# Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved. # Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with # the License. A copy of the License is located at # http://aws.amazon.com/apache2.0/ # or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR # CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and # limitations under the License. AWSTemplateFormatVersion: '2010-09-09' Description: Creates a S3 bucket in the region where cloudformation stack is executed. Parameters: BucketStartName: Description: Bucket starting name to use for artifacts. It will be suffixed with respective region name. Type: String EnvironmentName: Description: An environment name that is prefixed to resource names Type: String Default: Poc PutS3BucketPolicy: Description: Update S3Bucket policy to include codebuild and codepipeline roles access. Type: String Default: false CodeCommitAccount: Description: AWS AccountNumber for codecommit account Type: Number TestAccount1: Description: AWS AccountNumber for test account 1 Type: Number TestAccount2: Description: AWS AccountNumber for test account 2 Type: Number TestAccount3: Description: AWS AccountNumber for test account 3 Type: Number ToolsAccount: Description: AWS AccountNumber for test account 3 Type: Number Conditions: UpdateS3BucketPolicy: !Equals [ !Ref PutS3BucketPolicy, true ] Resources: AccessLogBucket: Type: "AWS::S3::Bucket" Properties: AccessControl: LogDeliveryWrite OwnershipControls: Rules: - ObjectOwnership: BucketOwnerPreferred BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 PublicAccessBlockConfiguration: BlockPublicAcls: TRUE BlockPublicPolicy: TRUE IgnorePublicAcls: TRUE RestrictPublicBuckets: TRUE ArtifactBucket1: Type: AWS::S3::Bucket #DeletionPolicy: Retain Properties: BucketName: !Sub '${BucketStartName}-${AWS::Region}' #As of now hard coded prefix for artifact buckets BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 LoggingConfiguration: DestinationBucketName: !Ref AccessLogBucket PublicAccessBlockConfiguration: BlockPublicAcls: TRUE BlockPublicPolicy: TRUE IgnorePublicAcls: TRUE RestrictPublicBuckets: TRUE S3TestBucketPolicy: Type: AWS::S3::BucketPolicy Condition: UpdateS3BucketPolicy Properties: Bucket: !Sub '${BucketStartName}-${AWS::Region}' PolicyDocument: Statement: - Action: - s3:PutObject - s3:GetObjectAcl - s3:GetObject - s3:DeleteObjectVersion - s3:PutObjectVersionAcl - s3:GetObjectVersionAcl - s3:DeleteObject - s3:PutObjectAcl - s3:GetObjectVersion Effect: Allow Resource: - !Sub arn:aws:s3:::${BucketStartName}-${AWS::Region} - !Sub arn:aws:s3:::${BucketStartName}-${AWS::Region}/* Principal: AWS: - !Sub arn:aws:iam::${CodeCommitAccount}:role/ECSToolsAcctCodePipelineCodeCommitRole - !Sub arn:aws:iam::${TestAccount1}:role/${EnvironmentName}codedeployRole - !Sub arn:aws:iam::${TestAccount1}:role/${EnvironmentName}-codepipeline-role - !Sub arn:aws:iam::${TestAccount2}:role/${EnvironmentName}codedeployRole - !Sub arn:aws:iam::${TestAccount2}:role/${EnvironmentName}-codepipeline-role - !Sub arn:aws:iam::${TestAccount3}:role/${EnvironmentName}codedeployRole - !Sub arn:aws:iam::${TestAccount3}:role/${EnvironmentName}-codepipeline-role - !Sub arn:aws:iam::${ToolsAccount}:role/${EnvironmentName}-CodeBuildRole - !Sub arn:aws:iam::${ToolsAccount}:role/${EnvironmentName}-codepipeline-role Outputs: ArtifactBucketTest1: Value: !Ref ArtifactBucket1