pcmoritz · December 4, 2021 06:18
diff --git a/jobs-setup-cloud-formation-template.yaml b/jobs-setup-cloud-formation-template.yaml
 AWSTemplateFormatVersion: 2010-09-09
 Description: >-
  This template creates a bucket in your account for use with Jobs on your Anyscale cloud. Contact Anyscale if you run into any issues at [email protected] if you have any questions.

 Parameters:
  CloudID:
    Description: "The identifier for the Ansycale Cloud that'll be using this role. *Please lowercase the value before using it here.* You can grab your ID from here: https://console.anyscale.com/admin/clouds"
    AllowedPattern: 'cld_[a-z0-9]+'
    ConstraintDescription: must contain only lowercase letters or numbers. Please lowercase your cloud ID.
    Type: String
  ClusterRole:
    Description: "The ARN of the Role that will be used when running jobs"
    Type: String
    AllowedPattern: 'arn:.+'
    MinLength: '1'
    MaxLength: '128'
  AWSRegion:
    Description: 'AWS Region where your jobs will be run.'
    MinLength: '9'
    AllowedValues:
      - ap-northeast-1
      - ap-south-1
      - ap-southeast-1
      - ap-southeast-2
      - ca-central-1
      - eu-central-1
      - eu-west-1
      - eu-west-2
      - us-east-1
      - us-east-2
      - us-west-1
      - us-west-2
    Type: String


 Outputs:
  AnyscaleJobsBucket:
    Description: ARN of the Jobs Bucket
    Value: !GetAtt
      - assetsS3Bucket
      - Arn

 Rules:
  # Validate the selected Region from the drop-down matches the Region from the Console
  RunningTemplateFromDifferentRegionThanDropDown:
    Assertions:
      - Assert: !Equals [!Ref AWSRegion, !Ref 'AWS::Region']
        AssertDescription: 'The region from the AWS Management Console MUST be the same as the selected region from the drop-down.'

 Resources:
  # S3 jobs bucket requirements
  assetsS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: 
        Fn::Join:
          - "-"
          - - anyscale
            - jobs
            - Fn::Join:
              - '-'
              - Fn::Split:
                - '_'
                - !Ref CloudID
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  bucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
          - Sid: Grant Jobs Clusters Access
            Effect: Allow
            Principal:
              AWS: !Ref ClusterRole
            Action:
              - 's3:GetObject'
              - 's3:GetObjectVersion'
              - 's3:PutObject'
              - 's3:DeleteObject'
              - 's3:ListBucket'
              - 's3:GetBucketLocation'
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::${assetsS3Bucket}/*'
              - !Sub 'arn:${AWS::Partition}:s3:::${assetsS3Bucket}'
      Bucket: !Ref assetsS3Bucket
	AWSTemplateFormatVersion: 2010-09-09
	Description: >-
	This template creates a bucket in your account for use with Jobs on your Anyscale cloud. Contact Anyscale if you run into any issues at [email protected] if you have any questions.

	Parameters:
	CloudID:
	Description: "The identifier for the Ansycale Cloud that'll be using this role. Please lowercase the value before using it here. You can grab your ID from here: https://console.anyscale.com/admin/clouds"
	AllowedPattern: 'cld_[a-z0-9]+'
	ConstraintDescription: must contain only lowercase letters or numbers. Please lowercase your cloud ID.
	Type: String
	ClusterRole:
	Description: "The ARN of the Role that will be used when running jobs"
	Type: String
	AllowedPattern: 'arn:.+'
	MinLength: '1'
	MaxLength: '128'
	AWSRegion:
	Description: 'AWS Region where your jobs will be run.'
	MinLength: '9'
	AllowedValues:
	- ap-northeast-1
	- ap-south-1
	- ap-southeast-1
	- ap-southeast-2
	- ca-central-1
	- eu-central-1
	- eu-west-1
	- eu-west-2
	- us-east-1
	- us-east-2
	- us-west-1
	- us-west-2
	Type: String


	Outputs:
	AnyscaleJobsBucket:
	Description: ARN of the Jobs Bucket
	Value: !GetAtt
	- assetsS3Bucket
	- Arn

	Rules:
	# Validate the selected Region from the drop-down matches the Region from the Console
	RunningTemplateFromDifferentRegionThanDropDown:
	Assertions:
	- Assert: !Equals [!Ref AWSRegion, !Ref 'AWS::Region']
	AssertDescription: 'The region from the AWS Management Console MUST be the same as the selected region from the drop-down.'

	Resources:
	# S3 jobs bucket requirements
	assetsS3Bucket:
	Type: AWS::S3::Bucket
	Properties:
	BucketName:
	Fn::Join:
	- "-"
	- - anyscale
	- jobs
	- Fn::Join:
	- '-'
	- Fn::Split:
	- '_'
	- !Ref CloudID
	PublicAccessBlockConfiguration:
	BlockPublicAcls: true
	BlockPublicPolicy: true
	IgnorePublicAcls: true
	RestrictPublicBuckets: true
	bucketPolicy:
	Type: 'AWS::S3::BucketPolicy'
	Properties:
	PolicyDocument:
	Id: MyPolicy
	Version: 2012-10-17
	Statement:
	- Sid: Grant Jobs Clusters Access
	Effect: Allow
	Principal:
	AWS: !Ref ClusterRole
	Action:
	- 's3:GetObject'
	- 's3:GetObjectVersion'
	- 's3:PutObject'
	- 's3:DeleteObject'
	- 's3:ListBucket'
	- 's3:GetBucketLocation'
	Resource:
	- !Sub 'arn:${AWS::Partition}:s3:::${assetsS3Bucket}/*'
	- !Sub 'arn:${AWS::Partition}:s3:::${assetsS3Bucket}'
	Bucket: !Ref assetsS3Bucket