AWSTemplateFormatVersion: "2010-09-09" Transform: AWS::Serverless-2016-10-31 Description: > VideoProcessing Sample SAM Template for VideoProcessing Parameters: GraphLoadStagingBucket: Type: String GraphLoadQueueName: Type: String GraphLoadQueueArn: Type: String LoggingBucketName: Type: String VPC: Type: String PrivateSubnet1: Type: String PrivateSubnet2: Type: String PowertoolsLayer: Type: String MasterKey: Type: String VPCCidrBlock: Type: String EndpointsSecurityGroup: Type: String Globals: Function: Timeout: 3 Tracing: Active Runtime: python3.9 Architectures: - x86_64 VpcConfig: SecurityGroupIds: - !Ref ProcessingSecurityGroup SubnetIds: - !Ref PrivateSubnet1 - !Ref PrivateSubnet2 RuntimeManagementConfig: UpdateRuntimeOn: Auto Mappings: PrefixListMap: us-east-1: "S3PrefixListId": "pl-63a5400a" us-west-1: "S3PrefixListId": "pl-6ba54002" us-west-2: "S3PrefixListId": "pl-68a54001" us-east-2: "S3PrefixListId": "pl-7ba54012" Resources: GraphLoadProcessingBucket: Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 PublicAccessBlockConfiguration: BlockPublicAcls: True BlockPublicPolicy: True IgnorePublicAcls: True RestrictPublicBuckets: True VersioningConfiguration: Status: Enabled LoggingConfiguration: DestinationBucketName: !Ref LoggingBucketName LogFilePrefix: GraphETL/Video/Processing GraphLoadBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref GraphLoadProcessingBucket PolicyDocument: Version: 2012-10-17 Statement: - Action: - 's3:GetObject' Effect: Deny Resource: !Join - '' - - 'arn:aws:s3:::' - !Ref GraphLoadProcessingBucket - /* Principal: '*' Condition: StringNotEquals: 'aws:PrincipalAccount': !Ref AWS::AccountId VideoProcessingStateMachine: Type: AWS::Serverless::StateMachine # More info about State Machine Resource: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html Properties: DefinitionUri: statemachine/video_processing.asl.json DefinitionSubstitutions: StartRekognitionJobFunctionArn: !GetAtt StartRekognitionJobFunction.Arn CheckRekognitionResultsFunctionArn: !GetAtt CheckRekognitionResultsFunction.Arn CreateGraphLoadFilesFunctionArn: !GetAtt CreateGraphLoadFilesFunction.Arn Policies: # Find out more about SAM policy templates: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html - LambdaInvokePolicy: FunctionName: !Ref StartRekognitionJobFunction - LambdaInvokePolicy: FunctionName: !Ref CheckRekognitionResultsFunction - LambdaInvokePolicy: FunctionName: !Ref CreateGraphLoadFilesFunction VideoProcessingQueue: Type: AWS::SQS::Queue Properties: KmsMasterKeyId: !Ref MasterKey VideoProcessingDeadLetterQueue: Type: AWS::SQS::Queue Properties: KmsMasterKeyId: !Ref MasterKey ProcessingSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group for the processing handler function SecurityGroupEgress: - IpProtocol: tcp FromPort: "443" ToPort: "443" CidrIp: !Ref VPCCidrBlock Description: Allow outbound HTTPS traffic - IpProtocol: tcp FromPort: "443" ToPort: "443" Description: Allow outbound HTTPS traffic DestinationPrefixListId: !FindInMap [PrefixListMap, !Ref "AWS::Region", S3PrefixListId] VpcId: !Ref VPC StartRekognitionJobFunction: Type: AWS::Serverless::Function # More info about Function Resource: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html Properties: CodeUri: functions/start_label_detection/ Handler: app.lambda_handler DeadLetterQueue: TargetArn: !GetAtt VideoProcessingDeadLetterQueue.Arn Type: SQS ReservedConcurrentExecutions: 1 KmsKeyArn: !Ref MasterKey Timeout: 15 Environment: Variables: SNS_ROLE: !GetAtt RekognitionRole.Arn Policies: - AmazonRekognitionFullAccess - S3ReadPolicy: BucketName: !Ref GraphLoadProcessingBucket - S3WritePolicy: BucketName: !Ref GraphLoadProcessingBucket - Statement: - Sid: KmsInlinePolicy Effect: Allow Action: - "kms:GenerateDataKey" - "kms:Decrypt" - "kms:DescribeKey" Resource: !Ref MasterKey - Sid: SqsInlinePolicy Effect: Allow Action: - "sqs:DeleteMessage" - "sqs:ReceiveMessage" - "sqs:SendMessage" - "sqs:GetQueueAttributes" - "sqs:ChangeMessageVisibility" - "sqs:SetQueueAttributes" Resource: !GetAtt VideoProcessingQueue.Arn - Sid: S3InlinePolicy Effect: Allow Action: - "s3:Get*" Resource: !Sub 'arn:${AWS::Partition}:s3:::*' Layers: - !Ref PowertoolsLayer Metadata: cfn_nag: rules_to_suppress: - id: W89 reason: False positive. This is being deployed in a VPC by specifying the VpcConfig parameters. CheckRekognitionResultsFunction: Type: AWS::Serverless::Function Properties: CodeUri: functions/check_rek_results/ Handler: app.lambda_handler DeadLetterQueue: TargetArn: !GetAtt VideoProcessingDeadLetterQueue.Arn Type: SQS ReservedConcurrentExecutions: 1 KmsKeyArn: !Ref MasterKey Timeout: 15 Policies: - AmazonRekognitionFullAccess - S3WritePolicy: BucketName: !Ref GraphLoadProcessingBucket - Statement: - Sid: KmsInlinePolicy Effect: Allow Action: - "kms:GenerateDataKey" - "kms:Decrypt" - "kms:DescribeKey" Resource: !Ref MasterKey - Sid: SqsInlinePolicy Effect: Allow Action: - "sqs:DeleteMessage" - "sqs:ReceiveMessage" - "sqs:SendMessage" - "sqs:GetQueueAttributes" - "sqs:ChangeMessageVisibility" - "sqs:SetQueueAttributes" Resource: !GetAtt VideoProcessingQueue.Arn Environment: Variables: GRAPH_LOAD_PROCESSING_BUCKET: !Ref GraphLoadProcessingBucket Layers: - !Ref PowertoolsLayer Metadata: cfn_nag: rules_to_suppress: - id: W89 reason: False positive. This is being deployed in a VPC by specifying the VpcConfig parameters. CreateGraphLoadFilesFunction: Type: AWS::Serverless::Function Properties: CodeUri: functions/create_graph_load_files/ Handler: app.lambda_handler ReservedConcurrentExecutions: 1 KmsKeyArn: !Ref MasterKey DeadLetterQueue: TargetArn: !GetAtt VideoProcessingDeadLetterQueue.Arn Type: SQS Timeout: 600 Policies: - S3ReadPolicy: BucketName: !Ref GraphLoadProcessingBucket - S3WritePolicy: BucketName: !Ref GraphLoadStagingBucket - Statement: - Sid: KmsInlinePolicy Effect: Allow Action: - "kms:GenerateDataKey" - "kms:Decrypt" - "kms:DescribeKey" Resource: !Ref MasterKey - Sid: SqsInlinePolicy Effect: Allow Action: - "sqs:DeleteMessage" - "sqs:ReceiveMessage" - "sqs:SendMessage" - "sqs:GetQueueAttributes" - "sqs:ChangeMessageVisibility" - "sqs:SetQueueAttributes" Resource: !Ref GraphLoadQueueArn Environment: Variables: GRAPH_LOAD_STAGING_BUCKET: !Ref GraphLoadStagingBucket GRAPH_LOAD_PROCESSING_BUCKET: !Ref GraphLoadProcessingBucket GRAPH_LOAD_QUEUE: !Ref GraphLoadQueueName AWS_ACCOUNT_ID: !Ref AWS::AccountId Layers: - !Ref PowertoolsLayer Metadata: cfn_nag: rules_to_suppress: - id: W89 reason: False positive. This is being deployed in a VPC by specifying the VpcConfig parameters. RekognitionRole: Type: AWS::IAM::Role Properties: ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonS3FullAccess AssumeRolePolicyDocument: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "rekognition.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": {} } ] } Outputs: VideoProcessingStateMachineArn: Description: "ETL State machine ARN" Value: !Ref VideoProcessingStateMachine