--- #----------------------------------------------------------------------------------------------------------------------- # Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance # with the License. A copy of the License is located at # # http://www.apache.org/licenses/LICENSE-2.0 # # or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES # OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions # and limitations under the License. #----------------------------------------------------------------------------------------------------------------------- AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: CDF Events (Alerts) Service Parameters: ApplicationConfigurationOverride: Description: This allows you to override any application configuration. It should consists of a text-based content with a structure and syntax comprising key–value pairs for properties. Any configurations contained in this will override the configurations found and merged from the default .env files. Type: String Environment: Description: Name of environment. Used to name the created resources. Type: String MinLength: 1 CDFSecurityGroupId: Description: ID of an existing CDF security group to deploy the API into. Only required if AuthType = 'Private'. Type: String PrivateSubNetIds: Description: Comma delimited list of private subnetIds to deploy the API into. Only required if AuthType = 'Private'. Type: CommaDelimitedList EventNotificationsTable: Type: String MinLength: 1 EventNotificationsTableArn: Type: String MinLength: 1 EventConfigTable: Type: String MinLength: 1 EventConfigTableArn: Type: String MinLength: 1 DAXClusterArn: Type: String Default: '' DAXClusterEndpoint: Type: String Default: '' EventNotificationsStreamArn: Type: String MinLength: 1 KmsKeyId: Description: The KMS key ID used to decrypt DynamoDB stream. Type: String LoggingLevel: Description: Application logging level Type: String Default: info AllowedValues: - error - warn - info - debug - silly Conditions: KmsKeyIdProvided: !Not [!Equals [!Ref KmsKeyId, '']] DAXClusterEndpointProvided: !Not [!Equals [!Ref DAXClusterEndpoint, '']] DAXClusterArnProvided: !Not [!Equals [!Ref DAXClusterArn, '']] LoggingLevelProvided: !Not [!Equals [!Ref LoggingLevel, '']] Resources: KmsPolicy: Type: AWS::IAM::ManagedPolicy Condition: KmsKeyIdProvided Properties: Description: 'cdf-events-processor policy for accessing KMS' Path: '/cdf/events-processor/' PolicyDocument: Version: '2012-10-17' Statement: - Action: - 'kms:Decrypt' Effect: Allow Resource: !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${KmsKeyId}' DynamoDBStreamLambdaExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: Effect: Allow Principal: Service: - lambda.amazonaws.com - iot.amazonaws.com Action: sts:AssumeRole Path: '/' ManagedPolicyArns: - !Ref ApplicationPolicies - arn:aws:iam::aws:policy/AWSLambdaExecute - arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole - !If [KmsKeyIdProvided, !Ref KmsPolicy, !Ref 'AWS::NoValue'] ApplicationPolicies: Type: 'AWS::IAM::ManagedPolicy' Properties: Description: 'cdf-events-processor application policies' Path: '/' PolicyDocument: Version: '2012-10-17' Statement: - Sid: 'iampassrole' Action: - 'iam:PassRole' Effect: Allow Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/cdf-events-*' - Sid: 'sns' Action: sns:publish Effect: Allow Resource: !Sub 'arn:aws:sns:${AWS::Region}:${AWS::AccountId}:cdf-events-*' - Sid: 'dynamodbStreams' Action: - dynamodb:DescribeStream - dynamodb:GetRecords - dynamodb:GetShardIterator - dynamodb:ListStreams Effect: Allow Resource: - !Sub '${EventNotificationsTableArn}/stream/*' - Sid: 'dynamodb' Action: - dynamodb:Query - dynamodb:DescribeTable Effect: Allow Resource: - !Sub '${EventNotificationsTableArn}/index/*' - !Sub '${EventConfigTableArn}/index/*' - !If - DAXClusterArnProvided - Sid: 'DAX' Action: - 'dax:BatchGetItem' - 'dax:BatchWriteItem' - 'dax:ConditionCheckItem' - 'dax:DeleteItem' - 'dax:PutItem' - 'dax:GetItem' - 'dax:Query' - 'dax:Scan' - 'dax:UpdateItem' Effect: Allow Resource: !Ref DAXClusterArn - !Ref 'AWS::NoValue' DynamoDBStreamLambdaFunction: Type: AWS::Serverless::Function Properties: FunctionName: !Sub 'cdf-eventAlerts-${Environment}' CodeUri: ../bundle.zip Handler: lambda_proxy_ddbstream.handler MemorySize: 512 Role: !GetAtt DynamoDBStreamLambdaExecutionRole.Arn Runtime: nodejs16.x Timeout: 30 Environment: Variables: APP_CONFIG_DIR: 'config' APP_CONFIG: !Ref ApplicationConfigurationOverride AWS_ACCOUNTID: !Ref AWS::AccountId AWS_DYNAMODB_TABLES_EVENTCONFIG_NAME: !Ref EventConfigTable AWS_DYNAMODB_DAX_ENDPOINTS: !If [DAXClusterEndpointProvided, !Ref DAXClusterEndpoint, !Ref 'AWS::NoValue'] Tracing: Active VpcConfig: Fn::If: - DAXClusterEndpointProvided - SubnetIds: !Ref PrivateSubNetIds SecurityGroupIds: - !Ref CDFSecurityGroupId - Ref: AWS::NoValue EventNotificationsSourceMapping: Type: AWS::Lambda::EventSourceMapping Properties: EventSourceArn: !Ref EventNotificationsStreamArn FunctionName: !Ref DynamoDBStreamLambdaFunction StartingPosition: LATEST Outputs: DynamoDBStreamLambdaArn: Description: DynamoDB Stream Lambda Arn Value: !Sub '${DynamoDBStreamLambdaFunction.Arn}' DynamoDBStreamLambdaConsoleUrl: Description: Console URL for the Lambda Function. Value: !Sub 'https://${AWS::Region}.console.aws.amazon.com/lambda/home?region=${AWS::Region}#/functions/${DynamoDBStreamLambdaFunction}'