AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: > UploadsStack Sample SAM Template for UploadsStack Parameters: VideoProcessingStateMachineArn: Type: String LoggingBucketName: Type: String VPC: Type: String PrivateSubnet1: Type: String PrivateSubnet2: Type: String PowertoolsLayer: Type: String MasterKey: Type: String VPCCidrBlock: Type: String Resources: IngestBucket: Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 PublicAccessBlockConfiguration: BlockPublicAcls: True BlockPublicPolicy: True IgnorePublicAcls: True RestrictPublicBuckets: True VersioningConfiguration: Status: Enabled LoggingConfiguration: DestinationBucketName: !Ref LoggingBucketName LogFilePrefix: GraphETL/Video/Ingest IngestBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref IngestBucket PolicyDocument: Version: 2012-10-17 Statement: - Action: - 's3:GetObject' Effect: Deny Resource: !Join - '' - - 'arn:aws:s3:::' - !Ref IngestBucket - /* Principal: '*' Condition: StringNotEquals: 'aws:PrincipalAccount': !Ref AWS::AccountId UploadsDeadLetterQueue: Type: AWS::SQS::Queue Properties: KmsMasterKeyId: !Ref MasterKey UploadsHandlerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group for the uploads handler function VpcId: !Ref VPC SecurityGroupEgress: - Description: Allow all outbound traffic IpProtocol: "tcp" CidrIp: !Ref VPCCidrBlock FromPort: "443" ToPort: "443" NewUploadHandler: Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction Properties: CodeUri: upload_handler/ Handler: app.lambda_handler Runtime: python3.9 RuntimeManagementConfig: UpdateRuntimeOn: Auto Timeout: 15 ReservedConcurrentExecutions: 1 KmsKeyArn: !Ref MasterKey DeadLetterQueue: TargetArn: !GetAtt UploadsDeadLetterQueue.Arn Type: SQS Architectures: - x86_64 Events: NewVideoUpload: Type: S3 Properties: Bucket: !Ref IngestBucket Events: s3:ObjectCreated:* Filter: S3Key: Rules: - Name: suffix Value: mp4 Environment: Variables: VIDEO_PROCESSING_STEP_FUNCTION_ARN: !Ref VideoProcessingStateMachineArn Policies: - Statement: - Sid: StateMachineInlinePolicy Effect: Allow Action: - "states:CreateActivity" - "states:CreateStateMachine" - "states:DeleteActivity" - "states:DeleteStateMachine" - "states:DescribeActivity" - "states:DescribeExecution" - "states:DescribeStateMachine" - "states:GetActivityTask" - "states:GetExecutionHistory" - "states:ListActivities" - "states:ListExecutions" - "states:ListStateMachines" - "states:SendTaskFailure" - "states:SendTaskHeartbeat" - "states:SendTaskSuccess" - "states:StartExecution" - "states:StopExecution" Resource: !Ref VideoProcessingStateMachineArn VpcConfig: SecurityGroupIds: - !Ref UploadsHandlerSecurityGroup SubnetIds: - !Ref PrivateSubnet1 - !Ref PrivateSubnet2 Layers: - !Ref PowertoolsLayer Metadata: cfn_nag: rules_to_suppress: - id: W89 reason: False positive. This is being deployed in a VPC by specifying the VpcConfig parameters for Function under globals.