def __init__(self, title, key, **kwargs):
super().__init__(title, **kwargs)
name = self.title # Ex. BucketStatic
# need to specify key cause there is a problem regarind Bucket Names
# key in common.yml and Bucket dict (RP_to_cfg)
auto_get_props(self, key=key)
self.Condition = name
self.BucketName = Sub(bucket_name)
self.CorsConfiguration = If(
f"{name}Cors",
s3.CorsConfiguration(CorsRules=[
s3.CorsRules(
AllowedHeaders=["Authorization"],
AllowedMethods=["GET"],
AllowedOrigins=["*"],
MaxAge=3000,
)
]),
Ref("AWS::NoValue"),
)
self.VersioningConfiguration = If(
f"{name}Versioning",
s3.VersioningConfiguration(
Status=get_endvalue(f"{name}Versioning")),
Ref("AWS::NoValue"),
)
def render_s3(context, template):
for bucket_name in context['s3']:
props = {
'DeletionPolicy':
context['s3'][bucket_name]['deletion-policy'].capitalize(),
'Tags':
s3.Tags(**aws.generic_tags(context, name=False)),
}
bucket_title = _sanitize_title(bucket_name) + "Bucket"
if context['s3'][bucket_name]['cors']:
# generic configuration for allowing read-only access
props['CorsConfiguration'] = s3.CorsConfiguration(CorsRules=[
s3.CorsRules(AllowedHeaders=['*'],
AllowedMethods=['GET', 'HEAD'],
AllowedOrigins=['*'])
])
if context['s3'][bucket_name]['website-configuration']:
index_document = context['s3'][bucket_name][
'website-configuration'].get('index-document', 'index.html')
props['WebsiteConfiguration'] = s3.WebsiteConfiguration(
IndexDocument=index_document)
_add_bucket_policy(template, bucket_title, bucket_name)
if context['s3'][bucket_name]['public']:
_add_bucket_policy(template, bucket_title, bucket_name)
props['AccessControl'] = s3.PublicRead
if context['s3'][bucket_name]['encryption']:
props['BucketEncryption'] = _bucket_kms_encryption(
context['s3'][bucket_name]['encryption'])
template.add_resource(
s3.Bucket(bucket_title, BucketName=bucket_name, **props))
def create_s3_resources(self):
s3_bucket = self.add_resource(
s3.Bucket('s3TileCacheBucket',
BucketName=Join(
'.',
['tile-cache',
Ref(self.public_hosted_zone_name)]),
AccessControl=s3.PublicRead,
CorsConfiguration=s3.CorsConfiguration(CorsRules=[
s3.CorsRules(
AllowedOrigins=['*'],
AllowedMethods=['GET'],
MaxAge=3000,
AllowedHeaders=['*'],
)
])))
self.add_resource(
s3.BucketPolicy(
's3TileCacheBucketPolicy',
Bucket=Ref(s3_bucket),
PolicyDocument={
'Statement': [{
'Action': ['s3:GetObject'],
'Effect': 'Allow',
'Resource': {
'Fn::Join':
['', ['arn:aws:s3:::',
Ref(s3_bucket), '/*']]
},
'Principal': '*'
}]
}))
self.add_resource(
r53.RecordSetGroup(
'dnsPublicRecordsCache',
HostedZoneName=Join('',
[Ref(self.public_hosted_zone_name), '.']),
RecordSets=[
r53.RecordSet('dnsTileServersCache',
AliasTarget=r53.AliasTarget(
AMAZON_S3_HOSTED_ZONE_ID,
AMAZON_S3_WEBSITE_DOMAIN,
True,
),
Name=Join('', [
'tile-cache.',
Ref(self.public_hosted_zone_name), '.'
]),
Type='A')
]))
def render_s3(context, template):
for bucket_name in context['s3']:
props = {
'DeletionPolicy':
context['s3'][bucket_name]['deletion-policy'].capitalize()
}
bucket_title = _sanitize_title(bucket_name) + "Bucket"
if context['s3'][bucket_name]['cors']:
# generic configuration for allowing read-only access
props['CorsConfiguration'] = s3.CorsConfiguration(CorsRules=[
s3.CorsRules(AllowedHeaders=['*'],
AllowedMethods=['GET', 'HEAD'],
AllowedOrigins=['*'])
])
if context['s3'][bucket_name]['website-configuration']:
index_document = context['s3'][bucket_name][
'website-configuration'].get('index-document', 'index.html')
props['WebsiteConfiguration'] = s3.WebsiteConfiguration(
IndexDocument=index_document)
template.add_resource(
s3.BucketPolicy("%sPolicy" % bucket_title,
Bucket=bucket_name,
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Sid":
"AddPerm",
"Effect":
"Allow",
"Principal":
"*",
"Action": ["s3:GetObject"],
"Resource":
["arn:aws:s3:::%s/*" % bucket_name]
}]
}))
template.add_resource(
s3.Bucket(bucket_title, BucketName=bucket_name, **props))
def __init__(self, title, key, **kwargs):
super().__init__(title, **kwargs)
name = self.title # Ex. BucketStatic
auto_get_props(self, key, recurse=True)
self.Condition = name
self.BucketName = Sub(bucket_name)
self.CorsConfiguration = If(
f'{name}Cors',
s3.CorsConfiguration(CorsRules=[
s3.CorsRules(AllowedHeaders=['Authorization'],
AllowedMethods=['GET'],
AllowedOrigins=['*'],
MaxAge=3000)
]), Ref('AWS::NoValue'))
self.ReplicationConfiguration = If(
f'{name}Replica',
S3ReplicationConfiguration(name=name, key=key),
Ref('AWS::NoValue'),
)
self.VersioningConfiguration = If(
f'{name}Versioning',
s3.VersioningConfiguration(
Status=get_endvalue(f'{name}Versioning')), Ref('AWS::NoValue'))
def _build_template(self, template):
t = template
s3b = t.add_resource(s3.Bucket(self.name))
if self.public_read:
s3b.AccessControl = s3.PublicRead
t.add_resource(
s3.BucketPolicy('{}BucketPolicy'.format(self.name),
Bucket=Ref(s3b),
PolicyDocument={
"Statement": [{
"Action": ["s3:GetObject"],
"Effect":
"Allow",
"Resource":
Join('',
["arn:aws:s3:::",
Ref(s3b), "/*"]),
"Principal":
"*"
}]
}))
versioning = "Suspended"
if self.versioning:
versioning = "Enabled"
s3b.VersioningConfiguration = s3.VersioningConfiguration(
Status=versioning)
if self.website_mode:
s3b.WebsiteConfiguration = s3.WebsiteConfiguration(
**self.website_config)
if self.cors_enabled is True \
and len(self.cors_rules) <= 0:
self.add_cors_rule("CorsAll", ['*'], ['GET', 'POST', 'PUT'], ['*'],
3000)
if len(self.cors_rules) > 0:
cors = s3.CorsConfiguration(CorsRules=self.cors_rules)
s3b.CorsConfiguration = cors
if len(self.lifecycle_rules) > 0:
s3b.LifecycleConfiguration = s3.LifecycleConfiguration(Rules=[])
for lcr in self.lifecycle_rules:
s3b.LifecycleConfiguration.Rules.append(lcr)
t.add_output([
Output("{}BucketName".format(self.name),
Value=Ref(s3b),
Description="{} Bucket Name".format(self.name)),
Output("{}BucketUrl".format(self.name),
Value=GetAtt(s3b, "DomainName"),
Description="{} Bucket Name".format(self.name)),
Output('{}WebsiteUrl'.format(self.name),
Value=GetAtt(s3b, 'WebsiteURL'))
])
return s3b
#
t.add_condition('HasCorsOrigin', Not(Equals(Ref(param_cors_origin), '')))
#
# Resource
#
bucket = t.add_resource(
s3.Bucket(
'Bucket',
CorsConfiguration=If(
'HasCorsOrigin',
s3.CorsConfiguration(CorsRules=[
s3.CorsRules(
AllowedHeaders=['*'],
AllowedMethods=['GET', 'PUT', 'HEAD', 'POST', 'DELETE'],
AllowedOrigins=[Ref(param_cors_origin)],
)
]), Ref(AWS_NO_VALUE))))
t.add_resource(
s3.BucketPolicy(
'BucketPolicy',
Bucket=Ref(bucket),
PolicyDocument={
'Version':
'2012-10-17',
'Id':
'CdnAccessPolicy',
'Statement': [{
'Sid': '1',
t.add_parameter(Parameter('MySQLUser', Type='String'))
t.add_parameter(Parameter('MySQLPass', Type='String'))
t.add_parameter(Parameter('NodeEnv', Type='String'))
t.add_parameter(Parameter('KeycloakServerURL', Type='String'))
t.add_parameter(Parameter('KeycloakRealm', Type='String'))
t.add_parameter(Parameter('KeycloakClientID', Type='String'))
t.add_parameter(Parameter('KeycloakClientSecret', Type='String'))
t.add_parameter(Parameter('AwsKmsCmk', Type='String'))
# Create S3 Bucket
accountMediaBucket = t.add_resource(s3.Bucket(
'AccountMedia',
CorsConfiguration = s3.CorsConfiguration(CorsRules = [
s3.CorsRules(
AllowedHeaders = ['*'],
AllowedMethods = ['GET', 'POST'],
AllowedOrigins = ['*'],
)
]),
))
# Lambda Variables
lambdaSrcPath = '../.'
lambdaHandlerPath = 'src/lambda/'
nodeRuntime = 'nodejs8.10'
lambdaVpcConfig = awslambda.VPCConfig(
None,
SecurityGroupIds=[
ImportValue(Sub('${CoreStack}-RDS-Access-SG-ID')),