def create_integration(self, method_config, lambda_arn):
        """
        Creates an integration object using a single provided ApiGatewayMethodConfig object.
        :param method_config: a single ApiGatewayMethodConfig object
        :param lambda_arn: the ARN of a lambda function to point this integration at.
        :return: a troposphere integration object
        """

        integration = Integration(
            '{0}Integration'.format(method_config.method_name),
            Type='AWS',
            IntegrationHttpMethod=method_config.httpmethod,
            IntegrationResponses=self.integration_responses,
            RequestTemplates=method_config.request.templates,
            Uri=Join('', [
                'arn:aws:apigateway:ap-southeast-2:lambda:path/2015-03-31/functions/',
                lambda_arn, '/invocations'
            ]))

        perm = self.template.add_resource(
            Permission('{0}Permission'.format(integration.title),
                       Action='lambda:InvokeFunction',
                       FunctionName=lambda_arn,
                       Principal='apigateway.amazonaws.com'))

        self.permissions.append(perm)
        # At time of creation of this class, the PassthroughBehavior parameter is not implemented for integrations
        # in troposphere. The below assigns it for now. This can be reworked into the above troposphere object once
        # troposphere is updated.
        integration.resource['PassthroughBehavior'] = "WHEN_NO_TEMPLATES"

        return integration
    def add_resources(self):
        self.runner_terminate_rule = self.template.add_resource(
            Rule(
                "RunnerTeminateRule",
                EventPattern={
                    "source": ["aws.autoscaling"],
                    "detail-type": ["EC2 Instance-terminate Lifecycle Action"],
                },
                State="ENABLED",
                Targets=[
                    Target(
                        Arn=Ref(self.runner_unregister_function_arn),
                        Id=Ref(self.runner_terminate_target_id),
                    )
                ],
            ))

        self.runner_unregister_permission = self.template.add_resource(
            Permission(
                "RunnerUnregisterPermission",
                Action="lambda:InvokeFunction",
                FunctionName=Ref(self.runner_unregister_function),
                Principal="events.amazonaws.com",
                SourceArn=GetAtt(self.runner_terminate_rule, "Arn"),
            ))

        self.runner_terminate_lifecyclehook = self.template.add_resource(
            LifecycleHook(
                "RunnerTerminateLifecycleHook",
                AutoScalingGroupName=Ref(self.runner_autoscaling_group),
                LifecycleTransition="autoscaling:EC2_INSTANCE_TERMINATING",
            ))
Beispiel #3
0
 def get_cloudformation_template(self, lambda_filename):
     from troposphere import Template, GetAtt, Join
     from troposphere.awslambda import Environment
     from troposphere.awslambda import Permission
     from troposphere.serverless import Function
     t = Template()
     t.add_description("Built with WavyCloud's pylexbuilder")
     t.add_transform('AWS::Serverless-2016-10-31')
     lambda_func = t.add_resource(
         Function(
             self.name,
             Handler='handler.index',
             Runtime=self.runtime,
             CodeUri='s3://{}/{}'.format(self.s3_bucket_name,
                                         lambda_filename),
             Policies=['AmazonDynamoDBFullAccess', 'AmazonLexFullAccess'],
             AutoPublishAlias=self.lambda_alias,
             Environment=Environment(
                 Variables=self.environment_variables)), )
     for i, intent in enumerate(self.get_all_intents()):
         t.add_resource(
             Permission(
                 "PermissionToLex{}".format(intent.name),
                 FunctionName=GetAtt(lambda_func, "Arn"),
                 Action="lambda:InvokeFunction",
                 Principal="lex.amazonaws.com",
                 SourceArn=Join("", [
                     'arn:aws:lex:',
                     Ref(AWS_REGION), ':',
                     Ref(AWS_ACCOUNT_ID), ':intent:{}:*'.format(intent.name)
                 ])))
     return t
 def add_lambda_permission_demo(self):
     self.lambda_permission_demo = self.template.add_resource(
         Permission(
             "LambdaDemoPermission",
             Action='lambda:InvokeFunction',
             FunctionName=GetAtt(self.lambda_function, 'Arn'),
             Principal="events.amazonaws.com",
             SourceArn=GetAtt(self.rule_demo, 'Arn'),
         ))
Beispiel #5
0
 def create_invoke_permission_for_events(self,
                                         function_name,
                                         source_arn,
                                         name_prefix=''):
     return self.template.add_resource(
         Permission('{0}Permission'.format(name_prefix),
                    Action='lambda:InvokeFunction',
                    FunctionName=function_name,
                    SourceArn=source_arn,
                    Principal='events.amazonaws.com'))
def create_lambda_fn_cron(name_prefix, lambda_fn, schedule_expression):
    rule = Rule(
        '{}EventRule'.format(name_prefix),
        ScheduleExpression=schedule_expression,
        Targets=[Target(Arn=GetAtt(lambda_fn, 'Arn'), Id=lambda_fn.name)])

    permission = Permission('{}LambdaFunctionPermission'.format(name_prefix),
                            Action="lambda:InvokeFunction",
                            FunctionName=GetAtt(lambda_fn, 'Arn'),
                            Principal='events.amazonaws.com',
                            SourceArn=GetAtt(rule, 'Arn'))

    return (rule, permission)
    def add_figure_lambda(self):
        ## Now add to a lambda function:
        function = Function(
            'FigLambda',
            CodeUri='../../protocols',
            Runtime='python3.6',
            Handler='log.eventshandler',
            Description='Lambda Function logging start/stop for NCAP',
            MemorySize=128,
            Timeout=90,
            Role=
            'arn:aws:iam::739988523141:role/lambda_dataflow',  ## TODO: Create this in template
            Events={})
        figurelamb = self.template.add_resource(function)
        ## Attach specific permissions to invoke this lambda function as well.
        cwpermission = Permission('CWPermissions',
                                  Action='lambda:InvokeFunction',
                                  Principal='events.amazonaws.com',
                                  FunctionName=Ref(figurelamb))
        self.template.add_resource(cwpermission)

        ## Because this lambda function gets invoked by an unknown target, we need to take care of its log group separately.

        figloggroup = LogGroup('FignameLogGroup',
                               LogGroupName=Sub("/aws/lambda/${FigLambda}"))
        self.template.add_resource(figloggroup)

        ## Now we need to configure this function as a potential target.
        ## Initialize role to send events to cloudwatch
        with open('policies/cloudwatch_events_assume_role_doc.json', 'r') as f:
            cloudwatchassume_role_doc = json.load(f)
        ## Now get the actual policy:
        with open('policies/cloudwatch_events_policy_doc.json', 'r') as f:
            cloudwatch_policy_doc = json.load(f)
        cloudwatchpolicy = ManagedPolicy(
            "CloudwatchBusPolicy",
            Description=Join(" ", [
                "Base Policy for all lambda function roles in",
                Ref(AWS_STACK_NAME)
            ]),
            PolicyDocument=cloudwatch_policy_doc)
        self.template.add_resource(cloudwatchpolicy)
        ## create the role:
        cwrole = Role("CloudWatchBusRole",
                      AssumeRolePolicyDocument=cloudwatchassume_role_doc,
                      ManagedPolicyArns=[Ref(cloudwatchpolicy)])
        cwrole_attached = self.template.add_resource(cwrole)
        self.cwrole = cwrole_attached
        return figurelamb
    def link_resources(self):
        ## Attach specific permissions to invoke this lambda function as well.
        cwpermission = Permission('CCPermissions',
                                  Action='lambda:InvokeFunction',
                                  Principal='codecommit.amazonaws.com',
                                  FunctionName=Ref(self.commitlambda),
                                  SourceArn=GetAtt(self.repo, 'Arn'),
                                  SourceAccount=Ref(AWS_ACCOUNT_ID))
        self.template.add_resource(cwpermission)

        ## Because this lambda function gets invoked by an unknown target, we need to take care of its log group separately.

        figloggroup = LogGroup('FignameLogGroup',
                               LogGroupName=Sub("/aws/lambda/${CodeLambda}"))
        self.template.add_resource(figloggroup)
    def add_lambda_permissions(self):
        self.permission_action = self.template.add_parameter(
            Parameter("PermissionAction",
                      Description="The actions allowed",
                      Type="String"))

        self.permission_principal = self.template.add_parameter(
            Parameter("PermissionPrincipal",
                      Description="The principal to act on lambda",
                      Type="String"))

        self.template.add_resource(
            Permission("LambdaPermission",
                       FunctionName=Ref(self.function),
                       Action=Ref(self.permission_action),
                       Principal=Ref(self.permission_principal)))
def create_lambda_schedule(template, awslambda, schedule):
    """
    Create Lambda function schedule
    :param template: Cloudformation template to add to
    :param awslambda: Lambda function to be scheduled
    :param schedule: Rate at which schedule should run
    """
    trop_cw_rule = template.add_resource(
        Rule('CloudsploitRule',
             Name='CloudsploitReporter',
             ScheduleExpression=schedule,
             State='ENABLED',
             Targets=[
                 Target(Arn=GetAtt(awslambda, 'Arn'), Id='CloudsploitRule')
             ]))

    trop_cw_permission = template.add_resource(
        Permission('CloudsploitRulePermission',
                   Action='lambda:InvokeFunction',
                   FunctionName=GetAtt(awslambda, 'Arn'),
                   Principal='events.amazonaws.com',
                   SourceArn=GetAtt(trop_cw_rule, 'Arn')))
Beispiel #11
0
    def __init__(self, title, template, dependencies, network_config,
                 lambda_config):
        """
        Amazonia lambda unit definition
        http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html
        https://github.com/cloudtools/troposphere/blob/master/troposphere/awslambda.py
        :param title: Title of the autoscaling application e.g 'webApp1', 'api2' or 'dataprocessing'
        :param template: Troposphere stack to append resources to
        :param dependencies: list of unit names this unit needs access to
        :param network_config: object containing network related variables
        :param lambda_config: object containing lambda related variables
        """
        super(Lambda, self).__init__(vpc=network_config.vpc,
                                     title=title,
                                     template=template)
        self.title = title
        self.dependencies = dependencies if dependencies else []

        self.function_name = Join(
            '',
            [Ref('AWS::StackName'), '-', lambda_config.lambda_function_name])

        self.trop_lambda_function = template.add_resource(
            Function(self.title,
                     Code=Code(S3Bucket=lambda_config.lambda_s3_bucket,
                               S3Key=lambda_config.lambda_s3_key),
                     Description=lambda_config.lambda_description,
                     FunctionName=self.function_name,
                     Handler=lambda_config.lambda_handler,
                     MemorySize=lambda_config.lambda_memory_size,
                     Role=lambda_config.lambda_role_arn,
                     Runtime=lambda_config.lambda_runtime,
                     Timeout=lambda_config.lambda_timeout,
                     VpcConfig=VPCConfig(
                         SubnetIds=network_config.private_subnets,
                         SecurityGroupIds=[self.security_group])))

        self.add_egress(receiver=network_config.public_cidr,
                        port='-1')  # All Traffic to Nat gateways

        if lambda_config.lambda_schedule:
            self.cwa_name = Join('', [
                Ref('AWS::StackName'), '-',
                lambda_config.lambda_function_name + 'Rule'
            ])

            self.trop_cw_rule = template.add_resource(
                Rule(self.title + 'Rule',
                     Name=self.cwa_name,
                     ScheduleExpression=lambda_config.lambda_schedule,
                     State='ENABLED',
                     Targets=[
                         Target(Arn=GetAtt(self.trop_lambda_function, 'Arn'),
                                Id=title)
                     ]))

            self.trop_cw_permission = template.add_resource(
                Permission(self.title + 'RulePermission',
                           Action='lambda:InvokeFunction',
                           FunctionName=GetAtt(self.trop_lambda_function,
                                               'Arn'),
                           Principal='events.amazonaws.com',
                           SourceArn=GetAtt(self.trop_cw_rule, 'Arn')))
            Subscription(
                Protocol='lambda',
                Endpoint=GetAtt(request_encoding_function, 'Arn'),
            ),
            Subscription(
                Protocol='sqs',
                Endpoint=GetAtt(start_media_insights_queue, 'Arn'),
            )
        ],
    ))

template.add_resource(
    Permission(
        'InvokeRequestEncodingFunctionPermission',
        Action='lambda:InvokeFunction',
        FunctionName=Ref(request_encoding_function),
        Principal='sns.amazonaws.com',
        SourceArn=Ref(request_encoding_topic),
    ))

template.add_resource(
    EventInvokeConfig(
        'RequestEncodingInvokeConfig',
        FunctionName=Ref(request_encoding_function),
        MaximumEventAgeInSeconds=60,
        MaximumRetryAttempts=1,
        Qualifier='$LATEST',
        DestinationConfig=DestinationConfig(OnFailure=OnFailure(
            Destination=GetAtt(processing_failed_queue, 'Arn'), ), ),
    ))
Beispiel #13
0
           ResourceId=Ref(unsubscribe_resource),
           HttpMethod="POST",
           Integration=Integration(
               Type="AWS",
               IntegrationHttpMethod="POST",
               IntegrationResponses=[IntegrationResponse(StatusCode="200")],
               Uri=Join("", [
                   "arn:aws:apigateway:",
                   Ref('AWS::Region'), ":lambda:path/2015-03-31/functions/",
                   GetAtt(EmailUnsubscribeFunction, "Arn"), "/invocations"
               ])),
           MethodResponses=[MethodResponse("CatResponse", StatusCode="200")]))

resource = t.add_resource(
    Permission("SubscribePermission",
               Action="lambda:InvokeFunction",
               Principal="apigateway.amazonaws.com",
               FunctionName=GetAtt(EmailSubscribeFunction, "Arn")))

resource = t.add_resource(
    Permission("UnsubscribePermission",
               Action="lambda:InvokeFunction",
               Principal="apigateway.amazonaws.com",
               FunctionName=GetAtt(EmailUnsubscribeFunction, "Arn")))

resource = t.add_resource(
    Permission("SendEmailPermission",
               Action="lambda:InvokeFunction",
               Principal="events.amazonaws.com",
               FunctionName=GetAtt(EmailSendFunction, "Arn")))

# Deploy API
    def initiate_api_gateway_creation(self):
        self.template.set_version('2010-09-09')
        self.template.set_description('Creates a API Gateway which is '
                                      'used to get data from dynamoDB.')

        role = self.template.add_resource(
            Role('RootRole',
                 RoleName="monty-cloud-api-role",
                 Path='/',
                 AssumeRolePolicyDocument={
                     "Version":
                     "2012-10-17",
                     "Statement": [{
                         "Action": ["sts:AssumeRole"],
                         "Effect": "Allow",
                         "Principal": {
                             "Service": [
                                 "apigateway.amazonaws.com",
                                 "lambda.amazonaws.com",
                                 "dynamodb.amazonaws.com"
                             ]
                         }
                     }]
                 }))

        self.template.add_resource(
            ManagedPolicy(
                'RolePolicies',
                ManagedPolicyName='api-gw-policy',
                Description='This policy is used for the DynamoDB table ',
                PolicyDocument={
                    "Version":
                    "2012-10-17",
                    "Statement": [{
                        "Action": ["dynamodb:*", "lambda:*", "s3:*"],
                        "Resource": [
                            "arn:aws:dynamodb:*:*:table/*",
                            "arn:aws:lambda:*:*:function:*"
                        ],
                        "Effect":
                        "Allow"
                    }]
                },
                Roles=[Ref(role)]))

        name = self.template.add_resource(
            RestApi('restApiName',
                    Name='monty-cloud-get-api',
                    Description='Monty Cloud API Gateway',
                    EndpointConfiguration=EndpointConfiguration(
                        Types=['REGIONAL'])))

        self.template.add_resource(
            Permission("lambdaApiGatewayInvoke",
                       Action="lambda:InvokeFunction",
                       FunctionName="arn:aws:lambda:{}:{}:function:"
                       "get_data".format(self.region, self.account_number),
                       Principal="apigateway.amazonaws.com",
                       SourceArn="arn:aws:execute-api:{}:{}:*/*"
                       "/GET/get-details".format(self.region,
                                                 self.account_number)))

        get_api_resource = self.template.add_resource(
            Resource('restApiGetDetailsResource',
                     RestApiId=Ref(name),
                     ParentId=GetAtt(name, 'RootResourceId'),
                     PathPart='get-details',
                     DependsOn=name))

        get_api_method = self.template.add_resource(
            Method('restApiGetDetailsMethod',
                   AuthorizationType='None',
                   ApiKeyRequired=False,
                   HttpMethod='GET',
                   ResourceId=Ref(get_api_resource),
                   RestApiId=Ref(name),
                   Integration=Integration(Type='AWS_PROXY',
                                           IntegrationHttpMethod='POST',
                                           Uri=self.uri.format(
                                               self.region, self.region,
                                               self.account_number),
                                           Credentials=GetAtt(role, "Arn")),
                   MethodResponses=[
                       MethodResponse(
                           StatusCode='200',
                           ResponseModels={'application/json': 'Empty'})
                   ],
                   DependsOn=get_api_resource))

        deployment = self.template.add_resource(
            Deployment('restApiDeployment',
                       RestApiId=Ref(name),
                       DependsOn=[get_api_method]))

        self.template.add_resource(
            Stage('restApiStage',
                  DeploymentId=Ref(deployment),
                  Description='Prod Stage',
                  MethodSettings=[
                      MethodSetting(ResourcePath='/get-details',
                                    HttpMethod='GET')
                  ],
                  RestApiId=Ref(name),
                  StageName='prod'))

        return self.template.to_yaml()
    def scaffold(self):
        """ Create long lived stack resources for the cluster """
        self.t.add_resource(
            Cluster("Cluster", ClusterName=self.cluster_vars['name']))
        OUTPUT_SG = ["ALB", "DB", "Cache", "Aux"]
        for sg in OUTPUT_SG:
            tmpsg = SecurityGroup(
                "{}BadgeSg".format(sg),
                GroupDescription=
                "SG for {} to wear in order to talk to ecs instances".format(
                    sg),
                VpcId=self.cluster_vars.get('vpc'))
            self.t.add_resource(tmpsg)
            self.t.add_output(
                Output("{}BadgeSg".format(sg),
                       Description="{} Security Group Badge".format(sg),
                       Export=Export(Sub("${AWS::StackName}:%sBadgeSg" % sg)),
                       Value=GetAtt(tmpsg, "GroupId")))
        # Refactor like this
        ### removing this because it's in the agent now
        add_asg_cleanup(self.t,
                        sanitize_cfn_resource_name(self.cluster_vars['name']))

        # add metric lambda
        self.t.add_resource(
            Function("ECSMetricLambda",
                     Code=Code(S3Bucket=Sub("${S3Bucket}"),
                               S3Key=Sub("${S3Prefix}/deployment.zip")),
                     Handler="metrics.cluster_metrics.lambda_handler",
                     Role=GetAtt("CronLambdaRole", "Arn"),
                     Runtime="python3.7",
                     MemorySize=128,
                     Timeout=300,
                     Environment=Environment(
                         Variables={
                             "CLUSTER": Sub("${ClusterName}"),
                             "ASGPREFIX": Sub("${ClusterName}-asg-"),
                             "REGION": Ref("AWS::Region")
                         })))

        self.t.add_resource(
            Role("CronLambdaRole",
                 AssumeRolePolicyDocument={
                     "Statement": [{
                         "Effect": "Allow",
                         "Action": "sts:AssumeRole",
                         "Principal": {
                             "Service": "lambda.amazonaws.com"
                         },
                     }]
                 },
                 Policies=[
                     Policy(PolicyName="logs-and-stuff",
                            PolicyDocument={
                                "Statement": [{
                                    "Effect": "Allow",
                                    "Action": ["logs:*"],
                                    "Resource": "arn:aws:logs:*:*:*"
                                }, {
                                    "Effect":
                                    "Allow",
                                    "Action": [
                                        "ec2:DescribeAutoScalingGroups",
                                        "ec2:UpdateAutoScalingGroup", "ecs:*",
                                        "cloudwatch:PutMetricData"
                                    ],
                                    "Resource":
                                    "*"
                                }]
                            })
                 ]))
        # run metrics every minute
        self.t.add_resource(
            Rule(
                "CronStats",
                ScheduleExpression="rate(1 minute)",
                Description="Cron for cluster stats",
                Targets=[Target(Id="1", Arn=GetAtt("ECSMetricLambda",
                                                   "Arn"))]))
        self.t.add_resource(
            Permission("StatPerm",
                       Action="lambda:InvokeFunction",
                       FunctionName=GetAtt("ECSMetricLambda", "Arn"),
                       Principal="events.amazonaws.com",
                       SourceArn=GetAtt("CronStats", "Arn")))
Beispiel #16
0
    def add_api_gateway(self, apigateway_name):
        self.log.info('Adding API Gateway %s' % apigateway_name)
        assert (self.lambda_function is not None)
        # define all value used by api gateway
        lambda_method_name = '%sLambdaMethod' % apigateway_name
        lambda_permission_name = '%sLambdaPermission' % apigateway_name
        resource_name = '%sResource' % apigateway_name
        deployment_name = '%sDeployment' % self.stage_name
        apikey_name = '%sApiKey' % apigateway_name

        # start creating api gateway template
        self.apigateway = RestApi(apigateway_name, Name=apigateway_name)
        self.template.add_resource(self.apigateway)

        resource = Resource(resource_name,
                            RestApiId=Ref(self.apigateway),
                            PathPart='{proxy+}',
                            ParentId=GetAtt(apigateway_name, 'RootResourceId'))
        self.template.add_resource(resource)

        permission = Permission(lambda_permission_name,
                                Action='lambda:invokeFunction',
                                FunctionName=GetAtt(self.lambda_function,
                                                    'Arn'),
                                Principal='apigateway.amazonaws.com',
                                SourceArn=Join("", [
                                    'arn:aws:execute-api:',
                                    Ref('AWS::Region'), ':',
                                    Ref('AWS::AccountId'), ':',
                                    Ref(self.apigateway), '/*'
                                ]))
        self.template.add_resource(permission)

        method = Method(
            lambda_method_name,
            DependsOn=lambda_permission_name,
            RestApiId=Ref(self.apigateway),
            ResourceId=Ref(resource),
            HttpMethod='ANY',
            AuthorizationType='NONE',
            Integration=Integration(
                Type='AWS_PROXY',
                IntegrationHttpMethod='POST',
                Uri=Join("", [
                    'arn:aws:apigateway:',
                    Ref('AWS::Region'), ':lambda:path/2015-03-31/functions/',
                    GetAtt(self.lambda_function, 'Arn'), '/invocations'
                ])),
            MethodResponses=[MethodResponse(StatusCode='200')])
        self.template.add_resource(method)

        # create a deployment
        deployment = Deployment(deployment_name,
                                DependsOn=lambda_method_name,
                                RestApiId=Ref(self.apigateway))
        self.template.add_resource(deployment)

        stage = Stage('%sStage' % self.stage_name,
                      StageName=self.stage_name,
                      RestApiId=Ref(self.apigateway),
                      DeploymentId=Ref(deployment))
        self.template.add_resource(stage)

        key = ApiKey(apikey_name,
                     StageKeys=[
                         StageKey(RestApiId=Ref(self.apigateway),
                                  StageName=Ref(stage))
                     ])
        self.template.add_resource(key)
    def add_resources(self):
        """Create Resources to deploy Limit Monitor."""
        template = self.template
        variables = self.get_variables()

        path = os.path.dirname(os.path.abspath(path=__file__))
        stacker_dict = yaml.safe_load(
            open(path + '/' + '../01_limit_monitor_spoke_us-east-1.yaml'))

        service_item = ''
        for item in stacker_dict['stacks']['servicelimitmonitorspoke'][
                'variables']['SERVICES']:
            quoted_item = '"' + item + '"'
            service_item = service_item + quoted_item + ','
        """Adding Mapping for AnonymousData"""
        template.add_mapping('MetricsMap',
                             {'Send-Data': {
                                 'SendAnonymousData': 'Yes'
                             }})
        """Adding Mapping for RefreshRate."""
        template.add_mapping('RefreshRate',
                             {'CronSchedule': {
                                 'Default': 'rate(1 day)'
                             }})
        """Adding Mapping for SourceCode."""
        template.add_mapping(
            'SourceCode', {
                'General': {
                    'S3Bucket': 'solutions',
                    'KeyPrefix': 'limit-monitor/v5.1.1'
                }
            })

        # """Adding Mapping for EventsMap."""
        # template.add_mapping(
        #     'EventsMap', {
        #         'Checks': {
        #             'Services': '"AutoScaling","CloudFormation","EBS","EC2","ELB","IAM","RDS","VPC"'
        #
        #         }
        #     }
        # )

        s3_bucket = FindInMap('SourceCode', 'General', 'S3Bucket')
        s3_key = FindInMap('SourceCode', 'General', 'KeyPrefix')
        """TAOkRule Target Resource Definition."""

        ta_ok_rule_target = Target(
            'TAOkRuleTarget',
            Arn=Join(':', [
                'arn:aws:events', 'us-east-1',
                str(variables['MasterAccount'].value), 'event-bus/default'
            ]),
            Id='SpokeOkTarget',
        )
        """CWR - Rule for TA OK events'."""
        template.add_resource(
            Rule('TAOkRule',
                 Description=
                 'Limit Monitor Solution - Spoke - Rule for TA OK events',
                 EventPattern={
                     'account': [Ref('AWS::AccountId')],
                     'source': ['aws.trustedadvisor'],
                     'detail-type':
                     ['Trusted Advisor Check Item Refresh Notification'],
                     'detail': {
                         'status': ["OK"],
                         'check-item-detail': {
                             'Service': variables['SERVICES'].value
                         }
                     }
                 },
                 State='ENABLED',
                 Targets=[
                     ta_ok_rule_target,
                 ]))
        """TAWarnRule Target Resource Definition."""

        ta_warn_rule_target = Target(
            'TAWarnRuleTarget',
            Arn=Join(':', [
                'arn:aws:events', 'us-east-1',
                str(variables['MasterAccount'].value), 'event-bus/default'
            ]),
            Id='SpokeWarnTarget',
        )
        """CWR - Rule for TA WARN events'"""
        template.add_resource(
            Rule('TAWarnRule',
                 Description=
                 'Limit Monitor Solution - Spoke - Rule for TA WARN events',
                 EventPattern={
                     'account': [Ref('AWS::AccountId')],
                     'source': ['aws.trustedadvisor'],
                     'detail-type':
                     ['Trusted Advisor Check Item Refresh Notification'],
                     'detail': {
                         'status': ["WARN"],
                         'check-item-detail': {
                             'Service': variables['SERVICES'].value
                         }
                     }
                 },
                 State='ENABLED',
                 Targets=[
                     ta_warn_rule_target,
                 ]))
        """TAErrorRule Target Resource Definition."""

        ta_error_rule_target = Target(
            'TAErrorRuleTarget',
            Arn=Join(':', [
                'arn:aws:events', 'us-east-1',
                str(variables['MasterAccount'].value), 'event-bus/default'
            ]),
            Id='SpokeErrorTarget',
        )
        """CWR - Rule for TA Error events'"""
        template.add_resource(
            Rule('TAErrorRule',
                 Description=
                 'Limit Monitor Solution - Spoke - Rule for TA WARN events',
                 EventPattern={
                     'account': [Ref('AWS::AccountId')],
                     'source': ['aws.trustedadvisor'],
                     'detail-type':
                     ['Trusted Advisor Check Item Refresh Notification'],
                     'detail': {
                         'status': ["ERROR"],
                         'check-item-detail': {
                             'Service': variables['SERVICES'].value
                         }
                     }
                 },
                 State='ENABLED',
                 Targets=[
                     ta_error_rule_target,
                 ]))
        """Create the IAM role for the TA Refresher Lambda Function"""

        ta_refresher_role = template.add_resource(
            Role('TARefresherRole',
                 AssumeRolePolicyDocument=PolicyDocument(Statement=[
                     Statement(Effect=Allow,
                               Action=[awacs.sts.AssumeRole],
                               Principal=Principal('Service',
                                                   ['lambda.amazonaws.com']))
                 ]),
                 Path='/',
                 Policies=[
                     Policy(PolicyDocument=PolicyDocument(
                         Version='2012-10-17',
                         Statement=[
                             Statement(Effect=Allow,
                                       Action=[
                                           CreateLogGroup, CreateLogStream,
                                           PutLogEvents
                                       ],
                                       Resource=[
                                           Join(':', [
                                               'arn:aws:logs',
                                               Ref('AWS::Region'),
                                               Ref('AWS::AccountId'),
                                               'log-group', '/aws/lambda/*'
                                           ])
                                       ]),
                             Statement(Effect=Allow,
                                       Action=[awacs.support.Action('*')],
                                       Resource=['*']),
                         ]),
                            PolicyName=Join('-', [
                                'Limit-Monitor-Refresher-Policy',
                                Ref('AWS::StackName')
                            ]))
                 ]))
        """Create TA Refresher Lambda Function."""

        ta_refresher = template.add_resource(
            Function(
                'TARefresher',
                Description=
                'Serverless Limit Monitor - Lambda function to summarize service limits',
                Environment=Environment(
                    Variables={
                        # 'AWS_SERVICES': FindInMap('EventsMap', 'Checks', 'Services'),
                        'AWS_SERVICES': str(service_item[:-1]),
                        'LOG_LEVEL': 'ERROR'
                    }),
                Handler='index.handler',
                Role=GetAtt(ta_refresher_role, 'Arn'),
                Code=Code(S3Bucket=Join(
                    '-', [s3_bucket, Ref('AWS::Region')]),
                          S3Key=Join('/',
                                     [s3_key, 'limtr-refresh-service.zip'])),
                Runtime='nodejs8.10',
                Timeout=300,
                DependsOn=[ta_refresher_role]))
        """Create the target for Refresh Schedule."""

        ta_refresher_target = Target('TARefreshRate',
                                     Arn=GetAtt(ta_refresher, 'Arn'),
                                     Id='SqsPollRate')
        """Create the TARefreshSchedule Rule."""

        ta_refresh_schedule = template.add_resource(
            Rule('TARefreshSchedule',
                 Description=
                 'Limit Monitor Solution - Schedule to refresh TA checks',
                 ScheduleExpression=FindInMap('RefreshRate', 'CronSchedule',
                                              'Default'),
                 State='ENABLED',
                 Targets=[ta_refresher_target],
                 DependsOn=[ta_refresher]))
        """Create the Ta Refresher Lambda Permission."""

        template.add_resource(
            Permission('TARefresherInvokePermission',
                       FunctionName=Ref(ta_refresher),
                       Action='lambda:InvokeFunction',
                       Principal='events.amazonaws.com',
                       SourceArn=GetAtt(ta_refresh_schedule, 'Arn'),
                       DependsOn=[ta_refresher]))
        """Create the Limtr Helper Role."""

        limtr_helper_role = template.add_resource(
            Role('LimtrHelperRole',
                 AssumeRolePolicyDocument=PolicyDocument(
                     Version='2012-10-17',
                     Statement=[
                         Statement(Effect=Allow,
                                   Action=[awacs.sts.AssumeRole],
                                   Principal=Principal(
                                       'Service', ['lambda.amazonaws.com']))
                     ]),
                 Path='/',
                 Policies=[
                     Policy(PolicyDocument=PolicyDocument(
                         Version='2012-10-17',
                         Statement=[
                             Statement(Effect=Allow,
                                       Action=[
                                           CreateLogGroup, CreateLogStream,
                                           PutLogEvents
                                       ],
                                       Resource=[
                                           Join(':', [
                                               'arn:aws:logs',
                                               Ref('AWS::Region'),
                                               Ref('AWS::AccountId'),
                                               'log-group', '/aws/lambda/*'
                                           ])
                                       ]),
                             Statement(
                                 Effect=Allow,
                                 Action=[PutPermission, RemovePermission],
                                 Resource=[
                                     Join(':', [
                                         'arn:aws:events',
                                         Ref('AWS::Region'),
                                         Ref('AWS::AccountId'),
                                         'event-bus/default'
                                     ])
                                 ]),
                             Statement(
                                 Effect=Allow,
                                 Action=[GetParameters, PutParameter],
                                 Resource=[
                                     Join(':', [
                                         'arn:aws:ssm',
                                         Ref('AWS::Region'),
                                         Ref('AWS::AccountId'), 'parameter/*'
                                     ])
                                 ])
                         ]),
                            PolicyName='Custom_Limtr_Helper_Permissions')
                 ]))
        """Create the Lambda Function for the Limtr Helper."""

        limtr_helper = template.add_resource(
            Function(
                'LimtrHelperFunction',
                Description=
                'This function generates UUID, establishes cross account trust '
                'on CloudWatch Event Bus and sends anonymous metric',
                Handler='index.handler',
                Environment=Environment(Variables={'LOG_LEVEL': 'ERROR'}),
                Code=Code(S3Bucket=Join(
                    '-', [s3_bucket, Ref('AWS::Region')]),
                          S3Key=Join('/',
                                     [s3_key, 'limtr-helper-service.zip'])),
                Role=GetAtt(limtr_helper_role, 'Arn'),
                Runtime='nodejs8.10',
                Timeout=300,
                DependsOn=[limtr_helper_role]))
        """Create the Custom Resource UUID."""

        create_uuid = template.add_resource(
            CustomUUID('CreateUUID', ServiceToken=GetAtt(limtr_helper, 'Arn')))
        """Create the Custom Resource DeploymentData."""

        template.add_resource(
            CustomDeploymentData('DeploymentData',
                                 ServiceToken=GetAtt(limtr_helper, 'Arn'),
                                 SOLUTION='SO0005',
                                 UUID=Ref(create_uuid),
                                 VERSION='v5.1.1',
                                 ANONYMOUS_DATA=FindInMap(
                                     'MetricsMap', 'Send-Data',
                                     'SendAnonymousData')))
        """Output for Service Checks."""

        template.add_output(
            Output('ServiceChecks',
                   Description='Service limits monitored in the account',
                   Value=str(service_item[:-1])))
Beispiel #18
0
        Timeout=30,
    ))

chaos_lambda_rule = t.add_resource(
    Rule("ChaosLambdaRule",
         Description="Trigger Chaos Lambda according to a schedule",
         State="ENABLED",
         ScheduleExpression=Ref(chaos_schedule),
         Targets=[
             Target(Arn=GetAtt(lambda_function, "Arn"),
                    Id="ChaosLambdaRuleTarget")
         ]))
t.add_resource(
    Permission("ChaosLambdaRulePermission",
               FunctionName=GetAtt(lambda_function, "Arn"),
               SourceArn=GetAtt(chaos_lambda_rule, "Arn"),
               Principal="events.amazonaws.com",
               Action="lambda:InvokeFunction"))

t.add_output(
    Output("ChaosLambdaFunctionOutput",
           Value=Ref(lambda_function),
           Description="The Chaos Lambda Function"))
t.add_output(
    Output("ChaosLambdaRuleOutput",
           Value=Ref(chaos_lambda_rule),
           Description="Rule used to trigger the Chaos Lambda"))

template = t.to_json()
if len(sys.argv) > 1:
    open(sys.argv[1], "w").write(template + "\n")
Beispiel #19
0
    def __init__(self,
                 utils,
                 templatePath='./cloudformation/stage.json',
                 description='API Gateway Stage Template for {App}-{Stage}',
                 version='2010-09-09'):
        super(self.__class__, self).__init__()

        self.utils = utils
        self.templatePath = templatePath
        appName = self.utils.config['App']
        stageName = self.utils.config['Stage']
        tags = self.utils.config['Tags']

        self.add_version(version)
        self.add_description(description.format(App=appName, Stage=stageName))

        ####################
        # Lambda Functions #
        ####################

        self.lambdaFunctions = []
        self.lambdaFunctionRoles = []

        for functionId in self.utils.config['LambdaFunctions'].keys():
            f = self.utils.config['LambdaFunctions'][functionId]

            functionName = '{App}Stage{FunctionId}Function{Stage}'.format(
                App=appName, FunctionId=functionId, Stage=stageName)
            policyName = '{App}Stage{FunctionId}FunctionPolicy{Stage}'.format(
                App=appName, FunctionId=functionId, Stage=stageName)
            roleName = '{App}Stage{FunctionId}FunctionRole{Stage}'.format(
                App=appName, FunctionId=functionId, Stage=stageName)

            functionSubParams = {
                'FunctionName': functionName,
                'Api': ImportValue('{App}Api'.format(App=appName)),
                'Stage': stageName.lower(),
            }

            #################
            # Function Role #
            #################

            with open(
                    './lambda/policies/{FunctionId}.json'.format(
                        FunctionId=functionId), 'r') as functionPolicyJson:
                functionPolicyDocument = functionPolicyJson.read()

            functionPolicy = Policy(
                policyName,
                PolicyName=policyName,
                PolicyDocument=Sub(functionPolicyDocument,
                                   **functionSubParams),
            )

            functionRole = self.add_resource(
                Role(
                    roleName,
                    AssumeRolePolicyDocument=PolicyDocument(Statement=[
                        Statement(
                            Effect=Allow,
                            Action=[AssumeRole],
                            Principal=Principal('Service', [
                                'lambda.amazonaws.com',
                            ]),
                        )
                    ], ),
                    Path='/service-role/{App}/{Stage}/'.format(
                        App=appName, Stage=stageName),
                    Policies=[functionPolicy],
                    RoleName=roleName,
                ))

            lambdaFunction = self.add_resource(
                Function(
                    functionName,
                    Code=path.abspath(f['LocalCode']),
                    Description='API Proxy Function for Stage: {App}-{Stage}'.
                    format(App=appName, Stage=stageName),
                    FunctionName=functionName,
                    Handler=f['Handler'],
                    MemorySize=f['Memory'],
                    Role=GetAtt(functionRole, 'Arn'),
                    Runtime=f['Runtime'],
                    Timeout=f['Timeout'],
                    Tags=Tags(tags),
                ))

            lambdaEnvironment = {
                'APP_NAME': appName,
                'STAGE_NAME': stageName,
            }

            if f['Environment'] != None:
                lambdaEnvironment.update(f['Environment'])

            lambdaFunction.Environment = Environment(
                Variables=lambdaEnvironment, )

            if f['KmsKeyArn'] != None:
                lambdaFunction.KmsKeyArn = f['KmsKeyArn']

            if f['Vpc'] != None:
                lambdaFunction.VpcConfig = VpcConfig(
                    SecurityGroupIds=f['Vpc']['SecurityGroupIds'],
                    SubnetIds=f['Vpc']['SubnetIds'],
                )

            if f['Tracing'] != None:
                lambdaFunction.TracingConfig = TracingConfig(
                    Mode=f['Tracing'], )

            self.lambdaFunctions.append(lambdaFunction)
            self.lambdaFunctionRoles.append(functionRole)

        ##################
        # Lambda Proxies #
        ##################

        self.proxyResources = []
        self.proxyMethods = []
        self.proxyMethodTitles = []
        self.proxyPermissions = []

        for resourceName in self.utils.config['LambdaProxies'].keys():
            resource = self.utils.config['LambdaProxies'][resourceName]
            resourcePath = resource['Path'].strip()
            functionName = '{App}Stage{FunctionName}Function{Stage}'.format(
                App=appName,
                FunctionName=resource['Function'],
                Stage=stageName)

            resourceSubParams = {
                'FunctionName': functionName,
                'Api': ImportValue('{App}Api'.format(App=appName)),
                'Stage': stageName.lower(),
            }

            if resourcePath == '':
                proxyParent = ImportValue('{App}ApiRoot'.format(App=appName))
                resourceSubParams['ResourcePath'] = '*'

            else:
                resourceSubParams['ResourcePath'] = resourcePath + '/*'

                #################
                # Path Resource #
                #################

                pathResource = self.add_resource(
                    Resource(
                        '{App}Stage{ResourceName}PathResource{Stage}'.format(
                            App=appName,
                            ResourceName=resourceName,
                            Stage=stageName),
                        ParentId=ImportValue(
                            '{App}ApiRoot'.format(App=appName)),
                        PathPart=resource['Path'],
                        RestApiId=ImportValue('{App}Api'.format(App=appName)),
                    ))

                self.proxyResources.append(pathResource)
                proxyParent = Ref(pathResource)

            ###############
            # Path Method #
            ###############

            pathMethod = self.add_resource(
                self.generate_proxy_method(
                    '{App}Stage{ResourceName}PathMethod{Stage}'.format(
                        App=appName,
                        ResourceName=resourceName,
                        Stage=stageName),
                    resource['Auth'],
                    resourceSubParams,
                    proxyParent,
                    ImportValue('{App}Api'.format(App=appName)),
                ))

            self.proxyMethods.append(pathMethod)
            self.proxyMethodTitles.append(pathMethod.title)

            ##################
            # Proxy Resource #
            ##################

            proxyResource = self.add_resource(
                Resource(
                    '{App}Stage{ResourceName}ProxyResource{Stage}'.format(
                        App=appName,
                        ResourceName=resourceName,
                        Stage=stageName),
                    ParentId=proxyParent,
                    PathPart='{proxy+}',
                    RestApiId=ImportValue('{App}Api'.format(App=appName)),
                ))

            self.proxyResources.append(proxyResource)

            ################
            # Proxy Method #
            ################

            proxyMethod = self.add_resource(
                self.generate_proxy_method(
                    '{App}Stage{ResourceName}ProxyMethod{Stage}'.format(
                        App=appName,
                        ResourceName=resourceName,
                        Stage=stageName),
                    resource['Auth'],
                    resourceSubParams,
                    Ref(proxyResource),
                    ImportValue('{App}Api'.format(App=appName)),
                ))

            self.proxyMethods.append(proxyMethod)
            self.proxyMethodTitles.append(proxyMethod.title)

            ####################
            # Proxy Permission #
            ####################

            proxyPermission = self.add_resource(
                Permission(
                    '{App}Stage{ResourceName}Permission{Stage}'.format(
                        App=appName,
                        ResourceName=resourceName,
                        Stage=stageName),
                    Action='lambda:InvokeFunction',
                    FunctionName=functionName,
                    Principal='apigateway.amazonaws.com',
                    SourceArn=Sub(
                        'arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${Api}/${Stage}/*/${ResourcePath}',
                        **resourceSubParams),
                    DependsOn=[functionName],
                ))

            self.proxyPermissions.append(proxyPermission)

        #################
        # RestApi Stage #
        #################

        hashComponents = [self.proxyResources, self.proxyMethods]
        deploymentHash = md5(pickle.dumps(hashComponents)).hexdigest()

        self.deployment = self.add_resource(
            Deployment(
                '{App}StageDeployment{Stage}{Hash}'.format(
                    App=appName, Stage=stageName, Hash=deploymentHash),
                Description='Deployment for {App} {Stage} Stage'.format(
                    App=appName, Stage=stageName),
                RestApiId=ImportValue('{App}Api'.format(App=appName)),
                DependsOn=self.proxyMethodTitles,
            ))

        self.prodStage = self.add_resource(
            Stage(
                '{App}Stage'.format(App=appName),
                DeploymentId=Ref(self.deployment),
                Description='Stage for {App} {Stage} Stage.'.format(
                    App=appName, Stage=stageName, Run=self.utils.run_time),
                MethodSettings=[
                    MethodSetting(
                        DataTraceEnabled=True,
                        HttpMethod='*',
                        LoggingLevel='INFO',
                        ResourcePath='/*',
                        #MetricsEnabled=True,
                    ),
                ],
                RestApiId=ImportValue('{App}Api'.format(App=appName)),
                StageName=stageName.lower(),
            ))

        ##################
        # Write Template #
        ##################

        with open(templatePath, 'w') as templateFile:
            templateFile.write(self.to_json())
Beispiel #20
0
def create_aurora_template(region, account_id):
    template = Template()
    template.set_transform('AWS::Serverless-2016-10-31')

    api_name = template.add_parameter(parameter=Parameter(
        title='ApiName',
        Default='sample-api',
        Type='String',
    ))

    function_name = template.add_parameter(parameter=Parameter(
        title='FunctionName',
        Default='sample-lambda-function',
        Type='String',
    ))

    # swagger_path = template.add_parameter(
    #     parameter=Parameter(
    #         title='SwaggerPath',
    #         Default='./swagger.yml',
    #         Type='String',
    #     )
    # )

    stage_name = template.add_parameter(parameter=Parameter(
        title='StageName',
        Default='prod',
        Type='String',
    ))

    api = template.add_resource(resource=Api(
        title='SampleApi',
        Name=Ref(api_name),
        # DefinitionUri=Ref(swagger_path),
        DefinitionUri='./swagger.yml',
        StageName=Ref(stage_name),
    ))

    path = '/sample/'
    method = 'get'
    function = template.add_resource(
        resource=Function(title='SampleLambdaFunction',
                          AutoPublishAlias='sample',
                          CodeUri='.',
                          FunctionName=Ref(function_name),
                          Handler='lambda_function.lambda_handler',
                          Role=ImportValue('sample-lambda-service-role-arn'),
                          Runtime='python3.7',
                          Events={
                              'ApiTrigger': {
                                  'Type': 'Api',
                                  'Properties': {
                                      'Path': path,
                                      'Method': method,
                                      'RestApiId': Ref(api)
                                  }
                              }
                          }))

    template.add_resource(
        resource=Permission(title='SampleLambdaFunctionPermission',
                            Action='lambda:InvokeFunction',
                            FunctionName=Ref(function),
                            Principal='apigateway.amazonaws.com'))

    with open('swagger_template.yml') as f:
        swagger_yaml = f.read()

    uri = URI.replace('{region}', region).replace('{account_id}', account_id) \
        .replace('{function_name}', function_name.Default)  # TODO:
    swagger = swagger_yaml.replace('{path}',
                                   path).replace('{method}',
                                                 method).replace('{uri}', uri)

    with open('./api.yml', mode='w') as file:
        file.write(template.to_yaml())

    with open('./swagger.yml', mode='w') as file:
        file.write(swagger)
Beispiel #21
0
                Credentials=GetAtt("CrimeDataExecutionRole", "Arn"),
                Type="AWS_PROXY",
                IntegrationHttpMethod='POST',
                Uri=Join("", [
                    "arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/",
                    GetAtt("CrimeDataAPIFunction", "Arn"), "/invocations"
                ])),
        ))

# Allow the gateway to invoke Lambda
permission = t.add_resource(
    Permission("CrimeDataAPILambdaPermission",
               Action="lambda:InvokeFunction",
               FunctionName=GetAtt("CrimeDataAPIFunction", "Arn"),
               Principal="apigateway.amazonaws.com",
               SourceArn=Join("", [
                   "arn:aws:execute-api:",
                   Ref("AWS::Region"), ":",
                   Ref("AWS::AccountId"), ":",
                   Ref(rest_api), "/*/GET/CrimeData"
               ])))

# Create a deployment
stage_name = 'v1'

deployment = t.add_resource(
    Deployment(
        "%sDeployment" % stage_name,
        DependsOn=[
            "CrimeDataAPIMethod" + methods[0],
            "CrimeDataAPIMethod" + methods[1]
        ],
        Uri=Join("", [
            "arn:aws:apigateway:" + args.region + ":lambda:path/2015-03-31/functions/",
            GetAtt("Lambda", "Arn"),
            "/invocations"
        ])
    ),
))

# allow the API Gateway to invoke Lambda
permission = t.add_resource(Permission(
    "Permission",
    Action="lambda:InvokeFunction",
    FunctionName=GetAtt("Lambda", "Arn"),
    Principal="apigateway.amazonaws.com",
    SourceArn=Join("", [
        "arn:aws:execute-api:" + args.region + ":",
        Ref("AWS::AccountId"),
        ":",
        Ref(rest_api),
        "/*/POST/convert"
    ])
))

#
# Deploy API Gateway
#

stage_name = 'dev'

deployment = t.add_resource(Deployment(
    "Deployment",
Beispiel #23
0
             Handler='index.lambda_handler',
             MemorySize=128,
             Role=GetAtt(lambda_role, 'Arn'),
             Runtime='python2.7',
             Timeout=10))

cloudtrail_topic = t.add_resource(
    Topic("CloudtrailTopic",
          Subscription=[
              Subscription(Endpoint=GetAtt(function, "Arn"), Protocol="lambda")
          ]))

lambda_permission = t.add_resource(
    Permission("LambdaPermission",
               Action="lambda:InvokeFunction",
               FunctionName=Ref(function),
               Principal="sns.amazonaws.com",
               SourceAccount=Ref("AWS::AccountId"),
               SourceArn=Ref(cloudtrail_topic)))

t.add_resource(
    TopicPolicy("CloudtrailTopicPolicy",
                Topics=[Ref(cloudtrail_topic)],
                PolicyDocument=Policy(Statement=[
                    Statement(Sid="AWSCloudTrailSNSPolicy",
                              Effect=Allow,
                              Principal=Principal(
                                  "Service", ["cloudtrail.amazonaws.com"]),
                              Action=[Action("sns", "publish")],
                              Resource=[Ref(cloudtrail_topic)])
                ])))
Beispiel #24
0
def add_lambda_function(resources, outputs, s3bucket, s3key):
    resources.append(
        Role(
            "LambdaConfigRulesRole",
            Path="/",
            Policies=[Policy(
                PolicyName="ReadOnlyForPerformingEvaluations",
                PolicyDocument={
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Action": [
                            "acm:DescribeCertificate", "acm:GetCertificate", "acm:ListCertificates",
                            "autoscaling:Describe*",
                            "cloudformation:Describe*", "cloudformation:Get*", "cloudformation:List*",
                            "cloudfront:Get*", "cloudfront:List*",
                            "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "cloudtrail:LookupEvents", "cloudtrail:ListTags", "cloudtrail:ListPublicKeys",
                            "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
                            "config:Deliver*", "config:Describe*", "config:Get*",
                            "dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:ListTables", "dynamodb:Query", "dynamodb:Scan",
                            "ec2:Describe*", "ec2:GetConsoleOutput",
                            "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:GetManifest", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:BatchGetImage",
                            "ecs:Describe*", "ecs:List*",
                            "elasticache:Describe*", "elasticache:List*",
                            "elasticloadbalancing:Describe*",
                            "elasticmapreduce:Describe*", "elasticmapreduce:List*",
                            "es:DescribeElasticsearchDomain", "es:DescribeElasticsearchDomains", "es:DescribeElasticsearchDomainConfig", "es:ListDomainNames", "es:ListTags", "es:ESHttpGet", "es:ESHttpHead",
                            "events:DescribeRule", "events:ListRuleNamesByTarget", "events:ListRules", "events:ListTargetsByRule", "events:TestEventPattern",
                            "firehose:Describe*", "firehose:List*",
                            "iam:GenerateCredentialReport", "iam:Get*", "iam:List*",
                            "inspector:Describe*", "inspector:Get*", "inspector:List*", "inspector:LocalizeText", "inspector:PreviewAgentsForResourceGroup",
                            "kinesis:Describe*", "kinesis:Get*", "kinesis:List*",
                            "kms:Describe*", "kms:Get*", "kms:List*",
                            "lambda:List*", "lambda:Get*",
                            "logs:Describe*", "logs:Get*", "logs:TestMetricFilter",
                            "rds:Describe*", "rds:ListTagsForResource",
                            "redshift:Describe*", "redshift:ViewQueriesInConsole",
                            "s3:Get*", "s3:List*",
                            "ses:Get*", "ses:List*",
                            "sns:Get*", "sns:List*",
                            "sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ReceiveMessage",
                            "tag:Get*",
                            "trustedadvisor:Describe*"
                          ],
                        "Resource": "*",
                        "Effect": "Allow"
                    }]
                }), Policy(
                PolicyName="CloudWatchLogs-FullAccess",
                PolicyDocument={
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Action": ["logs:*"],
                        "Resource": "arn:aws:logs:*:*:*",
                        "Effect": "Allow"
                    }]
                }), Policy(
                PolicyName="AwsConfigRules-PutEvaluations",
                PolicyDocument={
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Action": ["config:Put*"],
                        "Resource": "*",
                        "Effect": "Allow"
                    }]
                })],
            AssumeRolePolicyDocument={"Version": "2012-10-17", "Statement": [ {"Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"Service": ["lambda.amazonaws.com"]}}]},
        )
    )
    resources.append(
        Function(
            "LambdaConfigRulesFunction",
            Code=Code( S3Bucket=s3bucket, S3Key='%s/cf-cis-benchmarks-lambda-source.zip' % (s3key) ),
            Handler="index.handler",
            Role=GetAtt("LambdaConfigRulesRole", "Arn"),
            Runtime="nodejs6.10",
            Timeout=10
        )
    )
    resources.append(
        Permission(
            "LambdaConfigRulesPermission",
            DependsOn="LambdaConfigRulesFunction",
            Action="lambda:InvokeFunction",
            FunctionName=GetAtt("LambdaConfigRulesFunction", "Arn"),
            Principal="config.amazonaws.com",
            SourceAccount=Ref("AWS::AccountId")
        )
    )
    outputs.append(
        Output(
            "LambdaConfigRulesFunctionArn",
            Value=GetAtt("LambdaConfigRulesFunction", "Arn"),
            Description="Amazon resource identifier or ARN for the Lambda Function."
        )
    )
    return resources, outputs
Beispiel #25
0
print('  adding sns')

finish_sns = t.add_resource(Topic(
    "HyP3FinishEventSNSTopic",
    Subscription=[
        Subscription(
            Protocol="lambda",
            Endpoint=GetAtt(send_email, "Arn")
        )
    ]
))

sns_invoke_permissions = t.add_resource(Permission(
    "SNSSchedulerInvokePermissions",
    Action="lambda:InvokeFunction",
    Principal="sns.amazonaws.com",
    SourceArn=Ref(finish_sns),
    FunctionName=GetAtt(send_email, "Arn")
))

ssm_sns_arn = t.add_resource(Parameter(
    "HyP3SSMParameterFinishEventSNSArn",
    Name=Sub(
        "/${StackName}/FinishEventSNSArn",
        StackName=Ref("AWS::StackName")
    ),
    Type="String",
    Value=Ref(finish_sns)
))
Beispiel #26
0
def create_template():
    t = Template(Description="Infrastructure for routezero")
    api_key = t.add_parameter(Parameter("ZerotierApiKey", Type="String", NoEcho=True))
    network_id = t.add_parameter(Parameter("ZerotierNetworkId", Type="String"))
    role = t.add_resource(
        Role(
            "Role",
            AssumeRolePolicyDocument=get_lambda_assumerole_policy(),
            Policies=[
                Policy(
                    PolicyName="cloudformation-route53-update",
                    PolicyDocument=PolicyDocument(
                        Statement=[
                            Statement(
                                Effect=Allow,
                                Action=[
                                    cloudformation.Action("*"),
                                    route53.Action("*"),
                                ],
                                Resource=["*"],
                            )
                        ]
                    ),
                )
            ],
            ManagedPolicyArns=[
                "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
            ],
        )
    )
    function = t.add_resource(
        CLIFunction(
            "Function",
            MemorySize=256,
            Timeout=60 * 15,
            Handler=".".join([routezero.__name__, routezero.handler.__name__]),
            Runtime="python3.6",
            Code=create_bundle(),
            Role=GetAtt(role, "Arn"),
            Environment=Environment(
                Variables={
                    "ZEROTIER_API_KEY": Ref(api_key),
                    "ZEROTIER_NETWORK_ID": Ref(network_id),
                    "ROUTE53_RECORD_STACK_NAME": Sub("${AWS::StackName}Records"),
                }
            ),
        )
    )
    log_group = t.add_resource(
        LogGroup(
            "LogGroup", LogGroupName=Sub("/aws/lambda/${Function}"), RetentionInDays=30
        )
    )
    permission = t.add_resource(
        Permission(
            "Permission",
            FunctionName=GetAtt(function, "Arn"),
            Principal="events.amazonaws.com",
            Action="lambda:InvokeFunction",
            SourceArn=Sub(
                "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/*"
            ),
            DependsOn=[log_group],
        )
    )
    rule = t.add_resource(
        Rule(
            "Rule",
            ScheduleExpression="rate(15 minutes)",
            Targets=[Target(Id=Ref(function), Arn=GetAtt(function, "Arn"))],
            DependsOn=[permission],
        )
    )
    return t
        "Timeout": 60
    }
))

custom_metric_target = Target(
    "CustomMetricTarget",
    Arn=GetAtt(custom_metric, 'Arn'),
    Id="CustomMetricFunction1",
    Input=Sub(
        '{"QueueUrl":"${QueueUrl}","AutoScalingGroupName":"${AGName}","MetricName":"${MetricName}"}',
        QueueUrl=Ref(start_events),
        AGName=Ref(processing_group),
        MetricName=custom_metric_name
    )
)

custom_metric_rule = t.add_resource(Rule(
    "CustomMetricSchedule",
    ScheduleExpression="rate(1 minute)",
    State="ENABLED",
    Targets=[custom_metric_target]
))

PermissionForEventsToInvokeLambda = t.add_resource(Permission(
    "EventScheduleCustomMetricPermissions",
    FunctionName=Ref(custom_metric),
    Action="lambda:InvokeFunction",
    Principal="events.amazonaws.com",
    SourceArn=GetAtt(custom_metric_rule, "Arn")
))
                                    "SendToDiscord":
                                    Ref("SendToDiscord"),
                                    "SNSTopic":
                                    Join("", [
                                        "arn:aws:sns:",
                                        Ref("AWS::Region"), ":",
                                        Ref("AWS::AccountId"), ":",
                                        GetAtt("Civ6NotifTopic", "TopicName")
                                    ]),
                                    "DiscordWebhookURL":
                                    Ref("DiscordWebhookURL")
                                }))

Civ6Notif_LambdaPermission = Permission("Civ6LambdaPermission",
                                        Action="lambda:InvokeFunction",
                                        Principal="apigateway.amazonaws.com",
                                        FunctionName=GetAtt(
                                            "Civ6NotifFunction", "Arn"))

Civ6Notif_GW_Resource = Resource(
    "Civ6NotifResource",
    RestApiId=Ref(Civ6Notif_GW),
    PathPart="civ6",
    ParentId=GetAtt("Civ6NotifGW", "RootResourceId"),
)

Civ6Notif_PostMethod = Method(
    "Civ6NotifPostMethod",
    DependsOn='Civ6NotifFunction',
    RestApiId=Ref(Civ6Notif_GW),
    AuthorizationType="NONE",
Beispiel #29
0
snsTopic = t.add_resource(Topic(
    "snsTopic",
    DisplayName="GDACK",
    TopicName="GDACK",
    Subscription=[
        Subscription(
            Endpoint=GetAtt(lambdaFunction, "Arn"),
            Protocol="lambda"
        )
    ]
))

ApiPermission = t.add_resource(Permission(
    "ApiPermission",
    FunctionName=Ref(lambdaFunction),
    Action="lambda:InvokeFunction",
    Principal="apigateway.amazonaws.com",
    SourceArn=Join("", ["arn:aws:execute-api:us-west-2:", Ref("AWS::AccountId"), ":", Ref(restApi), "/*/*/*"])
))

# Output

WebhookUrl = t.add_output(Output(
    "WebhookUrl",
    Description="URL for Slack Endpoint",
    Value=Join("", [Ref(restApi), ".execute-api.", Ref("AWS::Region"), ".amazonaws.com/", stageName, "/slack"])
))

j = t.to_json()

with open('gdack.template', 'w') as fd:
                ],
            )
        ])))

t.add_resource(
    EventSourceMapping("FunctionEventSourceMapping",
                       EventSourceArn=GetAtt("JsonNotificationReceiveQueue",
                                             "Arn"),
                       FunctionName=Ref("LambdaFunction"),
                       BatchSize=1))

t.add_resource(
    Permission("InvokeLambdaPermission",
               FunctionName=Join(
                   ':', [GetAtt("LambdaFunction", "Arn"),
                         Ref("LambdaEnv")]),
               Action="lambda:InvokeFunction",
               SourceArn=GetAtt("JsonNotificationReceiveQueue", "Arn"),
               Principal="sqs.amazonaws.com"))

t.add_resource(
    Alias("GalileoBabelLambdaAlias",
          Description="Alias for the galileo babel lambda",
          FunctionName=Ref("LambdaFunction"),
          FunctionVersion="$LATEST",
          Name=Ref("LambdaEnv")))

t.add_resource(
    Queue("JsonNotificationReceiveQueue",
          QueueName=Sub("${LambdaEnv}-json-notification-inbound-queue"),
          RedrivePolicy=RedrivePolicy(deadLetterTargetArn=GetAtt(