@jeffreyjs
Created December 11, 2018 16:37
CF_chefServerBackup-S3
AWSTemplateFormatVersion: '2010-09-09'
Description: ChefBackup S3 Bucket
Parameters:
  AccessControl:
    Type: String
    Description: Default permissions for the bucket
    # Note: the allowed values include the public canned ACLs; only the default is private.
    AllowedValues:
      - Private
      - PublicRead
      - PublicReadWrite
      - AuthenticatedRead
      - LogDeliveryWrite
      - BucketOwnerRead
      - BucketOwnerFullControl
    Default: Private
  ServiceUserName:
    Type: String
    Description: 'The name of the Service User.'
    Default: _chefBackup-S3-User
Resources:
  ChefBackupUser:
    Type: AWS::IAM::User
    Properties:
      UserName:
        Ref: ServiceUserName
  ChefBackupUserPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ChefBackupPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ChefBackups
            Effect: Allow
            Action:
              - 's3:GetObject'
              - 's3:PutObject'
            # Object-level ARN only: the user can read and write objects but has no
            # permission on the bucket itself (e.g. no s3:ListBucket).
            Resource:
              - !Join ['', ['arn:aws:s3:::', !Ref 'ChefBackupBucket', '/*']]
      Users:
        - Ref: ChefBackupUser
  ChefBackupBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: !Ref 'AccessControl'
      BucketName: ic-chef-backup
      # Default server-side encryption (SSE-S3) for every object written to the bucket.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Backups are expired automatically after seven days.
      LifecycleConfiguration:
        Rules:
          - Id: DeleteAfterSevenDays
            Prefix: ''
            Status: Enabled
            ExpirationInDays: '7'
      Tags:
        - Key: "Owner"
          Value: "Systems Teams"
  ChefBackupBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref 'ChefBackupBucket'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Both statements grant s3:* on objects to any principal ('*'); the
          # Condition on each is the only thing narrowing that grant, so the
          # endpoint IDs and CIDRs below must be filled in correctly.
          - Sid: AllowVpceHttpsBucketAccess
            Effect: Allow
            Principal: '*'
            Action: s3:*
            Resource: !Join ['', ['arn:aws:s3:::', !Ref 'ChefBackupBucket', '/*']]
            Condition:
              StringEquals:
                # aws:sourceVpce matches VPC endpoint IDs (vpce-...), not VPC IDs;
                # replace these placeholders with the endpoint IDs.
                aws:sourceVpce:
                  - vpc-123456 #vpc-1
                  - vpc-987654 #vpc-2
          - Sid: AllowIpBucketAccess
            Effect: Allow
            Principal: "*"
            Action: s3:*
            Resource: !Join ['', ['arn:aws:s3:::', !Ref 'ChefBackupBucket', '/*']]
            Condition:
              IpAddress:
                aws:SourceIp:
                  - x.x.x.x/24 #cidr-1
                  - x.x.x.x/32 #cidr-2
Outputs:
  Region:
    Value: !Ref 'AWS::Region'
  ChefBackupBucketArn:
    Description: ChefBackup Bucket Arn
    Value: !Join
      - ''
      - - !GetAtt 'ChefBackupBucket.Arn'
    Export:
      Name: ChefBackupBucketArn
  ChefBackupBucketUrl:
    Description: ChefBackup Bucket Url
    Value: !Join
      - ''
      - - https://
        - !GetAtt 'ChefBackupBucket.DomainName'
    Export:
      Name: ChefBackupBucketUrl
  ChefBackupBucketName:
    Description: S3 bucket to hold Chef Backups
    Value: !Ref 'ChefBackupBucket'
    Export:
      Name: ChefBackupBucketName
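The following is an added example, not part of the gist: a small set of static checks of the kind a reviewer would run over this template before deploying it. It checks that the bucket has default server-side encryption, lists the public canned ACLs that the AccessControl parameter's AllowedValues would let a deployer choose, flags any Allow statement with a wildcard principal that carries no Condition, and verifies that every value under aws:sourceVpce looks like a VPC endpoint ID (vpce-...). The TEMPLATE dict is a constructed, already-parsed excerpt of the gist's Parameters, ChefBackupBucket and ChefBackupBucketPolicy (with !Ref written in its long {"Ref": ...} form) so the checks run without a YAML library; all function names are this example's own.

```python
import re

# Constructed excerpt of the gist's template, already parsed into Python
# structures (the !Ref intrinsic is written in its long {"Ref": ...} form).
TEMPLATE = {
    "Parameters": {
        "AccessControl": {
            "Type": "String",
            "AllowedValues": ["Private", "PublicRead", "PublicReadWrite",
                              "AuthenticatedRead", "LogDeliveryWrite",
                              "BucketOwnerRead", "BucketOwnerFullControl"],
            "Default": "Private",
        },
    },
    "Resources": {
        "ChefBackupBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": {"Ref": "AccessControl"},
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
            },
        },
        "ChefBackupBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "ChefBackupBucket"},
                "PolicyDocument": {"Statement": [
                    {"Sid": "AllowVpceHttpsBucketAccess", "Effect": "Allow",
                     "Principal": "*", "Action": "s3:*",
                     "Condition": {"StringEquals": {
                         "aws:sourceVpce": ["vpc-123456", "vpc-987654"]}}},
                    {"Sid": "AllowIpBucketAccess", "Effect": "Allow",
                     "Principal": "*", "Action": "s3:*",
                     "Condition": {"IpAddress": {
                         "aws:SourceIp": ["x.x.x.x/24", "x.x.x.x/32"]}}},
                ]},
            },
        },
    },
}

PUBLIC_ACLS = {"PublicRead", "PublicReadWrite"}
VPCE_ID = re.compile(r"^vpce-[0-9a-f]+$")  # VPC endpoint IDs, not VPC IDs


def resources_of_type(template, type_name):
    return {name: res for name, res in template.get("Resources", {}).items()
            if res.get("Type") == type_name}


def policy_statements(template):
    """Yield (resource name, statement) for every bucket policy statement."""
    for name, pol in resources_of_type(template, "AWS::S3::BucketPolicy").items():
        doc = pol.get("Properties", {}).get("PolicyDocument", {})
        for st in doc.get("Statement", []):
            yield name, st


def buckets_without_default_sse(template):
    """Names of AWS::S3::Bucket resources with no default encryption rule."""
    missing = []
    for name, bucket in resources_of_type(template, "AWS::S3::Bucket").items():
        enc = bucket.get("Properties", {}).get("BucketEncryption", {})
        rules = enc.get("ServerSideEncryptionConfiguration", [])
        if not any("ServerSideEncryptionByDefault" in rule for rule in rules):
            missing.append(name)
    return missing


def public_acls_allowed(template):
    """(parameter, value) pairs where a deployer could pick a public canned ACL."""
    return [(pname, value)
            for pname, param in template.get("Parameters", {}).items()
            for value in param.get("AllowedValues", [])
            if value in PUBLIC_ACLS]


def unconditioned_wildcard_statements(template):
    """Sids of Allow statements open to any principal with no Condition narrowing them."""
    flagged = []
    for name, st in policy_statements(template):
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            flagged.append(st.get("Sid", name))
    return flagged


def malformed_vpce_ids(template):
    """(Sid, value) pairs under aws:sourceVpce that are not vpce-... endpoint IDs."""
    bad = []
    for _, st in policy_statements(template):
        for keys in st.get("Condition", {}).values():
            for key, values in keys.items():
                if key.lower() != "aws:sourcevpce":  # condition keys are case-insensitive
                    continue
                values = values if isinstance(values, list) else [values]
                bad.extend((st.get("Sid"), v) for v in values if not VPCE_ID.match(v))
    return bad
```

Run against the excerpt, the encryption and wildcard-principal checks come back clean, while public_acls_allowed reports PublicRead and PublicReadWrite from the parameter's AllowedValues and malformed_vpce_ids reports both placeholder values, since they carry a vpc- rather than a vpce- prefix.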