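Transform: AWS::Serverless-2016-10-31 # Mandatory declaration of SAM template
# Docs for SAM template specifically:
# https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-resources-and-properties.html
# Docs for the broader and still compatible CloudFormation template:
# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
# Developer guide for SAM
# https://docs.aws.amazon.com/serverless-application-model/
# Intrinsic functions
# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference.html
#
# Layout conventions used in this file: 2-space indentation throughout, block
# sequences indented one level under their key, booleans written as true/false,
# and any scalar that a YAML 1.1 parser could retype (dates, cron expressions
# containing "?" and "*") kept quoted.
Resources:
  WeeklyReminder:
    Type: AWS::Serverless::Function
    # Guide:
    # SAM guide --> https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html
    # dev guide --> https://docs.aws.amazon.com/lambda/
    # python handler --> https://docs.aws.amazon.com/lambda/latest/dg/python-handler.html#python-handler-how
    Properties:
      #checkov:skip=CKV_AWS_116: This is not mission critical, we don't need a dead letter queue
      #checkov:skip=CKV_AWS_117: VPC costs money and everything is secure enough for our purposes
      Description: Gives weekly reminders of upcoming medications and appointments
      FunctionName: weekly_reminder
      Architectures:
        - x86_64
      CodeUri: lambda_packages/weekly_reminder.zip
      Environment:
        Variables:
          # Plain names; the handler is expected to look up the table and
          # topic by these names rather than by ARN (see the IAM policy's
          # sns:ListTopics / sns:GetTopicAttributes grant).
          database_name: pet_table
          sns_topic: weekly_reminder
      EphemeralStorage:
        Size: 512
      Events:
        ScheduledEvent:
          Type: Schedule
          Properties:
            Description: Fire every Monday at 8am
            Enabled: true
            # Quoted so the "?" and "*" can never be mistaken for YAML
            # indicators; EventBridge cron expressions are evaluated in UTC.
            Schedule: "cron(0 8 ? * MON *)"
      # The following option may need you to increase your reserved concurrent executions limit.
      # Instructions on doing that https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html
      # Can be commented out instead, though not as safe especially regarding DDOS attacks
      ReservedConcurrentExecutions: 1 # limit on concurrency, ProvisionedConcurrencyConfig is what actually reserves a spot for your lambda and keeps it warm
      Handler: lambda_weekly_reminder.lambda_weekly_reminder
      # Encrypts the environment variables at rest with the application key.
      KmsKeyArn: !GetAtt KMSAppKey.Arn
      MemorySize: 128
      PackageType: Zip
      Role: !GetAtt LambdaRole.Arn
      Runtime: python3.10
      Timeout: 5
      Layers:
        - !Ref LambdaLibrariesLayer
  LambdaAPI:
    Type: AWS::Serverless::Function
    # Guide:
    # SAM guide --> https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html
    # dev guide --> https://docs.aws.amazon.com/lambda/
    # python handler --> https://docs.aws.amazon.com/lambda/latest/dg/python-handler.html#python-handler-how
    Properties:
      #checkov:skip=CKV_AWS_116: This is not mission critical, we don't need a dead letter queue
      #checkov:skip=CKV_AWS_117: VPC costs money and everything is secure enough for our purposes
      Description: Is the REST API for our pet-diary
      FunctionName: lambda_api
      Architectures:
        - x86_64
      CodeUri: lambda_packages/lambda_api.zip
      EphemeralStorage:
        Size: 512
      # The following option may need you to increase your reserved concurrent executions limit.
      # Instructions on doing that https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html
      # Can be commented out instead, though not as safe especially regarding DDOS attacks
      ReservedConcurrentExecutions: 1 # limit on concurrency, ProvisionedConcurrencyConfig is what actually reserves a spot for your lambda and keeps it warm
      Handler: lambda_api.lambda_api
      KmsKeyArn: !GetAtt KMSAppKey.Arn
      MemorySize: 128
      PackageType: Zip
      # NOTE(review): this function is reachable from the public internet via
      # APIEndpoint (AuthType NONE) yet shares LambdaRole with the two reminder
      # functions, so it also carries sns:Publish on both topics and kms
      # permissions it does not need. A dedicated role holding only the
      # DynamoDB read statements would keep a bug in the API handler from
      # being able to send notifications.
      Role: !GetAtt LambdaRole.Arn
      Runtime: python3.10
      Timeout: 5
      Layers:
        - !Ref LambdaLibrariesLayer
  APIEndpoint:
    Type: AWS::Lambda::Url
    # Guide:
    # SAM guide --> https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-url.html
    Properties:
      #checkov:skip=CKV_AWS_258: No Authorisation... yet
      # Further reading on AuthType: https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html
      # With NONE here and Principal "*" in PermissionsToUseAPI, anyone who
      # learns the URL can invoke the function; the handler code is the only
      # access control, and ReservedConcurrentExecutions: 1 on LambdaAPI is
      # what bounds the cost of unsolicited traffic. Switch to AWS_IAM (and
      # FunctionUrlAuthType: AWS_IAM below) before exposing real pet data.
      AuthType: NONE
      TargetFunctionArn: !GetAtt LambdaAPI.Arn
      Cors: # CORS does not restrict access; it only tells browsers which origins may read the response
        # CORS guide: --> https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-url-cors.html
        AllowMethods:
          - GET
        AllowOrigins:
          - "*"
  PermissionsToUseAPI:
    Type: AWS::Lambda::Permission
    # Guide:
    # SAM guide --> https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html
    Properties:
      FunctionName: !Ref LambdaAPI
      Action: lambda:InvokeFunctionUrl
      # "*" = any principal, including unauthenticated callers. Must match the
      # AuthType chosen on APIEndpoint.
      Principal: "*"
      FunctionUrlAuthType: NONE
  DailyReminder:
    Type: AWS::Serverless::Function
    # Guide:
    # SAM guide --> https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html
    # dev guide --> https://docs.aws.amazon.com/lambda/
    Properties:
      # Skips placed under Properties, consistent with the other two functions.
      #checkov:skip=CKV_AWS_116: This is not mission critical, we don't need a dead letter queue
      #checkov:skip=CKV_AWS_117: VPC costs money and everything is secure enough for our purposes
      Description: Gives daily reminders of upcoming medications and appointments if any for today
      FunctionName: daily_reminder
      Architectures:
        - x86_64
      CodeUri: lambda_packages/daily_reminder.zip
      Environment:
        Variables:
          database_name: pet_table
          sns_topic: daily_reminder
      EphemeralStorage:
        Size: 512
      Events:
        ScheduledEvent:
          Type: Schedule
          Properties:
            Description: Fire every morning at 8am
            Enabled: true
            # Quoted for the same reason as the weekly schedule; UTC.
            Schedule: "cron(0 8 ? * * *)"
      # The following option may need you to increase your reserved concurrent executions limit.
      # Instructions on doing that https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html
      # Can be commented out instead, though not as safe especially regarding DDOS attacks
      ReservedConcurrentExecutions: 1 # limit on concurrency, ProvisionedConcurrencyConfig is what actually reserves a spot for your lambda and keeps it warm
      Handler: lambda_daily_reminder.lambda_daily_reminder
      KmsKeyArn: !GetAtt KMSAppKey.Arn
      MemorySize: 128
      PackageType: Zip
      Role: !GetAtt LambdaRole.Arn
      Runtime: python3.10
      Timeout: 5
      Layers:
        - !Ref LambdaLibrariesLayer
  LambdaLibrariesLayer:
    Type: AWS::Serverless::LayerVersion
    # Guide:
    # Example ----> https://docs.aws.amazon.com/lambda/latest/dg/layers-sam.html
    # SAM guide --> https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-layerversion.html
    Properties:
      CompatibleArchitectures:
        - x86_64
      LayerName: lambda-libraries-layer
      Description: A layer for the Lambdas containing all the pip dependencies
      ContentUri: lambda_packages/lambda_libraries_layer.zip
      RetentionPolicy: Delete
      CompatibleRuntimes:
        - python3.8
        - python3.9
        - python3.10
  LambdaRole:
    Type: AWS::IAM::Role
    # Guide:
    # SAM guide --> https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html
    # Shared by WeeklyReminder, DailyReminder and LambdaAPI (see their Role
    # properties), so every statement below is granted to all three.
    Properties:
      Description: Allows Lambdas read access to DynamoDB, and publish to SNS topics
      RoleName: lambda-role
      Policies:
        - PolicyName: Weekly_access
          PolicyDocument:
            # SAM guide to policy doc --> https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
            Version: "2012-10-17"
            Statement:
              - Sid: PetTableRestrictiveRead
                Effect: Allow
                # NOTE(review): the account field is a wildcard; since the
                # table is declared in this template, !GetAtt PetTable.Arn
                # (and "!Sub '${PetTable.Arn}/index/*'") would pin the grant to
                # this account without changing what the Lambdas can do.
                Resource:
                  - arn:aws:dynamodb:eu-west-2:*:table/pet_table
                  - arn:aws:dynamodb:eu-west-2:*:table/pet_table/index/*
                Action:
                  - dynamodb:Query
                  - dynamodb:GetItem
              - Sid: UseKMSKey
                Effect: Allow
                # Needed to read KMS-encrypted environment variables and to
                # publish to the KMS-encrypted SNS topics.
                Resource: !GetAtt KMSAppKey.Arn
                Action:
                  - kms:Decrypt
                  - kms:GenerateDataKey
              - Sid: PublishToSNSWeeklyReminder
                Effect: Allow
                Resource: !GetAtt WeeklyReminderTopic.TopicArn
                Action:
                  - sns:Publish
              - Sid: PublishToSNSDailyReminder
                Effect: Allow
                Resource: !GetAtt DailyReminderTopic.TopicArn
                Action:
                  - sns:Publish
              - Sid: SNSFindTopic
                Effect: Allow
                # sns:ListTopics is not resource-scoped, hence the wildcard.
                Resource: arn:aws:sns:eu-west-2:*
                Action:
                  - sns:ListTopics
                  - sns:GetTopicAttributes
              - Sid: CreateLogGroups
                Effect: Allow
                Resource: arn:aws:logs:eu-west-2:*
                Action:
                  - logs:CreateLogGroup
              - Sid: PublishLogs
                Effect: Allow
                Resource: arn:aws:logs:eu-west-2:*:log-group:*:*
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      MaxSessionDuration: 3600
  WeeklyReminderTopic:
    Type: AWS::SNS::Topic
    # Guide
    # General SNS --> https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SNS.html
    # Topic only ---> https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topic.html
    # Dev guide ----> https://docs.aws.amazon.com/sns/
    Properties:
      TopicName: weekly_reminder
      DisplayName: PD_Weekly_Reminder
      FifoTopic: false
      # Server-side encryption with the application key; publishers need
      # kms:GenerateDataKey on it (granted in LambdaRole / UseKMSKey).
      KmsMasterKeyId: !GetAtt KMSAppKey.KeyId
  DailyReminderTopic:
    Type: AWS::SNS::Topic
    # Guide
    # General SNS --> https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_SNS.html
    # Topic only ---> https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sns-topic.html
    # Dev guide ----> https://docs.aws.amazon.com/sns/
    Properties:
      TopicName: daily_reminder
      DisplayName: PD_Daily_Reminder
      FifoTopic: false
      KmsMasterKeyId: !GetAtt KMSAppKey.KeyId
  PetTable:
    Type: AWS::DynamoDB::Table
    # Guide:
    # SAM Guide --> https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html
    # Dev guide --> https://docs.aws.amazon.com/dynamodb
    Properties:
      TableName: pet_table
      # Every attribute listed here must be used by the table key or a GSI key.
      AttributeDefinitions:
        - AttributeName: name
          AttributeType: S
        - AttributeName: sort_key
          AttributeType: S
        - AttributeName: medicine_type
          AttributeType: S
        - AttributeName: record_type
          AttributeType: S
        - AttributeName: date_time
          AttributeType: N
        - AttributeName: next_due
          AttributeType: N
      KeySchema:
        - AttributeName: name
          KeyType: HASH
        - AttributeName: sort_key
          KeyType: RANGE
      GlobalSecondaryIndexes:
        - IndexName: medicine_type
          KeySchema:
            - AttributeName: medicine_type
              KeyType: HASH
            - AttributeName: next_due
              KeyType: RANGE
          Projection:
            ProjectionType: ALL
          ProvisionedThroughput:
            ReadCapacityUnits: 5 # Gives ThrottlingException
            WriteCapacityUnits: 5 # if exceeded
        - IndexName: record_type
          KeySchema:
            - AttributeName: record_type
              KeyType: HASH
            - AttributeName: date_time
              KeyType: RANGE
          Projection:
            ProjectionType: ALL
          ProvisionedThroughput:
            ReadCapacityUnits: 5 # Gives ThrottlingException
            WriteCapacityUnits: 5 # if exceeded
      BillingMode: PROVISIONED
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 5
      #!################## Anything below this point in the template file costs money ##################!#
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true # costs $0.23772 per GB-month
      SSESpecification:
        KMSMasterKeyId: !GetAtt KMSAppKey.Arn
        SSEEnabled: true
        SSEType: KMS
  KMSAppKey:
    Type: AWS::KMS::Key # costs $1 per creation, gets 20,000 requests a year free for encrypting/decrypting
    # Guide:
    # SAM guide --> https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html
    # No KeyPolicy is given, so CloudFormation applies the default policy
    # that delegates all key access to the account's IAM policies.
    Properties:
      Description: For symmetric encryption of all the applications resources
      Enabled: true
      EnableKeyRotation: true # Creates new one every year
      KeySpec: SYMMETRIC_DEFAULT
      KeyUsage: ENCRYPT_DECRYPT
      MultiRegion: false
      Origin: AWS_KMS
      # Deletion grace period; the key is unusable but recoverable during it.
      PendingWindowInDays: 30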