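# Supporting AWS resources for the CloudFormation controller for Flux:
# - a short-lived, versioned S3 bucket the controller uploads rendered
#   templates into, with an optional server-access-log bucket;
# - two CodeCommit repositories (templates and Flux configuration);
# - the IAM user and Secrets Manager placeholder Flux uses for Git access.
#
# Date-like and boolean-like scalars are quoted throughout so a generic YAML
# parser (cfn-lint, editors, pre-commit hooks) reads them as the strings
# CloudFormation expects rather than as dates or booleans.
AWSTemplateFormatVersion: "2010-09-09"
Description: AWS resources needed to use the CloudFormation controller for Flux

Parameters:
  EnableTemplateBucketAccessLogging:
    Description: Enable or disable configuring bucket access logging on the S3 bucket that stores your CloudFormation templates.
    Type: String
    Default: "false"
    # Quoted so the allowed values stay strings: the parameter is a String and
    # is compared against the string "true" in the condition below.
    AllowedValues: ["true", "false"]

Conditions:
  # True only when the operator explicitly opts in to access logging.
  TemplateBucketAccessLoggingCondition: !Equals
    - "true"
    - !Ref EnableTemplateBucketAccessLogging

Resources:
  # Bucket that the controller will use to upload CFN template files prior to syncing them to their CFN stack
  TemplateBucket:
    Type: AWS::S3::Bucket
    # Contents are transient (one-day expiry below), so the bucket goes away
    # with the stack.
    DeletionPolicy: Delete
    Properties:
      BucketName: !Sub 'flux-cfn-templates-${AWS::AccountId}-${AWS::Region}'
      LifecycleConfiguration:
        Rules:
          - Status: Enabled
            ExpirationInDays: 1
            NoncurrentVersionExpiration:
              NewerNoncurrentVersions: 5
              NoncurrentDays: 1
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1
      VersioningConfiguration:
        Status: Enabled
      # Only wire up server access logging when opted in; AWS::NoValue removes
      # the property entirely otherwise.
      LoggingConfiguration: !If
        - TemplateBucketAccessLoggingCondition
        - DestinationBucketName: !Ref TemplateAccessLoggingBucket
        - !Ref "AWS::NoValue"
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # Enforce HTTPS only on the template bucket
  TemplateBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TemplateBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Deny every S3 action on the bucket and its objects over plain HTTP.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal:
              AWS: '*'
            Action: 's3:*'
            Resource:
              - !Sub 'arn:aws:s3:::${TemplateBucket}'
              - !Sub 'arn:aws:s3:::${TemplateBucket}/*'
            Condition:
              Bool:
                'aws:SecureTransport': 'false'

  # Send access logs from the template bucket to this bucket
  TemplateAccessLoggingBucket:
    Type: AWS::S3::Bucket
    Condition: TemplateBucketAccessLoggingCondition
    DeletionPolicy: Delete
    Properties:
      # LogDeliveryWrite is an ACL grant. Buckets created since April 2023
      # have ACLs disabled (BucketOwnerEnforced) by default, and S3 rejects an
      # AccessControl setting on such a bucket, so ACLs are explicitly enabled
      # here. BucketOwnerPreferred is used so that objects delivered with the
      # bucket-owner-full-control ACL end up owned by this account
      # (NOTE(review): confirm log objects are readable by the bucket owner
      # after the first delivery).
      AccessControl: LogDeliveryWrite
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred
      LifecycleConfiguration:
        Rules:
          - Status: Enabled
            # Logs are kept for a year; noncurrent versions age out on the
            # same schedule.
            ExpirationInDays: 365
            NoncurrentVersionExpiration:
              NewerNoncurrentVersions: 5
              NoncurrentDays: 365
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 1
      VersioningConfiguration:
        Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  TemplateAccessLoggingBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Condition: TemplateBucketAccessLoggingCondition
    Properties:
      Bucket: !Ref TemplateAccessLoggingBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Deny every S3 action on the log bucket and its objects over plain HTTP.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal:
              AWS: '*'
            Action: 's3:*'
            Resource:
              - !Sub 'arn:aws:s3:::${TemplateAccessLoggingBucket}'
              - !Sub 'arn:aws:s3:::${TemplateAccessLoggingBucket}/*'
            Condition:
              Bool:
                'aws:SecureTransport': 'false'
          # Let the S3 log delivery service write logs, but only logs that
          # originate from the template bucket in this account; without the
          # source conditions the grant would accept log delivery on behalf of
          # any bucket in any account (confused deputy).
          - Sid: AllowS3ServerAccessLogging
            Effect: Allow
            Principal:
              Service: 'logging.s3.amazonaws.com'
            Action: 's3:PutObject'
            Resource:
              - !Sub 'arn:aws:s3:::${TemplateAccessLoggingBucket}/*'
            Condition:
              ArnLike:
                'aws:SourceArn': !Sub 'arn:aws:s3:::${TemplateBucket}'
              StringEquals:
                'aws:SourceAccount': !Ref AWS::AccountId

  # Repository for storing CloudFormation templates
  TemplateRepo:
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryName: my-cloudformation-templates

  # Repository for storing Flux configuration
  FluxRepo:
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryName: my-flux-configuration

  # User for Flux to use when interacting with CodeCommit repos
  GitUser:
    Type: AWS::IAM::User
    Properties:
      UserName: 'flux-git'
      # NOTE(review): this managed policy is account-wide, not limited to
      # TemplateRepo and FluxRepo; attach an inline policy scoped to those two
      # repositories instead if least privilege is required.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AWSCodeCommitPowerUser'

  # Placeholder secret holding the Git (HTTPS) credentials for GitUser.
  GitCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: flux-git-credentials
      # CloudFormation does not yet support creating service-specific credentials,
      # so this secret is a placeholder until the credentials are created manually.
      SecretString: |
        {
        "ServiceUserName":"TO-FILL-IN",
        "ServicePassword":"TO-FILL-IN"
        }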