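# CloudFormation template: bootstraps the IAM user, its access key (parked in
# Secrets Manager for a one-time hand-off) and the S3 bucket used by the
# performance-tests pipelines.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Bootstraps all s3 buckets and IAM users needed by performance tests pipelines'

Parameters:
  # Name of the IAM user the pipeline authenticates as. It is also the
  # Secrets Manager secret name (/${UserName}) and the policy attachment target.
  UserName:
    Type: String
    Default: cf-perf-tests-pipeline
  # Region that the first (non-IAM/S3) policy statement is restricted to via
  # the aws:RequestedRegion condition key.
  AWSRegion:
    Type: String
    Default: eu-central-1
  BucketName:
    Type: String
    Default: cf-performance-tests

Resources:
  PipelineUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref UserName

  # Long-lived access key for the pipeline user, created in Active state.
  # DependsOn is required here: UserName references the *parameter*, not the
  # PipelineUser resource, so CloudFormation has no implicit ordering.
  PipelineUserCreds:
    Type: AWS::IAM::AccessKey
    DependsOn: PipelineUser
    Properties:
      Status: Active
      UserName: !Ref UserName

  # Stores the key id and secret as one JSON document so the operator can
  # retrieve it once (ARN is exported in Outputs) and move it into credhub.
  # The !Sub on SecretString already implies the dependency on
  # PipelineUserCreds; DependsOn is kept explicit for readability.
  PipelineUserCredsSecret:
    Type: AWS::SecretsManager::Secret
    DependsOn: PipelineUserCreds
    Properties:
      Name: !Sub /${UserName}
      Description: !Sub 'credentials for the ${UserName} user'
      SecretString: !Sub '{"ACCESS_KEY":"${PipelineUserCreds}","SECRET_KEY":"${PipelineUserCreds.SecretAccessKey}"}'

  # Inline policy attached to the pipeline user. As with the access key,
  # Users references the parameter, so DependsOn provides the ordering.
  PipelineUserPolicy:
    Type: AWS::IAM::Policy
    DependsOn: PipelineUser
    Properties:
      # NOTE: hard-coded; it does not follow the UserName parameter when that
      # parameter is overridden at stack creation.
      PolicyName: cf-perf-tests-pipeline
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Region-scoped wildcard access for the services the pipeline
          # deploys with. Resource is '*' but calls outside AWSRegion are denied.
          - Effect: Allow
            Action:
              - logs:*
              - elasticloadbalancing:*
              - cloudformation:*
              - kms:*
              - ec2:*
            Condition:
              StringEquals:
                aws:RequestedRegion: !Ref AWSRegion
            Resource: '*'
          # SECURITY REVIEW: iam:* on Resource '*' lets this user grant itself
          # any permission, i.e. it is effectively an account administrator,
          # and s3:* on '*' reaches every bucket in the account rather than
          # only PerfTestBucket. This statement carries no region condition
          # (IAM is a global service). Narrow Action/Resource to what the
          # pipeline actually needs once that is known; the grant is left
          # unchanged here so the existing pipeline is not broken.
          - Effect: Allow
            Action:
              - iam:*
              - s3:*
            Resource: '*'
      Users:
        - !Ref UserName

  PerfTestBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref BucketName
      # Default encryption at rest with S3-managed keys (AES256).
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # All four public-access blocks enabled: the bucket cannot be exposed
      # publicly through ACLs or a bucket policy.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      # Versioning retains overwritten and deleted objects; expire the
      # non-current versions after 14 days to bound storage growth.
      LifecycleConfiguration:
        Rules:
          - Id: DeleteRule
            Status: Enabled
            NoncurrentVersionExpiration:
              NoncurrentDays: 14

Outputs:
  # Secret ARN only; the key material itself is never printed by the stack.
  PipelineUserCredsARN:
    Description: ARN for the pipeline user creds that the human running this should retrieve and store in credhub
    Value: !Ref PipelineUserCredsSecret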