sunapsis_1_s3.yaml
---

CloudFormation template for Sunapsis S3 buckets (1 of 5)

  • Creates S3 buckets for app/web server deployments, database backups & archive files
  • Creates IAM policy/role for S3 bucket replication
  • Creates numerous exports used by later templates
AWSTemplateFormatVersion: 2010-09-09
Description: Sunapsis (S3)

Parameters

These are the input parameters for this template. All of these parameters must be supplied for this template to be deployed.

Parameters:
  EnvironmentType:
    Description: Environment type of this resource (dev, tst, rpt, trn, prd)
    Type: String
    Default: prd
    AllowedValues:
      - dev
      - tst
      - rpt
      - trn
      - prd
  IsStackUpdate:
    # This is a yes/no value used to work around a CloudFormation bug
    # (see Support Case 4860139361 in the ua-erp account for details)
    Description: Specify if you are doing a stack update (workaround of CFN bug)
    Type: String
    # quoted so that the YAML parser cannot turn yes/no into booleans; the parameter is a String
    Default: "no"
    AllowedValues:
      - "yes"
      - "no"
  BucketNamePrefix:
    # general-nonprod: edu-arizona-uits-general-nonprod-sunapsis
    # ua-erp: edu-arizona-uits-general-prod-sunapsis
    # sls-prod: edu-arizona-sls-prod-sunapsis
    Description: Prefix of the name of the S3 buckets (environment type will be appended)
    Type: String
    Default: edu-arizona-sls-prod-sunapsis
  DRBucketNamePrefix:
    # ua-ecs: edu-arizona-uits-ecs-nonprod-sunapsis
    # ua-uits-dr: edu-arizona-uits-dr-sunapsis
    Description: Prefix of the name of the Disaster Recovery (DR) S3 buckets (created in stack 0)
    Type: String
    Default: edu-arizona-uits-dr-sunapsis
  DRAwsAccountNumber:
    # ua-ecs: 703857167824
    # ua-uits-dr: 507937877461
    Description: 12-digit AWS account number where Disaster Recovery (DR) S3 buckets reside (created in stack 0)
    Type: String
    Default: 507937877461
    MinLength: 12
    MaxLength: 12
    AllowedPattern: "[0-9]*"
  HostedDNSZoneName:
    # general-nonprod: uits-nonprod-aws.arizona.edu
    # ua-erp: uits-prod-aws.arizona.edu
    # sls-prod: sls-prod-aws.arizona.edu
    Description: Name of the hosted DNS zone to use for the Route53 records (do NOT enter trailing period)
    Type: String
    Default: sls-prod-aws.arizona.edu
  VPCID:
    # ua-uits-general-nonprod: vpc-23b34745
    # ua-erp: vpc-a6d6fdc3
    # sls-prod: vpc-82ee9de5
    Description: Target VPC
    Type: AWS::EC2::VPC::Id
    Default: vpc-82ee9de5
  PublicSubnetA:
    # ua-uits-general-nonprod: subnet-834f4ee4
    # ua-erp: subnet-7eccf01b
    # sls-prod: subnet-fc862bb5
    Description: Public Subnet (us-west-2a)
    Type: AWS::EC2::Subnet::Id
    Default: subnet-fc862bb5
  PublicSubnetB:
    # ua-uits-general-nonprod: subnet-a00e56e9
    # ua-erp: subnet-2f9ac858
    # sls-prod: subnet-cb49c2ac
    Description: Public Subnet (us-west-2b)
    Type: AWS::EC2::Subnet::Id
    Default: subnet-cb49c2ac
  PrivateSubnetA:
    # ua-uits-general-nonprod: subnet-8f5051e8
    # ua-erp: subnet-79ccf01c
    # sls-prod: subnet-fd862bb4
    Description: Private Subnet (us-west-2a)
    Type: AWS::EC2::Subnet::Id
    Default: subnet-fd862bb4
  PrivateSubnetB:
    # ua-uits-general-nonprod: subnet-1c0c5455
    # ua-erp: subnet-2e9ac859
    # sls-prod: subnet-ca49c2ad
    Description: Private Subnet (us-west-2b)
    Type: AWS::EC2::Subnet::Id
    Default: subnet-ca49c2ad
  KeyPairName:
    Description: EC2 Keypair used for credentialing on all EC2 instances
    Type: AWS::EC2::KeyPair::KeyName
    Default: sunapsis-keypair
  ### Tags
  TagService:
    Description: Name of the service associated with this resource (as listed in the service catalog)
    Type: String
    Default: Sunapsis
  TagContactNetID:
    Description: NetID of the primary technical resource
    Type: String
    Default: dbaty
  TagTicketNumber:
    Description: Ticket number for the CLOUD Jira project
    Type: String
    Default: CLOUD-85
  TagAccountNumber:
    Description: Account number associated with the service
    Type: String
    Default: 1192621
  TagSubAccount:
    Description: Sub account associated with the service
    Type: String
    Default: Sunapsis

Metadata

Metadata is mostly for organizing and presenting the Parameters more clearly when the template is launched from the CloudFormation web console.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Environment
        Parameters:
          - EnvironmentType
      - Label:
          default: Temporary Workarounds
        Parameters:
          - IsStackUpdate
      - Label:
          default: Settings
        Parameters:
          - BucketNamePrefix
          - DRBucketNamePrefix
          - DRAwsAccountNumber
      - Label:
          default: Exports (used by later templates)
        Parameters:
          - HostedDNSZoneName
          - VPCID
          - PublicSubnetA
          - PublicSubnetB
          - PrivateSubnetA
          - PrivateSubnetB
          - KeyPairName
      - Label:
          default: Tags
        Parameters:
          - TagService
          - TagContactNetID
          - TagTicketNumber
          - TagAccountNumber
          - TagSubAccount
    ParameterLabels: {}

Conditions

Establishes conditions based on input parameters.

Conditions:
  IsPRD: !Equals [ !Ref EnvironmentType, prd ]
  IsAnUpdate: !Equals [ !Ref IsStackUpdate, "yes" ]

Resources

Resources:

S3

S3 Bucket for application & bootstrap process

  S3BucketApp:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: !Sub ${BucketNamePrefix}-${EnvironmentType}-app
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - Id: ExpireIncompleteMultipartUploads
            Status: Enabled
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 2
          - Id: TransitionToStandardIA
            Status: Enabled
            Transitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
            NoncurrentVersionTransitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
      ReplicationConfiguration:
        Role: !GetAtt IAMRoleS3Replication.Arn
        Rules:
          - Destination:
              Bucket: !Sub arn:aws:s3:::${DRBucketNamePrefix}-${EnvironmentType}-app
              StorageClass: STANDARD_IA
              Account: !Sub ${DRAwsAccountNumber}
              AccessControlTranslation:
                Owner: Destination
            Id: ReplicationToDR
            Prefix: ""
            Status: Enabled
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: Name
          Value: !Sub ${BucketNamePrefix}-${EnvironmentType}-app
        - Key: environment
          Value: !Ref EnvironmentType
        - Key: contactnetid
          Value: !Ref TagContactNetID
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: service
          Value: !Ref TagService
        - Key: subaccount
          Value: !Ref TagSubAccount

S3 Bucket for database backups

  S3BucketDatabase:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: !Sub ${BucketNamePrefix}-${EnvironmentType}-db
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - Fn::If:
              - IsAnUpdate
              - Id: DeleteAfterSpecifiedNumOfDays
                # expire DB backups at 7 days for non-PRD, 30 days for PRD
                ExpirationInDays: !If [ IsPRD, 30, 7 ]
                NoncurrentVersionExpirationInDays: !If [ IsPRD, 30, 7 ]
                Status: Enabled
              - !Ref "AWS::NoValue"
          # we don't need this rule (everything is deleted after 7 days) but we needed
          # a 2nd rule to do a conditional to work around a CloudFormation bug
          - Id: TransitionToStandardIA
            Status: Enabled
            Transitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
      ReplicationConfiguration:
        Role: !GetAtt IAMRoleS3Replication.Arn
        Rules:
          - Destination:
              Bucket: !Sub arn:aws:s3:::${DRBucketNamePrefix}-${EnvironmentType}-db
              StorageClass: STANDARD_IA
              Account: !Sub ${DRAwsAccountNumber}
              AccessControlTranslation:
                Owner: Destination
            Id: ReplicationToDR
            Prefix: ""
            Status: Enabled
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: Name
          Value: !Sub ${BucketNamePrefix}-${EnvironmentType}-db
        - Key: environment
          Value: !Ref EnvironmentType
        - Key: contactnetid
          Value: !Ref TagContactNetID
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: service
          Value: !Ref TagService
        - Key: subaccount
          Value: !Ref TagSubAccount

S3 Bucket for archives & logs

  S3BucketArchive:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: !Sub ${BucketNamePrefix}-${EnvironmentType}-archive
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - Id: TransitionToStandardIA
            Status: Enabled
            Transitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
            NoncurrentVersionTransitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
          - Fn::If:
              - IsAnUpdate
              - Id: ExpireColdFusionLogs
                Prefix: coldfusion
                ExpirationInDays: 30
                NoncurrentVersionExpirationInDays: 30
                Status: Enabled
              - !Ref "AWS::NoValue"
          - Fn::If:
              - IsAnUpdate
              - Id: ExpireCustomizationArchives
                Prefix: customization_archives
                ExpirationInDays: 90
                NoncurrentVersionExpirationInDays: 90
                Status: Enabled
              - !Ref "AWS::NoValue"
          - Fn::If:
              - IsAnUpdate
              - Id: ExpireSevisTransactions
                Prefix: sevis
                ExpirationInDays: 365
                NoncurrentVersionExpirationInDays: 365
                Status: Enabled
              - !Ref "AWS::NoValue"
          - Fn::If:
              - IsAnUpdate
              - Id: ExpireS3SyncJobLogs
                Prefix: s3synclogs
                ExpirationInDays: 30
                NoncurrentVersionExpirationInDays: 30
                Status: Enabled
              - !Ref "AWS::NoValue"
          - Fn::If:
              - IsAnUpdate
              - Id: ExpireSunapsisJobLogs
                Prefix: sunapsis_jobs
                ExpirationInDays: 30
                NoncurrentVersionExpirationInDays: 30
                Status: Enabled
              - !Ref "AWS::NoValue"
      ReplicationConfiguration:
        Role: !GetAtt IAMRoleS3Replication.Arn
        Rules:
          - Destination:
              Bucket: !Sub arn:aws:s3:::${DRBucketNamePrefix}-${EnvironmentType}-archive
              StorageClass: STANDARD_IA
              Account: !Sub ${DRAwsAccountNumber}
              AccessControlTranslation:
                Owner: Destination
            Id: ReplicationToDR
            Prefix: ""
            Status: Enabled
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: Name
          Value: !Sub ${BucketNamePrefix}-${EnvironmentType}-archive
        - Key: environment
          Value: !Ref EnvironmentType
        - Key: contactnetid
          Value: !Ref TagContactNetID
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: service
          Value: !Ref TagService
        - Key: subaccount
          Value: !Ref TagSubAccount

IAM

  • Includes roles & policies

IAM Roles

  IAMRoleS3Replication:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub sunapsis-${EnvironmentType}-role-s3-replication
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - s3.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /

IAM Policies

  IAMPolicyS3Replication:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: !Sub sunapsis-${EnvironmentType}-policy-s3-replication
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # read the replication configuration of the source buckets
          - Effect: Allow
            Action:
              - s3:ListBucket
              - s3:GetReplicationConfiguration
            Resource:
              - !Sub arn:aws:s3:::${BucketNamePrefix}-${EnvironmentType}-app
              - !Sub arn:aws:s3:::${BucketNamePrefix}-${EnvironmentType}-archive
              - !Sub arn:aws:s3:::${BucketNamePrefix}-${EnvironmentType}-db
          # read object versions and their ACLs from the source buckets
          - Effect: Allow
            Action:
              - s3:GetObjectVersionForReplication
              - s3:GetObjectVersionAcl
            Resource:
              - !Sub arn:aws:s3:::${BucketNamePrefix}-${EnvironmentType}-app/*
              - !Sub arn:aws:s3:::${BucketNamePrefix}-${EnvironmentType}-archive/*
              - !Sub arn:aws:s3:::${BucketNamePrefix}-${EnvironmentType}-db/*
          # write replicas into the DR buckets; ObjectOwnerOverrideToBucketOwner is required
          # because the replication rules set AccessControlTranslation to the destination owner
          - Effect: Allow
            Action:
              - s3:ReplicateObject
              - s3:ReplicateDelete
              - s3:ObjectOwnerOverrideToBucketOwner
            Resource:
              - !Sub arn:aws:s3:::${DRBucketNamePrefix}-${EnvironmentType}-app/*
              - !Sub arn:aws:s3:::${DRBucketNamePrefix}-${EnvironmentType}-archive/*
              - !Sub arn:aws:s3:::${DRBucketNamePrefix}-${EnvironmentType}-db/*
      Roles:
        - !Ref IAMRoleS3Replication
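The bucket definitions above and the replication policy have a few properties a reviewer wants to confirm before deploying: private ACL, default encryption, versioning (a prerequisite for replication), an expiration rule on the database backups, and a replication role that can actually write into the DR buckets, including the owner-override permission that `AccessControlTranslation` needs. The IsAnUpdate workaround also has a consequence that is easy to miss: on the first deployment (`IsStackUpdate` = no) every `Fn::If`-wrapped expiration rule resolves to `AWS::NoValue`, so backups are retained indefinitely until the stack is updated. The script below is an added example, not part of the Sunapsis template or its project; it evaluates the intrinsic functions the template uses (`Ref`, `Fn::Sub`, `Fn::If`, `Fn::GetAtt`) against constructed parameter values and conditions, over a constructed bucket and policy statement that mirror the shape of `S3BucketDatabase` and `IAMPolicyS3Replication`. The prefixes and account number are placeholders.

```python
"""Offline lint for the security-relevant settings of S3 buckets and the
replication policy in a CloudFormation template.

Added example, not part of the Sunapsis template. The bucket, policy and
parameter values are constructed to mirror the template's shape so the
checks run without AWS access; prefixes and account number are placeholders."""
import re

# Constructed parameter defaults (placeholders, not the template's real values).
PARAMS = {
    "BucketNamePrefix": "example-prefix",
    "DRBucketNamePrefix": "example-dr-prefix",
    "EnvironmentType": "prd",
    "DRAwsAccountNumber": "111111111111",
}
CREATE = {"IsAnUpdate": False, "IsPRD": True}  # first deployment (IsStackUpdate=no)
UPDATE = {"IsAnUpdate": True, "IsPRD": True}   # later update (IsStackUpdate=yes)


def resolve(node, params, conditions):
    """Evaluate the intrinsic functions used in the template. A branch that
    resolves to AWS::NoValue becomes None and is dropped from lists, which is
    what CloudFormation does with the IsAnUpdate workaround."""
    if isinstance(node, dict) and len(node) == 1:
        (key, val), = node.items()
        if key == "Ref":
            return None if val == "AWS::NoValue" else params[val]
        if key == "Fn::Sub":
            return re.sub(r"\$\{(\w+)\}", lambda m: params[m.group(1)], val)
        if key == "Fn::If":
            cond, if_true, if_false = val
            return resolve(if_true if conditions[cond] else if_false, params, conditions)
        if key == "Fn::GetAtt":
            return "{}.{}".format(*val)  # left symbolic; not needed by the checks
    if isinstance(node, dict):
        return {k: resolve(v, params, conditions) for k, v in node.items()}
    if isinstance(node, list):
        items = (resolve(v, params, conditions) for v in node)
        return [item for item in items if item is not None]
    return node


# Constructed bucket mirroring the shape of S3BucketDatabase.
DB_BUCKET = {"Type": "AWS::S3::Bucket", "Properties": {
    "AccessControl": "Private",
    "BucketName": {"Fn::Sub": "${BucketNamePrefix}-${EnvironmentType}-db"},
    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "VersioningConfiguration": {"Status": "Enabled"},
    "LifecycleConfiguration": {"Rules": [
        {"Fn::If": ["IsAnUpdate",
                    {"Id": "DeleteAfterSpecifiedNumOfDays", "Status": "Enabled",
                     "ExpirationInDays": {"Fn::If": ["IsPRD", 30, 7]}},
                    {"Ref": "AWS::NoValue"}]},
        {"Id": "TransitionToStandardIA", "Status": "Enabled",
         "Transitions": [{"StorageClass": "STANDARD_IA", "TransitionInDays": 30}]}]},
    "ReplicationConfiguration": {
        "Role": {"Fn::GetAtt": ["IAMRoleS3Replication", "Arn"]},
        "Rules": [{"Id": "ReplicationToDR", "Status": "Enabled", "Prefix": "",
                   "Destination": {
                       "Bucket": {"Fn::Sub": "arn:aws:s3:::${DRBucketNamePrefix}-${EnvironmentType}-db"},
                       "Account": {"Ref": "DRAwsAccountNumber"},
                       "AccessControlTranslation": {"Owner": "Destination"}}}]}}}

# Constructed statement mirroring the destination half of IAMPolicyS3Replication.
REPLICATION_POLICY = [{
    "Effect": "Allow",
    "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ObjectOwnerOverrideToBucketOwner"],
    "Resource": [{"Fn::Sub": "arn:aws:s3:::${DRBucketNamePrefix}-${EnvironmentType}-db/*"}],
}]


def bucket_findings(bucket, params, conditions):
    """Settings to confirm on every bucket, as they would exist after deployment."""
    props = resolve(bucket["Properties"], params, conditions)
    findings = []
    if props.get("AccessControl") != "Private":
        findings.append("bucket ACL is not Private")
    if "BucketEncryption" not in props:
        findings.append("no default server-side encryption")
    if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
        findings.append("versioning not enabled (replication requires it)")
    rules = props.get("LifecycleConfiguration", {}).get("Rules", [])
    if not any("ExpirationInDays" in rule for rule in rules):
        findings.append("no expiration rule: backups are retained indefinitely")
    return findings


def retention_days(bucket, params, conditions):
    """ExpirationInDays of every lifecycle rule that survives the conditions."""
    props = resolve(bucket["Properties"], params, conditions)
    rules = props.get("LifecycleConfiguration", {}).get("Rules", [])
    return [rule["ExpirationInDays"] for rule in rules if "ExpirationInDays" in rule]


def replication_policy_gaps(bucket, statements, params, conditions):
    """Actions the replication role still lacks on each destination bucket.
    Ownership transfer (AccessControlTranslation) additionally needs
    s3:ObjectOwnerOverrideToBucketOwner on the destination objects."""
    props = resolve(bucket["Properties"], params, conditions)
    gaps = []
    for rule in props.get("ReplicationConfiguration", {}).get("Rules", []):
        dest = rule["Destination"]
        needed = {"s3:ReplicateObject", "s3:ReplicateDelete"}
        if "AccessControlTranslation" in dest:
            needed.add("s3:ObjectOwnerOverrideToBucketOwner")
        granted = set()
        for st in statements:
            resources = resolve(st["Resource"], params, conditions)
            if st["Effect"] == "Allow" and dest["Bucket"] + "/*" in resources:
                granted.update(st["Action"])
        gaps.extend(f"{action} not allowed on {dest['Bucket']}/*" for action in sorted(needed - granted))
    return gaps


if __name__ == "__main__":
    print("on create:", bucket_findings(DB_BUCKET, PARAMS, CREATE))
    print("on update:", bucket_findings(DB_BUCKET, PARAMS, UPDATE), retention_days(DB_BUCKET, PARAMS, UPDATE))
    print("policy gaps:", replication_policy_gaps(DB_BUCKET, REPLICATION_POLICY, PARAMS, CREATE))
```

Run it as a script to see the create-time finding (no expiration rule) disappear once the conditions model a stack update; to lint the real template, load it with a YAML parser that understands the `!Sub`/`!If` short forms and feed each bucket's resolved properties to the same functions.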

Outputs

Outputs are values resulting from the CloudFormation stack that can be:
  1) Viewed in the AWS console under the CloudFormation service.
  2) Marked as an export to be imported into another stack, allowing cross-stack references.

Outputs:
  BucketNamePrefix:
    Description: Prefix used for S3 buckets
    Value: !Sub ${BucketNamePrefix}-${EnvironmentType}
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-bucketname-prefix
  KeyPairName:
    Description: EC2 KeyPair used for credentialing on all EC2 instances
    Value: !Sub ${KeyPairName}
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-ec2-keypair
  AppBucket:
    Description: Name of the application S3 bucket
    Value: !Sub ${BucketNamePrefix}-${EnvironmentType}-app
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-bucket-app
  DatabaseBucket:
    Description: Name of the database S3 bucket
    Value: !Sub ${BucketNamePrefix}-${EnvironmentType}-db
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-bucket-db
  ArchiveBucket:
    Description: Name of the archive S3 bucket
    Value: !Sub ${BucketNamePrefix}-${EnvironmentType}-archive
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-bucket-archive
  FQDNforFileServer:
    Description: FQDN for the file server (hosted zone alias)
    Value: !Sub sunapsis-${EnvironmentType}-files.${HostedDNSZoneName}.
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-fqdn-for-files
  FQDNforSFTP:
    Description: FQDN for the SFTP server (hosted zone alias)
    Value: !Sub sunapsis-${EnvironmentType}-sftp.${HostedDNSZoneName}.
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-fqdn-for-sftp
  FQDNforELB:
    Description: FQDN for the load balancer (hosted zone alias)
    Value: !Sub sunapsis-${EnvironmentType}.${HostedDNSZoneName}.
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-fqdn-for-elb
  FQDNforSQL:
    Description: FQDN for the RDS SQL instance (hosted zone alias)
    Value: !Sub sunapsis-${EnvironmentType}-sql.${HostedDNSZoneName}.
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-fqdn-for-sql
  FQDNforWebA:
    Description: FQDN for the web server in us-west-2a (hosted zone alias)
    Value: !Sub sunapsis-${EnvironmentType}-web-a.${HostedDNSZoneName}.
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-fqdn-for-web-a
  FQDNforWebB:
    Description: FQDN for the web server in us-west-2b (hosted zone alias)
    Value: !Sub sunapsis-${EnvironmentType}-web-b.${HostedDNSZoneName}.
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-fqdn-for-web-b
  HostedDNSZoneNameExport:
    Description: Hosted Route53 DNS zone name
    Value: !Sub ${HostedDNSZoneName}.
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-hostedzone-name
  VpcId:
    Description: Logical ID of the VPC
    Value: !Sub ${VPCID}
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-vpc
  PublicSubnetA:
    Description: Logical ID of the Public Subnet in AZ a
    Value: !Sub ${PublicSubnetA}
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-public-subnet-a
  PublicSubnetB:
    Description: Logical ID of the Public Subnet in AZ b
    Value: !Sub ${PublicSubnetB}
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-public-subnet-b
  PrivateSubnetA:
    Description: Logical ID of the Private Subnet in AZ a
    Value: !Sub ${PrivateSubnetA}
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-private-subnet-a
  PrivateSubnetB:
    Description: Logical ID of the Private Subnet in AZ b
    Value: !Sub ${PrivateSubnetB}
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-private-subnet-b
  EnvironmentType:
    Description: Value to use for environment tag
    Value: !Ref EnvironmentType
    Export:
      Name: !Sub sunapsis-${EnvironmentType}-tag-environment