generated from Sage-Bionetworks-IT/lambda-template
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathtemplate.yaml
255 lines (242 loc) · 8.79 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
MIPS transform and cache API
# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
Function:
Timeout: 60
Parameters:
AcmCertificateArn:
Description: The Amazon Resource Name (ARN) of an AWS Certificate Manager (ACM) certificate.
Type: String
Default: ""
DnsNames:
Type: CommaDelimitedList
Description: List of role ARNs to manage the encryption key
Default: ""
MipsOrganization:
Type: String
Description: Log in to this organization in the finance system
SsmParamPrefix:
Type: String
Description: Path prefix for secure parameters in SSM
Default: '/lambda/mipsSecret'
SsmKeyAdminArns:
Type: CommaDelimitedList
Description: List of role ARNs to manage the encryption key
SsmAliasPrefix:
Type: String
Default: lambda-mips-api
Description: Prefix used in the KMS Key Alias name
CacheTTL:
Type: Number
Default: 86400
Description: Maximum number of seconds until cached responses expire; default 86400 (1 day)
CodesToOmit:
Type: String
Description: Comma-delimited list of numeric codes to ignore (treat as inactive).
Default: '999900,999800,999700,990500'
NoProgramCode:
Type: String
Description: Numeric code for the "No Program" meta-program
Default: '000000'
OtherCode:
Type: String
Description: Numeric code for the "Other" meta-program
Default: '000001'
Conditions:
HasAcmCertificateArn: !Not [ !Equals [ !Ref AcmCertificateArn, "" ] ]
# Join on an empty string because DnsNames is a comma-delimited list, not a string
HasDnsNames: !Not [ !Equals [ !Join [ "", !Ref DnsNames ], "" ] ]
Resources:
CacheBucket:
Type: AWS::S3::Bucket
Properties:
VersioningConfiguration:
Status: Enabled
LifecycleConfiguration:
Rules:
- Id: IntelligentTieringClassTransitionRule
Status: Enabled
Transitions:
- TransitionInDays: 3
StorageClass: INTELLIGENT_TIERING
CacheBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref CacheBucket
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
Principal:
AWS: !GetAtt FunctionRole.Arn
Resource: !Sub "${CacheBucket.Arn}/*"
Function:
Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
Properties:
CodeUri: .
Handler: mips_api.lambda_handler
Runtime: python3.12
Environment:
Variables:
ApiChartOfAccounts: '/accounts'
ApiValidTags: '/tags'
MipsOrg: !Ref MipsOrganization
SsmPath: !Ref SsmParamPrefix
CodesToOmit: !Ref CodesToOmit
NoProgramCode: !Ref NoProgramCode
OtherCode: !Ref OtherCode
CacheBucket: !Ref CacheBucket
CacheBucketPath: 'mip/coa.json'
Role: !GetAtt FunctionRole.Arn
Events:
ChartOfAccounts:
Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
Properties:
Path: '/accounts'
Method: get
ValidTags:
Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
Properties:
Path: '/tags'
Method: get
FunctionRole: # execute lambda function with this role
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: LambdaAccess
PolicyDocument:
Version: 2012-10-17
Statement:
- Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter${SsmParamPrefix}'
Action:
- 'ssm:GetParameter*'
Effect: Allow
CloudFrontCache:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Enabled: true
DefaultCacheBehavior:
CachePolicyId: !Ref CloudFrontCachePolicy
TargetOriginId: LambdaOrigin
ViewerProtocolPolicy: 'redirect-to-https'
Origins:
- Id: LambdaOrigin
DomainName: !Sub "${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com"
OriginPath: /Prod
CustomOriginConfig:
OriginProtocolPolicy: https-only
OriginReadTimeout: 60
HttpVersion: http2
Aliases: !If [ HasDnsNames, !Ref DnsNames, !Ref "AWS::NoValue" ]
ViewerCertificate:
CloudFrontDefaultCertificate: !If [ HasAcmCertificateArn, !Ref "AWS::NoValue", True ]
AcmCertificateArn: !If [ HasAcmCertificateArn, !Ref AcmCertificateArn, !Ref "AWS::NoValue" ]
MinimumProtocolVersion: !If [ HasAcmCertificateArn, "TLSv1.2_2021", !Ref "AWS::NoValue" ]
SslSupportMethod: !If [ HasAcmCertificateArn, "sni-only", !Ref "AWS::NoValue" ]
CloudFrontCachePolicy:
Type: AWS::CloudFront::CachePolicy
Properties:
CachePolicyConfig:
Name: !Sub "LambdaCache-${ServerlessRestApi}"
MinTTL: 0
MaxTTL: !Ref CacheTTL
DefaultTTL: !Ref CacheTTL
ParametersInCacheKeyAndForwardedToOrigin:
EnableAcceptEncodingGzip: true
# Don't pass any client cookies, headers, or query strings
# to the lambda because we don't need them
CookiesConfig:
CookieBehavior: none
HeadersConfig:
HeaderBehavior: none
QueryStringsConfig:
QueryStringBehavior: all
# Key for encrypting our secret parameter
# The secret parameter will need to be created manually in SSM
# https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/
SsmKey:
Type: AWS::KMS::Key
Properties:
Enabled: True
EnableKeyRotation: True
KeyPolicy:
Version: '2012-10-17'
Statement:
- Sid: Lambda Access
Principal:
AWS: !GetAtt FunctionRole.Arn
Resource: '*'
Action:
- 'kms:Encrypt'
- 'kms:Decrypt'
- 'kms:ReEncrypt*'
- 'kms:GenerateDataKey*'
- 'kms:DescribeKey'
Effect: Allow
- Sid: Admin Access
Principal:
AWS: !Ref SsmKeyAdminArns
Resource: '*'
Action:
- 'kms:Create*'
- 'kms:Encrypt'
- 'kms:Decrypt'
- 'kms:Describe*'
- 'kms:Enable*'
- 'kms:List*'
- 'kms:Put*'
- 'kms:Update*'
- 'kms:Revoke*'
- 'kms:Disable*'
- 'kms:Get*'
- 'kms:Delete*'
- 'kms:ScheduleKeyDeletion'
- 'kms:CancelKeyDeletion'
Effect: Allow
SsmKeyAlias: # A friendly name used in the console
Type: AWS::KMS::Alias
Properties:
TargetKeyId: !Ref SsmKey
AliasName: !Sub 'alias/${SsmAliasPrefix}-ssm-key'
Outputs:
# ServerlessRestApi is an implicit API created out of Events key under Serverless::Function
# Find out more about other implicit resources you can reference within SAM
# https://github.com/awslabs/serverless-application-model/blob/master/docs/internals/generated_resources.rst#api
ApiRouteChartOfAccounts:
Description: "CloudFront URL for the full chart of accounts"
Value: !Sub "https://${CloudFrontCache.DomainName}/accounts"
ApiRouteValidTags:
Description: "CloudFront URL for listing valid CostCenter tag values"
Value: !Sub "https://${CloudFrontCache.DomainName}/tags"
OriginUrl:
Description: "API Gateway origin URL with stage (for debugging)"
Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/"
FunctionArn:
Description: "Lambda Function ARN"
Value: !GetAtt Function.Arn
FunctionRoleArn:
Description: "Implicit IAM Role created for function"
Value: !GetAtt FunctionRole.Arn
CloudfrontDomain:
Description: "Domain name for the Cloudfront distribution"
Value: !GetAtt CloudFrontCache.DomainName
Export:
Name: !Sub '${AWS::Region}-${AWS::StackName}-CloudfrontDomain'