--- #----------------------------------------------------------------------------------------------------------------------- #----------------------------------------------------------------------------------------------------------------------- # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance # with the License. A copy of the License is located at # # http://www.apache.org/licenses/LICENSE-2.0 # # or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES # OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions # and limitations under the License. AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: CDF Deployment Helper (AWS Connected Device Framework) Parameters: Environment: Description: Name of environment. Used to name the created resources. Type: String MinLength: 1 ArtifactsBucket: Description: Name of environment. Used to name the created resources. Type: String VpcId: Description: | ID of an existing VPC to deploy CDF (if using AuthType = 'Private') and/or AssetLibrary (if AssetLibraryMode = 'full') into. A new VPC will be created if not provided. Type: String Default: 'N/A' Conditions: UseExistingVpc: !Not [!Equals [!Ref VpcId, 'N/A']] Resources: CheckS3VpcEndpoint: Condition: UseExistingVpc Type: Custom::VpcEndpointCheck Version: 1.0 Properties: ServiceToken: !GetAtt CustomResourceLambda.Arn VpcId: !Ref VpcId Region: !Sub '${AWS::Region}' ServiceName: 's3' CheckDynamoDBVpcEndpoint: Condition: UseExistingVpc Type: Custom::VpcEndpointCheck Version: 1.0 Properties: ServiceToken: !GetAtt CustomResourceLambda.Arn VpcId: !Ref VpcId Region: !Sub '${AWS::Region}' ServiceName: 'dynamodb' CheckPrivateApiGatewayVPCEndpoint: Condition: UseExistingVpc Type: Custom::VpcEndpointCheck Version: 1.0 Properties: ServiceToken: !GetAtt CustomResourceLambda.Arn VpcId: !Ref VpcId Region: !Sub '${AWS::Region}' ServiceName: 'execute-api' CustomResourceLambda: Type: AWS::Serverless::Function Properties: FunctionName: !Sub 'cdf-cfnCustomResources-${Environment}' CodeUri: ../bundle.zip Handler: lambda_custom_resource_proxy.handler MemorySize: 512 Role: !GetAtt CustomResourceLambdaRole.Arn Runtime: nodejs16.x Timeout: 60 Tracing: Active Environment: Variables: APP_CONFIG_DIR: 'config' COMMANDANDCONTROL_API_FUNCTION_NAME: !Sub 'cdf-commandandcontrol-rest-${Environment}' COMMANDANDCONTROL_MODE: lambda CustomResourceLambdaRole: Type: AWS::IAM::Role Properties: Description: 'CDF Core application configuration override' AssumeRolePolicyDocument: Version: '2012-10-17' Statement: Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole Path: '/' ManagedPolicyArns: - arn:aws:iam::aws:policy/AWSLambdaExecute - arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess - arn:aws:iam::aws:policy/AWSIoTFullAccess - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole - !Ref CustomResourceLambdaPolicies CustomResourceLambdaPolicies: Type: 'AWS::IAM::ManagedPolicy' Metadata: cfn_nag: rules_to_suppress: - id: W13 reason: 'EC2 full access on resources is to manage unnamed resources' Properties: Description: 'CDF Core application configuration override' Path: '/' PolicyDocument: Version: '2012-10-17' Statement: - Sid: 'iot' Action: - 'iot:*' Effect: Allow Resource: '*' - Sid: 'sts' Action: - 'sts:*' Effect: Allow Resource: '*' - Sid: 'eventbridge' Action: - 'events:PutEvents' Effect: Allow Resource: '*' - Sid: 'iampassrole' Action: - 'iam:PassRole' Effect: Allow Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/cdf-*' - Effect: Allow Action: - 's3:ListBucket' - 's3:GetObject' Resource: - !Sub 'arn:aws:s3:::${ArtifactsBucket}' - Action: - 'ec2:DescribeVpcEndpoints' Effect: Allow Resource: '*' - Sid: 'lambda' Action: - 'lambda:AddPermission' - 'lambda:CreateEventSourceMapping' - 'lambda:DeleteEventSourceMapping' - 'lambda:ListEventSourceMappings' Effect: Allow Resource: '*' - Action: - 'lambda:Invoke*' Effect: Allow Resource: - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:cdf-*' - Action: - 'ec2:CreateVpcEndpoint' - 'ec2:DescribeVpcEndpoints' Effect: Allow Resource: '*' CustomResourceLambdaArnSsmParameter: Type: 'AWS::SSM::Parameter' Properties: Description: Custom Resource Lambda ARN Name: !Sub '/cdf/deployment-helper/${Environment}/CustomResourceLambdaArn' Type: String Value: !GetAtt CustomResourceLambda.Arn NotAvailableSsmParameter: Type: 'AWS::SSM::Parameter' Properties: Description: Store Emptry string in SSM parameter to be used for optional parameter Name: !Sub '/cdf/deployment-helper/${Environment}/NotAvailable' Type: String Value: 'N/A' Outputs: CustomResourceLambdaArn: Value: !GetAtt CustomResourceLambda.Arn Export: Name: !Sub 'cdf-deployment-helper-${Environment}-customResourceLambdaArn' IsS3VpcEndpointEnabled: Condition: UseExistingVpc Value: !GetAtt CheckS3VpcEndpoint.isNotEnabled Export: Name: !Sub 'cdf-deployment-helper-${Environment}-isS3VpcEndpointEnabled' IsDynamoDBVpcEndpointEnabled: Condition: UseExistingVpc Value: !GetAtt CheckDynamoDBVpcEndpoint.isNotEnabled Export: Name: !Sub 'cdf-deployment-helper-${Environment}-isDynamoDBVpcEndpointEnabled' IsPrivateApiGatewayVPCEndpointEnabled: Condition: UseExistingVpc Value: !GetAtt CheckPrivateApiGatewayVPCEndpoint.isNotEnabled Export: Name: !Sub 'cdf-deployment-helper-${Environment}-isPrivateApiGatewayVPCEndpointEnabled'