AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
# NOTE(review): the Description names a custom hostname, but this template
# defines no DomainName / BasePathMapping for it, so the API is only reachable
# at its execute-api URL unless the domain is mapped elsewhere — confirm.
Description: >
  api.makariri.XYZthing.com

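#----------
Parameters:
#----------
  # Ownership / billing metadata. Each value is copied verbatim onto the
  # Tags of every resource below.
  Author:
    Type: String
    Description: Who wrote this project
    MinLength: 4
    MaxLength: 50
    Default: 'Andrew Frazer'
    ConstraintDescription: 'Must be 4-50 characters.'

  Team:
    Type: String
    Description: Which team the Author belongs to
    MinLength: 4
    MaxLength: 50
    Default: 'ISOPS'
    ConstraintDescription: 'Must be 4-50 characters.'

  Owner:
    Type: String
    Description: Who owns this resource (used for billing)
    MinLength: 3
    MaxLength: 50
    Default: 'ISG'
    ConstraintDescription: 'Must be 3-50 characters.'

  Project:
    Type: String
    Description: Name for this project
    MinLength: 3
    MaxLength: 50
    Default: 'Snowmaker'
    ConstraintDescription: 'Must be 3-50 characters.'

  # Mail addresses handed to every function as environment variables (see
  # Globals). The pattern is only a sanity check (one '@', a dotted domain),
  # not a full RFC 5322 validator.
  SnowmakerEmail:
    Type: String
    Description: Snowmaker mail address (exposed to the functions as the SnowmakerEmail environment variable)
    Default: 'snowmaker@makariri.XYZthing.com'
    AllowedPattern: '^[^@\s]+@[^@\s]+\.[^@\s]+$'
    ConstraintDescription: 'Must be an email address.'

  ServiceDeskEmail:
    Type: String
    Description: Service desk mailbox (exposed to the functions as the ServiceDeskEmail environment variable)
    Default: 'servicedesk.monitoring@XYZthing.com'
    AllowedPattern: '^[^@\s]+@[^@\s]+\.[^@\s]+$'
    ConstraintDescription: 'Must be an email address.'

  # DynamoDB table names. DynamoDB allows [a-zA-Z0-9_.-]; the length limits
  # below are this project's own, tighter than the service limit.
  HOSTSTABLENAME:
    Type: String
    Description: The DynamoDB table for storing the list of hostnames to check for SSL
    MinLength: 4
    MaxLength: 50
    AllowedPattern: '^[a-zA-Z0-9_.-]+$'
    Default: 'SnowmakerSSLCheckHosts'
    ConstraintDescription: 'Must be 4-50 characters of [a-zA-Z0-9_.-].'

  SNOWMAKEREVENTTABLE:
    Type: String
    # The previous description ("list of Hosts") was a copy-paste of the
    # host table's; this table holds the events snowmaker creates.
    Description: The DynamoDB table for storing the events snowmaker creates
    MinLength: 4
    MaxLength: 50
    AllowedPattern: '^[a-zA-Z0-9_.-]+$'
    Default: 'SnowmakerEventTable'
    ConstraintDescription: 'Must be 4-50 characters of [a-zA-Z0-9_.-].'

  # SQS queue names (standard queues): 1-80 characters of [a-zA-Z0-9_-].
  SNOWMAKERNEWINCIDENTQUEUE:
    Type: String
    Description: Name of the queue for sending new incidents to.
    MinLength: 1
    MaxLength: 80
    AllowedPattern: '^[a-zA-Z0-9_-]+$'
    Default: 'snowmakerCreateIncident'
    ConstraintDescription: 'Must be 1-80 characters of [a-zA-Z0-9_-].'

  # The logical name has a typo (CHERT). It is deliberately kept: the
  # functions receive it as an environment variable under this exact name,
  # so renaming it is a handler-code change as well as a template change.
  SSLCHERTCHECKQUEUE:
    Type: String
    Description: Name of the queue for sending certificate checks to.
    MinLength: 1
    MaxLength: 80
    AllowedPattern: '^[a-zA-Z0-9_-]+$'
    Default: 'snowmakerSSLCertCheck'
    ConstraintDescription: 'Must be 1-80 characters of [a-zA-Z0-9_-].'
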
#------
Globals:
#------
  # Defaults inherited by every AWS::Serverless::Function in this template;
  # a function's own properties override them.
  Function:
    # NOTE(review): python3.7 is past Lambda's published deprecation date —
    # check the runtime deprecation table before the next deploy and bump
    # once the handlers are verified on a newer runtime.
    Runtime: python3.7
    # Seconds. The SQS queues below use a 120 s VisibilityTimeout, i.e. 6x
    # this value (AWS's recommended minimum for Lambda consumers).
    Timeout: 20
    Environment:
      Variables:
        # Table and queue NAMES (not ARNs or URLs), straight from the
        # parameters — the same names the resources below are created with.
        HOSTSTABLENAME: !Ref HOSTSTABLENAME
        SNOWMAKEREVENTTABLE: !Ref SNOWMAKEREVENTTABLE
        SNOWMAKERNEWINCIDENTQUEUE: !Ref SNOWMAKERNEWINCIDENTQUEUE
        SSLCHERTCHECKQUEUE: !Ref SSLCHERTCHECKQUEUE
        # Mail addresses; both parameters are exposed to every function.
        SnowmakerEmail: !Ref SnowmakerEmail
        ServiceDeskEmail: !Ref ServiceDeskEmail

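#---------
Resources:
#---------
  #-------------------------------------------------
  # API Gateway @ https://api.makariri.XYZthing.com
  #-------------------------------------------------
  XYZthingAwsUserApi:
    Type: AWS::Serverless::Api
    Properties:
      EndpointConfiguration: REGIONAL
      StageName: Prod
      # Previously no Auth was configured, so both routes on this API — the
      # IAM role listing (/xarRoles) and incident creation
      # (/snowmaker/createincident) — were callable by anyone who could reach
      # the regional endpoint. AWS_IAM makes callers SigV4-sign requests with
      # a principal that is allowed execute-api:Invoke on this API. This
      # assumes callers are AWS principals (the API is described as an
      # internal AWS user API); use a Cognito or Lambda authorizer instead if
      # they are not.
      Auth:
        DefaultAuthorizer: AWS_IAM
        # Invoke the functions with the resource-based permission SAM creates.
        # SAM's default (CALLER_CREDENTIALS) would additionally require every
        # caller to hold lambda:InvokeFunction on the backing function.
        InvokeRole: NONE
      #Cors:
      #  AllowHeaders: "'Content-Type'"
      #  AllowOrigin: "'*'"
      Tags:
        Author: !Ref Author
        Team: !Ref Team
        Owner: !Ref Owner
        Project: !Ref Project
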
110 #----------------
111 #Lambda Functions
112 #----------------
113
114 Getroles:
115 Type: AWS::Serverless::Function
116 Properties:
117 Description: Provides the switch account roles avaialble to a user in ISOPS
118 Policies:
119 - AWSLambdaBasicExecutionRole # AWS Managed Policy
120 - IAMReadOnlyAccess # AWS Managed Policy
121 CodeUri: getroles/
122 Handler: xarRoles.lambda_handler
123 Events:
124 makariri:
125 Type: Api
126 Properties:
127 Path: /xarRoles
128 Method: POST
129 RestApiId: !Ref XYZthingAwsUserApi
130 Tags:
131 Author: !Ref Author
132 Team: !Ref Team
133 Owner: !Ref Owner
134 Project: !Ref Project
135
136 snowmakerDailyTasks:
137 Type: AWS::Serverless::Function
138 Properties:
139 Description: Runs The Daily Tasks / checks
140 Policies:
141 - AWSLambdaBasicExecutionRole # AWS Managed Policy
142 - AmazonDynamoDBFullAccess # AWS Managed Poliucy: Reduce to CRUD Policy, just needs access to the Taskdatabase
143 - AmazonSQSFullAccess
144 # Need to be able to write an event onto the various worker queues.
145 CodeUri: snowmaker/snowmakerDailyTasks
146 Handler: snowmakerDailyTasks.lambda_handler
147 #Events: Want to run this as a scheduled task
148 Tags:
149 Author: !Ref Author
150 Team: !Ref Team
151 Owner: !Ref Owner
152 Project: !Ref Project
153
154 snowmakerCreateincident:
155 Type: AWS::Serverless::Function
156 Properties:
157 Description: Creates new event after checking for duplicate, and emails cherwell.
158 Policies:
159 - AWSLambdaBasicExecutionRole # AWS Managed Policy
160 - IAMReadOnlyAccess # AWS Managed Policy **** ToDo ***** Does this need to be there?
161 - AmazonSESFullAccess # AWS Managted Policy **** ToDo **** This is to open
162 - AmazonDynamoDBFullAccess # AWS Managed Poliucy: Reduce to CRUD Policy?
163 - AmazonSQSFullAccess # Too open?
164 CodeUri: snowmaker/createincident
165 Handler: createincident.lambda_handler
166 Events:
167 HelloWorld:
168 Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
169 Properties:
170 Path: /snowmaker/createincident
171 Method: POST
172 RestApiId: !Ref XYZthingAwsUserApi
173 Tags:
174 Author: !Ref Author
175 Team: !Ref Team
176 Owner: !Ref Owner
177 Project: !Ref Project
178
179 SSLCertCheckFromAWS:
180 Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
181 Properties:
182 Description: Looks up a SSL certificate for Validity and Expiry Resources from Amazon to the 'world'
183 Policies:
184 - AWSLambdaBasicExecutionRole
185 - AmazonSQSFullAccess
186 # Need to be able to write an event onto the IncidentQue.
187 CodeUri: sslcerts/
188 Handler: checkcert.lambda_handler
189 Tags:
190 Author: !Ref Author
191 Team: !Ref Team
192 Owner: !Ref Owner
193 Project: !Ref Project
194
195
196 # ------------
197 # SQS Queues #
198 # ------------
199
200 IncidentSQSQueue:
201 Type: AWS::SQS::Queue
202 Properties:
203 #Description: Event due for placing incidents that need to logged to Cherwell
204 QueueName: !Ref SNOWMAKERNEWINCIDENTQUEUE
205 VisibilityTimeout: 120
206 Tags:
207 - Key: Author
208 Value: !Ref Author
209 - Key: Team
210 Value: !Ref Team
211 - Key: Owner
212 Value: !Ref Owner
213 - Key: Project
214 Value: !Ref Project
215
216 SSLSQSQueue:
217 Type: AWS::SQS::Queue
218 Properties:
219 #Description: Queue for requesting Hostname checks.
220 QueueName: !Ref SSLCHERTCHECKQUEUE
221 VisibilityTimeout: 120
222 Tags:
223 - Key: Author
224 Value: !Ref Author
225 - Key: Team
226 Value: !Ref Team
227 - Key: Owner
228 Value: !Ref Owner
229 - Key: Project
230 Value: !Ref Project
231
232 #------------------
233 # EVent Source Mappings ( no tags)
234 #------------------
235
236 IncidentEventSource:
237 Type: AWS::Lambda::EventSourceMapping
238 Properties:
239 FunctionName: !Ref snowmakerCreateincident
240 BatchSize: 10
241 Enabled: true
242 EventSourceArn: !GetAtt
243 - IncidentSQSQueue
244 - Arn
245
246
247 SSLCheckEventSource:
248 Type: AWS::Lambda::EventSourceMapping
249 Properties:
250 FunctionName: !Ref SSLCertCheckFromAWS
251 BatchSize: 10
252 Enabled: true
253 EventSourceArn: !GetAtt
254 - SSLSQSQueue
255 - Arn
256
257
258 # ------------
259 # Databases - DynamoDB
260 # ------------
261
262 HostTable:
263 Type: AWS::DynamoDB::Table
264 Properties:
265 #Description: Contains the hostnames that need to be checked for SSL
266 TableName: !Ref HOSTSTABLENAME
267 AttributeDefinitions:
268 -
269 AttributeName: name
270 AttributeType: S
271 -
272 AttributeName: type
273 AttributeType: S
274 KeySchema:
275 -
276 AttributeName: name
277 KeyType: HASH
278 -
279 AttributeName: type
280 KeyType: RANGE
281 BillingMode: PAY_PER_REQUEST
282 #ProvisionedThroughput:
283 # ReadCapacityUnits: 5
284 # WriteCapacityUnits: 5
285 Tags:
286 - Key: Author
287 Value: !Ref Author
288 - Key: Team
289 Value: !Ref Team
290 - Key: Owner
291 Value: !Ref Owner
292 - Key: Project
293 Value: !Ref Project
294
295
296 EventTable:
297 Type: AWS::DynamoDB::Table
298 Properties:
299 #Description: Contains the event information that snowmaker makes.
300 TableName: !Ref SNOWMAKEREVENTTABLE
301 AttributeDefinitions:
302 -
303 AttributeName: eventID
304 AttributeType: S
305 -
306 AttributeName: timestamp
307 AttributeType: N
308 KeySchema:
309 -
310 AttributeName: eventID
311 KeyType: HASH
312 -
313 AttributeName: timestamp
314 KeyType: RANGE
315 BillingMode: PAY_PER_REQUEST
316 #ProvisionedThroughput:
317 # ReadCapacityUnits: 5
318 # WriteCapacityUnits: 5
319 Tags:
320 - Key: Author
321 Value: !Ref Author
322 - Key: Team
323 Value: !Ref Team
324 - Key: Owner
325 Value: !Ref Owner
326 - Key: Project
327 Value: !Ref Project
328
329
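#--------------------------------------------------------------------------------------------------------

Outputs:
  XYZthingAwsUserApiURL:
    Description: "XYZthing Internal AWS User API"
    # The original value referenced ${defaultAwsUserApi}, which is neither a
    # resource nor a parameter in this template (CloudFormation rejects the
    # Fn::Sub at validation), and it omitted the stage segment. The API
    # resource is XYZthingAwsUserApi and its StageName is Prod.
    Value: !Sub "https://${XYZthingAwsUserApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/"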