AWSTemplateFormatVersion: 2010-09-09 Description: >- Template that uses existing S3 bucket as an event source for a Lambda function to transform squid proxy rules Parameters: S3Bucket: Type: String Description: S3 bucket name that's used for uploading the squid domain list config file Default: test-squid-fw S3ObjectFile: Type: String Description: S3 file name that stores squid domain lists for squid Default: domain.txt RuleGroupName: Type: String Description: Provide the rule group name for the squid Default: squid-conversion-test DomainListKind: Type: String Description: Provide the type of domain list for the squid AllowedValues: - DENYLIST - ALLOWLIST Resources: SquidLambdaFunction: Type: 'AWS::Lambda::Function' Properties: Code: S3Bucket: !Ref S3Bucket S3Key: squid.zip Handler: index.lambda_handler Role: !GetAtt LambdaIAMRole.Arn Runtime: python3.7 Timeout: 5 Environment: Variables: bucket: !Ref S3Bucket key: !Ref S3ObjectFile rg_name: !Ref RuleGroupName gen_rule_type: !Ref DomainListKind LambdaInvokePermission: Type: 'AWS::Lambda::Permission' Properties: FunctionName: !GetAtt SquidLambdaFunction.Arn Action: 'lambda:InvokeFunction' Principal: s3.amazonaws.com SourceAccount: !Ref 'AWS::AccountId' SourceArn: !Sub 'arn:aws:s3:::${S3Bucket}' LambdaIAMRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: root PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 's3:*' - 'logs:CreateLogGroup' - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: - !Sub 'arn:aws:s3:::${S3Bucket}' - 'arn:aws:logs:*:*:*' - !Sub 'arn:aws:s3:::${S3Bucket}/*' - PolicyName: ec2 PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'ec2:*' Resource: '*' - PolicyName: network-firewall PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'network-firewall:*' Resource: '*' CustomSquidResourceLambdaFunction: Type: 'AWS::Lambda::Function' Properties: Handler: index.lambda_handler Role: !GetAtt LambdaIAMRole.Arn Code: ZipFile: | from __future__ import print_function import json import boto3 import cfnresponse SUCCESS = "SUCCESS" FAILED = "FAILED" print('Loading function') s3 = boto3.resource('s3') def lambda_handler(event, context): print("Received event: " + json.dumps(event, indent=2)) responseData={} try: if event['RequestType'] == 'Delete': print("Request Type:",event['RequestType']) Bucket=event['ResourceProperties']['Bucket'] delete_notification(Bucket) print("Sending response to custom resource after Delete") elif event['RequestType'] == 'Create' or event['RequestType'] == 'Update': print("Request Type:",event['RequestType']) LambdaArn=event['ResourceProperties']['LambdaArn'] Bucket=event['ResourceProperties']['Bucket'] add_notification(LambdaArn, Bucket) responseData={'Bucket':Bucket} print("Sending response to custom resource") responseStatus = 'SUCCESS' except Exception as e: print('Failed to process:', e) responseStatus = 'FAILURE' responseData = {'Failure': 'Something bad happened.'} cfnresponse.send(event, context, responseStatus, responseData) def add_notification(LambdaArn, Bucket): bucket_notification = s3.BucketNotification(Bucket) response = bucket_notification.put( NotificationConfiguration={ 'LambdaFunctionConfigurations': [ { 'LambdaFunctionArn': LambdaArn, 'Events': [ 's3:ObjectCreated:*' ] } ] } ) print("Put request completed....") def delete_notification(Bucket): bucket_notification = s3.BucketNotification(Bucket) response = bucket_notification.put( NotificationConfiguration={} ) print("Delete request completed....") Runtime: python3.7 Timeout: 50 LambdaTrigger: Type: 'Custom::LambdaTrigger' DependsOn: LambdaInvokePermission Properties: ServiceToken: !GetAtt CustomSquidResourceLambdaFunction.Arn LambdaArn: !GetAtt SquidLambdaFunction.Arn Bucket: !Ref S3Bucket