---
# SPOT stub: one Lambda that drains an externally owned request queue and
# replies on a response queue created in this template.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: SPOT stub
Parameters:
  # Selects the EnvironmentConfiguration entry; a value with no Mappings
  # entry fails at deploy time in FindInMap.
  Environment:
    Type: String
    Description: The name of the environment to deploy to
  # Opt-in: the sentinel 'none' leaves code signing unset (see UseCodeSigning).
  CodeSigningConfigArn:
    Type: String
    Description: The ARN of the Code Signing Config to use, provided by the deployment pipeline
    Default: 'none'
  # Opt-in in the same way (see UsePermissionsBoundary).
  PermissionsBoundary:
    Type: String
    Description: The ARN of the permissions boundary to apply when creating IAM roles
    Default: 'none'
Mappings:
  # Per-environment wiring for the request queue, which lives outside this
  # template. The ARNs pin one account and region, so the stack only deploys
  # where those resources already exist; only 'dev' is defined.
  EnvironmentConfiguration:
    dev:
      requestQueueArn: 'arn:aws:sqs:eu-west-2:816047645251:dev-stub-spot-request-queue'
      # Not referenced anywhere in this template.
      requestQueueUrl: 'https://sqs.eu-west-2.amazonaws.com/816047645251/dev-stub-spot-request-queue'
      # Presumably the key the request queue is encrypted with (the consume
      # policy grants kms:Decrypt on it). It is addressed by key id, so if the
      # key is ever recreated the ARN changes and this entry must follow.
      requestQueueKeyArn: 'arn:aws:kms:eu-west-2:816047645251:key/963c4abe-69e8-4160-a995-1d2b8c054e50'
Conditions:
  # True only when the pipeline passed a real ARN instead of the 'none' sentinel.
  UseCodeSigning: !Not
    - !Equals
      - none
      - !Ref CodeSigningConfigArn
  UsePermissionsBoundary: !Not
    - !Equals
      - none
      - !Ref PermissionsBoundary
Globals:
  Function:
    # Applied to every AWS::Serverless::Function in the template. When the
    # condition is false the property is omitted entirely (AWS::NoValue),
    # i.e. the function is deployed without signing / without a boundary.
    CodeSigningConfigArn: !If [UseCodeSigning, !Ref CodeSigningConfigArn, !Ref 'AWS::NoValue']
    PermissionsBoundary: !If [UsePermissionsBoundary, !Ref PermissionsBoundary, !Ref 'AWS::NoValue']
Resources:
  # The stub itself: pulls one request at a time from the environment's
  # request queue and writes its reply to SpotResponseQueue.
  SpotLambda:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub '${Environment}-spot-stub'
      CodeUri: .
      Handler: src/main/spot-stub/spot.handler
      Runtime: nodejs20.x
      Architectures: [arm64]
      Events:
        Request:
          Type: SQS
          Properties:
            # One message per invocation. ReportBatchItemFailures lets the
            # handler return a partial-failure response; with BatchSize 1 that
            # amounts to succeed/fail per message.
            BatchSize: 1
            Enabled: true
            Queue: !FindInMap
              - EnvironmentConfiguration
              - !Ref Environment
              - requestQueueArn
            FunctionResponseTypes:
              - ReportBatchItemFailures
      # Both managed policies are defined later in this template. Timeout and
      # DeadLetterQueue are not set, so SAM's defaults apply.
      Policies:
        - !Ref SpotRequestQueueConsumePolicy
        - !Ref SpotResponseQueueWritePolicy
      Environment:
        Variables:
          DESTINATION_QUEUE_URL: !GetAtt SpotResponseQueue.QueueUrl
    Metadata:
      BuildMethod: esbuild
      BuildProperties:
        EntryPoints:
          - src/main/spot-stub/spot.ts
        Minify: true
        Sourcemap: true
        Target: node20
SpotResponseQueueWritePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AllowSpotResponseQueueWriteAccess
Effect: Allow
Action:
- sqs:SendMessage
- sqs:ChangeMessageVisibility
- sqs:GetQueueAttributes
Resource: !GetAtt SpotResponseQueue.Arn
- Sid: AllowSpotResponseQueueKms
Effect: Allow
Action:
- kms:GenerateDataKey
- kms:Decrypt
Resource: !GetAtt SpotResponseQueueKey.Arn
SpotRequestQueueConsumePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AllowWriteAccessToSpotQueue
Effect: Allow
Action:
- sqs:ReceiveMessage
- sqs:DeleteMessage
- sqs:GetQueueAttributes
- sqs:ChangeMessageVisibility
Resource: !FindInMap [
EnvironmentConfiguration,
!Ref Environment,
requestQueueArn,
]
- Sid: AllowEncryptionAccessToSpotQueueKey
Effect: Allow
Action:
- kms:Decrypt
Resource: !FindInMap [
EnvironmentConfiguration,
!Ref Environment,
requestQueueKeyArn,
]
SpotResponseQueueKey:
Type: AWS::KMS::Key
Properties:
Description: "Key used to encrypt stub SPOT response queue"
KeySpec: SYMMETRIC_DEFAULT
KeyUsage: ENCRYPT_DECRYPT
EnableKeyRotation: true
SpotResponseQueue:
Type: AWS::SQS::Queue
Properties:
QueueName: !Sub ${Environment}-stub-spot-response-queue
MaximumMessageSize: 256000
MessageRetentionPeriod: 1209600
ReceiveMessageWaitTimeSeconds: 10
VisibilityTimeout: 60
KmsMasterKeyId: !Ref SpotResponseQueueKey
KmsDataKeyReusePeriodSeconds: 300