---
# stack-sftp-connector: Transfer Family SFTP connector (service-managed egress),
# the S3_SFTP bucket, IAM roles, Secrets Manager secret and CloudWatch Logs.
# The Description below is user-facing stack metadata and is left as authored.
Description: >-
  stack-sftp-connector: SFTP Connector(サービスマネージドエグレス)、S3_SFTPバケット、
  IAMロール、Secrets Manager、CloudWatch Logs
  for the Closed VPC project.
AWSTemplateFormatVersion: '2010-09-09'
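# ---------------------------------------------------------------------------
# Parameters
# ---------------------------------------------------------------------------
# Input constraints are deliberately tight: every value here ends up either in
# an IAM/S3 physical name, in the connector URL, or in the connector's trust
# material, so a bad value should fail at CreateStack rather than at runtime.
Parameters:
  ProjectName:
    Type: String
    Description: リソース命名に使用するプロジェクト名
  Env:
    Type: String
    AllowedValues: [prod, stg, dev]
    Description: 環境識別子
  S3Suffix:
    Type: String
    Description: S3バケット名のグローバル一意サフィックス
  SftpServerHost:
    Type: String
    Description: 外部SFTPサーバーのホスト名
    # Interpolated verbatim into 'sftp://${SftpServerHost}'. Allow only a DNS
    # name or IPv4 literal plus an optional :port so the value cannot add
    # path, userinfo or whitespace components to the URL. IPv6 literals are
    # intentionally not accepted by this pattern.
    AllowedPattern: '^[A-Za-z0-9][A-Za-z0-9.\-]*(:[0-9]{1,5})?$'
    ConstraintDescription: hostname or IPv4 address, optionally followed by :port
  SftpPrivateKey:
    Type: String
    NoEcho: true
    MinLength: 1
    Description: 外部SFTPサーバー接続用SSH秘密鍵(PEM形式)
    # NoEcho masks the value in console/DescribeStacks output only; it does
    # not protect it in shell history, CI logs or a committed parameter file.
    # The value is spliced into a JSON string with Fn::Sub, so a PEM body must
    # be supplied with its line breaks already escaped as \n; raw newlines
    # produce an invalid SecretString. Creating the secret outside
    # CloudFormation and passing only its ARN avoids both problems.
  SftpTrustedHostKey:
    Type: String
    MinLength: 1
    Description: 外部SFTPサーバーのホストキー
    # Public host key the connector pins for the remote server (one entry of
    # SftpConfig.TrustedHostKeys). Obtain it from the server operator or from
    # a trusted network path, not from the first connection you happen to
    # make; an attacker-supplied key here defeats host verification.
  LogRetentionDays:
    Type: Number
    Default: 30
    Description: CloudWatch Logsロググループの保持日数
    # CloudWatch Logs accepts only this fixed set of retention periods; any
    # other number fails when the log group is created, so reject it up front.
    AllowedValues:
      - 1
      - 3
      - 5
      - 7
      - 14
      - 30
      - 60
      - 90
      - 120
      - 150
      - 180
      - 365
      - 400
      - 545
      - 731
      - 1096
      - 1827
      - 2192
      - 2557
      - 2922
      - 3288
      - 3653
  S3LifecycleDays:
    Type: Number
    Default: 365
    MinValue: 1
    Description: S3オブジェクトの有効期限(日数)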
# ---------------------------------------------------------------------------
# Resources
# ---------------------------------------------------------------------------
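Resources:
  # =========================================================================
  # SftpConnectorRole - IAM role the SFTP Connector assumes to reach the
  # S3_SFTP bucket, the connector secret and the S3 KMS key
  # =========================================================================
  SftpConnectorRole:
    Type: AWS::IAM::Role
    Properties:
      # Fixed physical name: the stack must be deployed with CAPABILITY_NAMED_IAM.
      RoleName: !Sub '${ProjectName}-${Env}-role-sftp-connector'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: transfer.amazonaws.com
            Action: 'sts:AssumeRole'
            # Confused-deputy guard: a bare service principal would let Transfer
            # Family assume this role on behalf of a connector in any account.
            # Restrict it to resources owned by this account. A tighter
            # aws:SourceArn condition on arn:...:transfer:...:connector/* is
            # possible; confirm Transfer Family populates it for connectors
            # before adding it, since a wrong value breaks every transfer.
            Condition:
              StringEquals:
                'aws:SourceAccount': !Ref 'AWS::AccountId'
      Policies:
        - PolicyName: SftpConnectorS3Access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Bucket-level actions only make sense on the bucket ARN.
              - Sid: AllowS3BucketLevel
                Effect: Allow
                Action:
                  - 's3:ListBucket'
                  - 's3:GetBucketLocation'
                Resource:
                  - !GetAtt S3Sftp.Arn
              # Object-level actions only make sense on the object ARN; granting
              # them on the bucket ARN (as before) was a no-op, so this split
              # tightens the statement without changing what the connector can do.
              # s3:DeleteObject is retained because AWS's reference connector
              # policy grants it; drop it if neither transfer direction needs
              # it — confirm against the actual workflow.
              - Sid: AllowS3ObjectLevel
                Effect: Allow
                Action:
                  - 's3:PutObject'
                  - 's3:GetObject'
                  - 's3:DeleteObject'
                Resource:
                  - !Sub '${S3Sftp.Arn}/*'
        - PolicyName: SftpConnectorSecretAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # !Ref on an AWS::SecretsManager::Secret resolves to its ARN.
              - Sid: AllowSecretAccess
                Effect: Allow
                Action:
                  - 'secretsmanager:GetSecretValue'
                Resource:
                  - !Ref SftpSecret
        - PolicyName: SftpConnectorKmsAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Decrypt for reading SSE-KMS objects, GenerateDataKey for writing
              # them. The key is exported by another stack under
              # ${ProjectName}-${Env}-KmsKeyS3Arn; its key policy must also allow
              # this role, or these grants alone are not sufficient.
              - Sid: AllowKmsAccess
                Effect: Allow
                Action:
                  - 'kms:Decrypt'
                  - 'kms:GenerateDataKey'
                Resource:
                  - !ImportValue
                    Fn::Sub: '${ProjectName}-${Env}-KmsKeyS3Arn'
      Tags:
        - Key: Name
          Value: !Sub '${ProjectName}-${Env}-iam-role-sftp-connector'
        - Key: Project
          Value: !Ref ProjectName
        - Key: Environment
          Value: !Ref Env
        - Key: ManagedBy
          Value: cloudformation
        - Key: Stack
          Value: stack-sftp-connector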
  # =========================================================================
  # SftpSecret - Secrets Manager secret holding the SSH private key the
  # connector presents to the external SFTP server
  # =========================================================================
  SftpSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub '${ProjectName}-${Env}-secret-sftp-connector'
      Description: !Sub '${ProjectName}-${Env} SFTP Connector用SSH秘密鍵(Transfer Family Connector要求形式)'
      # Fn::Sub pastes the parameter verbatim inside a JSON string literal. A
      # PEM key with real line breaks therefore yields invalid JSON; the caller
      # must pass the key with newlines pre-escaped as \n. The key also travels
      # through the CreateStack/UpdateStack request and any parameter file or
      # pipeline variable that feeds it — NoEcho hides it only in console and
      # API output. Creating the secret out of band and passing its ARN is the
      # usual way to keep the key out of the deployment path.
      # NOTE(review): AWS's documented connector secret format also carries a
      # "Username" key naming the remote account; none is set here — confirm
      # the connector can authenticate without it.
      # No KmsKeyId is set, so Secrets Manager encrypts this secret with the
      # account's default aws/secretsmanager key rather than a customer key.
      SecretString: !Sub '{"PrivateKey": "${SftpPrivateKey}"}'
      Tags:
        - Key: Name
          Value: !Sub '${ProjectName}-${Env}-secret-sftp-connector'
        - Key: Project
          Value: !Ref ProjectName
        - Key: Environment
          Value: !Ref Env
        - Key: ManagedBy
          Value: cloudformation
        - Key: Stack
          Value: stack-sftp-connector
  # =========================================================================
  # SftpConnector - outbound connection to the external SFTP server using
  # service-managed egress (no VPC attachment is declared on this resource)
  # =========================================================================
  SftpConnector:
    Type: AWS::Transfer::Connector
    Properties:
      # Host comes straight from the parameter; constrain it there, since
      # anything appended here becomes part of the target URL.
      Url: !Sub 'sftp://${SftpServerHost}'
      AccessRole: !GetAtt SftpConnectorRole.Arn
      # SftpConnectorLoggingRole is defined elsewhere in this template (not
      # shown in this excerpt).
      LoggingRole: !GetAtt SftpConnectorLoggingRole.Arn
      SftpConfig:
        # !Ref of the secret resource yields its ARN.
        UserSecretId: !Ref SftpSecret
        # Pins the remote server's public host key. This is what stops a
        # man-in-the-middle from terminating the SSH session; the value must
        # therefore come from a trusted out-of-band source. Rotate it here
        # whenever the remote server's host key changes.
        TrustedHostKeys:
          - !Ref SftpTrustedHostKey
      # NOTE(review): no SecurityPolicyName is set, so the connector uses the
      # service default for key exchange, ciphers and MACs. Pinning an explicit
      # Transfer Family connector security policy makes the negotiated
      # algorithms auditable — confirm the policy name for this region first.
      Tags:
        - Key: Name
          Value: !Sub '${ProjectName}-${Env}-sftp-connector'
        - Key: Project
          Value: !Ref ProjectName
        - Key: Environment
          Value: !Ref Env
        - Key: ManagedBy
          Value: cloudformation
        - Key: Stack
          Value: stack-sftp-connector
# ---------------------------------------------------------------------------
# Outputs
# ---------------------------------------------------------------------------
# Each value is also exported under a ${ProjectName}-${Env}-prefixed name so
# dependent stacks can Fn::ImportValue it. S3Sftp and SftpConnectorLogGroup
# are defined in parts of this template not shown in this excerpt.
Outputs:
  S3SftpBucketName:
    Description: S3_SFTPバケット名
    Value:
      Ref: S3Sftp
    Export:
      Name:
        Fn::Sub: '${ProjectName}-${Env}-S3SftpBucketName'
  S3SftpBucketArn:
    Description: S3_SFTPバケットARN
    Value:
      Fn::GetAtt: [S3Sftp, Arn]
    Export:
      Name:
        Fn::Sub: '${ProjectName}-${Env}-S3SftpBucketArn'
  SftpConnectorId:
    Description: SFTP Connector ID
    Value:
      Fn::GetAtt: [SftpConnector, ConnectorId]
    Export:
      Name:
        Fn::Sub: '${ProjectName}-${Env}-SftpConnectorId'
  SftpConnectorArn:
    Description: SFTP Connector ARN
    Value:
      Fn::GetAtt: [SftpConnector, Arn]
    Export:
      Name:
        Fn::Sub: '${ProjectName}-${Env}-SftpConnectorArn'
  SftpConnectorLogGroupName:
    Description: SFTP Connector CloudWatch Logsロググループ名
    Value:
      Ref: SftpConnectorLogGroup
    Export:
      Name:
        Fn::Sub: '${ProjectName}-${Env}-SftpConnectorLogGroupName'