def apigw_authorizer_lbd_permission_aws_object(
self) -> awslambda.Permission:
if self._apigw_authorizer_lbd_permission_aws_object_cache is NOTHING:
apigw_authorizer_lbd_permission_logic_id = "LbdPermission{}".format(
self.apigw_authorizer_logic_id)
apigw_authorizer_lbd_permission = awslambda.Permission(
title=apigw_authorizer_lbd_permission_logic_id,
Action="lambda:InvokeFunction",
FunctionName=GetAtt(self.lbd_func_aws_object, "Arn"),
Principal="apigateway.amazonaws.com",
SourceArn=Sub(
"arn:aws:execute-api:${Region}:${AccountId}:${RestApiId}/authorizers/${AuthorizerId}",
{
"Region": {
"Ref": "AWS::Region"
},
"AccountId": {
"Ref": "AWS::AccountId"
},
"RestApiId": Ref(self.apigw_restapi),
"AuthorizerId": Ref(self.apigw_authorizer_aws_object),
}),
DependsOn=[
self.apigw_authorizer_aws_object,
self.lbd_func_aws_object,
])
self._apigw_authorizer_lbd_permission_aws_object_cache = apigw_authorizer_lbd_permission
return self._apigw_authorizer_lbd_permission_aws_object_cache
def associate(self,
lbd_permission,
lbd_func,
api_method,
**kwargs):
lbd_permission.FunctionName = GetAtt(lbd_func, "Arn")
lbd_permission.Action = "lambda:InvokeFunction"
lbd_permission.Principal = "apigateway.amazonaws.com"
try:
lbd_permission.SourceArn = Sub(
"arn:aws:execute-api:${Region}:${AccountId}:${RestApiId}/*/${HttpMethod}/${ResourcePath}",
{
"Region": {"Ref": "AWS::Region"},
"AccountId": {"Ref": "AWS::AccountId"},
"RestApiId": Ref(api_method.RestApiId),
"HttpMethod": api_method.HttpMethod,
"ResourcePath": api_method.Metadata[TROPOSPHERE_METADATA_FIELD_NAME][
ResourceLevelField.ApiResource.FULL_PATH]
}
)
except:
pass
x_depends_on_y(lbd_permission, lbd_func)
x_depends_on_y(lbd_permission, api_method)
def s3_event_bucket_name_for_cf(self) -> typing.Union[str, Sub]:
"""
``s3.Bucket.BucketName`` field value. ``AWS::AccountId`` is included as
prefix.
:rtype: Sub
**中文文档**
生成存储桶的名称. 由于存储桶的名字是全球唯一的, 并且不分 Region, 所以需要加上
AWS Account Id 作为名字的前缀, 以避免冲突.
"""
if self.s3_event_bucket_basename is NOTHING:
raise TypeError
if isinstance(self.s3_event_bucket_basename, str):
return Sub(
"${AccountId}-${EnvName}-${BucketBasename}",
{
"AccountId": Ref(AWS_ACCOUNT_ID),
"EnvName": Ref(self.param_env_name),
"BucketBasename": self.s3_event_bucket_basename,
},
)
else:
raise TypeError
def associate(self,
lbd_permission,
lbd_func,
api_authorizer,
rest_api,
authorizer_type_is_token=True,
token_authorizer_header="auth",
**kwargs):
lbd_permission.FunctionName = GetAtt(lbd_func, "Arn")
lbd_permission.Action = "lambda:InvokeFunction"
lbd_permission.Principal = "apigateway.amazonaws.com"
lbd_permission.SourceArn = Sub(
"arn:aws:execute-api:${Region}:${AccountId}:${RestApiId}/authorizers/${AuthorizerId}",
{
"Region": {"Ref": "AWS::Region"},
"AccountId": {"Ref": "AWS::AccountId"},
"RestApiId": {"Ref": rest_api},
"AuthorizerId": Ref(api_authorizer),
}
)
if authorizer_type_is_token:
api_authorizer.Type = "TOKEN"
api_authorizer.IdentitySource = "method.request.header.{}".format(
token_authorizer_header
)
api_authorizer.RestApiId = Ref(rest_api)
api_authorizer.AuthorizerUri = Sub(
"arn:aws:apigateway:${Region}:lambda:path/2015-03-31/functions/${AuthorizerFunctionArn}/invocations",
{
"Region": {"Ref": "AWS::Region"},
"AuthorizerFunctionArn": GetAtt(lbd_func, "Arn"),
}
)
x_depends_on_y(api_authorizer, lbd_func)
x_depends_on_y(api_authorizer, rest_api)
x_depends_on_y(lbd_permission, lbd_func)
x_depends_on_y(lbd_permission, api_authorizer)
x_depends_on_y(lbd_permission, rest_api)
def associate(self, api_method, lbd_func, **kwargs):
try:
api_method.Integration.Type = "AWS"
api_method.Integration.IntegrationHttpMethod = "POST"
api_method.Integration.Uri = Sub(
"arn:aws:apigateway:${Region}:lambda:path/2015-03-31/functions/${LambdaArn}/invocations",
{
"Region": {
"Ref": "AWS::Region"
},
"LambdaArn": GetAtt(lbd_func, "Arn"),
})
except:
pass
x_depends_on_y(api_method, lbd_func)
def apigw_authorizer_aws_object(self) -> apigateway.Authorizer:
if self._apigw_authorizer_aws_object_cache is NOTHING:
if self.apigw_authorizer_name is NOTHING:
apigw_authorizer_name = self.apigw_authorizer_logic_id
else:
apigw_authorizer_name = self.apigw_authorizer_name
if len(
set(apigw_authorizer_name).difference(
set(string.ascii_letters + string.digits))):
raise ValueError(
"{}.apigw_authorizer_name can only have letter and digits".
format(self.identifier))
apigw_authorizer = apigateway.Authorizer(
title=self.apigw_authorizer_logic_id,
Name=apigw_authorizer_name,
RestApiId=Ref(self.apigw_restapi),
AuthType="custom",
Type="TOKEN",
IdentitySource="method.request.header.{}".format(
self.apigw_authorizer_token_type_header_field),
AuthorizerResultTtlInSeconds=300,
AuthorizerUri=Sub(
"arn:aws:apigateway:${Region}:lambda:path/2015-03-31/functions/${AuthorizerFunctionArn}/invocations",
{
"Region": {
"Ref": "AWS::Region"
},
"AuthorizerFunctionArn":
GetAtt(self.lbd_func_aws_object, "Arn"),
}),
DependsOn=[
self.lbd_func_aws_object,
self.apigw_restapi,
])
self._apigw_authorizer_aws_object_cache = apigw_authorizer
return self._apigw_authorizer_aws_object_cache
def apigw_method_aws_object(self) -> apigateway.Method:
if self._apigw_method_aws_object_cache is NOTHING:
depends_on = [
self.apigw_resource_aws_object,
self.lbd_func_aws_object,
]
# Integration Request
request_template = {"application/json": "$input.json('$')"}
# Integration Response
if self.apigw_method_int_type == self.ApiMethodIntType.html:
integration_response_200 = apigateway.IntegrationResponse(
StatusCode="200",
ResponseParameters={
"method.response.header.Access-Control-Allow-Origin":
"'*'",
"method.response.header.Content-Type": "'text/html'"
},
ResponseTemplates={"text/html": "$input.path('$')"},
)
method_response_200 = apigateway.MethodResponse(
StatusCode="200",
ResponseParameters={
"method.response.header.Access-Control-Allow-Origin":
False,
"method.response.header.Content-Type": False,
},
ResponseModels={"application/json": "Empty"},
)
elif self.apigw_method_int_type == self.ApiMethodIntType.rpc:
integration_response_200 = apigateway.IntegrationResponse(
StatusCode="200",
ContentHandling="CONVERT_TO_TEXT",
ResponseParameters={},
ResponseTemplates={"application/json": ""})
method_response_200 = apigateway.MethodResponse(
StatusCode="200",
ResponseParameters={},
ResponseModels={"application/json": "Empty"},
)
elif self.apigw_method_int_type == self.ApiMethodIntType.rest:
integration_response_200 = apigateway.IntegrationResponse(
StatusCode="200",
ContentHandling="CONVERT_TO_TEXT",
ResponseParameters={},
ResponseTemplates={"application/json": ""})
method_response_200 = apigateway.MethodResponse(
StatusCode="200",
ResponseParameters={},
ResponseModels={"application/json": "Empty"},
)
else:
raise TypeError
integration_responses = [
integration_response_200,
]
integration = apigateway.Integration(
Type="AWS",
IntegrationHttpMethod="POST",
Uri=Sub(
"arn:aws:apigateway:${Region}:lambda:path/2015-03-31/functions/${LambdaArn}/invocations",
{
"Region": {
"Ref": "AWS::Region"
},
"LambdaArn": GetAtt(self.lbd_func_aws_object, "Arn"),
}),
RequestTemplates=request_template,
IntegrationResponses=integration_responses,
)
if self.apigw_method_int_passthrough_behavior is not NOTHING:
integration.PassthroughBehavior = self.apigw_method_int_passthrough_behavior
if self.apigw_method_int_timeout_in_milli is not NOTHING:
integration.TimeoutInMillis = self.apigw_method_int_timeout_in_milli
# Method Response
method_responses = [
method_response_200,
]
if self.apigw_method_enable_cors_yes is True:
for integration_response in integration.IntegrationResponses:
integration_response.ResponseParameters[
"method.response.header.Access-Control-Allow-Origin"] = "'*'"
for method_response in method_responses:
method_response.ResponseParameters[
"method.response.header.Access-Control-Allow-Origin"] = False
self.check_apigw_method_authorization_type()
self.check_apigw_method_int_type()
apigw_method = apigateway.Method(
title=self.apigw_method_logic_id,
RestApiId=Ref(self.apigw_restapi),
ResourceId=Ref(self.apigw_resource_aws_object),
AuthorizationType=self.apigw_method_authorization_type,
HttpMethod=self.apigw_method_http_method,
MethodResponses=method_responses,
Integration=integration,
)
if self.apigw_method_use_authorizer_yes:
apigw_method.AuthorizerId = Ref(self.apigw_method_authorizer)
depends_on.append(self.apigw_method_authorizer)
apigw_method.DependsOn = depends_on
self._apigw_method_aws_object_cache = apigw_method
return self._apigw_method_aws_object_cache
AWSServiceName.amazon_Kinesis_Data_Firehose,
]),
ManagedPolicyArns=[
AWSManagedPolicyArn.administratorAccess,
])
kinesis_delivery_stream = firehose.DeliveryStream(
"KinesisDeliveryStream",
template=template,
DeliveryStreamName=helper_fn_sub("{}-web-event", param_env_name),
DeliveryStreamType="DirectPut",
ExtendedS3DestinationConfiguration=firehose.
ExtendedS3DestinationConfiguration(
BucketARN="arn:aws:s3:::eq-sanhe-for-everything",
Prefix=Sub(
"data/kinesis-analytics/${EnvironmentName}/year=!{timestamp:YYYY}/month=!{timestamp:MM}/day=!{timestamp:dd}/hour=!{timestamp:HH}/minute=!{timestamp:mm}/",
{"EnvironmentName": Ref(param_env_name)}),
ErrorOutputPrefix=Sub(
"data/kinesis-analytics/${EnvironmentName}/result=!{firehose:error-output-type}/year=!{timestamp:YYYY}/month=!{timestamp:MM}/day=!{timestamp:dd}/hour=!{timestamp:HH}/minute=!{timestamp:mm}/",
{"EnvironmentName": Ref(param_env_name)}),
BufferingHints=firehose.BufferingHints(IntervalInSeconds=60,
SizeInMBs=5),
CompressionFormat="UNCOMPRESSED",
RoleARN=kinesis_delivery_stream_role.iam_role_arn,
S3BackupMode="Disabled",
))
# Kinesis Analytics Application
kinesis_analytics_application_role = iam.Role(
"KinesisAnalyticsApplicationServiceRole",
template=template,
def create_template(self):
# ELBのログを保存する
elb_log_bucket = self.tpl.add_resource(
s3.Bucket(
'ElbLogBucket',
BucketName=f'{self.prefix}-{self.project}-lb-log-bucket',
))
# ELBの論理IDをアウトプット
self.tpl.add_output(
Output('ElbLogBucket',
Description='LoadBalancer Log Bucket',
Value=Ref(elb_log_bucket)))
# ELBのログを保存させるためのBucketPolicyを作成
self.tpl.add_resource(
s3.BucketPolicy(
'AlbLogPolicy',
Bucket=Ref(elb_log_bucket),
PolicyDocument={
'Version':
'2012-10-17',
'Statement': [{
'Effect':
'Allow',
'Principal': {
'AWS': 'arn:aws:iam::582318560864:root'
},
'Action':
's3:PutObject',
'Resource':
Sub(f'arn:aws:s3:::${{{elb_log_bucket.title}}}/AWSLogs/${{{AWS_ACCOUNT_ID}}}/*'
)
}, {
'Effect':
'Allow',
'Principal': {
'Service': 'delivery.logs.amazonaws.com'
},
'Action':
's3:PutObject',
'Resource':
Sub(f'arn:aws:s3:::${{{elb_log_bucket.title}}}/AWSLogs/${{{AWS_ACCOUNT_ID}}}/*'
),
'Condition': {
'StringEquals': {
's3:x-amz-acl': 'bucket-owner-full-control'
}
}
}, {
'Effect':
'Allow',
'Principal': {
'Service': 'delivery.logs.amazonaws.com'
},
'Action':
's3:GetBucketAcl',
'Resource':
Sub(f'arn:aws:s3:::${{{elb_log_bucket.title}}}')
}]
}))