def patch_cloudwatch_resource(resource_type_name, property_name):
    """
    Replace the name of every resource of one Terraform type with its
    qualified resource name.

    Currently, Chalice fails to prefix the names of some resources. They need
    to be prefixed with `azul-` so that the scope of certain IAM permissions
    for Gitlab can be limited and, more importantly, they need to carry the
    deployment stage so these resources are segregated by deployment.

    :param resource_type_name: key under ``input_json['resource']`` whose
                               resources are patched in place

    :param property_name: the property of each resource that holds the name
    """
    resources = input_json['resource'][resource_type_name]
    for resource in resources.values():
        # Split at the first dash only, so the one accepted shape is
        # `<function>-event` with no dash inside `<function>`.
        stem, _, tail = resource[property_name].partition('-')
        # NOTE(review): these checks are `assert` statements and are skipped
        # when Python runs with -O. Without them, a name of any other shape
        # would be rewritten from its first dash-separated segment instead of
        # aborting the run.
        assert tail == 'event', tail
        assert stem, stem
        qualified_name = config.qualified_resource_name(stem)
        resource[property_name] = qualified_name
def manage_lambdas(self, enabled: bool):
    """
    Call :meth:`manage_lambda` for every listed Lambda function whose name
    starts with one of the qualified names built from
    ``config.lambda_names()``.

    :param enabled: passed through unchanged to :meth:`manage_lambda`
    """
    paginator = self._lambda.get_paginator('list_functions')
    prefixes = []
    for infix in config.lambda_names():
        prefixes.append(config.qualified_resource_name(infix))
    # An empty prefix would match every function in the listing.
    # NOTE(review): this guard is an `assert` and is skipped under -O.
    assert all(prefixes)
    # NOTE(review): MaxItems is passed as an operation argument rather than
    # through PaginationConfig; confirm it is not meant to cap the total
    # number of functions visited.
    pages = paginator.paginate(FunctionVersion='ALL', MaxItems=500)
    for page in pages:
        names = [entry['FunctionName'] for entry in page['Functions']]
        for name in names:
            # NOTE(review): this is a plain prefix match. If one qualified
            # name is itself a prefix of a name belonging to a different
            # deployment, that deployment's functions are selected too.
            # Confirm against the format config.qualified_resource_name()
            # produces.
            if not any(name.startswith(prefix) for prefix in prefixes):
                continue
            self.manage_lambda(name, enabled)
def _tags(resource_name: str, **overrides: str) -> Dict[str, str]:
    """
    Build the tag dictionary for a cloud resource from :class:`azul.Config`.

    :param resource_name: The Terraform name of the resource.

    :param overrides: Additional tags. A tag given here replaces the default
                      of the same name.

    >>> from azul.doctests import assert_json
    >>> assert_json(_tags('service')) #doctest: +ELLIPSIS
    {
        "project": "dcp",
        "service": "azul",
        "deployment": "...",
        "owner": ...,
        "name": "azul-service-...",
        "component": "azul-service"
    }

    >>> from azul.doctests import assert_json
    >>> assert_json(_tags('service', project='foo')) #doctest: +ELLIPSIS
    {
        "project": "foo",
        "service": "azul",
        "deployment": "...",
        "owner": ...,
        "name": "azul-service-...",
        "component": "azul-service"
    }
    """
    tags = dict(
        project='dcp',
        service=config.resource_prefix,
        deployment=config.deployment_stage,
        owner=config.owner,
        name=config.qualified_resource_name(resource_name),
        component=f'{config.resource_prefix}-{resource_name}',
    )
    # Overrides are applied last, so a caller can replace any default,
    # including `deployment` and `owner`.
    # NOTE(review): if these tags feed access-control conditions or cost
    # allocation, check the callers that pass overrides.
    tags.update(overrides)
    return tags
"name": "${aws_api_gateway_domain_name.%s_%i.cloudfront_domain_name}" % (lambda_.name, i), "zone_id": "${aws_api_gateway_domain_name.%s_%i.cloudfront_zone_id}" % (lambda_.name, i), "evaluate_target_health": True, } } for i, domain in enumerate(lambda_.domains) } }, **({ "aws_cloudwatch_log_group": { lambda_.name: { "name": "/aws/apigateway/" + config.qualified_resource_name(lambda_.name), "retention_in_days": 1827, "provisioner": { "local-exec": { "command": ' '.join( map(shlex.quote, [ "python", config.project_root + "/scripts/log_api_gateway.py", "${module.chalice_%s.rest_api_id}" % lambda_.name, config.deployment_stage, "${aws_cloudwatch_log_group.%s.arn}" % lambda_.name ])) } } } }
"name": "${aws_api_gateway_domain_name.%s_%i.cloudfront_domain_name}" % (lambda_.name, i), "zone_id": "${aws_api_gateway_domain_name.%s_%i.cloudfront_zone_id}" % (lambda_.name, i), "evaluate_target_health": True, } } for i, domain in enumerate(lambda_.domains) } }, "aws_cloudwatch_log_group": { lambda_.name: { "name": "/aws/apigateway/" + config.qualified_resource_name(lambda_.name), "retention_in_days": 1827, } }, "null_resource": { f'{lambda_.name}_log_group_provisioner': { "triggers": { "file_sha1": file_sha1(config.project_root + "/scripts/log_api_gateway.py"), "log_group_id": f"${{aws_cloudwatch_log_group.{lambda_.name}.id}}" }, # FIXME: Use Terraform to configure API Gateway access logs # https://github.com/DataBiosphere/azul/issues/3412
from azul import (
    config,
)
from azul.chalice import AzulChaliceApp

# This whole file only exists so that we can use Chalice to create the layer
# package and is removed from the final result.
# NOTE(review): nothing in this file enforces that removal; it depends on the
# packaging step that consumes this app. Confirm that step drops the file.
app = AzulChaliceApp(app_name=config.qualified_resource_name('dependencies'),
                     unit_test=False)


# Placeholder route: the handler body is empty and no authorizer is declared
# on it here.
# NOTE(review): presumably present only so Chalice has a handler to package;
# confirm. This app is not meant to be deployed as is.
@app.route('/')
def foo():
    pass
}], "Default": "WriteBatch" }, "SuccessState": { "Type": "Succeed" } } emit_tf({ "resource": { "aws_iam_role": { "states": { "name": config.qualified_resource_name("statemachine"), "assume_role_policy": json.dumps({ "Version": "2012-10-17", "Statement": [{ "Sid": "", "Effect": "Allow", "Principal": { "Service": "states.amazonaws.com" }, "Action": "sts:AssumeRole" }] }), **aws.permissions_boundary_tf }
from azul import config
from azul.template import emit

# Settings handed to `emit` for the Chalice app named after the qualified
# `dependencies` resource.
# NOTE(review): `manage_iam_role` is off and no role is named here, so any
# IAM role this app might need must come from somewhere else. Confirm that
# none is needed.
emit(dict(
    version="2.0",
    app_name=config.qualified_resource_name("dependencies"),
    api_gateway_stage=config.deployment_stage,
    manage_iam_role=False,
    lambda_memory_size=128,
))