--- AWSTemplateFormatVersion: 2010-09-09 Description: "This template deploys the bucket and related policy (qs-1snm79fdq)." Metadata: LintSpellExclude: - Discngine - 3decision Parameters: VPCID: Type: String NodeGroupArn: Type: String Resources: Bucket: Type: AWS::S3::Bucket Properties: VersioningConfiguration: Status: Enabled PublicAccessBlockConfiguration: BlockPublicAcls: true IgnorePublicAcls: true BlockPublicPolicy: true RestrictPublicBuckets: true BucketPolicy: Type: AWS::S3::BucketPolicy Metadata: { cfn-lint: { config: { ignore_checks: [EIAMPolicyActionWildcard] } } } Properties: Bucket: !Ref Bucket PolicyDocument: Version: 2012-10-17 Statement: - Action: "*" Effect: Allow Resource: - !GetAtt Bucket.Arn - !Join [ "", [Fn::GetAtt: Bucket.Arn, "/*"] ] Principal: AWS: "*" Condition: StringEquals: s3:DataAccessPointAccount: !Ref AWS::AccountId RedisAccessPoint: Type: AWS::S3::AccessPoint Properties: Bucket: !Ref Bucket Name: 3decision-redis-access-point VpcConfiguration: VpcId: !Ref VPCID PublicAccessBlockConfiguration: BlockPublicAcls: true IgnorePublicAcls: true BlockPublicPolicy: true RestrictPublicBuckets: true RedisRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: AWS: - !Ref NodeGroupArn Action: - 'sts:AssumeRole' Description: 'Role designed to access the redis access point inside EKS pods' RoleName: !Sub '3decision-redis-s3-${AWS::Region}' RedisPolicy: Type: AWS::IAM::Policy Properties: PolicyName: !Sub '3decision-redis-s3-${AWS::Region}' Roles: - !Ref RedisRole PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - s3:PutObject - s3:GetObject Resource: - !GetAtt RedisAccessPoint.Arn - !Join [ "", [Fn::GetAtt: RedisAccessPoint.Arn, "/*"] ] Outputs: RedisAccessPointAlias: Value: !GetAtt RedisAccessPoint.Alias Description: Alias for the redis access point RedisRoleArn: Value: !GetAtt RedisRole.Arn Description: Arn of the Role made to access the redis access point