# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"). # You may not use this file except in compliance with the License. # A copy of the License is located at # # http://www.apache.org/licenses/LICENSE-2.0 # # or in the "license" file accompanying this file. This file is distributed # on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either # express or implied. See the License for the specific language governing # permissions and limitations under the License. # # Template for Simple File Manager for Amazon EFS Solution # # author: aws-solutions-builder@ AWSTemplateFormatVersion: 2010-09-09 Description: (SO0145) Simple File Manager for Amazon EFS Solution Main %%VERSION%% Parameters: AdminEmail: Description: Email address of the Simple File Manager Administrator Type: String Mappings: SourceCode: General: GlobalS3Bucket: "%%GLOBAL_BUCKET_NAME%%" RegionalS3Bucket: "%%REGIONAL_BUCKET_NAME%%" CodeKeyPrefix: "simple-file-manager-for-amazon-efs/%%VERSION%%" TemplateKeyPrefix: "simple-file-manager-for-amazon-efs/%%VERSION%%" Resources: # File Manager API Handler IAM Role # TODO: Scope some of the inline policies down EFSFileManagerIamRole: Type: "AWS::IAM::Role" Metadata: cfn_nag: rules_to_suppress: - id: W11 reason: "* resource needed for ec2:DescribeSecurityGroups and lambda:CreateFunction in this policy" Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole Policies: - PolicyName: !Sub "${AWS::StackName}-API-Policy" PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*" - Effect: Allow Action: - "iam:CreateRole" Resource: "arn:aws:iam::*:*" - Effect: Allow Action: - "lambda:CreateFunction" - "ec2:DescribeSecurityGroups" - "ec2:DescribeSubnets" - "ec2:DescribeVpcs" Resource: "*" - Effect: Allow Action: - "elasticfilesystem:DescribeMountTargets" - "elasticfilesystem:DescribeFileSystems" - "elasticfilesystem:CreateAccessPoint" - "elasticfilesystem:DescribeAccessPoints" - "elasticfilesystem:DescribeMountTargetSecurityGroups" Resource: - "arn:aws:elasticfilesystem:*:*:file-system/*" - "arn:aws:elasticfilesystem:*:*:access-point/*" - "arn:aws:elasticfilesystem:*:*:*" - Effect: Allow Action: - "iam:PassRole" Resource: - "arn:aws:iam::*:role/fs-*-manager-role" Condition: StringEquals: iam:PassedToService: lambda.amazonaws.com - Effect: Allow Action: - "iam:GetRole" Resource: - "arn:aws:iam::*:role/fs-*-manager-role" - Effect: Allow Action: - "elasticfilesystem:DeleteAccessPoint" Resource: "arn:aws:elasticfilesystem:*:*:access-point/*" Condition: StringEquals: aws:ResourceTag/Name: "simple-file-manager-access-point" - Effect: Allow Action: - "iam:DetachRolePolicy" - "iam:AttachRolePolicy" - "iam:DeleteRole" Resource: "arn:aws:iam::*:role/fs-*-manager-role" - Effect: Allow Action: - "lambda:InvokeFunction" - "lambda:GetFunction" - "lambda:DeleteFunction" Resource: "arn:aws:lambda:*:*:function:fs-*-manager-lambda" - Effect: Allow Action: - "cloudformation:CreateStack" - "cloudformation:DeleteStack" - "cloudformation:DescribeStacks" Resource: "arn:aws:cloudformation:*:*:stack/*" # File Manager API stack EFSFileManagerAPI: Type: "AWS::CloudFormation::Stack" Properties: TemplateURL: !Join [ "", [ "https://", !FindInMap [ "SourceCode", "General", "GlobalS3Bucket" ], ".s3.amazonaws.com/", !FindInMap ["SourceCode", "General", "TemplateKeyPrefix"], "/file-manager-api-stack.template", ], ] Parameters: ApiHandlerIamRole: !GetAtt EFSFileManagerIamRole.Arn botoConfig: '{"user_agent_extra": "AwsSolution/SO0145/%%VERSION%%"}' DeploymentPackageBucket: !Join ["-", [!FindInMap ["SourceCode", "General", "RegionalS3Bucket"], Ref: "AWS::Region"]] DeploymentPackageKey: !Join [ "/", [ !FindInMap ["SourceCode", "General", "CodeKeyPrefix"], "filemanagerapi.zip", ], ] stackPrefix: !Sub "${AWS::StackName}" # Deploy Authentication stack. EFSFileAuthentication: Type: "AWS::CloudFormation::Stack" Properties: TemplateURL: !Join [ "", [ "https://", !FindInMap [ "SourceCode", "General", "GlobalS3Bucket" ], ".s3.amazonaws.com/", !FindInMap ["SourceCode", "General", "TemplateKeyPrefix"], "/efs-file-manager-auth.template", ], ] Parameters: AdminEmail: !Ref AdminEmail ApiId: !GetAtt EFSFileManagerAPI.Outputs.RestAPIId # Deploy Web Application stack EFSFileWebApplication: Type: "AWS::CloudFormation::Stack" Properties: TemplateURL: !Join [ "", [ "https://", !FindInMap [ "SourceCode", "General", "GlobalS3Bucket" ], ".s3.amazonaws.com/", !FindInMap ["SourceCode", "General", "TemplateKeyPrefix"], "/efs-file-manager-web.template", ], ] Parameters: FileManagerAPIEndpoint: !Join [ '', !Split [ '/api/', !GetAtt EFSFileManagerAPI.Outputs.EndpointURL ] ] UserPoolId: !GetAtt EFSFileAuthentication.Outputs.UserPoolId IdentityPoolId: !GetAtt EFSFileAuthentication.Outputs.IdentityPoolId PoolClientId: !GetAtt EFSFileAuthentication.Outputs.UserPoolClientId Outputs: EFSFileSimpleWebsiteUrl: Value: !GetAtt EFSFileWebApplication.Outputs.EFSFileSimpleWebsiteUrl