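CloudFormation do
  # S3 origin bucket for a CloudFront distribution, plus the bucket policy that lets the
  # distribution's origin access identity read from it.
  #
  # external_parameters consumed here:
  #   :bucket_name       (required) bucket name; passed through FnSub, so CloudFormation
  #                      pseudo-parameters such as ${AWS::AccountId} may be used in it
  #   :bucket_policy     Hash of Sid => statement config, appended to the generated policy
  #   :bucket_encryption BucketEncryption property block, passed through verbatim
  #   :enable_s3_logging truthy to ship server access logs to the AccessLogsBucket parameter
  #   :block_pub_access  PublicAccessBlockConfiguration hash; an explicit nil omits the property
  #
  # The OAI resource (s3bucketOriginAccessIdentity) and the LogFilePrefix / AccessLogsBucket
  # parameters are defined elsewhere in the component; this file only references them.

  # Base statement: the CloudFront origin access identity may read objects.
  # Policy language version 2012-10-17 is used instead of the legacy 2008-10-17: the caller
  # can pass arbitrary `conditions`, and policy variables (${aws:...}) are only interpolated
  # under 2012-10-17 - under the 2008 version they are treated as literal text.
  policy_document = {
    Version: '2012-10-17',
    Id: 'PolicyForCloudFrontContent',
    Statement: [
      {
        Effect: 'Allow',
        Action: 's3:GetObject',
        Resource: FnJoin('', ['arn:aws:s3:::', Ref('Bucket'), '/*']),
        Principal: { CanonicalUser: { 'Fn::GetAtt' => ['s3bucketOriginAccessIdentity', 'S3CanonicalUserId'] } }
      }
    ]
  }

  # Caller-supplied statements. Every key is optional, and the defaults are broad: all s3:*
  # actions on the bucket and every object, granted to the account root principal. A typo in
  # a key name (e.g. `action` instead of `actions`) therefore silently yields the permissive
  # default rather than an error - check generated policies. A principal of "*" (or
  # {"AWS": "*"}) makes the bucket public unless block_pub_access blocks public policies.
  bucket_policy = external_parameters.fetch(:bucket_policy, {})
  bucket_policy.each do |sid, statement_config|
    statement = {
      'Sid' => sid,
      'Effect' => statement_config.fetch('effect', 'Allow'),
      'Principal' => statement_config.fetch('principal', { AWS: FnSub('arn:aws:iam::${AWS::AccountId}:root') }),
      'Resource' => statement_config.fetch('resource', [
        FnJoin('', ['arn:aws:s3:::', Ref('Bucket')]),
        FnJoin('', ['arn:aws:s3:::', Ref('Bucket'), '/*'])
      ]),
      'Action' => statement_config.fetch('actions', ['s3:*'])
    }
    statement['Condition'] = statement_config['conditions'] if statement_config.key?('conditions')
    policy_document[:Statement] << statement
  end

  bucket_encryption = external_parameters.fetch(:bucket_encryption, nil)
  enable_s3_logging = external_parameters.fetch(:enable_s3_logging, nil)

  # SECURITY: these defaults explicitly switch off all four S3 Block Public Access controls,
  # which is weaker than leaving the property out (AWS enables the controls by default on new
  # buckets). Nothing generated by this file itself needs public access - CloudFront reaches the
  # bucket through the OAI - so callers should pass block_pub_access with every value 'true'
  # unless they deliberately serve the bucket publicly. The defaults are kept here only to
  # avoid changing already-deployed stacks that rely on them.
  block_public_access_default = {
    BlockPublicAcls: 'false',
    BlockPublicPolicy: 'false',
    IgnorePublicAcls: 'false',
    RestrictPublicBuckets: 'false'
  }
  block_pub_access = external_parameters.fetch(:block_pub_access, block_public_access_default)

  # Only emit a log prefix when the LogFilePrefix parameter is non-empty.
  Condition(:SetLogFilePrefix, FnNot(FnEquals(Ref(:LogFilePrefix), ''))) if enable_s3_logging

  S3_Bucket('Bucket') do
    # fetch without a default raises KeyError at generation time if bucket_name is missing,
    # instead of emitting a template with a null Fn::Sub that fails later at deploy time.
    BucketName FnSub(external_parameters.fetch(:bucket_name))
    # An explicit nil from the caller drops the property (and the explicit 'false's with it).
    PublicAccessBlockConfiguration block_pub_access unless block_pub_access.nil?
    LoggingConfiguration({
      DestinationBucketName: Ref(:AccessLogsBucket),
      LogFilePrefix: FnIf(:SetLogFilePrefix, Ref(:LogFilePrefix), Ref('AWS::NoValue'))
    }) if enable_s3_logging
    BucketEncryption bucket_encryption unless bucket_encryption.nil?
  end

  S3_BucketPolicy('BucketPolicy') do
    Bucket Ref('Bucket')
    PolicyDocument policy_document
  end
end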