DataMgmt-S3-Create.yaml
---

Description

This template provisions S3 buckets used by the CloudOps Data Management service

AWSTemplateFormatVersion: "2010-09-09"

Parameters

These are the input parameters for this template. All of these parameters must be supplied for this template to be deployed.

Parameters:
  S3BucketName:
    Description: S3 bucket name
    Type: String
  Versioning:
    Description: Specifies whether versioning is enabled for the bucket
    Type: String
    AllowedValues:
      - "true"
      - "false"

Tags for auditing/accounting

  TagContactNetid:
    Description: Netid of the person most familiar with the usage of the resource
    Type: String
  TagService:
    Description: Exact name of the Service as defined in the service catalog
    Type: String
    Default: CloudOps Data Management
    AllowedValues:
      - CloudOps Data Management
  TagCloudOpsGroupName:
    Description: CloudOps group name. (description attribute in LDAP)
    Type: String
  TagCloudOpsGroupId:
    Description: CloudOps group ID. (UUID of cn attribute in LDAP)
    Type: String
  TagBucketName:
    Description: Bucket friendly name
    Type: String
  TagBucketDescr:
    Description: Bucket description
    Type: String
  TagEnvironment:
    Description: Used to distinguish between development, test, production, etc. environment types
    Type: String
    Default: tst
    AllowedValues:
      - dev
      - tst
      - prd
  TagAccountNumber:
    Description: KFS account number paying for the resource
    Type: String
  TagTicketNumber:
    Description: Resource identifier from ServiceNow
    Type: String

Conditions:
  # Fn::Equals compares two strings. Versioning is a String parameter, so the
  # literal must be quoted; an unquoted true is a YAML boolean and fails validation.
  Versions: !Equals [!Ref Versioning, "true"]

Resources

Deploys an S3 bucket and, optionally, versioning rules

Resources:

S3 bucket for static website

  S3Bucket:
    Type: "AWS::S3::Bucket"
    Properties:
      AccessControl: BucketOwnerFullControl
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      BucketName: !Join ["-", ["cloudops-datamgmt", !Ref S3BucketName]]
      CorsConfiguration:
        CorsRules:
          - Id: !Join ["-", [!Ref S3BucketName, "Cors-Rule"]]
            AllowedHeaders:
              - "*"
            AllowedMethods:
              - "GET"
              - "POST"
              - "PUT"
            AllowedOrigins:
              - https://s3browser.cloudops-svcs-nonprod.arizona.edu
            ExposedHeaders:
              - ETag
            MaxAge: 3000
      LifecycleConfiguration:
        Rules:
          - Id: !Join ["-", [!Ref S3BucketName, "Lifecycle-Rule"]]
            NoncurrentVersionExpirationInDays: 7
            Status: !If [Versions, Enabled, Disabled]
          - Id: !Join ["-", [!Ref S3BucketName, "Multipart-Rule"]]
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1
            # Status is required on every lifecycle rule
            Status: Enabled
      Tags:
        - Key: contactnetid
          Value: !Ref TagContactNetid
        - Key: service
          Value: !Ref TagService
        - Key: groupname
          Value: !Ref TagCloudOpsGroupName
        - Key: environment
          Value: !Ref TagEnvironment
        - Key: accountnumber
          Value: !Ref TagAccountNumber
        - Key: ticketnumber
          Value: !Ref TagTicketNumber
        - Key: bucketdescr
          Value: !Ref TagBucketDescr
        - Key: bucketname
          Value: !Ref TagBucketName
        - Key: groupid
          Value: !Ref TagCloudOpsGroupId
      VersioningConfiguration:
        Status: !If [Versions, Enabled, Suspended]

Bucket Read Group

This is the IAM group to allow programmatic read access to the named bucket.

  ReadGroup:
    Type: 'AWS::IAM::Group'
    Properties:
      GroupName: !Join ["-", [!Ref S3BucketName, "Read-Group"]]
      Policies:
        - PolicyName: !Join ["-", [!Ref S3BucketName, "Read-Policy"]]
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 's3:Describe*'
                  - 's3:Get*'
                  - 's3:List*'
                # The bucket is created as "cloudops-datamgmt-<S3BucketName>", so the
                # ARN is taken from the resource rather than rebuilt from the parameter.
                # Listing needs the bucket ARN; reading objects needs the bucket/* ARN.
                Resource:
                  - !GetAtt S3Bucket.Arn
                  - !Sub "${S3Bucket.Arn}/*"

Bucket Write Group

This is the IAM group to allow programmatic write access to the named bucket.

  WriteGroup:
    Type: 'AWS::IAM::Group'
    Properties:
      GroupName: !Join ["-", [!Ref S3BucketName, "Write-Group"]]
      Policies:
        - PolicyName: !Join ["-", [!Ref S3BucketName, "Write-Policy"]]
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - 's3:PutObject'
                  - 's3:DeleteObject'
                  - 's3:DeleteObjectVersion'
                # All three actions are object-level, so the resource is the object
                # ARN of the bucket this template creates, not the bare parameter name.
                Resource:
                  - !Sub "${S3Bucket.Arn}/*"
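The read and write groups above are only as good as the ARNs in their policies: the bucket is created under a prefixed name, and object actions such as GetObject and PutObject are evaluated against the bucket/* object ARN, not the bucket ARN. The following Python script is an added example, not part of this template or of the CloudOps project. It is an offline guardrail that loads a template in CloudFormation's JSON form (long-form intrinsics such as {"Ref": ...} and {"Fn::Join": ...}, which is also what a YAML loader aware of the !Ref/!Join short forms produces), renders each policy resource with parameters left as ${Name} placeholders, and reports any Allow statement whose resource does not name a bucket defined in the template or which grants object-level actions without an object ARN. The two embedded templates are constructed reductions of the page's template; the DEFECTIVE one reproduces a policy written against "arn:aws:s3:::<S3BucketName>" while the bucket is named "cloudops-datamgmt-<S3BucketName>".

```python
"""Added example (not part of this template): offline guardrail that checks whether
IAM policies in a CloudFormation template target the S3 bucket the template creates
and carry the bucket/* object ARN for object-level actions. Templates are taken in
CloudFormation's JSON form, i.e. long-form intrinsics such as {"Ref": ...}."""
import copy
import fnmatch
import json
import re

# S3 actions that only ever apply to object ARNs (arn:aws:s3:::bucket/key).
OBJECT_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion")
IAM_PRINCIPAL_TYPES = ("AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::User")


def render(expr, resources):
    """Render a string-valued intrinsic to text; parameter refs become ${Name}
    placeholders so two expressions can be compared without deploying anything."""
    if isinstance(expr, str):
        return expr
    (fn, arg), = expr.items()
    if fn == "Ref":
        if arg in resources:  # Ref on a bucket resource yields the bucket name
            return render(resources[arg]["Properties"]["BucketName"], resources)
        return "${" + arg + "}"
    if fn == "Fn::Join":
        sep, parts = arg
        return sep.join(render(p, resources) for p in parts)
    if fn == "Fn::GetAtt":
        logical, attr = arg if isinstance(arg, list) else arg.split(".", 1)
        if attr == "Arn" and resources[logical]["Type"] == "AWS::S3::Bucket":
            return "arn:aws:s3:::" + render(resources[logical]["Properties"]["BucketName"], resources)
    if fn == "Fn::Sub":
        text = arg if isinstance(arg, str) else arg[0]
        return re.sub(r"\$\{(\w+)\.Arn\}",
                      lambda m: render({"Fn::GetAtt": [m.group(1), "Arn"]}, resources), text)
    raise ValueError(f"unsupported expression: {expr!r}")


def audit(template):
    """Return findings for every Allow statement in an IAM group/role/user policy
    whose resources do not match a bucket defined in the template, or which grants
    object-level actions without an object (bucket/*) ARN. Empty list = clean."""
    resources = template["Resources"]
    bucket_names = {render(r["Properties"]["BucketName"], resources)
                    for r in resources.values() if r["Type"] == "AWS::S3::Bucket"}
    findings = []
    for logical, res in resources.items():
        if res["Type"] not in IAM_PRINCIPAL_TYPES:
            continue
        for policy in res["Properties"].get("Policies", []):
            for stmt in policy["PolicyDocument"]["Statement"]:
                if stmt.get("Effect") != "Allow":
                    continue
                actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
                arns = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
                arns = [render(a, resources) for a in arns]
                for arn in arns:
                    bucket = arn.removeprefix("arn:aws:s3:::").split("/", 1)[0]
                    if bucket not in bucket_names:
                        findings.append(f"{logical}: {arn} is not a bucket defined in this template")
                touches_objects = any(fnmatch.fnmatch(obj, pat) for pat in actions for obj in OBJECT_ACTIONS)
                if touches_objects and not any(arn.endswith("/*") for arn in arns):
                    findings.append(f"{logical}: object-level actions granted without a bucket/* resource")
    return findings


# Constructed sample (JSON form of the template above, reduced to the relevant parts):
# the bucket is named "cloudops-datamgmt-<S3BucketName>", but the read policy is
# written against "arn:aws:s3:::<S3BucketName>" and carries no object ARN.
DEFECTIVE = json.loads("""{
  "Resources": {
    "S3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketName": {"Fn::Join": ["-", ["cloudops-datamgmt", {"Ref": "S3BucketName"}]]}}},
    "ReadGroup": {"Type": "AWS::IAM::Group", "Properties": {"Policies": [{
      "PolicyName": "read", "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:Describe*", "s3:Get*", "s3:List*"],
        "Resource": [{"Fn::Join": [":", ["arn:aws:s3::", {"Ref": "S3BucketName"}]]}]}]}}]}}
  }
}""")

# Same template with the ARNs derived from the bucket resource itself.
FIXED = copy.deepcopy(DEFECTIVE)
FIXED["Resources"]["ReadGroup"]["Properties"]["Policies"][0]["PolicyDocument"]["Statement"][0]["Resource"] = [
    {"Fn::GetAtt": ["S3Bucket", "Arn"]}, {"Fn::Sub": "${S3Bucket.Arn}/*"}]

if __name__ == "__main__":
    for label, tpl in (("defective", DEFECTIVE), ("fixed", FIXED)):
        print(label, audit(tpl) or "clean")
```

Running the script prints two findings for the DEFECTIVE template (wrong bucket, no object ARN) and "clean" for the FIXED one. The renderer deliberately keeps parameters symbolic, so the check works in CI before any stack exists; it covers only the intrinsics this template uses (Ref, Fn::Join, Fn::GetAtt, Fn::Sub) and raises on anything else rather than guessing.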

Outputs

Outputs to identify the created resources

Outputs:

Bucket name

  BucketFriendlyName:
    Value: !Ref TagBucketName