-
Notifications
You must be signed in to change notification settings - Fork 0
/
template.cfn.yaml
77 lines (76 loc) · 2.67 KB
/
template.cfn.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Parameters:
CreateObject:
Type: String
Default: false
AllowedValues: [true, false]
ObjectKey:
Type: String
Default: 'hello_world.txt'
ObjectContent:
Type: String
Default: 'Hello World, I am Custom Resource!!!'
ObjectACL:
Type: String
Default: bucket-owner-full-control
AllowedValues: [private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, bucket-owner-full-control, log-delivery-write]
SSE:
Type: String
Description: S3 Object encryption
AllowedValues: [ 'aws:kms', 'AES256' ]
Default: 'aws:kms'
Conditions:
CreateObject: !Equals [ !Ref CreateObject, true ]
KMSEncryption: !Equals [ !Ref SSE, 'aws:kms' ]
Resources:
Bucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub "s3-object-custom-resource-${AWS::AccountId}.demo"
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault: { SSEAlgorithm: AES256 }
BackingLambdaRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: AllowS3Put
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: [ s3:PutObject*, s3:DeleteObject* ]
Resource: !Sub "arn:aws:s3:::${Bucket}*"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: ["lambda.amazonaws.com"]
Action: ["sts:AssumeRole"]
BackingLambda:
Type: AWS::Serverless::Function
Properties:
CodeUri: build/src.zip
Runtime: python3.8
Handler: cr_s3object.handler
Role: !GetAtt BackingLambdaRole.Arn
MyS3Object:
Type: Custom::S3Object
Condition: CreateObject
Properties:
ServiceToken: !GetAtt BackingLambda.Arn
Bucket: !Ref Bucket
Key: !Ref ObjectKey
Content:
Fn::Base64: !Ref ObjectContent
ACL: !Ref ObjectACL
SSE: !Ref SSE
SSEKmsKeyId: !If [KMSEncryption, 'alias/aws/s3', !Ref AWS::NoValue ]
ContentBase64: true
Outputs:
S3Url:
Value: !Ref MyS3Object