PrivacyScanData/S3/NewFind/amazon-s3-find-and-forget-master/templates/template.yaml

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: Amazon S3 Find and Forget (uksb-1q2j8beb0) (version:v0.53)

Parameters:
  AccessControlAllowOriginOverride:
    Description: Overrides the default Allow-Control-Allow-Origin setting for the API and Reports Bucket. When "false" the only origin allowed is the Web UI url. This must be set to "*" if no restriction is required.
    Type: String
    Default: "false"
  AccessLogsBucket:
    Description: Optional S3 Bucket to send access logs for the Web UI to. Incurs additional cost. Leave blank to disable
    Type: String
    Default: ""
  AdminEmail:
    Description: Creates a username to be used for authentication. It needs to be an e-mail address.
    Type: String
    AllowedPattern: ^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$
  AthenaConcurrencyLimit:
    Description: How many Athena queries should be scheduled concurrently
    Type: Number
    Default: 20
  AthenaQueryMaxRetries:
    Description: Max number of retries to each Athena query after a failure
    Type: Number
    Default: 2
    MinValue: 0
  AthenaWorkGroup:
    Description: WorkGroup to use for Athena queries
    Type: String
    Default: primary
  AuthMethod:
    Description: Authentication method to use for the API (and WebUI if deployed).
    Type: String
    Default: "Cognito"
    AllowedValues:
      - "Cognito"
      - "IAM"
  CreateCloudFrontDistribution:
    Description: Creates a CloudFront distribution for accessing the web interface of the solution. This must be enabled if S3 Block Public Access is enabled at an account level.
    Type: String
    Default: "true"
    AllowedValues:
      - "true"
      - "false"
  DeletionTaskCPU:
    Description: The CPU to be allocated to the Deletion Fargate Task
    Type: String
    Default: '4096'
  DeletionTasksMaxNumber:
    Description: The maximum number of tasks to allocate for the Deletion Fargate job
    Type: Number
    Default: 3
    MinValue: 1
  DeletionTaskMemory:
    Description: The memory to be allocated to the Deletion Fargate Task
    Type: String
    Default: '30720'
  DeployVpc:
    Description: Deploy a new dedicated VPC for this solution. To use an existing VPC, set this to "false" and provide values for the VpcSecurityGroups and VpcSubnets parameters.
    Type: String
    Default: "true"
    AllowedValues:
      - "true"
      - "false"
  DeployWebUI:
    Description: Specify whether you would like a Web User Interface deployed. (AuthMethod must be Cognito if WebUI is deployed).
    Type: String
    Default: "true"
    AllowedValues:
      - "true"
      - "false"
  EnableAPIAccessLogging:
    Description: Whether to enable API Gateway access logging. Enabling access logging will incur additional CloudWatch Logs charges
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"
  CognitoAdvancedSecurity:
    Description: The type of Cognito advanced security to enable. Disabled by default.
    Type: String
    Default: "OFF"
    AllowedValues:
      - "OFF"
      - "AUDIT"
      - "ENFORCED"
  EnableContainerInsights:
    Description: Enable ECS Container Insights
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"
  EnableDynamoDBBackups:
    Description: Whether to enable point in time recovery for the DynamoDB tables
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"
  FlowLogsGroup:
    Description: Optional CloudWatch Logs group to send VPC flow logs to. Flow Logs incur additional cost. Set to "" to disable. This parameter is ignored if the DeployVpc parameter is set to "false".
    Type: String
    Default: ""
  FlowLogsRoleArn:
    Description: Optional IAM role to use to send Flow Logs to CloudWatch. Flow Logs incur additional cost. Set to "" to disable. This parameter is ignored if the DeployVpc parameter is set to "false".
    Type: String
    Default: ""
  ForgetQueueWaitSeconds:
    Description: Wait interval for checking Forget progress
    Type: Number
    Default: 30
  JobDetailsRetentionDays:
    Description: How log to retain Job Record logs. Use 0 for indefinite. Default is 0
    Type: Number
    Default: 0
  KMSKeyArns:
    Description: Comma-delimited list of KMS Key Arns used for client-side Hash. Leave empty if data is not client-side encrypted with KMS
    Type: String
    Default: ""
  PreBuiltArtefactsBucketOverride:
    Description: Overrides the default Bucket containing Front-end and Back-end pre-built artefacts. When false, the default is used for the given region (for example solution-builders-us-west-1)
    Type: String
    Default: "false"
  QueryExecutionWaitSeconds:
    Description: Wait interval for checking if a query has completed
    Type: Number
    Default: 3
  QueryQueueWaitSeconds:
    Description: Wait interval for checking Find progress
    Type: Number
    Default: 3
  ResourcePrefix:
    Description: The prefix used for uniquely named resources, such as State Machines, etc.
    Type: String
    Default: S3F2
    AllowedPattern: ^[a-zA-Z0-9]*$
  RetainDynamoDBTables:
    Description: Whether to retain the DynamoDB tables upon Stack Update and Stack Deletion
    Type: String
    Default: "true"
    AllowedValues:
      - "true"
      - "false"
  VpcSecurityGroups:
    Description: Comma-delimited list of security groups to apply to Fargate tasks. This parameter must be set if the DeployVpc parameter is "false", otherwise it is ignored.
    Type: CommaDelimitedList
    Default: ""
  VpcSubnets:
    Description: Comma-delimited list of subnets to deploy Fargate tasks in. This parameter must be set if the DeployVpc parameter is "false", otherwise it is ignored.
    Type: CommaDelimitedList
    Default: ""


Rules:
  ValidateAuth:
    RuleCondition: !Equals [!Ref DeployWebUI, "true"]
    Assertions:
      - AssertDescription: IAM Auth cannot be chosen when deploying the WebUI.
        Assert: !Equals [!Ref AuthMethod, "Cognito"]

  ValidateRegion:
    RuleCondition: !Not
      - !Contains
        - - ap-northeast-1
          - ap-northeast-2
          - ap-south-1
          - ap-southeast-1
          - ap-southeast-2
          - ca-central-1
          - eu-central-1
          - eu-north-1
          - eu-west-1
          - eu-west-2
          - eu-west-3
          - me-south-1
          - sa-east-1
          - us-east-1
          - us-east-2
          - us-gov-west-1
          - us-west-1
          - us-west-2
        - !Ref AWS::Region
    Assertions:
      - AssertDescription: Cognito is not supported in this region please select IAM authentication.
        Assert: !Not [!Equals [!Ref AuthMethod, "Cognito"]]

Conditions:
  DefaultPreBuiltArtefactsBucket: !Equals [!Ref PreBuiltArtefactsBucketOverride, "false"]
  ShouldDeployVpc: !Equals [!Ref DeployVpc, "true"]
  ShouldDeployWebUI: !Equals [!Ref DeployWebUI, "true"]
  ShouldDeployCognito: !Equals [!Ref AuthMethod, "Cognito"]

Mappings:
  Solution:
    Constants:
      Version: 'v0.53'

Resources:
  TempBucket:
    Type: AWS::S3::Bucket
    Properties:
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - Id: ExpireContents
            Status: Enabled
            ExpirationInDays: 1
            NoncurrentVersionExpirationInDays: 1

  TempBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TempBucket
      PolicyDocument:
        Statement:
          - Sid: HttpsOnly
            Action: '*'
            Effect: Deny
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${TempBucket}
              - !Sub arn:${AWS::Partition}:s3:::${TempBucket}/*
            Principal: '*'
            Condition:
              Bool:
                'aws:SecureTransport': 'false'

  ConfigParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub /s3f2/${ResourcePrefix}-Configuration
      Type: String
      Value: !Sub |
        {
          "AthenaConcurrencyLimit": ${AthenaConcurrencyLimit},
          "AthenaQueryMaxRetries": ${AthenaQueryMaxRetries},
          "DeletionTasksMaxNumber": ${DeletionTasksMaxNumber},
          "JobDetailsRetentionDays": ${JobDetailsRetentionDays},
          "QueryExecutionWaitSeconds": ${QueryExecutionWaitSeconds},
          "QueryQueueWaitSeconds": ${QueryQueueWaitSeconds},
          "ForgetQueueWaitSeconds": ${ForgetQueueWaitSeconds}
        }
      Description: SSM Parameter for S3F2 configuration.

  CognitoUserPoolUser:
    Type: AWS::Cognito::UserPoolUser
    Condition: ShouldDeployCognito
    DependsOn:
      - APIStack
      - DDBStack
      - DelStack
      - DeployStack
      - LayersStack
      - StateMachineStack
      - StreamProcessorStack
      - WebUIStack
    Properties:
      Username: !Ref AdminEmail
      UserPoolId: !GetAtt AuthStack.Outputs.CognitoUserPoolId
      DesiredDeliveryMediums:
        - EMAIL
      UserAttributes:
        - Name: email
          Value: !Ref AdminEmail
        - Name: email_verified
          Value: "true"

  APIStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./api.yaml
      Parameters:
        AccessControlAllowOriginOverride: !Ref AccessControlAllowOriginOverride
        ConfigParameter: !Ref ConfigParameter
        CognitoUserPoolArn: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolArn, "none"]
        CommonLayers: !Join
          - ","
          - - !GetAtt LayersStack.Outputs.AWSSDKLayer
            - !GetAtt LayersStack.Outputs.Decorators
            - !GetAtt LayersStack.Outputs.BotoUtils
        DeletionQueueTableName: !GetAtt DDBStack.Outputs.DeletionQueueTable
        DataMapperTableName: !GetAtt DDBStack.Outputs.DataMapperTable
        EnableAccessLogging: !Ref EnableAPIAccessLogging
        JobTableDateGSI: !GetAtt DDBStack.Outputs.JobTableDateGSI
        JobTableName: !GetAtt DDBStack.Outputs.JobTable
        WebUIOrigin: !If [ShouldDeployWebUI, !GetAtt WebUIStack.Outputs.Origin, "none"]
        DeployCognito: !If [ShouldDeployCognito, "true", "false"]
  AuthStack:
    Type: AWS::CloudFormation::Stack
    Condition: ShouldDeployCognito
    Properties:
      TemplateURL: ./auth.yaml
      Parameters:
        CognitoAdvancedSecurity: !Ref CognitoAdvancedSecurity
        ResourcePrefix: !Ref ResourcePrefix
  DDBStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./ddb.yaml
      Parameters:
        EnableBackups: !Ref EnableDynamoDBBackups
        RetainTables: !Ref RetainDynamoDBTables
  DelStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./deletion_flow.yaml
      Parameters:
        CommonLayers: !Join
          - ","
          - - !GetAtt LayersStack.Outputs.AWSSDKLayer
            - !GetAtt LayersStack.Outputs.BotoUtils
            - !GetAtt LayersStack.Outputs.CustomResourceHelper
            - !GetAtt LayersStack.Outputs.Decorators
        DeletionTaskCPU: !Ref DeletionTaskCPU
        DeletionTaskMemory: !Ref DeletionTaskMemory
        EnableContainerInsights: !Ref EnableContainerInsights
        JobTableName: !GetAtt DDBStack.Outputs.JobTable
        KMSKeyArns: !Ref KMSKeyArns
        ManifestsBucket: !GetAtt ManifestsStack.Outputs.ManifestsBucket
        ResourcePrefix: !Ref ResourcePrefix
        VpcSecurityGroups: !If [ShouldDeployVpc, !GetAtt VpcStack.Outputs.SecurityGroup, !Join [",", !Ref VpcSecurityGroups]]
        VpcSubnets: !If [ShouldDeployVpc, !GetAtt VpcStack.Outputs.Subnets, !Join [",", !Ref VpcSubnets]]
  DeployStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./deployment_helper.yaml
      Parameters:
        ApiUrl: !GetAtt APIStack.Outputs.ApiUrl
        AthenaExecutionRole: !GetAtt StateMachineStack.Outputs.AthenaExecutionRole
        CloudFrontDistribution: !If [ShouldDeployWebUI, !GetAtt WebUIStack.Outputs.CloudFrontDistribution, "none"]
        CodeBuildArtefactBucket: !Ref TempBucket
        CognitoIdentityPoolId: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoIdentityPoolId, "none"]
        CognitoUserPoolId: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolId, "none"]
        CognitoUserPoolClientId: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolClientId, "none"]
        CommonLayers: !Join
          - ","
          - - !GetAtt LayersStack.Outputs.AWSSDKLayer
            - !GetAtt LayersStack.Outputs.BotoUtils
            - !GetAtt LayersStack.Outputs.CustomResourceHelper
            - !GetAtt LayersStack.Outputs.Decorators
        DeployWebUI: !Ref DeployWebUI
        DeployCognito: !If [ShouldDeployCognito, "true", "false"]
        ECRRepository: !GetAtt DelStack.Outputs.ECRRepository
        PreBuiltArtefactsBucket: !If [DefaultPreBuiltArtefactsBucket, !Sub "solution-builders-${AWS::Region}", !Ref PreBuiltArtefactsBucketOverride]
        ResourcePrefix: !Ref ResourcePrefix
        Version: !FindInMap [Solution, Constants, Version]
        WebUIBucket: !GetAtt WebUIStack.Outputs.WebUIBucket
  LayersStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./layers.yaml
  ManifestsStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./manifests.yaml
      Parameters:
        JobDetailsRetentionDays: !Ref JobDetailsRetentionDays
  StateMachineStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./state_machine.yaml
      Parameters:
        AthenaWorkGroup: !Ref AthenaWorkGroup
        CommonLayers: !Join
          - ","
          - - !GetAtt LayersStack.Outputs.AWSSDKLayer
            - !GetAtt LayersStack.Outputs.Decorators
            - !GetAtt LayersStack.Outputs.BotoUtils
        DataMapperTableName: !GetAtt DDBStack.Outputs.DataMapperTable
        DeleteServiceName: !GetAtt DelStack.Outputs.DeleteServiceName
        DeleteQueueUrl: !GetAtt DelStack.Outputs.DeleteObjectsQueueUrl
        DeletionQueueTableName: !GetAtt DDBStack.Outputs.DeletionQueueTable
        ECSCluster: !GetAtt DelStack.Outputs.ECSCluster
        GlueDatabase: !GetAtt ManifestsStack.Outputs.GlueDatabase
        JobManifestsGlueTable: !GetAtt ManifestsStack.Outputs.JobManifestsGlueTable
        JobTableName: !GetAtt DDBStack.Outputs.JobTable
        ManifestsBucket: !GetAtt ManifestsStack.Outputs.ManifestsBucket
        ResultBucket: !Ref TempBucket
        StateMachinePrefix: !Ref ResourcePrefix
  StreamProcessorStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./stream_processor.yaml
      Parameters:
        CommonLayers: !Join
          - ","
          - - !GetAtt LayersStack.Outputs.AWSSDKLayer
            - !GetAtt LayersStack.Outputs.Decorators
            - !GetAtt LayersStack.Outputs.BotoUtils
        DeletionQueueTableName: !GetAtt DDBStack.Outputs.DeletionQueueTable
        GlueDatabase: !GetAtt ManifestsStack.Outputs.GlueDatabase
        JobManifestsGlueTable: !GetAtt ManifestsStack.Outputs.JobManifestsGlueTable
        JobTableDateGSI: !GetAtt DDBStack.Outputs.JobTableDateGSI
        JobTableName: !GetAtt DDBStack.Outputs.JobTable
        JobTableStreamArn: !GetAtt DDBStack.Outputs.JobTableStreamArn
        ManifestsBucket: !GetAtt ManifestsStack.Outputs.ManifestsBucket
        StateMachineArn: !GetAtt StateMachineStack.Outputs.StateMachineArn
  VpcStack:
    Type: AWS::CloudFormation::Stack
    Condition: ShouldDeployVpc
    Properties:
      TemplateURL: ./vpc.yaml
      Parameters:
        FlowLogsGroup: !Ref FlowLogsGroup
        FlowLogsRoleArn: !Ref FlowLogsRoleArn
        KMSKeyArns: !Ref KMSKeyArns
        CommonLayers: !Join
          - ","
          - - !GetAtt LayersStack.Outputs.AWSSDKLayer
            - !GetAtt LayersStack.Outputs.BotoUtils
            - !GetAtt LayersStack.Outputs.CustomResourceHelper
            - !GetAtt LayersStack.Outputs.Decorators
  WebUIStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./web_ui.yaml
      Parameters:
        AccessLogsBucket: !Ref AccessLogsBucket
        CreateCloudFrontDistribution: !Ref CreateCloudFrontDistribution
        DeployWebUI: !Ref DeployWebUI
        ResourcePrefix: !Ref ResourcePrefix

Outputs:
  APIAccessControlAllowOriginHeader:
    Value: !GetAtt APIStack.Outputs.AccessControlAllowOriginHeader
  APIStack:
    Value: !Ref APIStack
  ApiUrl:
    Value: !GetAtt APIStack.Outputs.ApiUrl
    Export:
      Name: !Sub ${ResourcePrefix}-ApiUrl
  ApiArn:
    Value: !GetAtt APIStack.Outputs.ApiArn
  AthenaStateMachineArn:
    Value: !GetAtt StateMachineStack.Outputs.AthenaStateMachineArn
  AthenaExecutionRoleArn:
    Value: !GetAtt StateMachineStack.Outputs.AthenaExecutionRoleArn
  AuthMethod:
    Value: !Ref AuthMethod
  ConfigParameter:
    Value: !Ref ConfigParameter
  CognitoUserPoolClientId:
    Value: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolClientId, "none"]
  CognitoUserPoolId:
    Value: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolId, "none"]
  CognitoUserPoolName:
    Value: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolName, "none"]
  DataMapperTable:
    Value: !GetAtt DDBStack.Outputs.DataMapperTable
  DDBStack:
    Value: !Ref DDBStack
  DeleteTaskRoleArn:
    Value: !GetAtt DelStack.Outputs.DeleteTaskRoleArn
  DeletionQueueTable:
    Value: !GetAtt DDBStack.Outputs.DeletionQueueTable
  DeletionQueueTableStreamArn:
    Value: !GetAtt DDBStack.Outputs.DeletionQueueTableStreamArn
    Export:
      Name: !Sub ${ResourcePrefix}-DeletionQueueTableStreamArn
  DeletionQueueUrl:
    Value: !GetAtt DelStack.Outputs.DeleteObjectsQueueUrl
  DeployWebUI:
    Value: !Ref DeployWebUI
  DLQUrl:
    Value: !GetAtt DelStack.Outputs.DLQUrl
  ECRRepository:
    Value: !GetAtt DelStack.Outputs.ECRRepository
  GenerateQueriesRole:
    Value: !GetAtt StateMachineStack.Outputs.GenerateQueriesRole
  JobTable:
    Value: !GetAtt DDBStack.Outputs.JobTable
  KMSKeyArns:
    Value: !Ref KMSKeyArns
  PutDataMapperRole:
    Value: !GetAtt APIStack.Outputs.PutDataMapperRole
  QueryQueueUrl:
    Value: !GetAtt StateMachineStack.Outputs.QueryQueueUrl
  SolutionVersion:
    Value: !FindInMap [Solution, Constants, Version]
  StateMachineArn:
    Value: !GetAtt StateMachineStack.Outputs.StateMachineArn
  StateMachineRoleArn:
    Value: !GetAtt StateMachineStack.Outputs.StateMachineRoleArn
  TempBucket:
    Value: !Ref TempBucket
  WebUIBucket:
    Value: !GetAtt WebUIStack.Outputs.WebUIBucket
  WebUIRole:
    Value: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.ServiceInvokeRole, "none"]
  WebUIUrl:
    Value: !If [ShouldDeployWebUI, !GetAtt WebUIStack.Outputs.Url, "none"]

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: "Required"
        Parameters:
          - AdminEmail
          - DeployWebUI
          - AuthMethod
      - Label:
          default: "Network Configuration"
        Parameters:
          - DeployVpc
          - VpcSecurityGroups
          - VpcSubnets
          - FlowLogsGroup
          - FlowLogsRoleArn
          - CreateCloudFrontDistribution
          - AccessControlAllowOriginOverride
      - Label:
          default: "Performance Configuration"
        Parameters:
          - AthenaConcurrencyLimit
          - AthenaQueryMaxRetries
          - DeletionTasksMaxNumber
          - DeletionTaskCPU
          - DeletionTaskMemory
      - Label:
          default: "Waiter Configuration"
        Parameters:
          - QueryExecutionWaitSeconds
          - QueryQueueWaitSeconds
          - ForgetQueueWaitSeconds
      - Label:
          default: "Auditing, Logging & Monitoring"
        Parameters:
          - AccessLogsBucket
          - CognitoAdvancedSecurity
          - EnableAPIAccessLogging
          - EnableContainerInsights
          - JobDetailsRetentionDays
      - Label:
          default: "Advanced Configuration"
        Parameters:
          - EnableDynamoDBBackups
          - RetainDynamoDBTables
          - AthenaWorkGroup
          - PreBuiltArtefactsBucketOverride
          - ResourcePrefix
          - KMSKeyArns