# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 AWSTemplateFormatVersion: "2010-09-09" Transform: AWS::Serverless-2016-10-31 Description: > Template to deploy lambda functions as part of bootstrap Parameters: CognitoOperationUsersUserPoolId: Type: String CognitoOperationUsersUserPoolClientId: Type: String CognitoUserPoolId: Type: String CognitoUserPoolClientId: Type: String TenantDetailsTableArn: Type: String TenantStackMappingTableArn: Type: String TenantUserMappingTableArn: Type: String TenantStackMappingTableName: Type: String TenantDetailsTableName: Type: String SettingsTableArn: Type: String SettingsTableName: Type: String Globals: Function: Timeout: 29 Layers: - !Sub "arn:aws:lambda:${AWS::Region}:580247275435:layer:LambdaInsightsExtension:14" Environment: Variables: LOG_LEVEL: DEBUG POWERTOOLS_METRICS_NAMESPACE: "MLaaS" Resources: MLaaSLayers: Type: AWS::Serverless::LayerVersion Properties: LayerName: mlaas-dependencies Description: Utilities for project ContentUri: ../../layers/ CompatibleRuntimes: - python3.9 LicenseInfo: "MIT" RetentionPolicy: Retain Metadata: BuildMethod: python3.9 #Tenant Authorizer AuthorizerExecutionRole: Type: AWS::IAM::Role Properties: RoleName: !Sub mlaas-authorizer-execution-role-${AWS::Region} Path: '/' AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole - arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess Policies: - PolicyName: authorizer-execution-policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - cognito-idp:List* Resource: - !Sub arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/* - Effect: Allow Action: - dynamodb:GetItem Resource: - !Ref TenantDetailsTableArn AuthorizerAccessRole: Type: AWS::IAM::Role DependsOn: AuthorizerExecutionRole Properties: RoleName: !Sub mlaas-authorizer-access-role-${AWS::Region} Path: '/' AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: AWS: - !GetAtt 'AuthorizerExecutionRole.Arn' Action: - sts:AssumeRole Policies: - PolicyName: authorizer-access-role-policy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - dynamodb:BatchGetItem - dynamodb:GetItem - dynamodb:PutItem - dynamodb:DeleteItem - dynamodb:UpdateItem - dynamodb:Query - dynamodb:Scan Resource: - !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/* SharedServicesAuthorizerFunction: Type: AWS::Serverless::Function DependsOn: AuthorizerAccessRole Properties: CodeUri: ../../Resources/ Handler: shared_service_authorizer.lambda_handler Runtime: python3.9 Role: !GetAtt AuthorizerExecutionRole.Arn MemorySize: 256 Tracing: Active Layers: - !Ref MLaaSLayers Environment: Variables: OPERATION_USERS_USER_POOL: !Ref CognitoOperationUsersUserPoolId OPERATION_USERS_APP_CLIENT: !Ref CognitoOperationUsersUserPoolClientId CreateUserLambdaExecutionRole: Type: AWS::IAM::Role Properties: RoleName: !Sub mlaas-create-user-lambda-execution-role-${AWS::Region} Path: "/" AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole - arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess Policies: - PolicyName: !Sub create-user-lambda-execution-policy-${AWS::Region} PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - cognito-idp:* Resource: "*" - Effect: Allow Action: - dynamodb:PutItem Resource: - !Ref TenantUserMappingTableArn - Effect: Allow Action: - dynamodb:GetItem Resource: - !Ref TenantDetailsTableArn CreateTenantAdminUserFunction: Type: AWS::Serverless::Function DependsOn: CreateUserLambdaExecutionRole Properties: CodeUri: ../../SharedServices/ Handler: user-management.create_tenant_admin_user Runtime: python3.9 Role: !GetAtt CreateUserLambdaExecutionRole.Arn Tracing: Active Layers: - !Ref MLaaSLayers Environment: Variables: TENANT_USER_POOL_ID: !Ref CognitoUserPoolId TENANT_APP_CLIENT_ID: !Ref CognitoUserPoolClientId POWERTOOLS_SERVICE_NAME: "UserManagement.CreateTenantAdmin" #Tenant Management TenantManagementLambdaExecutionRole: Type: AWS::IAM::Role Properties: RoleName: !Sub mlaas-tenant-management-lambda-execution-role-${AWS::Region} Path: "/" AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole - arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess Policies: - PolicyName: !Sub create-tenant-execution-policy-${AWS::Region} PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - dynamodb:PutItem - dynamodb:GetItem - dynamodb:UpdateItem - dynamodb:Scan - dynamodb:Query Resource: - !Ref TenantDetailsTableArn - !Join ["", [!Ref TenantDetailsTableArn, '/index/*']] CreateTenantFunction: Type: AWS::Serverless::Function DependsOn: TenantManagementLambdaExecutionRole Properties: CodeUri: ../../SharedServices/ Handler: tenant-management.create_tenant Runtime: python3.9 Role: !GetAtt TenantManagementLambdaExecutionRole.Arn Tracing: Active Layers: - !Ref MLaaSLayers Environment: Variables: POWERTOOLS_SERVICE_NAME: "TenantManagement.CreateTenant" GetTenantsFunction: Type: AWS::Serverless::Function DependsOn: TenantManagementLambdaExecutionRole Properties: CodeUri: ../../SharedServices/ Handler: tenant-management.get_tenants Runtime: python3.9 Role: !GetAtt TenantManagementLambdaExecutionRole.Arn Tracing: Active Layers: - !Ref MLaaSLayers #Tenant Registration RegisterTenantLambdaExecutionRole: Type: AWS::IAM::Role Properties: RoleName: !Sub mlaas-tenant-registration-lambda-execution-role-${AWS::Region} Path: "/" AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole - arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess RegisterTenantFunction: Type: AWS::Serverless::Function DependsOn: RegisterTenantLambdaExecutionRole Properties: CodeUri: ../../SharedServices/ Handler: tenant-registration.register_tenant Runtime: python3.9 Role: !GetAtt RegisterTenantLambdaExecutionRole.Arn Tracing: Active Layers: - !Ref MLaaSLayers Environment: Variables: # Need to find a better way than hard coding resource paths CREATE_TENANT_ADMIN_USER_RESOURCE_PATH: "/user/tenant-admin" CREATE_TENANT_RESOURCE_PATH: "/tenant" PROVISION_TENANT_RESOURCE_PATH: "/provisioning" POWERTOOLS_SERVICE_NAME: "TenantRegistration.RegisterTenant" #Tenant Provisioning ProvisionTenantLambdaExecutionRole: Type: AWS::IAM::Role Properties: RoleName: !Sub mlaas-tenant-provisioning-lambda-execution-role-${AWS::Region} Path: "/" AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole - arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess - arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess Policies: - PolicyName: !Sub tenant-provisioning-lambda-execution-policy-${AWS::Region} PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - dynamodb:PutItem - dynamodb:DeleteItem Resource: - !Ref TenantStackMappingTableArn - Effect: Allow Action: - dynamodb:UpdateItem Resource: - !Ref TenantDetailsTableArn - Effect: Allow Action: - dynamodb:GetItem Resource: - !Ref SettingsTableArn - Effect: Allow Action: - s3:PutObject Resource: "*" - Effect: Allow Action: - iam:CreateRole - iam:PutRolePolicy - iam:AttachRolePolicy Resource: "*" - Effect: Allow Action: - codepipeline:StartPipelineExecution Resource: - !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:ml-saas-pipeline ProvisionTenantFunction: Type: AWS::Serverless::Function DependsOn: ProvisionTenantLambdaExecutionRole Properties: CodeUri: ../../SharedServices/ Handler: tenant-provisioning.provision_tenant Runtime: python3.9 Role: !GetAtt ProvisionTenantLambdaExecutionRole.Arn Tracing: Active Layers: - !Ref MLaaSLayers Environment: Variables: TENANT_STACK_MAPPING_TABLE_NAME: !Ref TenantStackMappingTableName SYSTEM_SETTINGS_TABLE_NAME: !Ref SettingsTableName TENANT_DETAILS_TABLE_NAME: !Ref TenantDetailsTableName UpdateTenantStackMapTableLambdaExecutionRole: Type: AWS::IAM::Role Properties: RoleName: !Sub mlaas-update-tenantstackmap-lambda-execution-role-${AWS::Region} Path: "/" AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole - arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess Policies: - PolicyName: !Sub update-tenantstackmap-lambda-execution-policy-${AWS::Region} PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - dynamodb:PutItem Resource: !Ref TenantStackMappingTableArn UpdateTenantStackMapTableFunction: Type: AWS::Serverless::Function DependsOn: UpdateTenantStackMapTableLambdaExecutionRole Properties: CodeUri: ../../custom_resources/ Handler: update_tenantstackmap_table.handler Runtime: python3.9 Role: !GetAtt UpdateTenantStackMapTableLambdaExecutionRole.Arn Layers: - !Ref MLaaSLayers Outputs: RegisterTenantLambdaExecutionRoleArn: Value: !GetAtt RegisterTenantLambdaExecutionRole.Arn TenantManagementLambdaExecutionRoleArn: Value: !GetAtt TenantManagementLambdaExecutionRole.Arn RegisterTenantFunctionArn: Value: !GetAtt RegisterTenantFunction.Arn ProvisionTenantFunctionArn: Value: !GetAtt ProvisionTenantFunction.Arn GetTenantsFunctionArn: Value: !GetAtt GetTenantsFunction.Arn CreateTenantFunctionArn: Value: !GetAtt CreateTenantFunction.Arn CreateTenantAdminUserFunctionArn: Value: !GetAtt CreateTenantAdminUserFunction.Arn SharedServicesAuthorizerFunctionArn: Value: !GetAtt SharedServicesAuthorizerFunction.Arn UpdateTenantStackMapTableFunctionArn: Value: !GetAtt UpdateTenantStackMapTableFunction.Arn