chore: cloudformation

seyhello · seyhello · commit c8eebbf8f559 · 2025-04-01T16:13:28.000+02:00
diff --git a/.github/workflows/deploy_cloudformation.yaml b/.github/workflows/deploy_cloudformation.yaml
@@ -0,0 +1,28 @@
+name: 'Deploy Cloudformation'
+
+on:
+  workflow_dispatch:
+
+  push:
+    paths:
+    - 'deploy/cloudformation/**'
+
+jobs:
+  get_values:
+    uses: apify/workflows/.github/workflows/get_values.yaml@v0.27.0
+
+  deploy_cloudformation:
+    needs:
+      - get_values
+    uses: apify/workflows/.github/workflows/deploy_cloudformation.yaml@v0.27.0
+    secrets:
+      awsAccessKeyId: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      awsSecretAccessKey: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      slackToken: ${{ secrets.SLACK_BOT_USER_OAUTH_ACCESS_TOKEN }}
+    with:
+      stackName: apify-docs-preview
+      templateFile: deploy/cloudformation/s3.yaml
+      cloudformationRoleArn: arn:aws:iam::031263542130:role/ApifyCloudFormationServiceRole
+      s3Bucket: apify-cf-templates-store-organization
+      capabilities: CAPABILITY_NAMED_IAM
+      revision: ${{ needs.get_values.outputs.short_commit_sha }}
diff --git a/deploy/cloudformation/s3.yaml b/deploy/cloudformation/s3.yaml
@@ -0,0 +1,42 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: This template creates an S3 bucket and access control policy for apify-docs-preview
+Metadata:
+  License: Apache-2.0
+
+Resources:
+  S3Bucket:
+    Type: AWS::S3::Bucket
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
+    Properties:
+      BucketName: apify-docs-preview
+      # Maintaining your public access settings
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      # Enable encryption for data at rest
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+      Tags:
+        - Key: component
+          Value: apify-docs
+        - Key: owner
+          Value: apify-docs
+
+  # Adding a bucket policy to grant public read access
+  BucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref S3Bucket
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: PublicReadForGetBucketObjects
+            Effect: Allow
+            Principal: '*'
+            Action: 's3:GetObject'
+            Resource: !Sub 'arn:aws:s3:::${S3Bucket}/*'
