AWSTemplateFormatVersion: "2010-09-09" Description: Adds users and dummy data to the databases. Parameters: VpcID: Type: AWS::EC2::VPC::Id PrivateSubnet1: Type: AWS::EC2::Subnet::Id PrivateSubnet2: Type: AWS::EC2::Subnet::Id LayerVersionArn: Type: String Endpoint: Type: String RDSSecurityGroup: Type: AWS::EC2::SecurityGroup::Id CreateRDSProxy: Type: String DBSecretArn: Type: String DBProxyName: Type: String DBProxyArn: Type: String ProxySecurityGroup: Type: String UsersToCreate: Type: Number Conditions: IsRDSProxy: !Equals [!Ref CreateRDSProxy, true] NoRDSProxy: !Equals [!Ref CreateRDSProxy, false] Transform: AWS::Serverless-2016-10-31 Resources: ProxyLambdaFunction: Type: AWS::Serverless::Function DependsOn: - XraySeviceAccessPolicy - CloudWatchLogsSeviceAccessPolicy - VPCSeviceAccessPolicy - SecretsManagerSeviceAccessPolicy - DBProxyPolicy Properties: CodeUri: ../src/functions/proxy Description: Tenant add data function. Environment: Variables: ENDPOINT: !Ref Endpoint USER: admin USERS_TO_CREATE: !Ref UsersToCreate REGION: !Ref AWS::Region SECRETARN: !Ref DBSecretArn DATABASE: main NUMBER_OF_ROWS: 1000 PROXY_NAME: !Ref DBProxyName Handler: cr_add_users_proxy.handler Layers: - !Ref LayerVersionArn Role: !GetAtt LambdaAddUsersRole.Arn Runtime: python3.8 Timeout: 900 Tracing: Active VpcConfig: SecurityGroupIds: - !Ref LambdaSecurityGroup SubnetIds: - !Ref PrivateSubnet1 - !Ref PrivateSubnet2 Condition: IsRDSProxy ProxyLambdaCustom: Type: Custom::ProxyAddUsers Properties: ServiceToken: !GetAtt ProxyLambdaFunction.Arn Version: "1.0" Condition: IsRDSProxy NoProxyLambdaFunction: Type: AWS::Serverless::Function DependsOn: - XraySeviceAccessPolicy - CloudWatchLogsSeviceAccessPolicy - VPCSeviceAccessPolicy - SecretsManagerSeviceAccessPolicy Properties: CodeUri: ../src/functions/noproxy Description: Tenant add data function. Environment: Variables: ENDPOINT: !Ref Endpoint USER: admin USERS_TO_CREATE: !Ref UsersToCreate NUMBER_OF_ROWS: 1000 REGION: !Ref AWS::Region DATABASE: main SECRETARN: !Ref DBSecretArn Handler: cr_add_users_noproxy.handler Layers: - !Ref LayerVersionArn Role: !GetAtt LambdaAddUsersRole.Arn Runtime: python3.8 Timeout: 900 Tracing: Active VpcConfig: SecurityGroupIds: - !Ref LambdaSecurityGroup SubnetIds: - !Ref PrivateSubnet1 - !Ref PrivateSubnet2 Condition: NoRDSProxy NoProxyLambdaCustom: Type: Custom::ProxyAddUsers Properties: ServiceToken: !GetAtt NoProxyLambdaFunction.Arn Version: "1.0" Condition: NoRDSProxy LambdaSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Lambda Security Group SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow all https outbound traffic IpProtocol: tcp FromPort: 443 ToPort: 443 - DestinationSecurityGroupId: !Ref RDSSecurityGroup Description: Allow db outbound traffic IpProtocol: tcp FromPort: 3306 ToPort: 3306 VpcId: !Ref VpcID LambdaToRDSIngress: Type: AWS::EC2::SecurityGroupIngress Properties: IpProtocol: tcp Description: Lambda to RDS ingress rule FromPort: 3306 GroupId: !Ref RDSSecurityGroup SourceSecurityGroupId: !Ref LambdaSecurityGroup ToPort: 3306 LambdaToProxyIngress: Type: AWS::EC2::SecurityGroupIngress Properties: IpProtocol: tcp Description: Lambda to Proxy ingress rule FromPort: 3306 GroupId: !Ref ProxySecurityGroup SourceSecurityGroupId: !Ref LambdaSecurityGroup ToPort: 3306 Condition: IsRDSProxy LambdaAddUsersRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole XraySeviceAccessPolicy: Type: AWS::IAM::ManagedPolicy Properties: Description: !Sub Allows the Add Users Lambda Function to access X-Ray. Stack ${AWS::StackName} PolicyDocument: Version: "2012-10-17" Statement: Effect: Allow Action: - xray:PutTraceSegments - xray:PutTelemetryRecords - xray:GetSamplingRules - xray:GetSamplingTargets - xray:GetSamplingStatisticSummaries Resource: '*' Roles: - !Ref LambdaAddUsersRole CloudWatchLogsSeviceAccessPolicy: Type: AWS::IAM::ManagedPolicy Properties: Description: !Sub Allows the Add Users Lambda Function to access CloudWatch logs. Stack ${AWS::StackName} PolicyDocument: Version: "2012-10-17" Statement: Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:* - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:log-stream:* Roles: - !Ref LambdaAddUsersRole VPCSeviceAccessPolicy: Type: AWS::IAM::ManagedPolicy Properties: Description: !Sub Allows the Add Users Lambda Function to create and delete network interfaces, and assign and unassign private IP addresses. Stack ${AWS::StackName} PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - ec2:DescribeNetworkInterfaces Resource: '*' - Effect: Allow Action: - ec2:CreateNetworkInterface - ec2:DeleteNetworkInterface - ec2:AssignPrivateIpAddresses - ec2:UnassignPrivateIpAddresses Resource: '*' Roles: - !Ref LambdaAddUsersRole DBProxyPolicy: Type: AWS::IAM::ManagedPolicy Properties: Description: !Sub Allows the Add Users Lambda Function to modify RDS Proxy, in order to associate with it Secrets Manager secrets. Stack ${AWS::StackName} PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - rds:ModifyDBProxy Resource: !Ref DBProxyArn Roles: - !Ref LambdaAddUsersRole Condition: IsRDSProxy SecretsManagerSeviceAccessPolicy: Type: AWS::IAM::ManagedPolicy Properties: Description: !Sub Allows the Add Users Lambda Function to create, delete, and tag Secrets Manager Secrets with the correct ARN. Stack ${AWS::StackName} PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - secretsmanager:GetSecretValue Resource: !Ref DBSecretArn - Effect: Allow Action: - secretsmanager:CreateSecret - secretsmanager:DeleteSecret - secretsmanager:TagResource Resource: !Sub arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:Amazon_rds_proxy_multitenant_load_test/Proxy_secret_for_user* Roles: - !Ref LambdaAddUsersRole