def create_integration(self, method_config, lambda_arn):
"""
Creates an integration object using a single provided ApiGatewayMethodConfig object.
:param method_config: a single ApiGatewayMethodConfig object
:param lambda_arn: the ARN of a lambda function to point this integration at.
:return: a troposphere integration object
"""
integration = Integration(
'{0}Integration'.format(method_config.method_name),
Type='AWS',
IntegrationHttpMethod=method_config.httpmethod,
IntegrationResponses=self.integration_responses,
RequestTemplates=method_config.request.templates,
Uri=Join('', [
'arn:aws:apigateway:ap-southeast-2:lambda:path/2015-03-31/functions/',
lambda_arn, '/invocations'
]))
perm = self.template.add_resource(
Permission('{0}Permission'.format(integration.title),
Action='lambda:InvokeFunction',
FunctionName=lambda_arn,
Principal='apigateway.amazonaws.com'))
self.permissions.append(perm)
# At time of creation of this class, the PassthroughBehavior parameter is not implemented for integrations
# in troposphere. The below assigns it for now. This can be reworked into the above troposphere object once
# troposphere is updated.
integration.resource['PassthroughBehavior'] = "WHEN_NO_TEMPLATES"
return integration
def add_resources(self):
self.runner_terminate_rule = self.template.add_resource(
Rule(
"RunnerTeminateRule",
EventPattern={
"source": ["aws.autoscaling"],
"detail-type": ["EC2 Instance-terminate Lifecycle Action"],
},
State="ENABLED",
Targets=[
Target(
Arn=Ref(self.runner_unregister_function_arn),
Id=Ref(self.runner_terminate_target_id),
)
],
))
self.runner_unregister_permission = self.template.add_resource(
Permission(
"RunnerUnregisterPermission",
Action="lambda:InvokeFunction",
FunctionName=Ref(self.runner_unregister_function),
Principal="events.amazonaws.com",
SourceArn=GetAtt(self.runner_terminate_rule, "Arn"),
))
self.runner_terminate_lifecyclehook = self.template.add_resource(
LifecycleHook(
"RunnerTerminateLifecycleHook",
AutoScalingGroupName=Ref(self.runner_autoscaling_group),
LifecycleTransition="autoscaling:EC2_INSTANCE_TERMINATING",
))
def get_cloudformation_template(self, lambda_filename):
from troposphere import Template, GetAtt, Join
from troposphere.awslambda import Environment
from troposphere.awslambda import Permission
from troposphere.serverless import Function
t = Template()
t.add_description("Built with WavyCloud's pylexbuilder")
t.add_transform('AWS::Serverless-2016-10-31')
lambda_func = t.add_resource(
Function(
self.name,
Handler='handler.index',
Runtime=self.runtime,
CodeUri='s3://{}/{}'.format(self.s3_bucket_name,
lambda_filename),
Policies=['AmazonDynamoDBFullAccess', 'AmazonLexFullAccess'],
AutoPublishAlias=self.lambda_alias,
Environment=Environment(
Variables=self.environment_variables)), )
for i, intent in enumerate(self.get_all_intents()):
t.add_resource(
Permission(
"PermissionToLex{}".format(intent.name),
FunctionName=GetAtt(lambda_func, "Arn"),
Action="lambda:InvokeFunction",
Principal="lex.amazonaws.com",
SourceArn=Join("", [
'arn:aws:lex:',
Ref(AWS_REGION), ':',
Ref(AWS_ACCOUNT_ID), ':intent:{}:*'.format(intent.name)
])))
return t
def add_lambda_permission_demo(self):
self.lambda_permission_demo = self.template.add_resource(
Permission(
"LambdaDemoPermission",
Action='lambda:InvokeFunction',
FunctionName=GetAtt(self.lambda_function, 'Arn'),
Principal="events.amazonaws.com",
SourceArn=GetAtt(self.rule_demo, 'Arn'),
))
def create_invoke_permission_for_events(self,
function_name,
source_arn,
name_prefix=''):
return self.template.add_resource(
Permission('{0}Permission'.format(name_prefix),
Action='lambda:InvokeFunction',
FunctionName=function_name,
SourceArn=source_arn,
Principal='events.amazonaws.com'))
def create_lambda_fn_cron(name_prefix, lambda_fn, schedule_expression):
rule = Rule(
'{}EventRule'.format(name_prefix),
ScheduleExpression=schedule_expression,
Targets=[Target(Arn=GetAtt(lambda_fn, 'Arn'), Id=lambda_fn.name)])
permission = Permission('{}LambdaFunctionPermission'.format(name_prefix),
Action="lambda:InvokeFunction",
FunctionName=GetAtt(lambda_fn, 'Arn'),
Principal='events.amazonaws.com',
SourceArn=GetAtt(rule, 'Arn'))
return (rule, permission)
def add_figure_lambda(self):
## Now add to a lambda function:
function = Function(
'FigLambda',
CodeUri='../../protocols',
Runtime='python3.6',
Handler='log.eventshandler',
Description='Lambda Function logging start/stop for NCAP',
MemorySize=128,
Timeout=90,
Role=
'arn:aws:iam::739988523141:role/lambda_dataflow', ## TODO: Create this in template
Events={})
figurelamb = self.template.add_resource(function)
## Attach specific permissions to invoke this lambda function as well.
cwpermission = Permission('CWPermissions',
Action='lambda:InvokeFunction',
Principal='events.amazonaws.com',
FunctionName=Ref(figurelamb))
self.template.add_resource(cwpermission)
## Because this lambda function gets invoked by an unknown target, we need to take care of its log group separately.
figloggroup = LogGroup('FignameLogGroup',
LogGroupName=Sub("/aws/lambda/${FigLambda}"))
self.template.add_resource(figloggroup)
## Now we need to configure this function as a potential target.
## Initialize role to send events to cloudwatch
with open('policies/cloudwatch_events_assume_role_doc.json', 'r') as f:
cloudwatchassume_role_doc = json.load(f)
## Now get the actual policy:
with open('policies/cloudwatch_events_policy_doc.json', 'r') as f:
cloudwatch_policy_doc = json.load(f)
cloudwatchpolicy = ManagedPolicy(
"CloudwatchBusPolicy",
Description=Join(" ", [
"Base Policy for all lambda function roles in",
Ref(AWS_STACK_NAME)
]),
PolicyDocument=cloudwatch_policy_doc)
self.template.add_resource(cloudwatchpolicy)
## create the role:
cwrole = Role("CloudWatchBusRole",
AssumeRolePolicyDocument=cloudwatchassume_role_doc,
ManagedPolicyArns=[Ref(cloudwatchpolicy)])
cwrole_attached = self.template.add_resource(cwrole)
self.cwrole = cwrole_attached
return figurelamb
def link_resources(self):
## Attach specific permissions to invoke this lambda function as well.
cwpermission = Permission('CCPermissions',
Action='lambda:InvokeFunction',
Principal='codecommit.amazonaws.com',
FunctionName=Ref(self.commitlambda),
SourceArn=GetAtt(self.repo, 'Arn'),
SourceAccount=Ref(AWS_ACCOUNT_ID))
self.template.add_resource(cwpermission)
## Because this lambda function gets invoked by an unknown target, we need to take care of its log group separately.
figloggroup = LogGroup('FignameLogGroup',
LogGroupName=Sub("/aws/lambda/${CodeLambda}"))
self.template.add_resource(figloggroup)
def add_lambda_permissions(self):
self.permission_action = self.template.add_parameter(
Parameter("PermissionAction",
Description="The actions allowed",
Type="String"))
self.permission_principal = self.template.add_parameter(
Parameter("PermissionPrincipal",
Description="The principal to act on lambda",
Type="String"))
self.template.add_resource(
Permission("LambdaPermission",
FunctionName=Ref(self.function),
Action=Ref(self.permission_action),
Principal=Ref(self.permission_principal)))
def create_lambda_schedule(template, awslambda, schedule):
"""
Create Lambda function schedule
:param template: Cloudformation template to add to
:param awslambda: Lambda function to be scheduled
:param schedule: Rate at which schedule should run
"""
trop_cw_rule = template.add_resource(
Rule('CloudsploitRule',
Name='CloudsploitReporter',
ScheduleExpression=schedule,
State='ENABLED',
Targets=[
Target(Arn=GetAtt(awslambda, 'Arn'), Id='CloudsploitRule')
]))
trop_cw_permission = template.add_resource(
Permission('CloudsploitRulePermission',
Action='lambda:InvokeFunction',
FunctionName=GetAtt(awslambda, 'Arn'),
Principal='events.amazonaws.com',
SourceArn=GetAtt(trop_cw_rule, 'Arn')))
def __init__(self, title, template, dependencies, network_config,
lambda_config):
"""
Amazonia lambda unit definition
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html
https://github.com/cloudtools/troposphere/blob/master/troposphere/awslambda.py
:param title: Title of the autoscaling application e.g 'webApp1', 'api2' or 'dataprocessing'
:param template: Troposphere stack to append resources to
:param dependencies: list of unit names this unit needs access to
:param network_config: object containing network related variables
:param lambda_config: object containing lambda related variables
"""
super(Lambda, self).__init__(vpc=network_config.vpc,
title=title,
template=template)
self.title = title
self.dependencies = dependencies if dependencies else []
self.function_name = Join(
'',
[Ref('AWS::StackName'), '-', lambda_config.lambda_function_name])
self.trop_lambda_function = template.add_resource(
Function(self.title,
Code=Code(S3Bucket=lambda_config.lambda_s3_bucket,
S3Key=lambda_config.lambda_s3_key),
Description=lambda_config.lambda_description,
FunctionName=self.function_name,
Handler=lambda_config.lambda_handler,
MemorySize=lambda_config.lambda_memory_size,
Role=lambda_config.lambda_role_arn,
Runtime=lambda_config.lambda_runtime,
Timeout=lambda_config.lambda_timeout,
VpcConfig=VPCConfig(
SubnetIds=network_config.private_subnets,
SecurityGroupIds=[self.security_group])))
self.add_egress(receiver=network_config.public_cidr,
port='-1') # All Traffic to Nat gateways
if lambda_config.lambda_schedule:
self.cwa_name = Join('', [
Ref('AWS::StackName'), '-',
lambda_config.lambda_function_name + 'Rule'
])
self.trop_cw_rule = template.add_resource(
Rule(self.title + 'Rule',
Name=self.cwa_name,
ScheduleExpression=lambda_config.lambda_schedule,
State='ENABLED',
Targets=[
Target(Arn=GetAtt(self.trop_lambda_function, 'Arn'),
Id=title)
]))
self.trop_cw_permission = template.add_resource(
Permission(self.title + 'RulePermission',
Action='lambda:InvokeFunction',
FunctionName=GetAtt(self.trop_lambda_function,
'Arn'),
Principal='events.amazonaws.com',
SourceArn=GetAtt(self.trop_cw_rule, 'Arn')))
Subscription(
Protocol='lambda',
Endpoint=GetAtt(request_encoding_function, 'Arn'),
),
Subscription(
Protocol='sqs',
Endpoint=GetAtt(start_media_insights_queue, 'Arn'),
)
],
))
template.add_resource(
Permission(
'InvokeRequestEncodingFunctionPermission',
Action='lambda:InvokeFunction',
FunctionName=Ref(request_encoding_function),
Principal='sns.amazonaws.com',
SourceArn=Ref(request_encoding_topic),
))
template.add_resource(
EventInvokeConfig(
'RequestEncodingInvokeConfig',
FunctionName=Ref(request_encoding_function),
MaximumEventAgeInSeconds=60,
MaximumRetryAttempts=1,
Qualifier='$LATEST',
DestinationConfig=DestinationConfig(OnFailure=OnFailure(
Destination=GetAtt(processing_failed_queue, 'Arn'), ), ),
))
ResourceId=Ref(unsubscribe_resource),
HttpMethod="POST",
Integration=Integration(
Type="AWS",
IntegrationHttpMethod="POST",
IntegrationResponses=[IntegrationResponse(StatusCode="200")],
Uri=Join("", [
"arn:aws:apigateway:",
Ref('AWS::Region'), ":lambda:path/2015-03-31/functions/",
GetAtt(EmailUnsubscribeFunction, "Arn"), "/invocations"
])),
MethodResponses=[MethodResponse("CatResponse", StatusCode="200")]))
resource = t.add_resource(
Permission("SubscribePermission",
Action="lambda:InvokeFunction",
Principal="apigateway.amazonaws.com",
FunctionName=GetAtt(EmailSubscribeFunction, "Arn")))
resource = t.add_resource(
Permission("UnsubscribePermission",
Action="lambda:InvokeFunction",
Principal="apigateway.amazonaws.com",
FunctionName=GetAtt(EmailUnsubscribeFunction, "Arn")))
resource = t.add_resource(
Permission("SendEmailPermission",
Action="lambda:InvokeFunction",
Principal="events.amazonaws.com",
FunctionName=GetAtt(EmailSendFunction, "Arn")))
# Deploy API
def initiate_api_gateway_creation(self):
self.template.set_version('2010-09-09')
self.template.set_description('Creates a API Gateway which is '
'used to get data from dynamoDB.')
role = self.template.add_resource(
Role('RootRole',
RoleName="monty-cloud-api-role",
Path='/',
AssumeRolePolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Action": ["sts:AssumeRole"],
"Effect": "Allow",
"Principal": {
"Service": [
"apigateway.amazonaws.com",
"lambda.amazonaws.com",
"dynamodb.amazonaws.com"
]
}
}]
}))
self.template.add_resource(
ManagedPolicy(
'RolePolicies',
ManagedPolicyName='api-gw-policy',
Description='This policy is used for the DynamoDB table ',
PolicyDocument={
"Version":
"2012-10-17",
"Statement": [{
"Action": ["dynamodb:*", "lambda:*", "s3:*"],
"Resource": [
"arn:aws:dynamodb:*:*:table/*",
"arn:aws:lambda:*:*:function:*"
],
"Effect":
"Allow"
}]
},
Roles=[Ref(role)]))
name = self.template.add_resource(
RestApi('restApiName',
Name='monty-cloud-get-api',
Description='Monty Cloud API Gateway',
EndpointConfiguration=EndpointConfiguration(
Types=['REGIONAL'])))
self.template.add_resource(
Permission("lambdaApiGatewayInvoke",
Action="lambda:InvokeFunction",
FunctionName="arn:aws:lambda:{}:{}:function:"
"get_data".format(self.region, self.account_number),
Principal="apigateway.amazonaws.com",
SourceArn="arn:aws:execute-api:{}:{}:*/*"
"/GET/get-details".format(self.region,
self.account_number)))
get_api_resource = self.template.add_resource(
Resource('restApiGetDetailsResource',
RestApiId=Ref(name),
ParentId=GetAtt(name, 'RootResourceId'),
PathPart='get-details',
DependsOn=name))
get_api_method = self.template.add_resource(
Method('restApiGetDetailsMethod',
AuthorizationType='None',
ApiKeyRequired=False,
HttpMethod='GET',
ResourceId=Ref(get_api_resource),
RestApiId=Ref(name),
Integration=Integration(Type='AWS_PROXY',
IntegrationHttpMethod='POST',
Uri=self.uri.format(
self.region, self.region,
self.account_number),
Credentials=GetAtt(role, "Arn")),
MethodResponses=[
MethodResponse(
StatusCode='200',
ResponseModels={'application/json': 'Empty'})
],
DependsOn=get_api_resource))
deployment = self.template.add_resource(
Deployment('restApiDeployment',
RestApiId=Ref(name),
DependsOn=[get_api_method]))
self.template.add_resource(
Stage('restApiStage',
DeploymentId=Ref(deployment),
Description='Prod Stage',
MethodSettings=[
MethodSetting(ResourcePath='/get-details',
HttpMethod='GET')
],
RestApiId=Ref(name),
StageName='prod'))
return self.template.to_yaml()
def scaffold(self):
""" Create long lived stack resources for the cluster """
self.t.add_resource(
Cluster("Cluster", ClusterName=self.cluster_vars['name']))
OUTPUT_SG = ["ALB", "DB", "Cache", "Aux"]
for sg in OUTPUT_SG:
tmpsg = SecurityGroup(
"{}BadgeSg".format(sg),
GroupDescription=
"SG for {} to wear in order to talk to ecs instances".format(
sg),
VpcId=self.cluster_vars.get('vpc'))
self.t.add_resource(tmpsg)
self.t.add_output(
Output("{}BadgeSg".format(sg),
Description="{} Security Group Badge".format(sg),
Export=Export(Sub("${AWS::StackName}:%sBadgeSg" % sg)),
Value=GetAtt(tmpsg, "GroupId")))
# Refactor like this
### removing this because it's in the agent now
add_asg_cleanup(self.t,
sanitize_cfn_resource_name(self.cluster_vars['name']))
# add metric lambda
self.t.add_resource(
Function("ECSMetricLambda",
Code=Code(S3Bucket=Sub("${S3Bucket}"),
S3Key=Sub("${S3Prefix}/deployment.zip")),
Handler="metrics.cluster_metrics.lambda_handler",
Role=GetAtt("CronLambdaRole", "Arn"),
Runtime="python3.7",
MemorySize=128,
Timeout=300,
Environment=Environment(
Variables={
"CLUSTER": Sub("${ClusterName}"),
"ASGPREFIX": Sub("${ClusterName}-asg-"),
"REGION": Ref("AWS::Region")
})))
self.t.add_resource(
Role("CronLambdaRole",
AssumeRolePolicyDocument={
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
}]
},
Policies=[
Policy(PolicyName="logs-and-stuff",
PolicyDocument={
"Statement": [{
"Effect": "Allow",
"Action": ["logs:*"],
"Resource": "arn:aws:logs:*:*:*"
}, {
"Effect":
"Allow",
"Action": [
"ec2:DescribeAutoScalingGroups",
"ec2:UpdateAutoScalingGroup", "ecs:*",
"cloudwatch:PutMetricData"
],
"Resource":
"*"
}]
})
]))
# run metrics every minute
self.t.add_resource(
Rule(
"CronStats",
ScheduleExpression="rate(1 minute)",
Description="Cron for cluster stats",
Targets=[Target(Id="1", Arn=GetAtt("ECSMetricLambda",
"Arn"))]))
self.t.add_resource(
Permission("StatPerm",
Action="lambda:InvokeFunction",
FunctionName=GetAtt("ECSMetricLambda", "Arn"),
Principal="events.amazonaws.com",
SourceArn=GetAtt("CronStats", "Arn")))
def add_api_gateway(self, apigateway_name):
self.log.info('Adding API Gateway %s' % apigateway_name)
assert (self.lambda_function is not None)
# define all value used by api gateway
lambda_method_name = '%sLambdaMethod' % apigateway_name
lambda_permission_name = '%sLambdaPermission' % apigateway_name
resource_name = '%sResource' % apigateway_name
deployment_name = '%sDeployment' % self.stage_name
apikey_name = '%sApiKey' % apigateway_name
# start creating api gateway template
self.apigateway = RestApi(apigateway_name, Name=apigateway_name)
self.template.add_resource(self.apigateway)
resource = Resource(resource_name,
RestApiId=Ref(self.apigateway),
PathPart='{proxy+}',
ParentId=GetAtt(apigateway_name, 'RootResourceId'))
self.template.add_resource(resource)
permission = Permission(lambda_permission_name,
Action='lambda:invokeFunction',
FunctionName=GetAtt(self.lambda_function,
'Arn'),
Principal='apigateway.amazonaws.com',
SourceArn=Join("", [
'arn:aws:execute-api:',
Ref('AWS::Region'), ':',
Ref('AWS::AccountId'), ':',
Ref(self.apigateway), '/*'
]))
self.template.add_resource(permission)
method = Method(
lambda_method_name,
DependsOn=lambda_permission_name,
RestApiId=Ref(self.apigateway),
ResourceId=Ref(resource),
HttpMethod='ANY',
AuthorizationType='NONE',
Integration=Integration(
Type='AWS_PROXY',
IntegrationHttpMethod='POST',
Uri=Join("", [
'arn:aws:apigateway:',
Ref('AWS::Region'), ':lambda:path/2015-03-31/functions/',
GetAtt(self.lambda_function, 'Arn'), '/invocations'
])),
MethodResponses=[MethodResponse(StatusCode='200')])
self.template.add_resource(method)
# create a deployment
deployment = Deployment(deployment_name,
DependsOn=lambda_method_name,
RestApiId=Ref(self.apigateway))
self.template.add_resource(deployment)
stage = Stage('%sStage' % self.stage_name,
StageName=self.stage_name,
RestApiId=Ref(self.apigateway),
DeploymentId=Ref(deployment))
self.template.add_resource(stage)
key = ApiKey(apikey_name,
StageKeys=[
StageKey(RestApiId=Ref(self.apigateway),
StageName=Ref(stage))
])
self.template.add_resource(key)
def add_resources(self):
"""Create Resources to deploy Limit Monitor."""
template = self.template
variables = self.get_variables()
path = os.path.dirname(os.path.abspath(path=__file__))
stacker_dict = yaml.safe_load(
open(path + '/' + '../01_limit_monitor_spoke_us-east-1.yaml'))
service_item = ''
for item in stacker_dict['stacks']['servicelimitmonitorspoke'][
'variables']['SERVICES']:
quoted_item = '"' + item + '"'
service_item = service_item + quoted_item + ','
"""Adding Mapping for AnonymousData"""
template.add_mapping('MetricsMap',
{'Send-Data': {
'SendAnonymousData': 'Yes'
}})
"""Adding Mapping for RefreshRate."""
template.add_mapping('RefreshRate',
{'CronSchedule': {
'Default': 'rate(1 day)'
}})
"""Adding Mapping for SourceCode."""
template.add_mapping(
'SourceCode', {
'General': {
'S3Bucket': 'solutions',
'KeyPrefix': 'limit-monitor/v5.1.1'
}
})
# """Adding Mapping for EventsMap."""
# template.add_mapping(
# 'EventsMap', {
# 'Checks': {
# 'Services': '"AutoScaling","CloudFormation","EBS","EC2","ELB","IAM","RDS","VPC"'
#
# }
# }
# )
s3_bucket = FindInMap('SourceCode', 'General', 'S3Bucket')
s3_key = FindInMap('SourceCode', 'General', 'KeyPrefix')
"""TAOkRule Target Resource Definition."""
ta_ok_rule_target = Target(
'TAOkRuleTarget',
Arn=Join(':', [
'arn:aws:events', 'us-east-1',
str(variables['MasterAccount'].value), 'event-bus/default'
]),
Id='SpokeOkTarget',
)
"""CWR - Rule for TA OK events'."""
template.add_resource(
Rule('TAOkRule',
Description=
'Limit Monitor Solution - Spoke - Rule for TA OK events',
EventPattern={
'account': [Ref('AWS::AccountId')],
'source': ['aws.trustedadvisor'],
'detail-type':
['Trusted Advisor Check Item Refresh Notification'],
'detail': {
'status': ["OK"],
'check-item-detail': {
'Service': variables['SERVICES'].value
}
}
},
State='ENABLED',
Targets=[
ta_ok_rule_target,
]))
"""TAWarnRule Target Resource Definition."""
ta_warn_rule_target = Target(
'TAWarnRuleTarget',
Arn=Join(':', [
'arn:aws:events', 'us-east-1',
str(variables['MasterAccount'].value), 'event-bus/default'
]),
Id='SpokeWarnTarget',
)
"""CWR - Rule for TA WARN events'"""
template.add_resource(
Rule('TAWarnRule',
Description=
'Limit Monitor Solution - Spoke - Rule for TA WARN events',
EventPattern={
'account': [Ref('AWS::AccountId')],
'source': ['aws.trustedadvisor'],
'detail-type':
['Trusted Advisor Check Item Refresh Notification'],
'detail': {
'status': ["WARN"],
'check-item-detail': {
'Service': variables['SERVICES'].value
}
}
},
State='ENABLED',
Targets=[
ta_warn_rule_target,
]))
"""TAErrorRule Target Resource Definition."""
ta_error_rule_target = Target(
'TAErrorRuleTarget',
Arn=Join(':', [
'arn:aws:events', 'us-east-1',
str(variables['MasterAccount'].value), 'event-bus/default'
]),
Id='SpokeErrorTarget',
)
"""CWR - Rule for TA Error events'"""
template.add_resource(
Rule('TAErrorRule',
Description=
'Limit Monitor Solution - Spoke - Rule for TA WARN events',
EventPattern={
'account': [Ref('AWS::AccountId')],
'source': ['aws.trustedadvisor'],
'detail-type':
['Trusted Advisor Check Item Refresh Notification'],
'detail': {
'status': ["ERROR"],
'check-item-detail': {
'Service': variables['SERVICES'].value
}
}
},
State='ENABLED',
Targets=[
ta_error_rule_target,
]))
"""Create the IAM role for the TA Refresher Lambda Function"""
ta_refresher_role = template.add_resource(
Role('TARefresherRole',
AssumeRolePolicyDocument=PolicyDocument(Statement=[
Statement(Effect=Allow,
Action=[awacs.sts.AssumeRole],
Principal=Principal('Service',
['lambda.amazonaws.com']))
]),
Path='/',
Policies=[
Policy(PolicyDocument=PolicyDocument(
Version='2012-10-17',
Statement=[
Statement(Effect=Allow,
Action=[
CreateLogGroup, CreateLogStream,
PutLogEvents
],
Resource=[
Join(':', [
'arn:aws:logs',
Ref('AWS::Region'),
Ref('AWS::AccountId'),
'log-group', '/aws/lambda/*'
])
]),
Statement(Effect=Allow,
Action=[awacs.support.Action('*')],
Resource=['*']),
]),
PolicyName=Join('-', [
'Limit-Monitor-Refresher-Policy',
Ref('AWS::StackName')
]))
]))
"""Create TA Refresher Lambda Function."""
ta_refresher = template.add_resource(
Function(
'TARefresher',
Description=
'Serverless Limit Monitor - Lambda function to summarize service limits',
Environment=Environment(
Variables={
# 'AWS_SERVICES': FindInMap('EventsMap', 'Checks', 'Services'),
'AWS_SERVICES': str(service_item[:-1]),
'LOG_LEVEL': 'ERROR'
}),
Handler='index.handler',
Role=GetAtt(ta_refresher_role, 'Arn'),
Code=Code(S3Bucket=Join(
'-', [s3_bucket, Ref('AWS::Region')]),
S3Key=Join('/',
[s3_key, 'limtr-refresh-service.zip'])),
Runtime='nodejs8.10',
Timeout=300,
DependsOn=[ta_refresher_role]))
"""Create the target for Refresh Schedule."""
ta_refresher_target = Target('TARefreshRate',
Arn=GetAtt(ta_refresher, 'Arn'),
Id='SqsPollRate')
"""Create the TARefreshSchedule Rule."""
ta_refresh_schedule = template.add_resource(
Rule('TARefreshSchedule',
Description=
'Limit Monitor Solution - Schedule to refresh TA checks',
ScheduleExpression=FindInMap('RefreshRate', 'CronSchedule',
'Default'),
State='ENABLED',
Targets=[ta_refresher_target],
DependsOn=[ta_refresher]))
"""Create the Ta Refresher Lambda Permission."""
template.add_resource(
Permission('TARefresherInvokePermission',
FunctionName=Ref(ta_refresher),
Action='lambda:InvokeFunction',
Principal='events.amazonaws.com',
SourceArn=GetAtt(ta_refresh_schedule, 'Arn'),
DependsOn=[ta_refresher]))
"""Create the Limtr Helper Role."""
limtr_helper_role = template.add_resource(
Role('LimtrHelperRole',
AssumeRolePolicyDocument=PolicyDocument(
Version='2012-10-17',
Statement=[
Statement(Effect=Allow,
Action=[awacs.sts.AssumeRole],
Principal=Principal(
'Service', ['lambda.amazonaws.com']))
]),
Path='/',
Policies=[
Policy(PolicyDocument=PolicyDocument(
Version='2012-10-17',
Statement=[
Statement(Effect=Allow,
Action=[
CreateLogGroup, CreateLogStream,
PutLogEvents
],
Resource=[
Join(':', [
'arn:aws:logs',
Ref('AWS::Region'),
Ref('AWS::AccountId'),
'log-group', '/aws/lambda/*'
])
]),
Statement(
Effect=Allow,
Action=[PutPermission, RemovePermission],
Resource=[
Join(':', [
'arn:aws:events',
Ref('AWS::Region'),
Ref('AWS::AccountId'),
'event-bus/default'
])
]),
Statement(
Effect=Allow,
Action=[GetParameters, PutParameter],
Resource=[
Join(':', [
'arn:aws:ssm',
Ref('AWS::Region'),
Ref('AWS::AccountId'), 'parameter/*'
])
])
]),
PolicyName='Custom_Limtr_Helper_Permissions')
]))
"""Create the Lambda Function for the Limtr Helper."""
limtr_helper = template.add_resource(
Function(
'LimtrHelperFunction',
Description=
'This function generates UUID, establishes cross account trust '
'on CloudWatch Event Bus and sends anonymous metric',
Handler='index.handler',
Environment=Environment(Variables={'LOG_LEVEL': 'ERROR'}),
Code=Code(S3Bucket=Join(
'-', [s3_bucket, Ref('AWS::Region')]),
S3Key=Join('/',
[s3_key, 'limtr-helper-service.zip'])),
Role=GetAtt(limtr_helper_role, 'Arn'),
Runtime='nodejs8.10',
Timeout=300,
DependsOn=[limtr_helper_role]))
"""Create the Custom Resource UUID."""
create_uuid = template.add_resource(
CustomUUID('CreateUUID', ServiceToken=GetAtt(limtr_helper, 'Arn')))
"""Create the Custom Resource DeploymentData."""
template.add_resource(
CustomDeploymentData('DeploymentData',
ServiceToken=GetAtt(limtr_helper, 'Arn'),
SOLUTION='SO0005',
UUID=Ref(create_uuid),
VERSION='v5.1.1',
ANONYMOUS_DATA=FindInMap(
'MetricsMap', 'Send-Data',
'SendAnonymousData')))
"""Output for Service Checks."""
template.add_output(
Output('ServiceChecks',
Description='Service limits monitored in the account',
Value=str(service_item[:-1])))
Timeout=30,
))
chaos_lambda_rule = t.add_resource(
Rule("ChaosLambdaRule",
Description="Trigger Chaos Lambda according to a schedule",
State="ENABLED",
ScheduleExpression=Ref(chaos_schedule),
Targets=[
Target(Arn=GetAtt(lambda_function, "Arn"),
Id="ChaosLambdaRuleTarget")
]))
t.add_resource(
Permission("ChaosLambdaRulePermission",
FunctionName=GetAtt(lambda_function, "Arn"),
SourceArn=GetAtt(chaos_lambda_rule, "Arn"),
Principal="events.amazonaws.com",
Action="lambda:InvokeFunction"))
t.add_output(
Output("ChaosLambdaFunctionOutput",
Value=Ref(lambda_function),
Description="The Chaos Lambda Function"))
t.add_output(
Output("ChaosLambdaRuleOutput",
Value=Ref(chaos_lambda_rule),
Description="Rule used to trigger the Chaos Lambda"))
template = t.to_json()
if len(sys.argv) > 1:
open(sys.argv[1], "w").write(template + "\n")
def __init__(self,
utils,
templatePath='./cloudformation/stage.json',
description='API Gateway Stage Template for {App}-{Stage}',
version='2010-09-09'):
super(self.__class__, self).__init__()
self.utils = utils
self.templatePath = templatePath
appName = self.utils.config['App']
stageName = self.utils.config['Stage']
tags = self.utils.config['Tags']
self.add_version(version)
self.add_description(description.format(App=appName, Stage=stageName))
####################
# Lambda Functions #
####################
self.lambdaFunctions = []
self.lambdaFunctionRoles = []
for functionId in self.utils.config['LambdaFunctions'].keys():
f = self.utils.config['LambdaFunctions'][functionId]
functionName = '{App}Stage{FunctionId}Function{Stage}'.format(
App=appName, FunctionId=functionId, Stage=stageName)
policyName = '{App}Stage{FunctionId}FunctionPolicy{Stage}'.format(
App=appName, FunctionId=functionId, Stage=stageName)
roleName = '{App}Stage{FunctionId}FunctionRole{Stage}'.format(
App=appName, FunctionId=functionId, Stage=stageName)
functionSubParams = {
'FunctionName': functionName,
'Api': ImportValue('{App}Api'.format(App=appName)),
'Stage': stageName.lower(),
}
#################
# Function Role #
#################
with open(
'./lambda/policies/{FunctionId}.json'.format(
FunctionId=functionId), 'r') as functionPolicyJson:
functionPolicyDocument = functionPolicyJson.read()
functionPolicy = Policy(
policyName,
PolicyName=policyName,
PolicyDocument=Sub(functionPolicyDocument,
**functionSubParams),
)
functionRole = self.add_resource(
Role(
roleName,
AssumeRolePolicyDocument=PolicyDocument(Statement=[
Statement(
Effect=Allow,
Action=[AssumeRole],
Principal=Principal('Service', [
'lambda.amazonaws.com',
]),
)
], ),
Path='/service-role/{App}/{Stage}/'.format(
App=appName, Stage=stageName),
Policies=[functionPolicy],
RoleName=roleName,
))
lambdaFunction = self.add_resource(
Function(
functionName,
Code=path.abspath(f['LocalCode']),
Description='API Proxy Function for Stage: {App}-{Stage}'.
format(App=appName, Stage=stageName),
FunctionName=functionName,
Handler=f['Handler'],
MemorySize=f['Memory'],
Role=GetAtt(functionRole, 'Arn'),
Runtime=f['Runtime'],
Timeout=f['Timeout'],
Tags=Tags(tags),
))
lambdaEnvironment = {
'APP_NAME': appName,
'STAGE_NAME': stageName,
}
if f['Environment'] != None:
lambdaEnvironment.update(f['Environment'])
lambdaFunction.Environment = Environment(
Variables=lambdaEnvironment, )
if f['KmsKeyArn'] != None:
lambdaFunction.KmsKeyArn = f['KmsKeyArn']
if f['Vpc'] != None:
lambdaFunction.VpcConfig = VpcConfig(
SecurityGroupIds=f['Vpc']['SecurityGroupIds'],
SubnetIds=f['Vpc']['SubnetIds'],
)
if f['Tracing'] != None:
lambdaFunction.TracingConfig = TracingConfig(
Mode=f['Tracing'], )
self.lambdaFunctions.append(lambdaFunction)
self.lambdaFunctionRoles.append(functionRole)
##################
# Lambda Proxies #
##################
self.proxyResources = []
self.proxyMethods = []
self.proxyMethodTitles = []
self.proxyPermissions = []
for resourceName in self.utils.config['LambdaProxies'].keys():
resource = self.utils.config['LambdaProxies'][resourceName]
resourcePath = resource['Path'].strip()
functionName = '{App}Stage{FunctionName}Function{Stage}'.format(
App=appName,
FunctionName=resource['Function'],
Stage=stageName)
resourceSubParams = {
'FunctionName': functionName,
'Api': ImportValue('{App}Api'.format(App=appName)),
'Stage': stageName.lower(),
}
if resourcePath == '':
proxyParent = ImportValue('{App}ApiRoot'.format(App=appName))
resourceSubParams['ResourcePath'] = '*'
else:
resourceSubParams['ResourcePath'] = resourcePath + '/*'
#################
# Path Resource #
#################
pathResource = self.add_resource(
Resource(
'{App}Stage{ResourceName}PathResource{Stage}'.format(
App=appName,
ResourceName=resourceName,
Stage=stageName),
ParentId=ImportValue(
'{App}ApiRoot'.format(App=appName)),
PathPart=resource['Path'],
RestApiId=ImportValue('{App}Api'.format(App=appName)),
))
self.proxyResources.append(pathResource)
proxyParent = Ref(pathResource)
###############
# Path Method #
###############
pathMethod = self.add_resource(
self.generate_proxy_method(
'{App}Stage{ResourceName}PathMethod{Stage}'.format(
App=appName,
ResourceName=resourceName,
Stage=stageName),
resource['Auth'],
resourceSubParams,
proxyParent,
ImportValue('{App}Api'.format(App=appName)),
))
self.proxyMethods.append(pathMethod)
self.proxyMethodTitles.append(pathMethod.title)
##################
# Proxy Resource #
##################
proxyResource = self.add_resource(
Resource(
'{App}Stage{ResourceName}ProxyResource{Stage}'.format(
App=appName,
ResourceName=resourceName,
Stage=stageName),
ParentId=proxyParent,
PathPart='{proxy+}',
RestApiId=ImportValue('{App}Api'.format(App=appName)),
))
self.proxyResources.append(proxyResource)
################
# Proxy Method #
################
proxyMethod = self.add_resource(
self.generate_proxy_method(
'{App}Stage{ResourceName}ProxyMethod{Stage}'.format(
App=appName,
ResourceName=resourceName,
Stage=stageName),
resource['Auth'],
resourceSubParams,
Ref(proxyResource),
ImportValue('{App}Api'.format(App=appName)),
))
self.proxyMethods.append(proxyMethod)
self.proxyMethodTitles.append(proxyMethod.title)
####################
# Proxy Permission #
####################
proxyPermission = self.add_resource(
Permission(
'{App}Stage{ResourceName}Permission{Stage}'.format(
App=appName,
ResourceName=resourceName,
Stage=stageName),
Action='lambda:InvokeFunction',
FunctionName=functionName,
Principal='apigateway.amazonaws.com',
SourceArn=Sub(
'arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${Api}/${Stage}/*/${ResourcePath}',
**resourceSubParams),
DependsOn=[functionName],
))
self.proxyPermissions.append(proxyPermission)
#################
# RestApi Stage #
#################
hashComponents = [self.proxyResources, self.proxyMethods]
deploymentHash = md5(pickle.dumps(hashComponents)).hexdigest()
self.deployment = self.add_resource(
Deployment(
'{App}StageDeployment{Stage}{Hash}'.format(
App=appName, Stage=stageName, Hash=deploymentHash),
Description='Deployment for {App} {Stage} Stage'.format(
App=appName, Stage=stageName),
RestApiId=ImportValue('{App}Api'.format(App=appName)),
DependsOn=self.proxyMethodTitles,
))
self.prodStage = self.add_resource(
Stage(
'{App}Stage'.format(App=appName),
DeploymentId=Ref(self.deployment),
Description='Stage for {App} {Stage} Stage.'.format(
App=appName, Stage=stageName, Run=self.utils.run_time),
MethodSettings=[
MethodSetting(
DataTraceEnabled=True,
HttpMethod='*',
LoggingLevel='INFO',
ResourcePath='/*',
#MetricsEnabled=True,
),
],
RestApiId=ImportValue('{App}Api'.format(App=appName)),
StageName=stageName.lower(),
))
##################
# Write Template #
##################
with open(templatePath, 'w') as templateFile:
templateFile.write(self.to_json())
def create_aurora_template(region, account_id):
template = Template()
template.set_transform('AWS::Serverless-2016-10-31')
api_name = template.add_parameter(parameter=Parameter(
title='ApiName',
Default='sample-api',
Type='String',
))
function_name = template.add_parameter(parameter=Parameter(
title='FunctionName',
Default='sample-lambda-function',
Type='String',
))
# swagger_path = template.add_parameter(
# parameter=Parameter(
# title='SwaggerPath',
# Default='./swagger.yml',
# Type='String',
# )
# )
stage_name = template.add_parameter(parameter=Parameter(
title='StageName',
Default='prod',
Type='String',
))
api = template.add_resource(resource=Api(
title='SampleApi',
Name=Ref(api_name),
# DefinitionUri=Ref(swagger_path),
DefinitionUri='./swagger.yml',
StageName=Ref(stage_name),
))
path = '/sample/'
method = 'get'
function = template.add_resource(
resource=Function(title='SampleLambdaFunction',
AutoPublishAlias='sample',
CodeUri='.',
FunctionName=Ref(function_name),
Handler='lambda_function.lambda_handler',
Role=ImportValue('sample-lambda-service-role-arn'),
Runtime='python3.7',
Events={
'ApiTrigger': {
'Type': 'Api',
'Properties': {
'Path': path,
'Method': method,
'RestApiId': Ref(api)
}
}
}))
template.add_resource(
resource=Permission(title='SampleLambdaFunctionPermission',
Action='lambda:InvokeFunction',
FunctionName=Ref(function),
Principal='apigateway.amazonaws.com'))
with open('swagger_template.yml') as f:
swagger_yaml = f.read()
uri = URI.replace('{region}', region).replace('{account_id}', account_id) \
.replace('{function_name}', function_name.Default) # TODO:
swagger = swagger_yaml.replace('{path}',
path).replace('{method}',
method).replace('{uri}', uri)
with open('./api.yml', mode='w') as file:
file.write(template.to_yaml())
with open('./swagger.yml', mode='w') as file:
file.write(swagger)
Credentials=GetAtt("CrimeDataExecutionRole", "Arn"),
Type="AWS_PROXY",
IntegrationHttpMethod='POST',
Uri=Join("", [
"arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/",
GetAtt("CrimeDataAPIFunction", "Arn"), "/invocations"
])),
))
# Allow the gateway to invoke Lambda
permission = t.add_resource(
Permission("CrimeDataAPILambdaPermission",
Action="lambda:InvokeFunction",
FunctionName=GetAtt("CrimeDataAPIFunction", "Arn"),
Principal="apigateway.amazonaws.com",
SourceArn=Join("", [
"arn:aws:execute-api:",
Ref("AWS::Region"), ":",
Ref("AWS::AccountId"), ":",
Ref(rest_api), "/*/GET/CrimeData"
])))
# Create a deployment
stage_name = 'v1'
deployment = t.add_resource(
Deployment(
"%sDeployment" % stage_name,
DependsOn=[
"CrimeDataAPIMethod" + methods[0],
"CrimeDataAPIMethod" + methods[1]
],
Uri=Join("", [
"arn:aws:apigateway:" + args.region + ":lambda:path/2015-03-31/functions/",
GetAtt("Lambda", "Arn"),
"/invocations"
])
),
))
# allow the API Gateway to invoke Lambda
permission = t.add_resource(Permission(
"Permission",
Action="lambda:InvokeFunction",
FunctionName=GetAtt("Lambda", "Arn"),
Principal="apigateway.amazonaws.com",
SourceArn=Join("", [
"arn:aws:execute-api:" + args.region + ":",
Ref("AWS::AccountId"),
":",
Ref(rest_api),
"/*/POST/convert"
])
))
#
# Deploy API Gateway
#
stage_name = 'dev'
deployment = t.add_resource(Deployment(
"Deployment",
Handler='index.lambda_handler',
MemorySize=128,
Role=GetAtt(lambda_role, 'Arn'),
Runtime='python2.7',
Timeout=10))
cloudtrail_topic = t.add_resource(
Topic("CloudtrailTopic",
Subscription=[
Subscription(Endpoint=GetAtt(function, "Arn"), Protocol="lambda")
]))
lambda_permission = t.add_resource(
Permission("LambdaPermission",
Action="lambda:InvokeFunction",
FunctionName=Ref(function),
Principal="sns.amazonaws.com",
SourceAccount=Ref("AWS::AccountId"),
SourceArn=Ref(cloudtrail_topic)))
t.add_resource(
TopicPolicy("CloudtrailTopicPolicy",
Topics=[Ref(cloudtrail_topic)],
PolicyDocument=Policy(Statement=[
Statement(Sid="AWSCloudTrailSNSPolicy",
Effect=Allow,
Principal=Principal(
"Service", ["cloudtrail.amazonaws.com"]),
Action=[Action("sns", "publish")],
Resource=[Ref(cloudtrail_topic)])
])))
def add_lambda_function(resources, outputs, s3bucket, s3key):
resources.append(
Role(
"LambdaConfigRulesRole",
Path="/",
Policies=[Policy(
PolicyName="ReadOnlyForPerformingEvaluations",
PolicyDocument={
"Version": "2012-10-17",
"Statement": [{
"Action": [
"acm:DescribeCertificate", "acm:GetCertificate", "acm:ListCertificates",
"autoscaling:Describe*",
"cloudformation:Describe*", "cloudformation:Get*", "cloudformation:List*",
"cloudfront:Get*", "cloudfront:List*",
"cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "cloudtrail:LookupEvents", "cloudtrail:ListTags", "cloudtrail:ListPublicKeys",
"cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
"config:Deliver*", "config:Describe*", "config:Get*",
"dynamodb:BatchGetItem", "dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:ListTables", "dynamodb:Query", "dynamodb:Scan",
"ec2:Describe*", "ec2:GetConsoleOutput",
"ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:GetManifest", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:BatchGetImage",
"ecs:Describe*", "ecs:List*",
"elasticache:Describe*", "elasticache:List*",
"elasticloadbalancing:Describe*",
"elasticmapreduce:Describe*", "elasticmapreduce:List*",
"es:DescribeElasticsearchDomain", "es:DescribeElasticsearchDomains", "es:DescribeElasticsearchDomainConfig", "es:ListDomainNames", "es:ListTags", "es:ESHttpGet", "es:ESHttpHead",
"events:DescribeRule", "events:ListRuleNamesByTarget", "events:ListRules", "events:ListTargetsByRule", "events:TestEventPattern",
"firehose:Describe*", "firehose:List*",
"iam:GenerateCredentialReport", "iam:Get*", "iam:List*",
"inspector:Describe*", "inspector:Get*", "inspector:List*", "inspector:LocalizeText", "inspector:PreviewAgentsForResourceGroup",
"kinesis:Describe*", "kinesis:Get*", "kinesis:List*",
"kms:Describe*", "kms:Get*", "kms:List*",
"lambda:List*", "lambda:Get*",
"logs:Describe*", "logs:Get*", "logs:TestMetricFilter",
"rds:Describe*", "rds:ListTagsForResource",
"redshift:Describe*", "redshift:ViewQueriesInConsole",
"s3:Get*", "s3:List*",
"ses:Get*", "ses:List*",
"sns:Get*", "sns:List*",
"sqs:GetQueueAttributes", "sqs:ListQueues", "sqs:ReceiveMessage",
"tag:Get*",
"trustedadvisor:Describe*"
],
"Resource": "*",
"Effect": "Allow"
}]
}), Policy(
PolicyName="CloudWatchLogs-FullAccess",
PolicyDocument={
"Version": "2012-10-17",
"Statement": [{
"Action": ["logs:*"],
"Resource": "arn:aws:logs:*:*:*",
"Effect": "Allow"
}]
}), Policy(
PolicyName="AwsConfigRules-PutEvaluations",
PolicyDocument={
"Version": "2012-10-17",
"Statement": [{
"Action": ["config:Put*"],
"Resource": "*",
"Effect": "Allow"
}]
})],
AssumeRolePolicyDocument={"Version": "2012-10-17", "Statement": [ {"Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"Service": ["lambda.amazonaws.com"]}}]},
)
)
resources.append(
Function(
"LambdaConfigRulesFunction",
Code=Code( S3Bucket=s3bucket, S3Key='%s/cf-cis-benchmarks-lambda-source.zip' % (s3key) ),
Handler="index.handler",
Role=GetAtt("LambdaConfigRulesRole", "Arn"),
Runtime="nodejs6.10",
Timeout=10
)
)
resources.append(
Permission(
"LambdaConfigRulesPermission",
DependsOn="LambdaConfigRulesFunction",
Action="lambda:InvokeFunction",
FunctionName=GetAtt("LambdaConfigRulesFunction", "Arn"),
Principal="config.amazonaws.com",
SourceAccount=Ref("AWS::AccountId")
)
)
outputs.append(
Output(
"LambdaConfigRulesFunctionArn",
Value=GetAtt("LambdaConfigRulesFunction", "Arn"),
Description="Amazon resource identifier or ARN for the Lambda Function."
)
)
return resources, outputs
print(' adding sns')
finish_sns = t.add_resource(Topic(
"HyP3FinishEventSNSTopic",
Subscription=[
Subscription(
Protocol="lambda",
Endpoint=GetAtt(send_email, "Arn")
)
]
))
sns_invoke_permissions = t.add_resource(Permission(
"SNSSchedulerInvokePermissions",
Action="lambda:InvokeFunction",
Principal="sns.amazonaws.com",
SourceArn=Ref(finish_sns),
FunctionName=GetAtt(send_email, "Arn")
))
ssm_sns_arn = t.add_resource(Parameter(
"HyP3SSMParameterFinishEventSNSArn",
Name=Sub(
"/${StackName}/FinishEventSNSArn",
StackName=Ref("AWS::StackName")
),
Type="String",
Value=Ref(finish_sns)
))
def create_template():
t = Template(Description="Infrastructure for routezero")
api_key = t.add_parameter(Parameter("ZerotierApiKey", Type="String", NoEcho=True))
network_id = t.add_parameter(Parameter("ZerotierNetworkId", Type="String"))
role = t.add_resource(
Role(
"Role",
AssumeRolePolicyDocument=get_lambda_assumerole_policy(),
Policies=[
Policy(
PolicyName="cloudformation-route53-update",
PolicyDocument=PolicyDocument(
Statement=[
Statement(
Effect=Allow,
Action=[
cloudformation.Action("*"),
route53.Action("*"),
],
Resource=["*"],
)
]
),
)
],
ManagedPolicyArns=[
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
],
)
)
function = t.add_resource(
CLIFunction(
"Function",
MemorySize=256,
Timeout=60 * 15,
Handler=".".join([routezero.__name__, routezero.handler.__name__]),
Runtime="python3.6",
Code=create_bundle(),
Role=GetAtt(role, "Arn"),
Environment=Environment(
Variables={
"ZEROTIER_API_KEY": Ref(api_key),
"ZEROTIER_NETWORK_ID": Ref(network_id),
"ROUTE53_RECORD_STACK_NAME": Sub("${AWS::StackName}Records"),
}
),
)
)
log_group = t.add_resource(
LogGroup(
"LogGroup", LogGroupName=Sub("/aws/lambda/${Function}"), RetentionInDays=30
)
)
permission = t.add_resource(
Permission(
"Permission",
FunctionName=GetAtt(function, "Arn"),
Principal="events.amazonaws.com",
Action="lambda:InvokeFunction",
SourceArn=Sub(
"arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/*"
),
DependsOn=[log_group],
)
)
rule = t.add_resource(
Rule(
"Rule",
ScheduleExpression="rate(15 minutes)",
Targets=[Target(Id=Ref(function), Arn=GetAtt(function, "Arn"))],
DependsOn=[permission],
)
)
return t
"Timeout": 60
}
))
custom_metric_target = Target(
"CustomMetricTarget",
Arn=GetAtt(custom_metric, 'Arn'),
Id="CustomMetricFunction1",
Input=Sub(
'{"QueueUrl":"${QueueUrl}","AutoScalingGroupName":"${AGName}","MetricName":"${MetricName}"}',
QueueUrl=Ref(start_events),
AGName=Ref(processing_group),
MetricName=custom_metric_name
)
)
custom_metric_rule = t.add_resource(Rule(
"CustomMetricSchedule",
ScheduleExpression="rate(1 minute)",
State="ENABLED",
Targets=[custom_metric_target]
))
PermissionForEventsToInvokeLambda = t.add_resource(Permission(
"EventScheduleCustomMetricPermissions",
FunctionName=Ref(custom_metric),
Action="lambda:InvokeFunction",
Principal="events.amazonaws.com",
SourceArn=GetAtt(custom_metric_rule, "Arn")
))
"SendToDiscord":
Ref("SendToDiscord"),
"SNSTopic":
Join("", [
"arn:aws:sns:",
Ref("AWS::Region"), ":",
Ref("AWS::AccountId"), ":",
GetAtt("Civ6NotifTopic", "TopicName")
]),
"DiscordWebhookURL":
Ref("DiscordWebhookURL")
}))
Civ6Notif_LambdaPermission = Permission("Civ6LambdaPermission",
Action="lambda:InvokeFunction",
Principal="apigateway.amazonaws.com",
FunctionName=GetAtt(
"Civ6NotifFunction", "Arn"))
Civ6Notif_GW_Resource = Resource(
"Civ6NotifResource",
RestApiId=Ref(Civ6Notif_GW),
PathPart="civ6",
ParentId=GetAtt("Civ6NotifGW", "RootResourceId"),
)
Civ6Notif_PostMethod = Method(
"Civ6NotifPostMethod",
DependsOn='Civ6NotifFunction',
RestApiId=Ref(Civ6Notif_GW),
AuthorizationType="NONE",
snsTopic = t.add_resource(Topic(
"snsTopic",
DisplayName="GDACK",
TopicName="GDACK",
Subscription=[
Subscription(
Endpoint=GetAtt(lambdaFunction, "Arn"),
Protocol="lambda"
)
]
))
ApiPermission = t.add_resource(Permission(
"ApiPermission",
FunctionName=Ref(lambdaFunction),
Action="lambda:InvokeFunction",
Principal="apigateway.amazonaws.com",
SourceArn=Join("", ["arn:aws:execute-api:us-west-2:", Ref("AWS::AccountId"), ":", Ref(restApi), "/*/*/*"])
))
# Output
WebhookUrl = t.add_output(Output(
"WebhookUrl",
Description="URL for Slack Endpoint",
Value=Join("", [Ref(restApi), ".execute-api.", Ref("AWS::Region"), ".amazonaws.com/", stageName, "/slack"])
))
j = t.to_json()
with open('gdack.template', 'w') as fd:
],
)
])))
t.add_resource(
EventSourceMapping("FunctionEventSourceMapping",
EventSourceArn=GetAtt("JsonNotificationReceiveQueue",
"Arn"),
FunctionName=Ref("LambdaFunction"),
BatchSize=1))
t.add_resource(
Permission("InvokeLambdaPermission",
FunctionName=Join(
':', [GetAtt("LambdaFunction", "Arn"),
Ref("LambdaEnv")]),
Action="lambda:InvokeFunction",
SourceArn=GetAtt("JsonNotificationReceiveQueue", "Arn"),
Principal="sqs.amazonaws.com"))
t.add_resource(
Alias("GalileoBabelLambdaAlias",
Description="Alias for the galileo babel lambda",
FunctionName=Ref("LambdaFunction"),
FunctionVersion="$LATEST",
Name=Ref("LambdaEnv")))
t.add_resource(
Queue("JsonNotificationReceiveQueue",
QueueName=Sub("${LambdaEnv}-json-notification-inbound-queue"),
RedrivePolicy=RedrivePolicy(deadLetterTargetArn=GetAtt(