This repository has been archived by the owner on Dec 12, 2024. It is now read-only.
generated from communitiesuk/funding-service-design-TEMPLATE
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
b090811
commit 6a1b8c0
Showing
3 changed files
with
193 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| Parameters: | ||
| App: | ||
| Type: String | ||
| Description: Your application's name. | ||
| Env: | ||
| Type: String | ||
| Description: The environment name your service, job, or workflow is being deployed to. | ||
| FifoQueueName: | ||
| Type: String | ||
| Description: Fifo Queue Name | ||
| Default: assessment-import-queue | ||
|
|
||
| Resources: | ||
| AssessmentImportQueue: | ||
| Type: AWS::SQS::Queue | ||
| Properties: | ||
| QueueName: !Sub ${FifoQueueName}.fifo | ||
| FifoQueue: true | ||
| RedrivePolicy: | ||
| deadLetterTargetArn: !GetAtt DeadLetterQueue.Arn | ||
| maxReceiveCount: 3 | ||
| DeadLetterQueue: | ||
| Type: AWS::SQS::Queue | ||
| Properties: | ||
| FifoQueue: true | ||
|
|
||
|
|
||
| Outputs: | ||
| AssessmentImportQueueURL: | ||
| Description: Queue URL for Fifo queue | ||
| Value: !Ref AssessmentImportQueue | ||
| AssessmentImportQueueArn: | ||
| Description: Queue Arn for FIFO queue | ||
| Value: !GetAtt AssessmentImportQueue.Arn | ||
| DeadLetterQueueURL: | ||
| Description: "URL of dead-letter queue" | ||
| Value: !Ref DeadLetterQueue | ||
| DeadLetterQueueARN: | ||
| Description: "ARN of dead-letter queue" | ||
| Value: !GetAtt DeadLetterQueue.Arn |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| Parameters: | ||
| App: | ||
| Type: String | ||
| Description: Your application's name. | ||
| Env: | ||
| Type: String | ||
| Description: The environment name your service, job, or workflow is being deployed to. | ||
|
|
||
| Resources: | ||
| FormUploadsBucket: | ||
| Metadata: | ||
| 'aws:copilot:description': 'An Amazon S3 bucket, form-uploads, for storing and retrieving objects' | ||
| Type: AWS::S3::Bucket | ||
| Properties: | ||
| AccessControl: Private | ||
| BucketEncryption: | ||
| ServerSideEncryptionConfiguration: | ||
| - ServerSideEncryptionByDefault: | ||
| SSEAlgorithm: AES256 | ||
| PublicAccessBlockConfiguration: | ||
| BlockPublicAcls: true | ||
| BlockPublicPolicy: true | ||
| IgnorePublicAcls: true | ||
| RestrictPublicBuckets: true | ||
| OwnershipControls: | ||
| Rules: | ||
| - ObjectOwnership: BucketOwnerEnforced | ||
|
|
||
| FormUploadsBucketPolicy: | ||
| Metadata: | ||
| 'aws:copilot:description': 'A bucket policy to deny unencrypted access to the bucket and its contents' | ||
| Type: AWS::S3::BucketPolicy | ||
| DeletionPolicy: Retain | ||
| Properties: | ||
| PolicyDocument: | ||
| Version: '2012-10-17' | ||
| Statement: | ||
| - Sid: ForceHTTPS | ||
| Effect: Deny | ||
| Principal: '*' | ||
| Action: 's3:*' | ||
| Resource: | ||
| - !Sub ${ FormUploadsBucket.Arn}/* | ||
| - !Sub ${ FormUploadsBucket.Arn} | ||
| Condition: | ||
| Bool: | ||
| "aws:SecureTransport": false | ||
| Bucket: !Ref FormUploadsBucket | ||
|
|
||
| Outputs: | ||
| FormUploadsName: | ||
| Description: "The name of a user-defined bucket." | ||
| Value: !Ref FormUploadsBucket | ||
| Export: | ||
| Name: !Sub fsd-form-uploads-${Env} | ||
| FormUploadsBucketARN: | ||
| Description: "The ARN of the form-uploads bucket." | ||
| Value: !GetAtt FormUploadsBucket.Arn | ||
| Export: | ||
| Name: !Sub ${App}-${Env}-FormUploadsBucketARN |
93 changes: 93 additions & 0 deletions
93
copilot/environments/addons/funding-service-magic-links.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| Parameters: | ||
| App: | ||
| Type: String | ||
| Description: Your application's name. | ||
| Env: | ||
| Type: String | ||
| Description: The environment name your service, job, or workflow is being deployed to. | ||
|
|
||
| Resources: | ||
| # Subnet group to control where the Redis gets placed | ||
| RedisSubnetGroup: | ||
| Type: AWS::ElastiCache::SubnetGroup | ||
| Properties: | ||
| Description: Group of subnets to place Redis into | ||
| SubnetIds: !Split [ ',', { 'Fn::ImportValue': !Sub '${App}-${Env}-PrivateSubnets' } ] | ||
|
|
||
| RedisSourceSecurityGroup: | ||
| Metadata: | ||
| 'aws:copilot:description': 'An EC2 Security Group to add to our ECS Service, in order to consume Redis' | ||
| Type: AWS::EC2::SecurityGroup | ||
| Properties: | ||
| GroupDescription: "Redis Consumer Security Group" | ||
| VpcId: | ||
| Fn::ImportValue: | ||
| !Sub '${App}-${Env}-VpcId' | ||
| Tags: | ||
| - Key: Name | ||
| Value: !Sub 'copilot-${App}-${Env}-Redis' | ||
|
|
||
| # Security group to add the Redis cluster to the VPC, | ||
| # and to allow the Fargate containers to talk to Redis on port 6379 | ||
| RedisSecurityGroup: | ||
| Type: AWS::EC2::SecurityGroup | ||
| Properties: | ||
| GroupDescription: "Redis Security Group" | ||
| VpcId: { 'Fn::ImportValue': !Sub '${App}-${Env}-VpcId' } | ||
|
|
||
| # Enable ingress from other ECS services created within the environment. | ||
| RedisIngress: | ||
| Type: AWS::EC2::SecurityGroupIngress | ||
| Properties: | ||
| Description: Ingress from Fargate containers | ||
| GroupId: !Ref 'RedisSecurityGroup' | ||
| IpProtocol: tcp | ||
| FromPort: 6379 | ||
| ToPort: 6379 | ||
| SourceSecurityGroupId: !GetAtt 'RedisSourceSecurityGroup.GroupId' | ||
|
|
||
| RedisSecret: | ||
| Metadata: | ||
| 'aws:copilot:description': 'A Secrets Manager secret to store your DB credentials' | ||
| Type: AWS::SecretsManager::Secret | ||
| Properties: | ||
| Description: !Sub 'Redis main user secret for ${AWS::StackName}' | ||
| GenerateSecretString: | ||
| SecretStringTemplate: '{"username": "redis"}' | ||
| GenerateStringKey: "password" | ||
| ExcludePunctuation: true | ||
| IncludeSpace: false | ||
| PasswordLength: 16 | ||
|
|
||
| # The cluster itself. | ||
| Redis: | ||
| Type: AWS::ElastiCache::CacheCluster | ||
| Properties: | ||
| ClusterName: !Sub 'funding-service-magic-links-${Env}' | ||
| Engine: redis | ||
| CacheNodeType: cache.m5.large | ||
| NumCacheNodes: 1 | ||
| CacheSubnetGroupName: !Ref 'RedisSubnetGroup' | ||
| VpcSecurityGroupIds: | ||
| - !GetAtt 'RedisSecurityGroup.GroupId' | ||
|
|
||
| # Redis endpoint stored in SSM so that other services can retrieve the endpoint. | ||
| RedisEndpointAddressParam: | ||
| Type: AWS::SSM::Parameter | ||
| Properties: | ||
| Name: !Sub '/${App}/${Env}/redis' # Other services can retrieve the endpoint from this path. | ||
| Type: String | ||
| Value: !GetAtt 'Redis.RedisEndpoint.Address' | ||
|
|
||
| Outputs: | ||
| RedisEndpoint: | ||
| Description: The endpoint of the redis cluster | ||
| Value: !GetAtt 'Redis.RedisEndpoint.Address' | ||
| RedisInstanceURI: | ||
| Description: "The URI of the redis cluster." | ||
| Value: | ||
| !Sub | ||
| - "rediss://:${PASSWORD}@${HOSTNAME}:${PORT}" | ||
| - PASSWORD: !Join [ "", [ '{{resolve:secretsmanager:', !Ref 'RedisSecret', ":SecretString:password}}" ]] | ||
| HOSTNAME: !GetAtt 'Redis.RedisEndpoint.Address' | ||
| PORT: !GetAtt 'Redis.RedisEndpoint.Port' |