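AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  light-function
  Sample SAM Template for Light Function

# Settings inherited by every AWS::Serverless::Function in this template.
Globals:
  Function:
    Timeout: 20
    # Runtime is a required property for Zip-packaged Serverless functions and
    # was missing from both functions below; the handlers are Java classes.
    # NOTE(review): set this to the JVM version the functions are built for.
    Runtime: java11

Parameters:
  # Interface VPC endpoint (execute-api) through which the private API is
  # reached. It is also the only source the API's resource policy permits, so
  # a wrong id silently turns the API into deny-all.
  ParamVpceId:
    Type: String
    Description: VPC Private API Endpoint
    Default: vpce-00deadbeef00
    AllowedPattern: '^vpce-[0-9a-f]{8,17}$'
    ConstraintDescription: must be a VPC endpoint id of the form vpce-xxxxxxxx
  # Security groups and subnets attached to both functions' ENIs.
  ParamSecurityGroups:
    Type: List<String>
    Description: Security Group for account
    Default: sg-00deadbeef00
  ParamSubnetIds:
    Type: List<String>
    Description: Subnets for use
    Default: subnet-00deadbeef00,subnet-00deadbeef01
  # Fully qualified handler of the business function (Class::method).
  ParamBackendFunctionHandler:
    Type: String
    Description: classpath of your handler function
    Default: helloworld.App::handleRequest
  ParamStage:
    Type: String
    Description: Deployment stage.
    Default: Prod
  # Prefix for every named resource (role, functions) created by this stack.
  ParamServiceId:
    Type: String
    Description: Unique Service Id for you application
    Default: eadp-petstore-0.0.1-SNAPSHOT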
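Resources:
  # Execution role for the proxy function. The trust policy only lets the
  # Lambda service assume it; the actual permissions are in an inline policy.
  # (The original placed the permission statements inside
  # AssumeRolePolicyDocument, where they are not evaluated for API calls, and
  # referenced an undefined logical id "SecretsManagerReadWrite".)
  ProxyIAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${ParamServiceId}-iam-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # NOTE(review): this AWS managed policy grants read AND write on every
      # secret in the account. Replace it with a secretsmanager:GetSecretValue
      # statement scoped to the secret(s) the proxy actually reads.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecretsManagerReadWrite
      Policies:
        - PolicyName: !Sub '${ParamServiceId}-proxy-policy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: logs:CreateLogGroup
                Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*'
              # Log writes are limited to this function's own log group.
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${ParamServiceId}-proxy-function:*'
              # Required for a VPC-attached function to manage its ENIs; these
              # actions do not support resource-level restrictions.
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                Resource: '*'
              # The proxy may invoke exactly one function: this service's
              # backend. The original Deny keyed on aws:SourceVpce != ParamVpceId
              # is dropped: that condition key reflects the endpoint the Lambda
              # API call itself traverses, never the execute-api endpoint, so
              # it would have denied every proxy -> backend invocation.
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                  - lambda:InvokeAsync
                Resource: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${ParamServiceId}-function'

  # Private REST API reachable only via ParamVpceId. No authorizer is
  # configured on the method, so the resource policy below is the only access
  # control. NOTE(review): add IAM/JWT/Lambda auth if not every principal with
  # network access to the endpoint is trusted.
  APIEndpoint:
    Type: AWS::Serverless::Api
    Properties:
      StageName: !Ref ParamStage
      EndpointConfiguration:
        Type: PRIVATE
        VPCEndpointIds:
          - !Ref ParamVpceId
      Auth:
        ResourcePolicy:
          # 'execute-api:/*/*/*' is API Gateway's shorthand for every
          # stage/method/path of THIS API; the original ARN '...:*/*' named
          # every API in the account/region.
          CustomStatements:
            - Effect: Allow
              Principal: '*'
              Action: execute-api:Invoke
              Resource: 'execute-api:/*/*/*'
            # Explicit deny for any request that did not arrive through the
            # configured VPC endpoint.
            - Effect: Deny
              Principal: '*'
              Action: execute-api:Invoke
              Resource: 'execute-api:/*/*/*'
              Condition:
                StringNotEquals:
                  aws:SourceVpce: !Ref ParamVpceId

  # Fronting function: receives the API event and invokes BackendFunction.
  ProxyFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub '${ParamServiceId}-proxy-function'
      CodeUri: ProxyFunction
      Handler: com.networknt.aws.lambda.proxy.LambdaProxy::handleRequest
      # Use the explicitly scoped role above rather than a SAM-generated one.
      Role: !GetAtt ProxyIAMRole.Arn
      Environment:
        Variables:
          JAVA_TOOL_OPTIONS: -XX:+TieredCompilation -XX:TieredStopAtLevel=1
      Events:
        Backend:
          Type: Api
          Properties:
            RestApiId: !Ref APIEndpoint
            Path: /
            Method: post
      # NOTE(review): inside the VPC the Lambda API is only reachable through a
      # Lambda interface endpoint or a NAT route; neither is created here.
      VpcConfig:
        SecurityGroupIds: !Ref ParamSecurityGroups
        SubnetIds: !Ref ParamSubnetIds

  # Business function. No explicit Role, so SAM attaches its default
  # execution role (basic logging plus VPC access).
  BackendFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub '${ParamServiceId}-function'
      CodeUri: BackendFunction
      Handler: !Ref ParamBackendFunctionHandler
      VpcConfig:
        SecurityGroupIds: !Ref ParamSecurityGroups
        SubnetIds: !Ref ParamSubnetIds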
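Outputs:
  APIEndpoint:
    # Output descriptions must be literal strings; the original used !Sub here,
    # which CloudFormation rejects.
    Description: API Gateway endpoint URL for the deployed stage
    # Private APIs are addressed through the VPC endpoint DNS name.
    Value: !Sub 'https://${APIEndpoint}-${ParamVpceId}.execute-api.${AWS::Region}.amazonaws.com/${ParamStage}/'
  ProxyFunction:
    Description: ProxyFunction ARN
    Value: !GetAtt ProxyFunction.Arn
  BackendFunction:
    Description: Backend business function ARN
    # The original emitted the literal text "BackendFunction.Arn" (no !GetAtt).
    Value: !GetAtt BackendFunction.Arn
  ProxyIAMRole:
    Description: IAM role defined for the proxy function
    Value: !GetAtt ProxyIAMRole.Arn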