# Root template of Amazon S3 Find and Forget. It declares the deployment
# parameters and composes the solution from nested stacks (see Resources).
AWSTemplateFormatVersion: "2010-09-09"
# SAM transform applied to this template.
Transform: AWS::Serverless-2016-10-31
# The version string here matches Mappings.Solution.Constants.Version below.
Description: Amazon S3 Find and Forget (uksb-1q2j8beb0) (version:v0.53)
Parameters:
  AccessControlAllowOriginOverride:
    # Setting this to "*" disables the origin restriction on the API and the
    # Reports Bucket; the default "false" keeps it pinned to the Web UI origin.
    Description: Overrides the default Allow-Control-Allow-Origin setting for the API and Reports Bucket. When "false" the only origin allowed is the Web UI url. When "false" the only origin allowed is the Web UI url. This must be set to "*" if no restriction is required.
    Type: String
    Default: "false"
  AccessLogsBucket:
    # Web UI access logging is off unless a bucket is supplied.
    Description: Optional S3 Bucket to send access logs for the Web UI to. Incurs additional cost. Leave blank to disable
    Type: String
    Default: ""
  AdminEmail:
    # No default: required. The pattern rejects values that are not shaped like
    # an e-mail address; the value becomes the Cognito admin username below.
    Description: Creates a username to be used for authentication. It needs to be an e-mail address.
    Type: String
    AllowedPattern: ^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$
  AthenaConcurrencyLimit:
    Description: How many Athena queries should be scheduled concurrently
    Type: Number
    Default: 20
  AthenaQueryMaxRetries:
    Description: Max number of retries to each Athena query after a failure
    Type: Number
    Default: 2
    MinValue: 0
  AthenaWorkGroup:
    Description: WorkGroup to use for Athena queries
    Type: String
    Default: primary
  AuthMethod:
    # Rules.ValidateAuth requires "Cognito" whenever DeployWebUI is "true";
    # Rules.ValidateRegion forbids "Cognito" outside the listed regions.
    Description: Authentication method to use for the API (and WebUI if deployed).
    Type: String
    Default: "Cognito"
    AllowedValues:
      - "Cognito"
      - "IAM"
  CreateCloudFrontDistribution:
    Description: Creates a CloudFront distribution for accessing the web interface of the solution. This must be enabled if S3 Block Public Access is enabled at an account level.
    Type: String
    Default: "true"
    AllowedValues:
      - "true"
      - "false"
  DeletionTaskCPU:
    # Passed through to DelStack as a string; quoted so YAML keeps it a string.
    Description: The CPU to be allocated to the Deletion Fargate Task
    Type: String
    Default: '4096'
  DeletionTasksMaxNumber:
    Description: The maximum number of tasks to allocate for the Deletion Fargate job
    Type: Number
    Default: 3
    MinValue: 1
  DeletionTaskMemory:
    Description: The memory to be allocated to the Deletion Fargate Task
    Type: String
    Default: '30720'
  DeployVpc:
    # Drives the ShouldDeployVpc condition: VpcStack is created only when "true";
    # otherwise VpcSecurityGroups and VpcSubnets are used.
    Description: Deploy a new dedicated VPC for this solution. To use an existing VPC, set this to "false" and provide values for the VpcSecurityGroups and VpcSubnets parameters.
    Type: String
    Default: "true"
    AllowedValues:
      - "true"
      - "false"
  DeployWebUI:
    Description: Specify whether you would like a Web User Interface deployed. (AuthMethod must be Cognito if WebUI is deployed).
    Type: String
    Default: "true"
    AllowedValues:
      - "true"
      - "false"
  EnableAPIAccessLogging:
    # Off by default: API Gateway access logs are not kept unless enabled here.
    Description: Whether to enable API Gateway access logging. Enabling access logging will incur additional CloudWatch Logs charges
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"
  CognitoAdvancedSecurity:
    # Forwarded to AuthStack; "OFF" by default.
    Description: The type of Cognito advanced security to enable. Disabled by default.
    Type: String
    Default: "OFF"
    AllowedValues:
      - "OFF"
      - "AUDIT"
      - "ENFORCED"
  EnableContainerInsights:
    Description: Enable ECS Container Insights
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"
  EnableDynamoDBBackups:
    Description: Whether to enable point in time recovery for the DynamoDB tables
    Type: String
    Default: "false"
    AllowedValues:
      - "true"
      - "false"
  FlowLogsGroup:
    # Both FlowLogs* parameters are only forwarded to VpcStack (ShouldDeployVpc).
    Description: Optional CloudWatch Logs group to send VPC flow logs to. Flow Logs incur additional cost. Set to "" to disable. This parameter is ignored if the DeployVpc parameter is set to "false".
    Type: String
    Default: ""
  FlowLogsRoleArn:
    Description: Optional IAM role to use to send Flow Logs to CloudWatch. Flow Logs incur additional cost. Set to "" to disable. This parameter is ignored if the DeployVpc parameter is set to "false".
    Type: String
    Default: ""
  ForgetQueueWaitSeconds:
    Description: Wait interval for checking Forget progress
    Type: Number
    Default: 30
  JobDetailsRetentionDays:
    # NOTE(review): "How log" in the Description reads as a typo for "How long".
    Description: How log to retain Job Record logs. Use 0 for indefinite. Default is 0
    Type: Number
    Default: 0
  KMSKeyArns:
    # Forwarded as-is to DelStack and VpcStack, and echoed in Outputs.
    Description: Comma-delimited list of KMS Key Arns used for client-side Hash. Leave empty if data is not client-side encrypted with KMS
    Type: String
    Default: ""
  PreBuiltArtefactsBucketOverride:
    # "false" selects solution-builders-${AWS::Region} via the
    # DefaultPreBuiltArtefactsBucket condition; any other value is used verbatim.
    Description: Overrides the default Bucket containing Front-end and Back-end pre-built artefacts. When false, the default is used for the given region (for example solution-builders-us-west-1)
    Type: String
    Default: "false"
  QueryExecutionWaitSeconds:
    Description: Wait interval for checking if a query has completed
    Type: Number
    Default: 3
  QueryQueueWaitSeconds:
    Description: Wait interval for checking Find progress
    Type: Number
    Default: 3
  ResourcePrefix:
    # Alphanumeric only; used in SSM parameter names and export names below.
    Description: The prefix used for uniquely named resources, such as State Machines, etc.
    Type: String
    Default: S3F2
    AllowedPattern: ^[a-zA-Z0-9]*$
  RetainDynamoDBTables:
    Description: Whether to retain the DynamoDB tables upon Stack Update and Stack Deletion
    Type: String
    Default: "true"
    AllowedValues:
      - "true"
      - "false"
  VpcSecurityGroups:
    # Joined back into a comma-delimited string when passed to DelStack.
    Description: Comma-delimited list of security groups to apply to Fargate tasks. This parameter must be set if the DeployVpc parameter is "false", otherwise it is ignored.
    Type: CommaDelimitedList
    Default: ""
  VpcSubnets:
    Description: Comma-delimited list of subnets to deploy Fargate tasks in. This parameter must be set if the DeployVpc parameter is "false", otherwise it is ignored.
    Type: CommaDelimitedList
    Default: ""
# Template rules are evaluated at create/update time and reject the parameter
# combination before any resource is touched.
Rules:
  # Deploying the Web UI implies Cognito authentication.
  ValidateAuth:
    RuleCondition: !Equals [!Ref DeployWebUI, "true"]
    Assertions:
      - AssertDescription: IAM Auth cannot be chosen when deploying the WebUI.
        Assert: !Equals [!Ref AuthMethod, "Cognito"]
  # Outside the listed regions, AuthMethod must not be Cognito.
  ValidateRegion:
    RuleCondition: !Not
      - !Contains
        - - ap-northeast-1
          - ap-northeast-2
          - ap-south-1
          - ap-southeast-1
          - ap-southeast-2
          - ca-central-1
          - eu-central-1
          - eu-north-1
          - eu-west-1
          - eu-west-2
          - eu-west-3
          - me-south-1
          - sa-east-1
          - us-east-1
          - us-east-2
          - us-gov-west-1
          - us-west-1
          - us-west-2
        - !Ref AWS::Region
    Assertions:
      - AssertDescription: Cognito is not supported in this region please select IAM authentication.
        Assert: !Not [!Equals [!Ref AuthMethod, "Cognito"]]
Conditions:
  # True when no artefact bucket override is given (see PreBuiltArtefactsBucket in DeployStack).
  DefaultPreBuiltArtefactsBucket: !Equals [!Ref PreBuiltArtefactsBucketOverride, "false"]
  # Gates VpcStack and the choice between its outputs and the Vpc* parameters.
  ShouldDeployVpc: !Equals [!Ref DeployVpc, "true"]
  # Gates references to WebUIStack outputs (Origin, CloudFrontDistribution, Url).
  ShouldDeployWebUI: !Equals [!Ref DeployWebUI, "true"]
  # Gates AuthStack, CognitoUserPoolUser and every Cognito-related output.
  ShouldDeployCognito: !Equals [!Ref AuthMethod, "Cognito"]
Mappings:
  Solution:
    Constants:
      # Read via !FindInMap [Solution, Constants, Version] by DeployStack and
      # the SolutionVersion output; keep in sync with the Description above.
      Version: 'v0.53'
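Resources:
  # Scratch bucket shared with the nested stacks: StateMachineStack writes Athena
  # results to it (ResultBucket) and DeployStack uses it for CodeBuild artefacts
  # (CodeBuildArtefactBucket). Current and non-current versions expire after one day.
  TempBucket:
    Type: AWS::S3::Bucket
    Properties:
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Block all forms of public access at the bucket level so the protection
      # does not depend on the account-level S3 Block Public Access setting.
      # The Deny-only bucket policy below is unaffected by BlockPublicPolicy.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: ExpireContents
            Status: Enabled
            ExpirationInDays: 1
            NoncurrentVersionExpirationInDays: 1
  # Rejects any request to TempBucket that is not made over TLS.
  TempBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref TempBucket
      PolicyDocument:
        Statement:
          - Sid: HttpsOnly
            Action: '*'
            Effect: Deny
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${TempBucket}
              - !Sub arn:${AWS::Partition}:s3:::${TempBucket}/*
            Principal: '*'
            Condition:
              Bool:
                'aws:SecureTransport': 'false'
  # Tuning values for the nested stacks, stored as a JSON document in SSM and
  # passed by name to APIStack. The Number parameters are substituted unquoted,
  # so the result is valid JSON only because they are numeric.
  ConfigParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub /s3f2/${ResourcePrefix}-Configuration
      Type: String
      Value: !Sub |
        {
          "AthenaConcurrencyLimit": ${AthenaConcurrencyLimit},
          "AthenaQueryMaxRetries": ${AthenaQueryMaxRetries},
          "DeletionTasksMaxNumber": ${DeletionTasksMaxNumber},
          "JobDetailsRetentionDays": ${JobDetailsRetentionDays},
          "QueryExecutionWaitSeconds": ${QueryExecutionWaitSeconds},
          "QueryQueueWaitSeconds": ${QueryQueueWaitSeconds},
          "ForgetQueueWaitSeconds": ${ForgetQueueWaitSeconds}
        }
      Description: SSM Parameter for S3F2 configuration.
  # Initial administrator account (Cognito only). DependsOn delays its creation
  # until every nested stack exists; the address is delivered by e-mail and the
  # email_verified attribute is pre-set to "true".
  CognitoUserPoolUser:
    Type: AWS::Cognito::UserPoolUser
    Condition: ShouldDeployCognito
    DependsOn:
      - APIStack
      - DDBStack
      - DelStack
      - DeployStack
      - LayersStack
      - StateMachineStack
      - StreamProcessorStack
      - WebUIStack
    Properties:
      Username: !Ref AdminEmail
      UserPoolId: !GetAtt AuthStack.Outputs.CognitoUserPoolId
      DesiredDeliveryMediums:
        - EMAIL
      UserAttributes:
        - Name: email
          Value: !Ref AdminEmail
        - Name: email_verified
          Value: "true"
  # API Gateway + handlers. Conditional stack outputs are replaced by the literal
  # "none" when the corresponding stack is not deployed.
  APIStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./api.yaml
      Parameters:
        AccessControlAllowOriginOverride: !Ref AccessControlAllowOriginOverride
        ConfigParameter: !Ref ConfigParameter
        CognitoUserPoolArn: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolArn, "none"]
        CommonLayers: !Join
          - ","
          - - !GetAtt LayersStack.Outputs.AWSSDKLayer
            - !GetAtt LayersStack.Outputs.Decorators
            - !GetAtt LayersStack.Outputs.BotoUtils
        DeletionQueueTableName: !GetAtt DDBStack.Outputs.DeletionQueueTable
        DataMapperTableName: !GetAtt DDBStack.Outputs.DataMapperTable
        EnableAccessLogging: !Ref EnableAPIAccessLogging
        JobTableDateGSI: !GetAtt DDBStack.Outputs.JobTableDateGSI
        JobTableName: !GetAtt DDBStack.Outputs.JobTable
        WebUIOrigin: !If [ShouldDeployWebUI, !GetAtt WebUIStack.Outputs.Origin, "none"]
        DeployCognito: !If [ShouldDeployCognito, "true", "false"]
  # Cognito user pool, identity pool and roles; only with AuthMethod "Cognito".
  AuthStack:
    Type: AWS::CloudFormation::Stack
    Condition: ShouldDeployCognito
    Properties:
      TemplateURL: ./auth.yaml
      Parameters:
        CognitoAdvancedSecurity: !Ref CognitoAdvancedSecurity
        ResourcePrefix: !Ref ResourcePrefix
  # DynamoDB tables (jobs, deletion queue, data mappers).
  DDBStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./ddb.yaml
      Parameters:
        EnableBackups: !Ref EnableDynamoDBBackups
        RetainTables: !Ref RetainDynamoDBTables
  # Deletion flow (ECS/Fargate tasks, ECR repository, queues). Network placement
  # comes from VpcStack when deployed, otherwise from the Vpc* parameters.
  DelStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./deletion_flow.yaml
      Parameters:
        CommonLayers: !Join
          - ","
          - - !GetAtt LayersStack.Outputs.AWSSDKLayer
            - !GetAtt LayersStack.Outputs.BotoUtils
            - !GetAtt LayersStack.Outputs.CustomResourceHelper
            - !GetAtt LayersStack.Outputs.Decorators
        DeletionTaskCPU: !Ref DeletionTaskCPU
        DeletionTaskMemory: !Ref DeletionTaskMemory
        EnableContainerInsights: !Ref EnableContainerInsights
        JobTableName: !GetAtt DDBStack.Outputs.JobTable
        KMSKeyArns: !Ref KMSKeyArns
        ManifestsBucket: !GetAtt ManifestsStack.Outputs.ManifestsBucket
        ResourcePrefix: !Ref ResourcePrefix
        VpcSecurityGroups: !If [ShouldDeployVpc, !GetAtt VpcStack.Outputs.SecurityGroup, !Join [",", !Ref VpcSecurityGroups]]
        VpcSubnets: !If [ShouldDeployVpc, !GetAtt VpcStack.Outputs.Subnets, !Join [",", !Ref VpcSubnets]]
  # Deployment helper (builds/publishes front-end and container artefacts).
  # WebUIBucket is referenced unconditionally because WebUIStack itself has no
  # Condition; the CloudFront reference is guarded by ShouldDeployWebUI.
  DeployStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./deployment_helper.yaml
      Parameters:
        ApiUrl: !GetAtt APIStack.Outputs.ApiUrl
        AthenaExecutionRole: !GetAtt StateMachineStack.Outputs.AthenaExecutionRole
        CloudFrontDistribution: !If [ShouldDeployWebUI, !GetAtt WebUIStack.Outputs.CloudFrontDistribution, "none"]
        CodeBuildArtefactBucket: !Ref TempBucket
        CognitoIdentityPoolId: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoIdentityPoolId, "none"]
        CognitoUserPoolId: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolId, "none"]
        CognitoUserPoolClientId: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolClientId, "none"]
        CommonLayers: !Join
          - ","
          - - !GetAtt LayersStack.Outputs.AWSSDKLayer
            - !GetAtt LayersStack.Outputs.BotoUtils
            - !GetAtt LayersStack.Outputs.CustomResourceHelper
            - !GetAtt LayersStack.Outputs.Decorators
        DeployWebUI: !Ref DeployWebUI
        DeployCognito: !If [ShouldDeployCognito, "true", "false"]
        ECRRepository: !GetAtt DelStack.Outputs.ECRRepository
        # Default artefact source is a per-region bucket unless overridden.
        PreBuiltArtefactsBucket: !If [DefaultPreBuiltArtefactsBucket, !Sub "solution-builders-${AWS::Region}", !Ref PreBuiltArtefactsBucketOverride]
        ResourcePrefix: !Ref ResourcePrefix
        Version: !FindInMap [Solution, Constants, Version]
        WebUIBucket: !GetAtt WebUIStack.Outputs.WebUIBucket
  # Shared Lambda layers consumed by the other stacks via CommonLayers.
  LayersStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./layers.yaml
  # Job manifests bucket and Glue catalog objects.
  ManifestsStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./manifests.yaml
      Parameters:
        JobDetailsRetentionDays: !Ref JobDetailsRetentionDays
  # Find/Forget state machines; Athena results land in TempBucket.
  StateMachineStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./state_machine.yaml
      Parameters:
        AthenaWorkGroup: !Ref AthenaWorkGroup
        CommonLayers: !Join
          - ","
          - - !GetAtt LayersStack.Outputs.AWSSDKLayer
            - !GetAtt LayersStack.Outputs.Decorators
            - !GetAtt LayersStack.Outputs.BotoUtils
        DataMapperTableName: !GetAtt DDBStack.Outputs.DataMapperTable
        DeleteServiceName: !GetAtt DelStack.Outputs.DeleteServiceName
        DeleteQueueUrl: !GetAtt DelStack.Outputs.DeleteObjectsQueueUrl
        DeletionQueueTableName: !GetAtt DDBStack.Outputs.DeletionQueueTable
        ECSCluster: !GetAtt DelStack.Outputs.ECSCluster
        GlueDatabase: !GetAtt ManifestsStack.Outputs.GlueDatabase
        JobManifestsGlueTable: !GetAtt ManifestsStack.Outputs.JobManifestsGlueTable
        JobTableName: !GetAtt DDBStack.Outputs.JobTable
        ManifestsBucket: !GetAtt ManifestsStack.Outputs.ManifestsBucket
        ResultBucket: !Ref TempBucket
        StateMachinePrefix: !Ref ResourcePrefix
  # Processes the JobTable DynamoDB stream and drives the state machine.
  StreamProcessorStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./stream_processor.yaml
      Parameters:
        CommonLayers: !Join
          - ","
          - - !GetAtt LayersStack.Outputs.AWSSDKLayer
            - !GetAtt LayersStack.Outputs.Decorators
            - !GetAtt LayersStack.Outputs.BotoUtils
        DeletionQueueTableName: !GetAtt DDBStack.Outputs.DeletionQueueTable
        GlueDatabase: !GetAtt ManifestsStack.Outputs.GlueDatabase
        JobManifestsGlueTable: !GetAtt ManifestsStack.Outputs.JobManifestsGlueTable
        JobTableDateGSI: !GetAtt DDBStack.Outputs.JobTableDateGSI
        JobTableName: !GetAtt DDBStack.Outputs.JobTable
        JobTableStreamArn: !GetAtt DDBStack.Outputs.JobTableStreamArn
        ManifestsBucket: !GetAtt ManifestsStack.Outputs.ManifestsBucket
        StateMachineArn: !GetAtt StateMachineStack.Outputs.StateMachineArn
  # Dedicated VPC (subnets, security group, optional flow logs); only when
  # DeployVpc is "true".
  VpcStack:
    Type: AWS::CloudFormation::Stack
    Condition: ShouldDeployVpc
    Properties:
      TemplateURL: ./vpc.yaml
      Parameters:
        FlowLogsGroup: !Ref FlowLogsGroup
        FlowLogsRoleArn: !Ref FlowLogsRoleArn
        KMSKeyArns: !Ref KMSKeyArns
        CommonLayers: !Join
          - ","
          - - !GetAtt LayersStack.Outputs.AWSSDKLayer
            - !GetAtt LayersStack.Outputs.BotoUtils
            - !GetAtt LayersStack.Outputs.CustomResourceHelper
            - !GetAtt LayersStack.Outputs.Decorators
  # Web UI hosting. Always created; DeployWebUI is passed down as a parameter
  # rather than used as a Condition on this stack.
  WebUIStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: ./web_ui.yaml
      Parameters:
        AccessLogsBucket: !Ref AccessLogsBucket
        CreateCloudFrontDistribution: !Ref CreateCloudFrontDistribution
        DeployWebUI: !Ref DeployWebUI
        ResourcePrefix: !Ref ResourcePrefix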
# Stack outputs. Values that depend on an optional nested stack fall back to the
# literal "none". Entries with Export are importable by other stacks under
# ${ResourcePrefix}-<Name>.
Outputs:
  APIAccessControlAllowOriginHeader:
    Value: !GetAtt APIStack.Outputs.AccessControlAllowOriginHeader
  APIStack:
    Value: !Ref APIStack
  ApiUrl:
    Value: !GetAtt APIStack.Outputs.ApiUrl
    Export:
      Name: !Sub ${ResourcePrefix}-ApiUrl
  ApiArn:
    Value: !GetAtt APIStack.Outputs.ApiArn
  AthenaStateMachineArn:
    Value: !GetAtt StateMachineStack.Outputs.AthenaStateMachineArn
  AthenaExecutionRoleArn:
    Value: !GetAtt StateMachineStack.Outputs.AthenaExecutionRoleArn
  AuthMethod:
    Value: !Ref AuthMethod
  ConfigParameter:
    Value: !Ref ConfigParameter
  # Cognito identifiers are "none" when AuthMethod is IAM.
  CognitoUserPoolClientId:
    Value: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolClientId, "none"]
  CognitoUserPoolId:
    Value: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolId, "none"]
  CognitoUserPoolName:
    Value: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.CognitoUserPoolName, "none"]
  DataMapperTable:
    Value: !GetAtt DDBStack.Outputs.DataMapperTable
  DDBStack:
    Value: !Ref DDBStack
  DeleteTaskRoleArn:
    Value: !GetAtt DelStack.Outputs.DeleteTaskRoleArn
  DeletionQueueTable:
    Value: !GetAtt DDBStack.Outputs.DeletionQueueTable
  DeletionQueueTableStreamArn:
    Value: !GetAtt DDBStack.Outputs.DeletionQueueTableStreamArn
    Export:
      Name: !Sub ${ResourcePrefix}-DeletionQueueTableStreamArn
  DeletionQueueUrl:
    Value: !GetAtt DelStack.Outputs.DeleteObjectsQueueUrl
  DeployWebUI:
    Value: !Ref DeployWebUI
  DLQUrl:
    Value: !GetAtt DelStack.Outputs.DLQUrl
  ECRRepository:
    Value: !GetAtt DelStack.Outputs.ECRRepository
  GenerateQueriesRole:
    Value: !GetAtt StateMachineStack.Outputs.GenerateQueriesRole
  JobTable:
    Value: !GetAtt DDBStack.Outputs.JobTable
  KMSKeyArns:
    Value: !Ref KMSKeyArns
  PutDataMapperRole:
    Value: !GetAtt APIStack.Outputs.PutDataMapperRole
  QueryQueueUrl:
    Value: !GetAtt StateMachineStack.Outputs.QueryQueueUrl
  SolutionVersion:
    Value: !FindInMap [Solution, Constants, Version]
  StateMachineArn:
    Value: !GetAtt StateMachineStack.Outputs.StateMachineArn
  StateMachineRoleArn:
    Value: !GetAtt StateMachineStack.Outputs.StateMachineRoleArn
  TempBucket:
    Value: !Ref TempBucket
  # WebUIBucket is unconditional because WebUIStack has no Condition; Url is
  # guarded by ShouldDeployWebUI and WebUIRole by ShouldDeployCognito.
  WebUIBucket:
    Value: !GetAtt WebUIStack.Outputs.WebUIBucket
  WebUIRole:
    Value: !If [ShouldDeployCognito, !GetAtt AuthStack.Outputs.ServiceInvokeRole, "none"]
  WebUIUrl:
    Value: !If [ShouldDeployWebUI, !GetAtt WebUIStack.Outputs.Url, "none"]
# Console-only presentation: groups the parameters above into labelled sections
# in the CloudFormation UI. Has no effect on the deployed resources.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: "Required"
        Parameters:
          - AdminEmail
          - DeployWebUI
          - AuthMethod
      - Label:
          default: "Network Configuration"
        Parameters:
          - DeployVpc
          - VpcSecurityGroups
          - VpcSubnets
          - FlowLogsGroup
          - FlowLogsRoleArn
          - CreateCloudFrontDistribution
          - AccessControlAllowOriginOverride
      - Label:
          default: "Performance Configuration"
        Parameters:
          - AthenaConcurrencyLimit
          - AthenaQueryMaxRetries
          - DeletionTasksMaxNumber
          - DeletionTaskCPU
          - DeletionTaskMemory
      - Label:
          default: "Waiter Configuration"
        Parameters:
          - QueryExecutionWaitSeconds
          - QueryQueueWaitSeconds
          - ForgetQueueWaitSeconds
      - Label:
          default: "Auditing, Logging & Monitoring"
        Parameters:
          - AccessLogsBucket
          - CognitoAdvancedSecurity
          - EnableAPIAccessLogging
          - EnableContainerInsights
          - JobDetailsRetentionDays
      - Label:
          default: "Advanced Configuration"
        Parameters:
          - EnableDynamoDBBackups
          - RetainDynamoDBTables
          - AthenaWorkGroup
          - PreBuiltArtefactsBucketOverride
          - ResourcePrefix
          - KMSKeyArns