Parameters: Env: Type: String Default: alpha Resources: RegistrationTable: UpdateReplacePolicy: Delete DeletionPolicy: Delete Type: AWS::DynamoDB::Table Metadata: Comment: | This table is created during the testing of the hook. It is also an example of the table that you need to create in order to configure the hook. The table holds a list of ARNs of Lambda functions that will be invoked in order by the hook before CREATE, UPDATE, and DELETE operations. Properties: TableName: !Sub "cep-lambda-invoker-reg-${Env}-${AWS::Region}-${AWS::AccountId}" BillingMode: PAY_PER_REQUEST AttributeDefinitions: - AttributeName: "lambda_arn" AttributeType: "S" KeySchema: - AttributeName: "lambda_arn" KeyType: "HASH" ComplianceLambdaRole: Type: AWS::IAM::Role Properties: RoleName: !Sub "cep-lambda-invoker-setup-compl-lambda-role-${Env}-${AWS::Region}" AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - lambda.amazonaws.com Version: 2012-10-17 ManagedPolicyArns: - arn:aws:iam::aws:policy/AWSLambdaExecute Path: / ComplianceLambda1: Type: AWS::Lambda::Function Metadata: Comment: | This is an example of a Lambda function that you will create and register in the RegistrationTable, so that it can be invoked by the hook to check the compliance of resources before they are deployed. Properties: FunctionName: !Sub "cep-lambda-invoker-compl-${Env}-${AWS::Region}-${AWS::AccountId}" Runtime: python3.9 Role: !GetAtt ComplianceLambdaRole.Arn Handler: index.handler Code: ZipFile: | import boto3 def handler(event, context): print('ComplianceLambda1 was invoked') print(event) if event["type_name"] == "TEST::TEST::FAIL": raise Exception("Failed") if "FAIL" in event["resource_properties"]: raise Exception("Resource failed") RegistrationLambdaRole: Type: AWS::IAM::Role Properties: RoleName: !Sub "cep-lambda-invoker-setup-reg-lambda-role-${Env}-${AWS::Region}" AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - lambda.amazonaws.com Version: 2012-10-17 Policies: - PolicyName: lambdaexec PolicyDocument: Version: 2012-10-17 Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: "*" - Action: - dynamodb:PutItem - dynamodb:DeleteItem Effect: Allow Resource: !GetAtt RegistrationTable.Arn Path: / RegistrationLambda: Type: AWS::Lambda::Function Metadata: Comment: | This Lambda function will be called by a custom resource when this template is deployed, in order to put the name of ComplianceLambda1 into RegistrationTable. Ideally you would use AwsCommunity::DynamoDB::Item to do this, but since we also publish that resource in the same pipeline, we can't use it here. cfn-lint: config: ignore_checks: - E3002 Properties: FunctionName: !Sub "cep-lambda-invoker-reg-${Env}-${AWS::Region}-${AWS::AccountId}" Runtime: python3.9 Code: !Rain::S3 Path: ../registration Zip: true BucketProperty: S3Bucket KeyProperty: S3Key Role: !GetAtt RegistrationLambdaRole.Arn Handler: handler.handler RegistrationCustom: Type: AWS::CloudFormation::CustomResource DependsOn: RegistrationLambda Properties: ServiceToken: !GetAtt RegistrationLambda.Arn RegistrationTableArn: !GetAtt RegistrationTable.Arn FunctionArn: !GetAtt ComplianceLambda1.Arn Serial: 2 Outputs: RegistrationTable: Export: Name: CepLambdaInvokerRegistrationTable Value: !Ref RegistrationTable