11AWSTemplateFormatVersion : " 2010-09-09"
2+
3+ Parameters :
4+ LogRetentionDays :
5+ Type : Number
6+ Description : How long to keep logs for
7+ AllowedValues :
8+ [
9+ 1,
10+ 3,
11+ 5,
12+ 7,
13+ 14,
14+ 30,
15+ 60,
16+ 90,
17+ 120,
18+ 150,
19+ 180,
20+ 365,
21+ 400,
22+ 545,
23+ 731,
24+ 1096,
25+ 1827,
26+ 2192,
27+ 2557,
28+ 2922,
29+ 3288,
30+ 3653,
31+ ]
32+
233Resources :
334 # region API Gateway
435 ApiGwCloudWatchRole :
@@ -251,13 +282,22 @@ Resources:
251282 - ServerSideEncryptionByDefault :
252283 KMSMasterKeyID : !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${ArtifactsBucketKMSKeyAlias}"
253284 SSEAlgorithm : " aws:kms"
285+ LifecycleConfiguration :
286+ Rules :
287+ - Id : Artifacts-IA-30d-Expire-90d
288+ Status : Enabled
289+ Prefix : " " # apply to all objects
290+ Transitions :
291+ - StorageClass : STANDARD_IA
292+ TransitionInDays : 30
293+ ExpirationInDays : 90
254294
255295 ArtifactsBucketPolicy :
256296 Type : AWS::S3::BucketPolicy
257297 Metadata :
258298 guard :
259299 SuppressedRules :
260- - S3_BUCKET_SSL_REQUESTS_ONLY
300+ - S3_BUCKET_SSL_REQUESTS_ONLY
261301 Properties :
262302 Bucket : !Ref ArtifactsBucket
263303 PolicyDocument :
@@ -357,7 +397,7 @@ Resources:
357397 Metadata :
358398 guard :
359399 SuppressedRules :
360- - S3_BUCKET_SSL_REQUESTS_ONLY
400+ - S3_BUCKET_SSL_REQUESTS_ONLY
361401 Properties :
362402 Bucket : !Ref TrustStoreBucket
363403 PolicyDocument :
@@ -394,7 +434,7 @@ Resources:
394434 Metadata :
395435 guard :
396436 SuppressedRules :
397- - S3_BUCKET_REPLICATION_ENABLED
437+ - S3_BUCKET_REPLICATION_ENABLED
398438 - S3_BUCKET_LOGGING_ENABLED
399439 - S3_BUCKET_DEFAULT_LOCK_ENABLED
400440 Properties :
@@ -409,13 +449,22 @@ Resources:
409449 ServerSideEncryptionConfiguration :
410450 - ServerSideEncryptionByDefault :
411451 SSEAlgorithm : " AES256"
452+ LifecycleConfiguration :
453+ Rules :
454+ - Id : Audit-IA-30d
455+ Status : Enabled
456+ Prefix : " " # apply to all objects
457+ Transitions :
458+ - StorageClass : STANDARD_IA
459+ TransitionInDays : 30
460+ # no ExpirationInDays (never delete)
412461
413462 AuditLoggingBucketPolicy :
414463 Type : AWS::S3::BucketPolicy
415464 Metadata :
416465 guard :
417466 SuppressedRules :
418- - S3_BUCKET_SSL_REQUESTS_ONLY
467+ - S3_BUCKET_SSL_REQUESTS_ONLY
419468 Properties :
420469 Bucket : !Ref AuditLoggingBucket
421470 PolicyDocument :
@@ -491,7 +540,7 @@ Resources:
491540 Metadata :
492541 guard :
493542 SuppressedRules :
494- - S3_BUCKET_REPLICATION_ENABLED
543+ - S3_BUCKET_REPLICATION_ENABLED
495544 - S3_BUCKET_LOGGING_ENABLED
496545 - S3_BUCKET_DEFAULT_LOCK_ENABLED
497546 Properties :
@@ -506,13 +555,22 @@ Resources:
506555 ServerSideEncryptionConfiguration :
507556 - ServerSideEncryptionByDefault :
508557 SSEAlgorithm : " AES256"
558+ LifecycleConfiguration :
559+ Rules :
560+ - Id : ALBLogging-IA-30d-Expire-LogRetention
561+ Status : Enabled
562+ Prefix : " " # apply to all objects
563+ Transitions :
564+ - StorageClass : STANDARD_IA
565+ TransitionInDays : 30
566+ ExpirationInDays : !Ref LogRetentionDays
509567
510568 ALBLoggingBucketPolicy :
511569 Type : AWS::S3::BucketPolicy
512570 Metadata :
513571 guard :
514572 SuppressedRules :
515- - S3_BUCKET_SSL_REQUESTS_ONLY
573+ - S3_BUCKET_SSL_REQUESTS_ONLY
516574 Properties :
517575 Bucket : !Ref ALBLoggingBucket
518576 PolicyDocument :
@@ -571,7 +629,7 @@ Resources:
571629 Metadata :
572630 guard :
573631 SuppressedRules :
574- - S3_BUCKET_REPLICATION_ENABLED
632+ - S3_BUCKET_REPLICATION_ENABLED
575633 - S3_BUCKET_LOGGING_ENABLED
576634 - S3_BUCKET_DEFAULT_LOCK_ENABLED
577635 Properties :
@@ -587,13 +645,22 @@ Resources:
587645 - ServerSideEncryptionByDefault :
588646 KMSMasterKeyID : !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${AthenaResultsBucketKMSKeyKMSKeyAlias}"
589647 SSEAlgorithm : " aws:kms"
648+ LifecycleConfiguration :
649+ Rules :
650+ - Id : AthenaResults-IA-30d-Expire-90d
651+ Status : Enabled
652+ Prefix : " " # apply to all objects
653+ Transitions :
654+ - StorageClass : STANDARD_IA
655+ TransitionInDays : 30
656+ ExpirationInDays : 90
590657
591658 AthenaResultsBucketPolicy :
592659 Type : AWS::S3::BucketPolicy
593660 Metadata :
594661 guard :
595662 SuppressedRules :
596- - S3_BUCKET_SSL_REQUESTS_ONLY
663+ - S3_BUCKET_SSL_REQUESTS_ONLY
597664 Properties :
598665 Bucket : !Ref AthenaResultsBucket
599666 PolicyDocument :
@@ -685,13 +752,22 @@ Resources:
685752 ServerSideEncryptionByDefault :
686753 SSEAlgorithm : aws:kms
687754 KMSMasterKeyID : !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:${SplunkDeliveryStreamBackupKMSKeyAlias}"
755+ LifecycleConfiguration :
756+ Rules :
757+ - Id : SplunkBackup-IA-30d-Expire-90d
758+ Status : Enabled
759+ Prefix : " " # apply to all objects
760+ Transitions :
761+ - StorageClass : STANDARD_IA
762+ TransitionInDays : 30
763+ ExpirationInDays : 90
688764
689765 SplunkDeliveryStreamBackupBucketPolicy :
690766 Type : AWS::S3::BucketPolicy
691767 Metadata :
692768 guard :
693769 SuppressedRules :
694- - S3_BUCKET_SSL_REQUESTS_ONLY
770+ - S3_BUCKET_SSL_REQUESTS_ONLY
695771 Properties :
696772 Bucket : !Ref SplunkDeliveryStreamBackupBucket
697773 PolicyDocument :
@@ -752,24 +828,24 @@ Resources:
752828 # region ECR Repositories
753829 FHIRFacadeRepo :
754830 Type : AWS::ECR::Repository
755- Properties :
831+ Properties :
756832 RepositoryName : fhir-facade-repo
757- ImageScanningConfiguration :
758- ScanOnPush : true
759-
833+ ImageScanningConfiguration :
834+ ScanOnPush : true
835+
760836 ValidatorRepo :
761837 Type : AWS::ECR::Repository
762- Properties :
838+ Properties :
763839 RepositoryName : validator-repo
764- ImageScanningConfiguration :
840+ ImageScanningConfiguration :
765841 ScanOnPush : true
766842
767843 CDKUtilsBuildRepo :
768844 Type : AWS::ECR::Repository
769- Properties :
845+ Properties :
770846 RepositoryName : cdk-utils-build-repo
771- ImageScanningConfiguration :
772- ScanOnPush : true
847+ ImageScanningConfiguration :
848+ ScanOnPush : true
773849 # endregion
774850
775851 # region Secrets KMS
@@ -925,7 +1001,7 @@ Resources:
9251001 - kms:ReEncrypt*
9261002 - kms:Decrypt
9271003 Resource : " *"
928-
1004+
9291005 SqsKMSKeyKMSKeyAlias :
9301006 Type : AWS::KMS::Alias
9311007 Properties :
@@ -1319,7 +1395,7 @@ Resources:
13191395 KmsKeyId : alias/SecretsKMSKeyAlias
13201396 SecretString : ChangeMe
13211397 Name : !Sub "${AWS::StackName}-SplunkHECToken"
1322-
1398+
13231399 SlackWebHookUrl :
13241400 DependsOn : SecretsKMSKeyKMSKeyAlias
13251401 Type : AWS::SecretsManager::Secret
@@ -1328,7 +1404,7 @@ Resources:
13281404 KmsKeyId : alias/SecretsKMSKeyAlias
13291405 SecretString : ChangeMe
13301406 Name : !Sub "${AWS::StackName}-SlackWebhookUrl"
1331-
1407+
13321408 AccessSlackSecretsManagedPolicy :
13331409 Type : AWS::IAM::ManagedPolicy
13341410 Properties :
@@ -1373,7 +1449,7 @@ Resources:
13731449 - sqs:GetQueueAttributes
13741450 - sqs:GetQueueUrl
13751451 - tag:GetResources
1376- Resource :
1452+ Resource :
13771453 - !Sub " arn:aws:cloudwatch:*:${AWS::AccountId}:*"
13781454 - !Sub " arn:aws:cloudfront::${AWS::AccountId}:*"
13791455 - !Sub " arn:aws:dynamodb::${AWS::AccountId}:*"
@@ -1424,15 +1500,15 @@ Resources:
14241500 - Effect : Allow
14251501 Action :
14261502 - kms:Decrypt
1427- Resource :
1503+ Resource :
14281504 - !Sub arn:aws:kms:eu-west-2:${AWS::AccountId}:key/*
14291505 - Effect : Allow
14301506 Action :
14311507 - kms:DescribeKey
14321508 - kms:GenerateDataKey*
14331509 - kms:Encrypt
14341510 - kms:ReEncrypt*
1435- Resource :
1511+ Resource :
14361512 - !GetAtt AthenaResultsBucketKMSKey.Arn
14371513 - Effect : Allow
14381514 Action :
@@ -1583,7 +1659,7 @@ Outputs:
15831659 Name : !Join [":", [!Ref "AWS::StackName", "FHIRFacadeRepoArn"]]
15841660
15851661 FHIRFacadeRepoUri :
1586- Description : " The URI of the FHIR Facade ECR repo"
1662+ Description : " The URI of the FHIR Facade ECR repo"
15871663 Value : !GetAtt FHIRFacadeRepo.RepositoryUri
15881664 Export :
15891665 Name : !Join [":", [!Ref "AWS::StackName", "FHIRFacadeRepoUri"]]
@@ -1592,10 +1668,10 @@ Outputs:
15921668 Description : " The Arn of the Validator repo"
15931669 Value : !GetAtt ValidatorRepo.Arn
15941670 Export :
1595- Name : !Join [":", [!Ref "AWS::StackName", "ValidatorRepoArn"]]
1671+ Name : !Join [":", [!Ref "AWS::StackName", "ValidatorRepoArn"]]
15961672
15971673 ValidatorRepoUri :
1598- Description : " The URI of the Validator ECR repo"
1674+ Description : " The URI of the Validator ECR repo"
15991675 Value : !GetAtt ValidatorRepo.RepositoryUri
16001676 Export :
16011677 Name : !Join [":", [!Ref "AWS::StackName", "ValidatorRepoUri"]]
@@ -1604,10 +1680,10 @@ Outputs:
16041680 Description : " The Arn of the Validator repo"
16051681 Value : !GetAtt CDKUtilsBuildRepo.Arn
16061682 Export :
1607- Name : !Join [":", [!Ref "AWS::StackName", "CDKUtilsBuildRepoArn"]]
1683+ Name : !Join [":", [!Ref "AWS::StackName", "CDKUtilsBuildRepoArn"]]
16081684
16091685 CDKUtilsBuildRepoUri :
1610- Description : " The URI of the Validator ECR repo"
1686+ Description : " The URI of the Validator ECR repo"
16111687 Value : !GetAtt CDKUtilsBuildRepo.RepositoryUri
16121688 Export :
16131689 Name : !Join [":", [!Ref "AWS::StackName", "CDKUtilsBuildRepoUri"]]
@@ -1619,7 +1695,7 @@ Outputs:
16191695 Value : !GetAtt SecretsKMSKey.Arn
16201696 Export :
16211697 Name : !Join [":", [!Ref "AWS::StackName", "SecretsKMSKey"]]
1622-
1698+
16231699 SecretsKMSKeyAlias :
16241700 Description : SecretsKMSKeyAlias
16251701 Value : !Ref SecretsKMSKeyKMSKeyAlias
@@ -1931,13 +2007,13 @@ Outputs:
19312007 Value : !GetAtt ClinicalTrackerProxygenPublicKey.Id
19322008 Export :
19332009 Name : !Join [":", [!Ref "AWS::StackName", "ClinicalTrackerProxygenPublicKey"]]
1934-
2010+
19352011 SlackWebHookUrl :
19362012 Description : Slack webhook url
19372013 Value : !GetAtt SlackWebHookUrl.Id
19382014 Export :
19392015 Name : !Join [":", [!Ref "AWS::StackName", "SlackWebHookUrl"]]
1940-
2016+
19412017 AccessSlackSecretsManagedPolicy :
19422018 Description : " Access SNS Secrets Policy ARN"
19432019 Value : !GetAtt AccessSlackSecretsManagedPolicy.PolicyArn
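Review bot: The ALBLoggingBucket lifecycle rule (new lines 558–566) hard-codes `TransitionInDays: 30` while taking `ExpirationInDays` from `LogRetentionDays`, whose AllowedValues (new lines 8–31) include 1, 3, 5, 7, 14 and 30; S3 rejects a lifecycle rule whose expiration is not strictly later than its transition, so any of those values should fail the bucket update and the stack with it. Either remove the values of 30 and below from AllowedValues, or gate the `Transitions` entry behind a Condition (`Transitions: !If [RetentionLongerThanTransition, [...], !Ref AWS::NoValue]`) built from `!Equals` checks on the small values. The parameter also declares no Default, so every deployment must now supply it explicitly. Separately, the re-indented Outputs keep copy-pasted descriptions for the CDK utils repo: new line 1680 still reads `Description: "The Arn of the Validator repo"` and new line 1686 `Description: "The URI of the Validator ECR repo"`, both of which should name the CDKUtilsBuildRepo.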