated with the service
    Type: String
    Default: Sunapsis

Metadata

Metadata is mostly for organizing and presenting Parameters in a better way when using CloudFormation in the AWS Web UI.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Temporary Workarounds
        Parameters:
          - IsStackUpdate
      - Label:
          default: Settings
        Parameters:
          - BucketNamePrefix
          - SourceBucketAccountNumber
      - Label:
          default: Tags
        Parameters:
          - TagService
          - TagEnvironment
          - TagContactNetID
          - TagTicketNumber
          - TagAccountNumber
          - TagSubAccount
    ParameterLabels: {}

Conditions

Establishes conditions based on input parameters.

Conditions:
  IsAnUpdate: !Equals [ !Ref IsStackUpdate, "yes" ]  # compared as a string, matching the quoted parameter values

Resources

Resources:

S3

  • includes buckets & bucket policies

S3 Buckets

  S3BucketApp:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: !Sub ${BucketNamePrefix}-${TagEnvironment}-app
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - Id: ExpireIncompleteMultipartUploads
            Status: Enabled
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 2
          - Id: TransitionToStandardIA
            Status: Enabled
            Transitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
            NoncurrentVersionTransitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: Name
          Value: !Sub ${BucketNamePrefix}-${TagEnvironment}-app
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: contactnetid
          Value: !Ref TagContactNetID
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: service
          Value: !Ref TagService
        - Key: subaccount
          Value: !Ref TagSubAccount

  S3BucketDatabase:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: !Sub ${BucketNamePrefix}-${TagEnvironment}-db
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - Fn::If:
              - IsAnUpdate
              - Id: DeleteAfterSpecifiedNumOfDays
                ExpirationInDays: 7  # expire DB backups in DR at 7 days
                NoncurrentVersionExpirationInDays: 7  # expire DB backups in DR at 7 days
                Status: Enabled
              - !Ref "AWS::NoValue"
          # We don't need this rule (everything is deleted after 7 days), but a 2nd rule is
          # needed for the conditional above to work around a CloudFormation bug
          - Id: TransitionToStandardIA
            Status: Enabled
            Transitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: Name
          Value: !Sub ${BucketNamePrefix}-${TagEnvironment}-db
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: contactnetid
          Value: !Ref TagContactNetID
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: service
          Value: !Ref TagService
        - Key: subaccount
          Value: !Ref TagSubAccount

  S3BucketArchive:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: !Sub ${BucketNamePrefix}-${TagEnvironment}-archive
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - Id: TransitionToStandardIA
            Status: Enabled
            Transitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
            NoncurrentVersionTransitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
          - Fn::If:
              - IsAnUpdate
              - Id: ExpireColdFusionLogs
                Prefix: coldfusion
                ExpirationInDays: 30
                NoncurrentVersionExpirationInDays: 30
                Status: Enabled
              - !Ref "AWS::NoValue"
          - Fn::If:
              - IsAnUpdate
              - Id: ExpireCustomizationArchives
                Prefix: customization_archives
                ExpirationInDays: 90
                NoncurrentVersionExpirationInDays: 90
                Status: Enabled
              - !Ref "AWS::NoValue"
          - Fn::If:
              - IsAnUpdate
              - Id: ExpireSevisTransactions
                Prefix: sevis
                ExpirationInDays: 365
                NoncurrentVersionExpirationInDays: 365
                Status: Enabled
              - !Ref "AWS::NoValue"
          - Fn::If:
              - IsAnUpdate
              - Id: ExpireS3SyncJobLogs
                Prefix: s3synclogs
                ExpirationInDays: 30
                NoncurrentVersionExpirationInDays: 30
                Status: Enabled
              - !Ref "AWS::NoValue"
          - Fn::If:
              - IsAnUpdate
              - Id: ExpireSunapsisJobLogs
                Prefix: sunapsis_jobs
                ExpirationInDays: 30
                NoncurrentVersionExpirationInDays: 30
                Status: Enabled
              - !Ref "AWS::NoValue"
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: Name
          Value: !Sub ${BucketNamePrefix}-${TagEnvironment}-archive
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: contactnetid
          Value: !Ref TagContactNetID
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: service
          Value: !Ref TagService
        - Key: subaccount
          Value: !Ref TagSubAccount

S3 bucket policies

  # Each policy grants the source account only the three actions S3 replication needs,
  # scoped to the objects of the one destination bucket it is attached to.
  S3BucketPolicyApp:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3BucketApp
      PolicyDocument:
        Id: BucketPolicyForReplication
        Version: "2012-10-17"  # quoted so YAML parsers do not read the value as a date
        Statement:
          - Sid: BucketPolicyForReplication
            Action:
              - s3:ReplicateObject
              - s3:ReplicateDelete
              - s3:ObjectOwnerOverrideToBucketOwner
            Effect: Allow
            Resource:
              - !Sub arn:aws:s3:::${BucketNamePrefix}-${TagEnvironment}-app/*
            Principal:
              AWS:
                - !Sub arn:aws:iam::${SourceBucketAccountNumber}:root

  S3BucketPolicyDatabase:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3BucketDatabase
      PolicyDocument:
        Id: BucketPolicyForReplication
        Version: "2012-10-17"
        Statement:
          - Sid: BucketPolicyForReplication
            Action:
              - s3:ReplicateObject
              - s3:ReplicateDelete
              - s3:ObjectOwnerOverrideToBucketOwner
            Effect: Allow
            Resource:
              - !Sub arn:aws:s3:::${BucketNamePrefix}-${TagEnvironment}-db/*
            Principal:
              AWS:
                - !Sub arn:aws:iam::${SourceBucketAccountNumber}:root

  S3BucketPolicyArchive:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3BucketArchive
      PolicyDocument:
        Id: BucketPolicyForReplication
        Version: "2012-10-17"
        Statement:
          - Sid: BucketPolicyForReplication
            Action:
              - s3:ReplicateObject
              - s3:ReplicateDelete
              - s3:ObjectOwnerOverrideToBucketOwner
            Effect: Allow
            Resource:
              - !Sub arn:aws:s3:::${BucketNamePrefix}-${TagEnvironment}-archive/*
            Principal:
              AWS:
                - !Sub arn:aws:iam::${SourceBucketAccountNumber}:root

Outputs

Outputs are values resulting from the CloudFormation stack that can be: 1) Viewed in the AWS console under the CloudFormation service. 2) Marked as export to be imported into another stack allowing cross-stack references.

Outputs:
  AppBucket:
    Description: Name of the application S3 bucket
    Value: !Sub ${BucketNamePrefix}-${TagEnvironment}-app
    Export:
      Name: !Sub sunapsis-${TagEnvironment}-dr-bucket-app
  DatabaseBucket:
    Description: Name of the database S3 bucket
    Value: !Sub ${BucketNamePrefix}-${TagEnvironment}-db
    Export:
      Name: !Sub sunapsis-${TagEnvironment}-dr-bucket-db
  ArchiveBucket:
    Description: Name of the archive S3 bucket
    Value: !Sub ${BucketNamePrefix}-${TagEnvironment}-archive
    Export:
      Name: !Sub sunapsis-${TagEnvironment}-dr-bucket-archive