AWSTemplateFormatVersion: "2010-09-09" Transform: AWS::Serverless-2016-10-31 Description: Amazon S3 Find and Forget (uksb-1q2j8beb0) (version:v0.53) Parameters: AccessControlAllowOriginOverride: Description: Overrides the default Allow-Control-Allow-Origin setting for the API and Reports Bucket. When "false" the only origin allowed is the Web UI url. This must be set to "*" if no restriction is required. Type: String Default: "false" AccessLogsBucket: Description: Optional S3 Bucket to send access logs for the Web UI to. Incurs additional cost. Leave blank to disable Type: String Default: "" AdminEmail: Description: Creates a username to be used for authentication. It needs to be an e-mail address. Type: String AllowedPattern: ^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$ AthenaConcurrencyLimit: Description: How many Athena queries should be scheduled concurrently Type: Number Default: 20 AthenaQueryMaxRetries: Description: Max number of retries to each Athena query after a failure Type: Number Default: 2 MinValue: 0 AthenaWorkGroup: Description: WorkGroup to use for Athena queries Type: String Default: primary AuthMethod: Description: Authentication method to use for the API (and WebUI if deployed). Type: String Default: "Cognito" AllowedValues: - "Cognito" - "IAM" CreateCloudFrontDistribution: Description: Creates a CloudFront distribution for accessing the web interface of the solution. This must be enabled if S3 Block Public Access is enabled at an account level. Type: String Default: "true" AllowedValues: - "true" - "false" DeletionTaskCPU: Description: The CPU to be allocated to the Deletion Fargate Task Type: String Default: '4096' DeletionTasksMaxNumber: Description: The maximum number of tasks to allocate for the Deletion Fargate job Type: Number Default: 3 MinValue: 1 DeletionTaskMemory: Description: The memory to be allocated to the Deletion Fargate Task Type: String Default: '30720' DeployVpc: Description: Deploy a new dedicated VPC for this solution. To use an existing VPC, set this to "false" and provide values for the VpcSecurityGroups and VpcSubnets parameters. Type: String Default: "true" AllowedValues: - "true" - "false" DeployWebUI: Description: Specify whether you would like a Web User Interface deployed. (AuthMethod must be Cognito if WebUI is deployed). Type: String Default: "true" AllowedValues: - "true" - "false" EnableAPIAccessLogging: Description: Whether to enable API Gateway access logging. Enabling access logging will incur additional CloudWatch Logs charges Type: String Default: "false" AllowedValues: - "true" - "false" CognitoAdvancedSecurity: Description: The type of Cognito advanced security to enable. Disabled by default. Type: String Default: "OFF" AllowedValues: - "OFF" - "AUDIT" - "ENFORCED" EnableContainerInsights: Description: Enable ECS Container Insights Type: String Default: "false" AllowedValues: - "true" - "false" EnableDynamoDBBackups: Description: Whether to enable point in time recovery for the DynamoDB tables Type: String Default: "false" AllowedValues: - "true" - "false" FlowLogsGroup: Description: Optional CloudWatch Logs group to send VPC flow logs to. Flow Logs incur additional cost. Set to "" to disable. This parameter is ignored if the DeployVpc parameter is set to "false". Type: String Default: "" FlowLogsRoleArn: Description: Optional IAM role to use to send Flow Logs to CloudWatch. Flow Logs incur additional cost. Set to "" to disable. This parameter is ignored if the DeployVpc parameter is set to "false". Type: String Default: "" ForgetQueueWaitSeconds: Description: Wait interval for checking Forget progress Type: Number Default: 30 JobDetailsRetentionDays: Description: How log to retain Job Record logs. Use 0 for indefinite. Default is 0 Type: Number Default: 0 KMSKeyArns: Description: Comma-delimited list of KMS Key Arns used for client-side Encryption. Leave empty if data is not client-side encrypted with KMS Type: String Default: "" PreBuiltArtefactsBucketOverride: Description: Overrides the default Bucket containing Front-end and Back-end pre-built artefacts. When false, the default is used for the given region (for example solution-builders-us-west-1) Type: String Default: "false" QueryExecutionWaitSeconds: Description: Wait interval for checking if a query has completed Type: Number Default: 3 QueryQueueWaitSeconds: Description: Wait interval for checking Find progress Type: Number Default: 3 ResourcePrefix: Description: The prefix used for uniquely named resources, such as State Machines, etc. Type: String Default: S3F2 AllowedPattern: ^[a-zA-Z0-9]*$ RetainDynamoDBTables: Description: Whether to retain the DynamoDB tables upon Stack Update and Stack Deletion Type: String Default: "true" AllowedValues: - "true" - "false" VpcSecurityGroups: Description: Comma-delimited list of security groups to apply to Fargate tasks. This parameter must be set if the DeployVpc parameter is "false", otherwise it is ignored. Type: CommaDelimitedList Default: "" VpcSubnets: Description: Comma-delimited list of subnets to deploy Fargate tasks in. This parameter must be set if the DeployVpc parameter is "false", otherwise it is ignored. Type: CommaDelimitedList Default: "" Rules: ValidateAuth: RuleCondition: !Equals [!Ref DeployWebUI, "true"] Assertions: - AssertDescription: IAM Auth cannot be chosen when deploying the WebUI. Assert: !Equals [!Ref AuthMethod, "Cognito"] ValidateRegion: RuleCondition: !Not - !Contains - - ap-northeast-1 - ap-northeast-2 - ap-south-1 - ap-southeast-1 - ap-southeast-2 - ca-central-1 - eu-central-1 - eu-north-1 - eu-west-1 - eu-west-2 - eu-west-3 - me-south-1 - sa-east-1 - us-east-1 - us-east-2 - us-gov-west-1 - us-west-1 - us-west-2 - !Ref AWS::Region Assertions: - AssertDescription: Cognito is not supported in this region please select IAM authentication. Assert: !Not [!Equals [!Ref AuthMethod, "Cognito"]] Conditions: DefaultPreBuiltArtefactsBucket: !Equals [!Ref PreBuiltArtefactsBucketOverride, "false"] ShouldDeployVpc: !Equals [!Ref DeployVpc, "true"] ShouldDeployWebUI: !Equals [!Ref DeployWebUI, "true"] ShouldDeployCognito: !Equals [!Ref AuthMethod, "Cognito"] Mappings: Solution: Constants: Version: 'v0.53' Resources: TempBucket: Type: AWS::S3::Bucket Properties: VersioningConfiguration: Status: Enabled BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 LifecycleConfiguration: Rules: - Id: ExpireContents Status: Enabled ExpirationInDays: 1 NoncurrentVersionExpirationInDays: 1 TempBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref TempBucket PolicyDocument: Statement: - Sid: HttpsOnly Action: '*' Effect: Deny Resource: - !Sub arn:${AWS::Partition}:s3:::${TempBucket} - !Sub arn:${AWS::Partition}:s3:::${TempBucket}/* Principal: '*' Condition: Bool: 'aws:SecureTransport': 'false' ConfigParameter: Type: AWS::SSM::Parameter Properties: Name: !Sub /s3f2/${ResourcePrefix}-Configuration Type: String Value: !Sub | { "AthenaConcurrencyLimit": ${AthenaConcurrencyLimit}, "AthenaQueryMaxRetries": ${AthenaQueryMaxRetries}, "DeletionTasksMaxNumber": ${DeletionTasksMaxNumber}, "JobDetailsRetentionDays": ${JobDetailsRetentionDays}, "QueryExecutionWaitSeconds": ${QueryExecutionWaitSeconds}, "QueryQueueWaitSeconds": ${QueryQueueWaitSeconds}, "ForgetQueueWaitSeconds": ${ForgetQueueWaitSeconds} } Description: SSM Parameter for S3F2 configuration. CognitoUserPoolUser: Type: AWS::Cognito::UserPoolUser Condition: ShouldDeployCognito DependsOn: - APIStack - DDBStack - DelStack - DeployStack - LayersStack - StateMachineStack - StreamProcessorStack - WebUIStack Properties: Username: !Ref AdminEmail UserPoolId: !GetAtt AuthStack.Outputs.CognitoUserPoolId DesiredDeliveryMediums: - EMAIL UserAttributes: - Name: email Value: !Ref AdminEmail - Name: email_verified Value: "true" APIStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: ./api.yaml Parameters: AccessControlAllowOriginOverride: !Ref AccessControlAllowOriginOverride ConfigParameter: !Ref ConfigParameter CognitoUserPoolArn: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolArn, "none"] CommonLayers: !Join - "," - - !GetAtt LayersStack.Outputs.AWSSDKLayer - !GetAtt LayersStack.Outputs.Decorators - !GetAtt LayersStack.Outputs.BotoUtils DeletionQueueTableName: !GetAtt DDBStack.Outputs.DeletionQueueTable DataMapperTableName: !GetAtt DDBStack.Outputs.DataMapperTable EnableAccessLogging: !Ref EnableAPIAccessLogging JobTableDateGSI: !GetAtt DDBStack.Outputs.JobTableDateGSI JobTableName: !GetAtt DDBStack.Outputs.JobTable WebUIOrigin: !If [ShouldDeployWebUI, !GetAtt WebUIStack.Outputs.Origin, "none"] DeployCognito: !If [ShouldDeployCognito, "true", "false"] AuthStack: Type: AWS::CloudFormation::Stack Condition: ShouldDeployCognito Properties: TemplateURL: ./auth.yaml Parameters: CognitoAdvancedSecurity: !Ref CognitoAdvancedSecurity ResourcePrefix: !Ref ResourcePrefix DDBStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: ./ddb.yaml Parameters: EnableBackups: !Ref EnableDynamoDBBackups RetainTables: !Ref RetainDynamoDBTables DelStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: ./deletion_flow.yaml Parameters: CommonLayers: !Join - "," - - !GetAtt LayersStack.Outputs.AWSSDKLayer - !GetAtt LayersStack.Outputs.BotoUtils - !GetAtt LayersStack.Outputs.CustomResourceHelper - !GetAtt LayersStack.Outputs.Decorators DeletionTaskCPU: !Ref DeletionTaskCPU DeletionTaskMemory: !Ref DeletionTaskMemory EnableContainerInsights: !Ref EnableContainerInsights JobTableName: !GetAtt DDBStack.Outputs.JobTable KMSKeyArns: !Ref KMSKeyArns ManifestsBucket: !GetAtt ManifestsStack.Outputs.ManifestsBucket ResourcePrefix: !Ref ResourcePrefix VpcSecurityGroups: !If [ShouldDeployVpc, !GetAtt VpcStack.Outputs.SecurityGroup, !Join [",", !Ref VpcSecurityGroups]] VpcSubnets: !If [ShouldDeployVpc, !GetAtt VpcStack.Outputs.Subnets, !Join [",", !Ref VpcSubnets]] DeployStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: ./deployment_helper.yaml Parameters: ApiUrl: !GetAtt APIStack.Outputs.ApiUrl AthenaExecutionRole: !GetAtt StateMachineStack.Outputs.AthenaExecutionRole CloudFrontDistribution: !If [ShouldDeployWebUI, !GetAtt WebUIStack.Outputs.CloudFrontDistribution, "none"] CodeBuildArtefactBucket: !Ref TempBucket CognitoIdentityPoolId: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoIdentityPoolId, "none"] CognitoUserPoolId: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolId, "none"] CognitoUserPoolClientId: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolClientId, "none"] CommonLayers: !Join - "," - - !GetAtt LayersStack.Outputs.AWSSDKLayer - !GetAtt LayersStack.Outputs.BotoUtils - !GetAtt LayersStack.Outputs.CustomResourceHelper - !GetAtt LayersStack.Outputs.Decorators DeployWebUI: !Ref DeployWebUI DeployCognito: !If [ShouldDeployCognito, "true", "false"] ECRRepository: !GetAtt DelStack.Outputs.ECRRepository PreBuiltArtefactsBucket: !If [DefaultPreBuiltArtefactsBucket, !Sub "solution-builders-${AWS::Region}", !Ref PreBuiltArtefactsBucketOverride] ResourcePrefix: !Ref ResourcePrefix Version: !FindInMap [Solution, Constants, Version] WebUIBucket: !GetAtt WebUIStack.Outputs.WebUIBucket LayersStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: ./layers.yaml ManifestsStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: ./manifests.yaml Parameters: JobDetailsRetentionDays: !Ref JobDetailsRetentionDays StateMachineStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: ./state_machine.yaml Parameters: AthenaWorkGroup: !Ref AthenaWorkGroup CommonLayers: !Join - "," - - !GetAtt LayersStack.Outputs.AWSSDKLayer - !GetAtt LayersStack.Outputs.Decorators - !GetAtt LayersStack.Outputs.BotoUtils DataMapperTableName: !GetAtt DDBStack.Outputs.DataMapperTable DeleteServiceName: !GetAtt DelStack.Outputs.DeleteServiceName DeleteQueueUrl: !GetAtt DelStack.Outputs.DeleteObjectsQueueUrl DeletionQueueTableName: !GetAtt DDBStack.Outputs.DeletionQueueTable ECSCluster: !GetAtt DelStack.Outputs.ECSCluster GlueDatabase: !GetAtt ManifestsStack.Outputs.GlueDatabase JobManifestsGlueTable: !GetAtt ManifestsStack.Outputs.JobManifestsGlueTable JobTableName: !GetAtt DDBStack.Outputs.JobTable ManifestsBucket: !GetAtt ManifestsStack.Outputs.ManifestsBucket ResultBucket: !Ref TempBucket StateMachinePrefix: !Ref ResourcePrefix StreamProcessorStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: ./stream_processor.yaml Parameters: CommonLayers: !Join - "," - - !GetAtt LayersStack.Outputs.AWSSDKLayer - !GetAtt LayersStack.Outputs.Decorators - !GetAtt LayersStack.Outputs.BotoUtils DeletionQueueTableName: !GetAtt DDBStack.Outputs.DeletionQueueTable GlueDatabase: !GetAtt ManifestsStack.Outputs.GlueDatabase JobManifestsGlueTable: !GetAtt ManifestsStack.Outputs.JobManifestsGlueTable JobTableDateGSI: !GetAtt DDBStack.Outputs.JobTableDateGSI JobTableName: !GetAtt DDBStack.Outputs.JobTable JobTableStreamArn: !GetAtt DDBStack.Outputs.JobTableStreamArn ManifestsBucket: !GetAtt ManifestsStack.Outputs.ManifestsBucket StateMachineArn: !GetAtt StateMachineStack.Outputs.StateMachineArn VpcStack: Type: AWS::CloudFormation::Stack Condition: ShouldDeployVpc Properties: TemplateURL: ./vpc.yaml Parameters: FlowLogsGroup: !Ref FlowLogsGroup FlowLogsRoleArn: !Ref FlowLogsRoleArn KMSKeyArns: !Ref KMSKeyArns CommonLayers: !Join - "," - - !GetAtt LayersStack.Outputs.AWSSDKLayer - !GetAtt LayersStack.Outputs.BotoUtils - !GetAtt LayersStack.Outputs.CustomResourceHelper - !GetAtt LayersStack.Outputs.Decorators WebUIStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: ./web_ui.yaml Parameters: AccessLogsBucket: !Ref AccessLogsBucket CreateCloudFrontDistribution: !Ref CreateCloudFrontDistribution DeployWebUI: !Ref DeployWebUI ResourcePrefix: !Ref ResourcePrefix Outputs: APIAccessControlAllowOriginHeader: Value: !GetAtt APIStack.Outputs.AccessControlAllowOriginHeader APIStack: Value: !Ref APIStack ApiUrl: Value: !GetAtt APIStack.Outputs.ApiUrl Export: Name: !Sub ${ResourcePrefix}-ApiUrl ApiArn: Value: !GetAtt APIStack.Outputs.ApiArn AthenaStateMachineArn: Value: !GetAtt StateMachineStack.Outputs.AthenaStateMachineArn AthenaExecutionRoleArn: Value: !GetAtt StateMachineStack.Outputs.AthenaExecutionRoleArn AuthMethod: Value: !Ref AuthMethod ConfigParameter: Value: !Ref ConfigParameter CognitoUserPoolClientId: Value: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolClientId, "none"] CognitoUserPoolId: Value: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolId, "none"] CognitoUserPoolName: Value: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolName, "none"] DataMapperTable: Value: !GetAtt DDBStack.Outputs.DataMapperTable DDBStack: Value: !Ref DDBStack DeleteTaskRoleArn: Value: !GetAtt DelStack.Outputs.DeleteTaskRoleArn DeletionQueueTable: Value: !GetAtt DDBStack.Outputs.DeletionQueueTable DeletionQueueTableStreamArn: Value: !GetAtt DDBStack.Outputs.DeletionQueueTableStreamArn Export: Name: !Sub ${ResourcePrefix}-DeletionQueueTableStreamArn DeletionQueueUrl: Value: !GetAtt DelStack.Outputs.DeleteObjectsQueueUrl DeployWebUI: Value: !Ref DeployWebUI DLQUrl: Value: !GetAtt DelStack.Outputs.DLQUrl ECRRepository: Value: !GetAtt DelStack.Outputs.ECRRepository GenerateQueriesRole: Value: !GetAtt StateMachineStack.Outputs.GenerateQueriesRole JobTable: Value: !GetAtt DDBStack.Outputs.JobTable KMSKeyArns: Value: !Ref KMSKeyArns PutDataMapperRole: Value: !GetAtt APIStack.Outputs.PutDataMapperRole QueryQueueUrl: Value: !GetAtt StateMachineStack.Outputs.QueryQueueUrl SolutionVersion: Value: !FindInMap [Solution, Constants, Version] StateMachineArn: Value: !GetAtt StateMachineStack.Outputs.StateMachineArn StateMachineRoleArn: Value: !GetAtt StateMachineStack.Outputs.StateMachineRoleArn TempBucket: Value: !Ref TempBucket WebUIBucket: Value: !GetAtt WebUIStack.Outputs.WebUIBucket WebUIRole: Value: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.ServiceInvokeRole, "none"] WebUIUrl: Value: !If [ShouldDeployWebUI, !GetAtt WebUIStack.Outputs.Url, "none"] Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: "Required" Parameters: - AdminEmail - DeployWebUI - AuthMethod - Label: default: "Network Configuration" Parameters: - DeployVpc - VpcSecurityGroups - VpcSubnets - FlowLogsGroup - FlowLogsRoleArn - CreateCloudFrontDistribution - AccessControlAllowOriginOverride - Label: default: "Performance Configuration" Parameters: - AthenaConcurrencyLimit - AthenaQueryMaxRetries - DeletionTasksMaxNumber - DeletionTaskCPU - DeletionTaskMemory - Label: default: "Waiter Configuration" Parameters: - QueryExecutionWaitSeconds - QueryQueueWaitSeconds - ForgetQueueWaitSeconds - Label: default: "Auditing, Logging & Monitoring" Parameters: - AccessLogsBucket - CognitoAdvancedSecurity - EnableAPIAccessLogging - EnableContainerInsights - JobDetailsRetentionDays - Label: default: "Advanced Configuration" Parameters: - EnableDynamoDBBackups - RetainDynamoDBTables - AthenaWorkGroup - PreBuiltArtefactsBucketOverride - ResourcePrefix - KMSKeyArns