pimcoreDevBox.yml

AWSTemplateFormatVersion: 2010-09-09
Description: Create a Pimcore Admin tool box (optional), before the actual pimcore stack is created.
             Please not that this template is not optimized for the security concerns of your company.
Parameters:
  Prefix:
    Type: String
    Description: A common prefix for users and resources
    Default: 'Pimcore'
  S3BucketName:
    Type: String
    Default: 'pimcore-utility-bucket'
  EcrRepositoryName:
    Type: String
    Default: 'pimcore-company-ecr'
    Description: 'Set to false if a ECR docker image repository should not be created.'
  WildcardCertificateDomainName:
    Type: String
    Default: false
    Description: Name of your (root) test domain, such as "pimcore.xyz", when *.pimcore.xyz should be hosted.
                 For multiple projects, extend the template, or create additional certificats manually.

Conditions:
  CreateEcr: !Not [ !Equals [ !Ref EcrRepositoryName, "false" ]]
  CreateWildcardCertificate: !Not [ !Equals [ !Ref WildcardCertificateDomainName, "false" ]]

Resources:
  #
  # Setup User is used to install the cloudformation environment from your local (docker) environment.
  # @see https://policysim.aws.amazon.com/ for simulating policies.
  #
  SetupUser:
    Type: 'AWS::IAM::User'

  SetupUserGroup:
    Type: 'AWS::IAM::Group'
    Properties:
      GroupName: !Sub '${Prefix}-SetupUserGroup'
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMFullAccess
        - arn:aws:iam::aws:policy/AWSCloudFormationFullAccess
        - arn:aws:iam::aws:policy/IAMFullAccess
        - arn:aws:iam::aws:policy/AWSCloudMapFullAccess
        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
        - arn:aws:iam::aws:policy/AmazonECS_FullAccess
        - arn:aws:iam::aws:policy/AWSLambdaFullAccess
        - arn:aws:iam::aws:policy/AmazonElastiCacheFullAccess
        - arn:aws:iam::aws:policy/AmazonRDSFullAccess
        - arn:aws:iam::aws:policy/CloudFrontFullAccess
        # attention: max 10 managed policies
  AddSetupUserToGroup:
    Type: 'AWS::IAM::UserToGroupAddition'
    DependsOn: SetupUserGroup
    Properties:
      GroupName: !Sub '${Prefix}-setupUserGroup'
      Users:
        - !Ref SetupUser
  SetupUserAccessKeys:
    Type: 'AWS::IAM::AccessKey'
    DependsOn: SetupUser
    Properties:
      UserName:
        Ref: SetupUser
  SetupUserPolicy:
    Type: 'AWS::IAM::Policy'
    DependsOn:
      - SetupUserGroup
      - SetupUser
    Properties:
      PolicyName: !Sub '${Prefix}-SetupUserPolicy'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
              - secretsmanager:* # test
              - acm:RequestCertificate # for ACM certificate creation
              - acm:DescribeCertificate
              - acm:DeleteCertificate # important for cleanup of certificates
              - route53:*
              - ecr:*
            Resource: '*'
      Groups:
        - !Sub '${Prefix}-setupUserGroup'


  #
  # S3 Bucket as a preparation for CFN deployments with nested stacks
  #
  S3Bucket:
    Type: AWS::S3::Bucket
    Description: S3 Bucket as a preparation for CFN deployments with nested stacks.
    #DeletionPolicy: Retain
    Properties:
      AccessControl: Private
      BucketName: !Sub '${S3BucketName}'
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true

  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    #DeletionPolicy: Retain
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: ForceHTTPS
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource:
              - !Sub ${S3Bucket.Arn}/*
              - !Sub ${S3Bucket.Arn}
            Condition:
              Bool:
                "aws:SecureTransport": false
          - Sid: UploadUserAccess
            Effect: Allow
            Principal:
              AWS: !GetAtt SetupUser.Arn
            Action: 's3:*'
            Resource:
              - !Sub ${S3Bucket.Arn}/*
              - !Sub ${S3Bucket.Arn}
          - Sid: SetupUserAccess
            Effect: Allow
            Principal:
              AWS: !GetAtt SetupUser.Arn
            Action: 's3:*'
            Resource:
              - !Sub ${S3Bucket.Arn}/*
              - !Sub ${S3Bucket.Arn}
      Bucket: !Ref S3Bucket

  S3BucketAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: !Sub 'Grants CRUD access to the S3 bucket ${S3Bucket}'
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: S3ObjectActions
            Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:PutObjectACL
              - s3:PutObjectTagging
              - s3:DeleteObject
              - s3:RestoreObject
            Resource:
              - !Sub ${S3Bucket.Arn}/*
              - !Sub ${S3Bucket.Arn}
          - Sid: S3ListAction
            Effect: Allow
            Action: s3:ListBucket
            Resource:
              - !Sub ${S3Bucket.Arn}/*
              - !Sub ${S3Bucket.Arn}

  #
  # ECR | Docker Image Repository for continuous ECS deployments.
  #
  EcrRepository:
    Type: AWS::ECR::Repository
    Condition: CreateEcr
    Properties:
      RepositoryName: !Ref EcrRepositoryName

  #
  # Domain wildcard certificate creation. The certificate can be used as an input for other Pimcore stacks.
  #
  DomainWildcardCertificate:
    Condition: CreateWildcardCertificate
    Type: AWS::CertificateManager::Certificate
    Description: Create a wildcard certificate. Do not forget to visit the Certificate Manager (https://eu-central-1.console.aws.amazon.com/acm/home to manually)
      and manually trigger the validatio confirmation.
    Properties:
      DomainName: !Sub '*.${WildcardCertificateDomainName}'
      DomainValidationOptions:
        - DomainName: !Sub '*.${WildcardCertificateDomainName}'
          ValidationDomain: !Sub '*.${WildcardCertificateDomainName}'
      ValidationMethod: DNS

Outputs:
  SetupUserAccessKey:
    Description: "Setup User Access Key"
    Value: !Ref SetupUserAccessKeys
  SetupUserAccessToken:
    Description: "Setup User Access token"
    Value: 'Please create an access token using the AWS console (IAM).'
  SetupUserArn:
    Description: "Setup User ARN"
    Value: !GetAtt SetupUser.Arn
  AwsRegion:
    Description : AWS Region
    Value: !Ref AWS::Region
  S3BucketName:
    Description: S3 Bucket Name for Cloudformation Deployments etc.
    Value: !Ref S3BucketName
  EcrRepository:
    Description: ECR Repository
    Value: !Ref EcrRepository
  DomainWildcardCertificate:
    Description: "Wildcard Certificate that can be used across various applications within one domain range.
    Particularly useful as AWS has a default limit of 20 contingents a year per account. If you are using
    a wildcard certificate, switch to Resources, copy the ARN of the certificate, and use it as an input
    for the creation of your Pimcore stack."
    Value: !Ref WildcardCertificateDomainName