AWS/CloudFormation
From r00tedvw.com wiki
(Difference between revisions)
Line 68: | Line 68: | ||
Export: | Export: | ||
Name: !Sub "${AWS::StackName}-S3WebsiteURL"</nowiki> | Name: !Sub "${AWS::StackName}-S3WebsiteURL"</nowiki> | ||
+ | </div> | ||
+ | </div> | ||
+ | ==Lambda & CloudFront== | ||
+ | Here is a CloudFormation Template (in yaml) that I used to create a 2 Lambda functions and a cloudfront distribution with the following requirements: | ||
+ | *use outputs from S3 bucket stack | ||
+ | *create lambda functions that will work with lambda edge. | ||
+ | :*setup the needed IAM roles for lambda functions to execute on lambda edge. | ||
+ | *create cloudfront distribution that uses the lambda edge functions and configures the needed behaviors to use them. | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed"> | ||
+ | AWS Template: | ||
+ | <div class="mw-collapsible-content"> | ||
+ | <nowiki>AWSTemplateFormatVersion: 2010-09-09 | ||
+ | |||
+ | Parameters: | ||
+ | BranchName: | ||
+ | Description: Branch Name | ||
+ | Type: String | ||
+ | S3BucketStack: | ||
+ | Description: S3 Bucket Stack Name | ||
+ | Type: String | ||
+ | Default: SYNC-s3-dev-ui-stack | ||
+ | Entropy: | ||
+ | Description: Random String | ||
+ | Type: String | ||
+ | |||
+ | Resources: | ||
+ | |||
+ | LambdaEdgeRoleRequest: | ||
+ | Type: AWS::IAM::Role | ||
+ | Properties: | ||
+ | AssumeRolePolicyDocument: | ||
+ | Version: '2012-10-17' | ||
+ | Statement: | ||
+ | - Effect: Allow | ||
+ | Principal: | ||
+ | Service: | ||
+ | - lambda.amazonaws.com | ||
+ | - edgelambda.amazonaws.com | ||
+ | Action: sts:AssumeRole | ||
+ | Path: "/service-role/" | ||
+ | RoleName: | ||
+ | Fn::Sub: 'LambaEdgeRoleRequest-${BranchName}-${Entropy}' | ||
+ | Policies: | ||
+ | - PolicyName: | ||
+ | Fn::Sub: 'AWSLambdaBasicExecutionRole-OriginRequest-${Entropy}' | ||
+ | PolicyDocument: | ||
+ | Version: 2012-10-17 | ||
+ | Statement: | ||
+ | - Effect: "Allow" | ||
+ | Action: | ||
+ | - "logs:CreateLogGroup" | ||
+ | Resource: | ||
+ | Fn::Sub: "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*" | ||
+ | - Effect: "Allow" | ||
+ | Action: | ||
+ | - "logs:CreateLogStream" | ||
+ | - "logs:PutLogEvents" | ||
+ | Resource: | ||
+ | Fn::Sub: "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/SyncUI-${BranchName}-OriginRequest-${Entropy}:*" | ||
+ | |||
+ | LambdaFunctionRequest: | ||
+ | Type: AWS::Lambda::Function | ||
+ | DependsOn: LambdaEdgeRoleRequest | ||
+ | DeletionPolicy: Retain | ||
+ | Properties: | ||
+ | Handler: "index.handler" | ||
+ | Role: | ||
+ | Fn::GetAtt: | ||
+ | - "LambdaEdgeRoleRequest" | ||
+ | - "Arn" | ||
+ | Runtime: "nodejs10.x" | ||
+ | Code: | ||
+ | S3Bucket: | ||
+ | Fn::ImportValue: | ||
+ | !Sub ${S3BucketStack}-S3BucketName | ||
+ | S3Key: !Sub "${BranchName}/OriginRequest.zip" | ||
+ | FunctionName: | ||
+ | Fn::Sub: 'SyncUI-${BranchName}-OriginRequest-${Entropy}' | ||
+ | |||
+ | LambdaFunctionRequestVersion: | ||
+ | Type: AWS::Lambda::Version | ||
+ | Properties: | ||
+ | FunctionName: | ||
+ | Ref: "LambdaFunctionRequest" | ||
+ | |||
+ | LambdaEdgeRoleResponse: | ||
+ | Type: AWS::IAM::Role | ||
+ | Properties: | ||
+ | AssumeRolePolicyDocument: | ||
+ | Version: '2012-10-17' | ||
+ | Statement: | ||
+ | - Effect: Allow | ||
+ | Principal: | ||
+ | Service: | ||
+ | - lambda.amazonaws.com | ||
+ | - edgelambda.amazonaws.com | ||
+ | Action: sts:AssumeRole | ||
+ | Path: "/service-role/" | ||
+ | RoleName: | ||
+ | Fn::Sub: 'LambaEdgeRoleResponse-${BranchName}-${Entropy}' | ||
+ | Policies: | ||
+ | - PolicyName: | ||
+ | Fn::Sub: 'AWSLambdaBasicExecutionRole-OriginResponse-${Entropy}' | ||
+ | PolicyDocument: | ||
+ | Version: 2012-10-17 | ||
+ | Statement: | ||
+ | - Effect: "Allow" | ||
+ | Action: | ||
+ | - "logs:CreateLogGroup" | ||
+ | Resource: | ||
+ | Fn::Sub: "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*" | ||
+ | - Effect: "Allow" | ||
+ | Action: | ||
+ | - "logs:CreateLogStream" | ||
+ | - "logs:PutLogEvents" | ||
+ | Resource: | ||
+ | Fn::Sub: "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/SyncUI-${BranchName}-OriginResponse-${Entropy}:*" | ||
+ | |||
+ | LambdaFunctionResponse: | ||
+ | Type: AWS::Lambda::Function | ||
+ | DependsOn: LambdaEdgeRoleResponse | ||
+ | DeletionPolicy: Retain | ||
+ | Properties: | ||
+ | Handler: "index.handler" | ||
+ | Role: | ||
+ | Fn::GetAtt: | ||
+ | - "LambdaEdgeRoleResponse" | ||
+ | - "Arn" | ||
+ | Runtime: "nodejs10.x" | ||
+ | Code: | ||
+ | S3Bucket: | ||
+ | Fn::ImportValue: | ||
+ | !Sub ${S3BucketStack}-S3BucketName | ||
+ | S3Key: !Sub "${BranchName}/OriginResponse.zip" | ||
+ | FunctionName: | ||
+ | Fn::Sub: 'SyncUI-${BranchName}-OriginResponse-${Entropy}' | ||
+ | |||
+ | LambdaFunctionResponseVersion: | ||
+ | Type: AWS::Lambda::Version | ||
+ | Properties: | ||
+ | FunctionName: | ||
+ | Ref: "LambdaFunctionResponse" | ||
+ | |||
+ | CloudFrontDistribution: | ||
+ | Type: AWS::CloudFront::Distribution | ||
+ | DependsOn: | ||
+ | - LambdaFunctionRequest | ||
+ | - LambdaFunctionResponse | ||
+ | Properties: | ||
+ | DistributionConfig: | ||
+ | Enabled: 'true' | ||
+ | Origins: | ||
+ | - DomainName: | ||
+ | Fn::ImportValue: | ||
+ | !Sub "${S3BucketStack}-S3WebsiteURL" | ||
+ | OriginPath: | ||
+ | Fn::Sub: '/${BranchName}' | ||
+ | CustomOriginConfig: | ||
+ | OriginProtocolPolicy: match-viewer | ||
+ | Id: !Sub "CFID-${BranchName}-${Entropy}" | ||
+ | DefaultCacheBehavior: | ||
+ | TargetOriginId: !Sub "CFID-${BranchName}-${Entropy}" | ||
+ | ForwardedValues: | ||
+ | QueryString: 'false' | ||
+ | ViewerProtocolPolicy: allow-all | ||
+ | LambdaFunctionAssociations: | ||
+ | - EventType: origin-request | ||
+ | LambdaFunctionARN: !Ref LambdaFunctionRequestVersion | ||
+ | - EventType: origin-response | ||
+ | LambdaFunctionARN: !Ref LambdaFunctionResponseVersion | ||
+ | |||
+ | CacheBehaviors: | ||
+ | - PathPattern: | ||
+ | Fn::Sub: '/${BranchName}' | ||
+ | ForwardedValues: | ||
+ | QueryString: false | ||
+ | TargetOriginId: !Sub "CFID-${BranchName}-${Entropy}" | ||
+ | ViewerProtocolPolicy: allow-all | ||
+ | LambdaFunctionAssociations: | ||
+ | - EventType: origin-request | ||
+ | LambdaFunctionARN: !Ref LambdaFunctionRequestVersion | ||
+ | - EventType: origin-response | ||
+ | LambdaFunctionARN: !Ref LambdaFunctionResponseVersion | ||
+ | - PathPattern: | ||
+ | Fn::Sub: '/${BranchName}/*' | ||
+ | ForwardedValues: | ||
+ | QueryString: false | ||
+ | TargetOriginId: !Sub "CFID-${BranchName}-${Entropy}" | ||
+ | ViewerProtocolPolicy: allow-all | ||
+ | LambdaFunctionAssociations: | ||
+ | - EventType: origin-request | ||
+ | LambdaFunctionARN: !Ref LambdaFunctionRequestVersion | ||
+ | - EventType: origin-response | ||
+ | LambdaFunctionARN: !Ref LambdaFunctionResponseVersion</nowiki> | ||
</div> | </div> | ||
</div> | </div> |
Revision as of 18:33, 4 December 2019
Quick Reference | AWS CLI | CloudFormation
Template Examples
S3 Bucket
Here is a CloudFormation Template (in yaml) that I used to create a S3 bucket with the following requirements:
- Public Read
- 7 day retention policy
- Bucket Policy allowing access to all resources.
- Export the S3 bucket name, Secure URL, and Website URL for usage in other templates.
AWS Template:
AWSTemplateFormatVersion: 2010-09-09 Parameters: BranchName: Description: Branch Name Type: String Resources: S3Bucket: Type: AWS::S3::Bucket Properties: AccessControl: PublicRead LifecycleConfiguration: Rules: - Status: Enabled ExpirationInDays: 7 WebsiteConfiguration: IndexDocument: index.html S3BucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: Ref: S3Bucket PolicyDocument: Statement: - Sid: AddPerm Effect: 'Allow' Principal: '*' Action: - 's3:GetObject' Resource: Fn::Join: - '' - - 'arn:aws:s3:::' - Ref: 'S3Bucket' - '/**' Outputs: S3BucketName: Value: Ref: S3Bucket Description: The S3 bucket name Export: Name: Fn::Sub: ${AWS::StackName}-S3BucketName S3BucketSecureURL: Value: Fn::Join: ['', ['http://', !GetAtt [S3Bucket, DomainName]]] Description: Name of S3 bucket to hold Tenant Management website content S3WebsiteURL: Description: Website URL of the S3 Bucket Value: !Select [1, !Split ["//", !GetAtt S3Bucket.WebsiteURL]] Export: Name: !Sub "${AWS::StackName}-S3WebsiteURL"
Lambda & CloudFront
Here is a CloudFormation Template (in yaml) that I used to create a 2 Lambda functions and a cloudfront distribution with the following requirements:
- use outputs from S3 bucket stack
- create lambda functions that will work with lambda edge.
- setup the needed IAM roles for lambda functions to execute on lambda edge.
- create cloudfront distribution that uses the lambda edge functions and configures the needed behaviors to use them.
AWS Template:
AWSTemplateFormatVersion: 2010-09-09 Parameters: BranchName: Description: Branch Name Type: String S3BucketStack: Description: S3 Bucket Stack Name Type: String Default: SYNC-s3-dev-ui-stack Entropy: Description: Random String Type: String Resources: LambdaEdgeRoleRequest: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com - edgelambda.amazonaws.com Action: sts:AssumeRole Path: "/service-role/" RoleName: Fn::Sub: 'LambaEdgeRoleRequest-${BranchName}-${Entropy}' Policies: - PolicyName: Fn::Sub: 'AWSLambdaBasicExecutionRole-OriginRequest-${Entropy}' PolicyDocument: Version: 2012-10-17 Statement: - Effect: "Allow" Action: - "logs:CreateLogGroup" Resource: Fn::Sub: "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*" - Effect: "Allow" Action: - "logs:CreateLogStream" - "logs:PutLogEvents" Resource: Fn::Sub: "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/SyncUI-${BranchName}-OriginRequest-${Entropy}:*" LambdaFunctionRequest: Type: AWS::Lambda::Function DependsOn: LambdaEdgeRoleRequest DeletionPolicy: Retain Properties: Handler: "index.handler" Role: Fn::GetAtt: - "LambdaEdgeRoleRequest" - "Arn" Runtime: "nodejs10.x" Code: S3Bucket: Fn::ImportValue: !Sub ${S3BucketStack}-S3BucketName S3Key: !Sub "${BranchName}/OriginRequest.zip" FunctionName: Fn::Sub: 'SyncUI-${BranchName}-OriginRequest-${Entropy}' LambdaFunctionRequestVersion: Type: AWS::Lambda::Version Properties: FunctionName: Ref: "LambdaFunctionRequest" LambdaEdgeRoleResponse: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com - edgelambda.amazonaws.com Action: sts:AssumeRole Path: "/service-role/" RoleName: Fn::Sub: 'LambaEdgeRoleResponse-${BranchName}-${Entropy}' Policies: - PolicyName: Fn::Sub: 'AWSLambdaBasicExecutionRole-OriginResponse-${Entropy}' PolicyDocument: Version: 2012-10-17 Statement: - Effect: "Allow" Action: - "logs:CreateLogGroup" Resource: Fn::Sub: "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*" - Effect: "Allow" Action: - "logs:CreateLogStream" - "logs:PutLogEvents" Resource: Fn::Sub: "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/SyncUI-${BranchName}-OriginResponse-${Entropy}:*" LambdaFunctionResponse: Type: AWS::Lambda::Function DependsOn: LambdaEdgeRoleResponse DeletionPolicy: Retain Properties: Handler: "index.handler" Role: Fn::GetAtt: - "LambdaEdgeRoleResponse" - "Arn" Runtime: "nodejs10.x" Code: S3Bucket: Fn::ImportValue: !Sub ${S3BucketStack}-S3BucketName S3Key: !Sub "${BranchName}/OriginResponse.zip" FunctionName: Fn::Sub: 'SyncUI-${BranchName}-OriginResponse-${Entropy}' LambdaFunctionResponseVersion: Type: AWS::Lambda::Version Properties: FunctionName: Ref: "LambdaFunctionResponse" CloudFrontDistribution: Type: AWS::CloudFront::Distribution DependsOn: - LambdaFunctionRequest - LambdaFunctionResponse Properties: DistributionConfig: Enabled: 'true' Origins: - DomainName: Fn::ImportValue: !Sub "${S3BucketStack}-S3WebsiteURL" OriginPath: Fn::Sub: '/${BranchName}' CustomOriginConfig: OriginProtocolPolicy: match-viewer Id: !Sub "CFID-${BranchName}-${Entropy}" DefaultCacheBehavior: TargetOriginId: !Sub "CFID-${BranchName}-${Entropy}" ForwardedValues: QueryString: 'false' ViewerProtocolPolicy: allow-all LambdaFunctionAssociations: - EventType: origin-request LambdaFunctionARN: !Ref LambdaFunctionRequestVersion - EventType: origin-response LambdaFunctionARN: !Ref LambdaFunctionResponseVersion CacheBehaviors: - PathPattern: Fn::Sub: '/${BranchName}' ForwardedValues: QueryString: false TargetOriginId: !Sub "CFID-${BranchName}-${Entropy}" ViewerProtocolPolicy: allow-all LambdaFunctionAssociations: - EventType: origin-request LambdaFunctionARN: !Ref LambdaFunctionRequestVersion - EventType: origin-response LambdaFunctionARN: !Ref LambdaFunctionResponseVersion - PathPattern: Fn::Sub: '/${BranchName}/*' ForwardedValues: QueryString: false TargetOriginId: !Sub "CFID-${BranchName}-${Entropy}" ViewerProtocolPolicy: allow-all LambdaFunctionAssociations: - EventType: origin-request LambdaFunctionARN: !Ref LambdaFunctionRequestVersion - EventType: origin-response LambdaFunctionARN: !Ref LambdaFunctionResponseVersion