# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 # # Permission is hereby granted, free of charge, to any person obtaining a copy of this # software and associated documentation files (the "Software"), to deal in the Software # without restriction, including without limitation the rights to use, copy, modify, # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to # permit persons to whom the Software is furnished to do so. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. --- AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: This stack deploys an AWS Lambda function in existing VPC and subnets, creates a secret in AWS Secrets Manager, and a VPC Endpoint for Secrets Manager. **WARNING** This template creates billable resoruces. You will be billed for the AWS resources used if you create a stack from this template. Parameters: MyVPC: Description: Select a VPC to deploy resources. Type: String Default: vpc-xxxxxxx MySubnets: Description: Select multiple subnets from selected VPC. Type: List Default: subnet-yyyyyyyy,subnet-zzzzzzzz FileServersCIDR: AllowedPattern: ((\d{1,3})\.){3}\d{1,3}/\d{1,2} Default: 172.31.0.0/16 Description: Required for Security Groups. Enter CIDR Block (eg 172.31.0.0/16) for your file servers, You can add more entries in the prefix list resource. Type: String Resources: FileServersPrefixList: Type: AWS::EC2::PrefixList Properties: PrefixListName: FS-CIDRs AddressFamily: IPv4 MaxEntries: 10 Entries: - Cidr: !Ref 'FileServersCIDR' Description: CIDR block for File Servers Tags: - Key: Name Value: FS Prefix List LambdaSG: Type: AWS::EC2::SecurityGroup Properties: VpcId: !Ref 'MyVPC' GroupDescription: SG for SMB Lambda Tags: - Key: Name Value: LambdaSMBSG LambdaSGEgress1: Type: AWS::EC2::SecurityGroupEgress Properties: IpProtocol: tcp FromPort: 443 ToPort: 443 DestinationSecurityGroupId: !GetAtt 'SecretsManagerVpceSG.GroupId' Description: HTTPS outbound to Secrets Manager VPC Endpoint GroupId: !GetAtt 'LambdaSG.GroupId' LambdaSGEgress2: Type: AWS::EC2::SecurityGroupEgress Properties: IpProtocol: tcp FromPort: 445 ToPort: 445 DestinationPrefixListId: !Ref 'FileServersPrefixList' Description: SMB outbound access to file servers CIDRs GroupId: !GetAtt 'LambdaSG.GroupId' SecretsManagerVpceSG: Type: AWS::EC2::SecurityGroup Properties: VpcId: !Ref 'MyVPC' GroupDescription: SG for Secrets Manager VPC endpoint Tags: - Key: Name Value: SecretsManagerVpceSG SecretsManagerVpceSGIngress1: Type: AWS::EC2::SecurityGroupIngress Properties: IpProtocol: tcp FromPort: 443 ToPort: 443 SourceSecurityGroupId: !GetAtt 'LambdaSG.GroupId' Description: HTTPS inbound from Lambda GroupId: !GetAtt 'SecretsManagerVpceSG.GroupId' SecretsManagerVpceSGEgress1: Type: AWS::EC2::SecurityGroupEgress Properties: IpProtocol: tcp FromPort: 443 ToPort: 443 DestinationSecurityGroupId: !GetAtt 'LambdaSG.GroupId' Description: HTTPS outbound to Lambda GroupId: !GetAtt 'SecretsManagerVpceSG.GroupId' SecretsManagerVPCEndpoint: Type: AWS::EC2::VPCEndpoint Properties: PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: '*' Action: - secretsmanager:GetSecretValue Resource: !Sub '${MySecret}' ServiceName: !Sub 'com.amazonaws.${AWS::Region}.secretsmanager' SubnetIds: !Split - ',' - Fn::Join: - ',' - !Ref 'MySubnets' VpcEndpointType: Interface PrivateDnsEnabled: true SecurityGroupIds: - !Ref 'SecretsManagerVpceSG' VpcId: !Ref 'MyVPC' MySecret: Type: AWS::SecretsManager::Secret Properties: Name: FScredentials Description: This secret has a hardcoded password in SecretString, replace in Secrets Manager. SecretString: '{"username":"FS-username","password":"FS-secret-password","host":"FS-secret-hostname","share":"FS-secret-sharename"}' Tags: - Key: AppName Value: AppB MySecretResourcePolicy: Type: AWS::SecretsManager::ResourcePolicy Properties: SecretId: !Ref 'MySecret' ResourcePolicy: Version: '2012-10-17' Statement: - Sid: EnableSecretsManagerpermissions Effect: Allow Principal: AWS: !Sub '${AWS::AccountId}' Action: secretsmanager:* Resource: '*' - Sid: RestrictGetSecretValueoperation Effect: Deny Principal: '*' Action: secretsmanager:GetSecretValue Resource: '*' Condition: StringNotEquals: aws:sourceVpce: !Sub '${SecretsManagerVPCEndpoint}' SMBcopyDotNet: Type: AWS::Serverless::Function Properties: Handler: lambda-smb-dotnet::lambda_smb_dotnet.WriteFiles::FunctionHandler Runtime: dotnetcore3.1 CodeUri: src/dotNetSMB Description: DotNet function to integarte with SMB file servers MemorySize: 512 Timeout: 60 Policies: - Version: '2012-10-17' Statement: - Effect: Allow Action: - secretsmanager:GetSecretValue Resource: !Sub '${MySecret}' VpcConfig: SecurityGroupIds: - !Ref 'LambdaSG' SubnetIds: !Split - ',' - Fn::Join: - ',' - !Ref 'MySubnets'