# SAM template: receive Fugue event notifications on an SNS topic and hand
# them to a Lambda function that forwards them to Splunk, using Fugue API
# credentials held in Secrets Manager.
AWSTemplateFormatVersion: "2010-09-09"
Description: Fugue API Events
Transform: AWS::Serverless-2016-10-31
Parameters:
  # Quoted so CloudFormation sees a String, matching the declared Type.
  LogRetentionInDays:
    Default: "30"
    Description: Number of days to retain log messages
    Type: String
  # No Default: the deploy must supply the Splunk endpoint explicitly.
  SplunkUrl:
    Description: Splunk url to publish to
    Type: String
Resources:
  # Topic that Fugue publishes to; the policy below controls who may publish.
  Topic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: fugue-events
      TopicName: fugue-events
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref Topic
      PolicyDocument:
        Version: "2012-10-17"
        Id: "fugue_topic_policy"
        Statement:
          # Cross-account publish is limited to one named role in the
          # publisher's account (the account ID is fixed here, not a
          # parameter), and only to this topic.
          - Sid: "cross_account_allow"
            Effect: "Allow"
            Principal:
              AWS: arn:aws:iam::370134896156:role/fugue-sns-publish
            Action: "sns:Publish"
            Resource: !Ref Topic
          # Explicit Deny on everything except Publish for that same role,
          # so a later, broader Allow cannot widen the foreign role's access
          # to this topic (resource policies are default-deny; this is a
          # guard rail on top of that).
          - Sid: "cross_account_deny"
            Effect: "Deny"
            Principal:
              AWS: arn:aws:iam::370134896156:role/fugue-sns-publish
            NotAction: "sns:Publish"
            Resource: !Ref Topic
          # Same shape as the SNS default topic policy: the "*" principal is
          # only safe because the StringEquals condition restricts it to
          # callers owned by this account. Do not drop the Condition.
          - Sid: "default_allow"
            Effect: "Allow"
            Principal:
              AWS: "*"
            Action:
              - "sns:GetTopicAttributes"
              - "sns:SetTopicAttributes"
              - "sns:AddPermission"
              - "sns:RemovePermission"
              - "sns:DeleteTopic"
              - "sns:Subscribe"
              - "sns:ListSubscriptionsByTopic"
              - "sns:Publish"
            Resource: !Ref Topic
            Condition:
              StringEquals:
                "AWS:SourceOwner": !Ref AWS::AccountId
  # Consumer of the topic; runs under LambdaRole defined below.
  EventHandler:
    Type: AWS::Serverless::Function
    Properties:
      Description: Lambda function that processes notifications from Fugue
      # NOTE(review): nodejs12.x is past end of support in Lambda; moving to
      # a supported runtime needs the handler code in src/ checked first.
      Runtime: nodejs12.x
      Handler: src/index.handler
      # An explicit role is used instead of a SAM-generated one so the
      # permissions are visible in this file.
      Role: !GetAtt LambdaRole.Arn
      Events:
        SNSTopicEvent:
          Type: SNS
          Properties:
            Topic: !Ref Topic
      Environment:
        Variables:
          # Only the secret's ARN is exposed to the function; the value is
          # fetched at runtime via secretsmanager:GetSecretValue, so it is
          # never stored in the function configuration.
          SECRET_ARN: !Ref ApiCredentials
          SPLUNK_URL: !Ref SplunkUrl
      MemorySize: 1024
      Timeout: 60
      # NOTE(review): SAM ignores Policies when Role is set, so this entry
      # is inert; LambdaRole already attaches the same managed policy.
      Policies:
        - AWSLambdaBasicExecutionRole
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      # Only the Lambda service may assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # Basic execution = CloudWatch Logs write. The X-Ray policy is
      # attached although no Tracing property is set on EventHandler;
      # presumably intended for future use — confirm or remove.
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        - "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess"
      Policies:
        # Least privilege: read access to the one secret this stack creates,
        # nothing else in Secrets Manager.
        - PolicyName: get-secret
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: AllowGetSecretValue
                Effect: Allow
                Action:
                  - "secretsmanager:GetSecretValue"
                Resource: !Ref ApiCredentials
  # No SecretString / GenerateSecretString here: the template creates the
  # secret but its value is populated out of band after deployment, which
  # keeps the credentials out of version control and stack parameters.
  ApiCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: Secret to contain a client ID and secret for the Fugue API
  # Pre-creating the log group lets the template set a retention period
  # instead of relying on the never-expire default Lambda would create.
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/aws/lambda/${EventHandler}"
      RetentionInDays: !Ref LogRetentionInDays
  # NOTE(review): Lambda writes to its own per-invocation streams, so the
  # purpose of this fixed "default" stream is not evident from the template.
  LogStream:
    Type: AWS::Logs::LogStream
    Properties:
      LogGroupName: !Ref LogGroup
      LogStreamName: "default"
# Exports are namespaced by stack name so several stacks can coexist.
Outputs:
  Function:
    Description: "Lambda Function"
    Value: !Ref EventHandler
    Export:
      Name: !Join [ ":", [ !Ref "AWS::StackName", Function ] ]
  Topic:
    Description: "SNS Topic"
    Value: !Ref Topic
    Export:
      Name: !Join [ ":", [ !Ref "AWS::StackName", Topic ] ]
  Secret:
    Description: "Fugue API Credentials Secret"
    Value: !Ref ApiCredentials
    Export:
      Name: !Join [ ":", [ !Ref "AWS::StackName", Secret ] ]