Created
December 5, 2016 18:30
-
-
Save navneetkumar/65b6f84bfacf1b8b5c2762d4500b7b62 to your computer and use it in GitHub Desktop.
Lambda Infra Cloud Formation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "AWSTemplateFormatVersion": "2010-09-09", | |
| "Description": "Stack to create Infra resources for polaris", | |
| "Parameters": { | |
| "BucketName": { | |
| "Description": "Deployment S3 Bucket is where project is deployed after mvn deploy command.", | |
| "Type": "String", | |
| "MinLength": "3", | |
| "MaxLength": "63", | |
| "Default": "<BUCKETNAME>" | |
| } | |
| }, | |
| "Mappings": {}, | |
| "Resources": { | |
| "PolarisLambadaExecutionRole": { | |
| "Type": "AWS::IAM::Role", | |
| "Properties": { | |
| "RoleName": "polaris-lambda-executor-role", | |
| "AssumeRolePolicyDocument": { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": [ | |
| "lambda.amazonaws.com", | |
| "apigateway.amazonaws.com" | |
| ] | |
| }, | |
| "Action": [ | |
| "sts:AssumeRole" | |
| ] | |
| } | |
| ] | |
| }, | |
| "Policies": [ | |
| { | |
| "PolicyName": "PolarisLambadaExecutionPolicy", | |
| "PolicyDocument": { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "ec2:CreateNetworkInterface", | |
| "ec2:DescribeNetworkInterfaces", | |
| "ec2:DeleteNetworkInterface" | |
| ], | |
| "Resource": "*" | |
| }, | |
| { | |
| "Action": [ | |
| "logs:CreateLogGroup", | |
| "logs:CreateLogStream", | |
| "logs:PutLogEvents" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": "arn:aws:logs:*" | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "lambda:InvokeFunction" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "apigateway:*", | |
| "iam:PassRole" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| } | |
| ] | |
| } | |
| } | |
| ] | |
| } | |
| }, | |
| "PolarisInfraGroup": { | |
| "Type": "AWS::IAM::Group", | |
| "Properties": { | |
| "GroupName": "PolarisInfraGroup" | |
| } | |
| }, | |
| "PolarisInfraPolicy": { | |
| "Type": "AWS::IAM::Policy", | |
| "Properties": { | |
| "PolicyName": "PolarisInfraPolicy", | |
| "PolicyDocument": { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "AllowCloudFormationActionsOnlyInTheSpecificUserPrefix", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "cloudformation:CancelUpdateStack", | |
| "cloudformation:ContinueUpdateRollback", | |
| "cloudformation:CreateChangeSet", | |
| "cloudformation:CreateStack", | |
| "cloudformation:DescribeAccountLimits", | |
| "cloudformation:DescribeChangeSet", | |
| "cloudformation:DescribeStackEvents", | |
| "cloudformation:DescribeStackResource", | |
| "cloudformation:DescribeStackResources", | |
| "cloudformation:DescribeStacks", | |
| "cloudformation:ExecuteChangeSet", | |
| "cloudformation:GetStackPolicy", | |
| "cloudformation:GetTemplate", | |
| "cloudformation:ListChangeSets", | |
| "cloudformation:ListStackResources", | |
| "cloudformation:PreviewStackUpdate", | |
| "cloudformation:SetStackPolicy", | |
| "cloudformation:SignalResource", | |
| "cloudformation:UpdateStack", | |
| "cloudformation:ValidateTemplate" | |
| ], | |
| "Resource": [ | |
| "arn:aws:cloudformation:<REGION>:<ACCOUNTID>:stack/${aws:username}*" | |
| ] | |
| }, | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "cloudformation:CreateUploadBucket", | |
| "cloudformation:GetTemplateSummary", | |
| "cloudformation:ListStacks" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AllowGroupToSeeBucketListInTheConsole", | |
| "Action": [ | |
| "s3:ListAllMyBuckets", | |
| "s3:GetBucketLocation" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "arn:aws:s3:::*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AllowRootLevelListingOfTheBucket", | |
| "Action": [ | |
| "s3:ListBucket" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "arn:aws:s3:::<BUCKETNAME>" | |
| ], | |
| "Condition": { | |
| "StringEquals": { | |
| "s3:prefix": [ | |
| "" | |
| ], | |
| "s3:delimiter": [ | |
| "/" | |
| ] | |
| } | |
| } | |
| }, | |
| { | |
| "Sid": "AllowListBucketOfASpecificUserPrefix", | |
| "Action": [ | |
| "s3:ListBucket" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": [ | |
| "arn:aws:s3:::<BUCKETNAME>" | |
| ], | |
| "Condition": { | |
| "StringLike": { | |
| "s3:prefix": [ | |
| "${aws:username}/*" | |
| ] | |
| } | |
| } | |
| }, | |
| { | |
| "Sid": "AllowUserSpecificActionsOnlyInTheSpecificUserPrefix", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "s3:*" | |
| ], | |
| "Resource": "arn:aws:s3:::<BUCKETNAME>/${aws:username}/*" | |
| }, | |
| { | |
| "Sid": "AllowLambda", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "lambda:*" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AllowAPIGatewayExecution", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "execute-api:*" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AllowAPIGatewayRestAPI", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "apigateway:*" | |
| ], | |
| "Resource": [ | |
| "*" | |
| ] | |
| }, | |
| { | |
| "Sid": "AllowPassingRole", | |
| "Effect": "Allow", | |
| "Action": "iam:PassRole", | |
| "Resource": "arn:aws:iam::<ACCOUNTID>:role/polaris-lambda-executor-role" | |
| } | |
| ] | |
| }, | |
| "Groups": [ | |
| { | |
| "Ref": "PolarisInfraGroup" | |
| } | |
| ] | |
| } | |
| }, | |
| "PolarisArtifactS3Bucket": { | |
| "Type": "AWS::S3::Bucket", | |
| "Properties": { | |
| "AccessControl": "PublicRead", | |
| "BucketName": { | |
| "Ref": "BucketName" | |
| } | |
| }, | |
| "DeletionPolicy": "Retain" | |
| } | |
| }, | |
| "Outputs": { | |
| "LambdaExecutionRoleArn": { | |
| "Description": "Lambada Execution Role ARN", | |
| "Value": { | |
| "Fn::GetAtt": [ | |
| "PolarisLambadaExecutionRole", | |
| "Arn" | |
| ] | |
| } | |
| }, | |
| "StacksRegion": { | |
| "Value": { | |
| "Ref": "AWS::Region" | |
| }, | |
| "Description": "Region where polaris Infra will be deployed" | |
| }, | |
| "S3BucketName": { | |
| "Value": { | |
| "Ref": "BucketName" | |
| }, | |
| "Description": "Name of S3 bucket to hold polaris artifacts" | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment