CF_chefServerBackup-S3
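AWSTemplateFormatVersion: '2010-09-09'
Description: ChefBackup S3 Bucket
# Provisions an S3 bucket for Chef server backups, an IAM service user that
# may read/write objects in it, and a bucket policy that additionally allows
# access from named VPC endpoints and source IP ranges.
Parameters:
  AccessControl:
    Type: String
    Description: Default permissions for the bucket
    # NOTE(review): the Public* ACLs make backup contents readable (or writable)
    # by anyone on the internet. They are kept here for compatibility with
    # existing callers, but a backup bucket should be deployed with Private;
    # once the public values are dropped, add PublicAccessBlockConfiguration
    # to the bucket so they cannot come back.
    AllowedValues:
      - Private
      - PublicRead
      - PublicReadWrite
      - AuthenticatedRead
      - LogDeliveryWrite
      - BucketOwnerRead
      - BucketOwnerFullControl
    Default: Private
  ServiceUserName:
    Type: String
    Description: 'The name of the Service User.'
    Default: _chefBackup-S3-User
  BucketName:
    Type: String
    Description: Name of the backup bucket (S3 bucket names are globally unique).
    # Default is the value that was previously hard-coded, so existing
    # deployments are unaffected; override it to deploy a second copy.
    Default: ic-chef-backup
Resources:
  ChefBackupUser:
    Type: AWS::IAM::User
    Properties:
      UserName:
        Ref: ServiceUserName
  ChefBackupUserPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ChefBackupPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ChefBackups
            Effect: Allow
            Action:
              - 's3:GetObject'
              - 's3:PutObject'
            # Object-level ARN only: the user can read and write objects but
            # gets no bucket-level rights (s3:ListBucket would need the bucket
            # ARN itself). Add it deliberately if the backup tooling lists keys.
            Resource:
              - !Join ['', ['arn:aws:s3:::', !Ref 'ChefBackupBucket', '/*']]
      Users:
        - Ref: ChefBackupUser
  ChefBackupBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: !Ref 'AccessControl'
      BucketName: !Ref 'BucketName'
      # Server-side encryption with S3-managed keys for every new object.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Backups are short-lived: every object expires seven days after creation.
      LifecycleConfiguration:
        Rules:
          - Id: DeleteAfterSevenDays
            Prefix: ''
            Status: Enabled
            ExpirationInDays: 7
      Tags:
        - Key: "Owner"
          Value: "Systems Teams"
  ChefBackupBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref 'ChefBackupBucket'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # NOTE(review): both statements grant s3:* on every object -- which
          # includes deleting backups -- to any principal, unauthenticated
          # requests included, that satisfies the network condition. Before
          # production use, scope Principal to the backup user / the Chef
          # server's role, or narrow Action to what the backup job needs.
          - Sid: AllowVpceHttpsBucketAccess
            Effect: Allow
            Principal: '*'
            Action: s3:*
            Resource: !Join ['', ['arn:aws:s3:::', !Ref 'ChefBackupBucket', '/*']]
            Condition:
              StringEquals:
                # aws:SourceVpce is compared against VPC *endpoint* IDs
                # (vpce-...), not VPC IDs; the vpc-... values used before
                # could never match, so this statement was dead.
                aws:sourceVpce:
                  - vpce-xxxxxxxx  # endpoint in vpc-1 (placeholder, replace)
                  - vpce-yyyyyyyy  # endpoint in vpc-2 (placeholder, replace)
          - Sid: AllowIpBucketAccess
            Effect: Allow
            Principal: "*"
            Action: s3:*
            Resource: !Join ['', ['arn:aws:s3:::', !Ref 'ChefBackupBucket', '/*']]
            Condition:
              IpAddress:
                # Requests that arrive through a VPC endpoint are not matched
                # by aws:SourceIp (aws:VpcSourceIp covers that case); they are
                # expected to be matched by the statement above instead.
                aws:SourceIp:
                  - x.x.x.x/24  # cidr-1 (placeholder, replace)
                  - x.x.x.x/32  # cidr-2 (placeholder, replace)
Outputs:
  Region:
    Value: !Ref 'AWS::Region'
  ChefBackupBucketArn:
    Description: ChefBackup Bucket Arn
    # A single-element !Join around !GetAtt produced the same string as !GetAtt alone.
    Value: !GetAtt 'ChefBackupBucket.Arn'
    Export:
      Name: ChefBackupBucketArn
  ChefBackupBucketUrl:
    Description: ChefBackup Bucket Url
    Value: !Join
      - ''
      - - https://
        - !GetAtt 'ChefBackupBucket.DomainName'
    Export:
      Name: ChefBackupBucketUrl
  ChefBackupBucketName:
    Description: S3 bucket to hold Chef Backups
    Value: !Ref 'ChefBackupBucket'
    Export:
      Name: ChefBackupBucketName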