-
Notifications
You must be signed in to change notification settings - Fork 0
/
template.yaml
198 lines (187 loc) · 5.8 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Parameters:
Environment:
Type: String
Description: The environment where the resources are deployed.
Default: staging
AllowedValues:
- staging
- production
Version:
Type: String
Description: Version number we wish to pass on to tags, etc.
Default: 0.0.1
Conditions:
IsProduction: !Equals [ !Ref Environment, production ]
Globals:
Function:
Runtime: nodejs12.x
MemorySize: 128
Timeout: 5
Resources:
# Cognito User Pool
NewUsersPool:
Type: 'AWS::Cognito::UserPool'
Properties:
UserPoolName: !Sub '${AWS::StackName}'
Policies:
PasswordPolicy:
MinimumLength: 8
RequireLowercase: true
RequireNumbers: true
RequireSymbols: false
RequireUppercase: true
AutoVerifiedAttributes:
- email
AliasAttributes:
- email
Schema:
- Name: email
AttributeDataType: String
Mutable: false
Required: true
- Name: organization
AttributeDataType: String
Mutable: true
UserPoolTags:
version: !Ref Version
UserPoolClient:
Type: 'AWS::Cognito::UserPoolClient'
Properties:
ClientName: !Sub '${AWS::StackName}-client'
ExplicitAuthFlows:
- 'ALLOW_ADMIN_USER_PASSWORD_AUTH'
- 'ALLOW_REFRESH_TOKEN_AUTH'
UserPoolId: !Ref NewUsersPool
WriteAttributes:
- 'email'
- 'custom:organization'
UserPoolGroup:
Type: 'AWS::Cognito::UserPoolGroup'
Properties:
GroupName: 'SuperAdmin'
Precedence: 0
UserPoolId: !Ref NewUsersPool
# S3 Bucket
NewUserLogsBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub 'new-user-service-user-logs-${Environment}'
AccessControl: Private
NotificationConfiguration:
TopicConfigurations:
- Topic: !Ref NewUserAddedTopic
Event: s3:ObjectCreated:Put
# SNS Topic
NewUserAddedTopic:
Type: AWS::SNS::Topic
NewUserAddedTopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Statement:
- Sid: NewUserAddedTopicPolicyStatement
Effect: Allow
Action: sns:Publish
Principal: "*"
Resource: !Ref NewUserAddedTopic
Topics:
- !Ref NewUserAddedTopic
# Lambdas
LogNewUserToS3:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Sub 'log-new-user-to-s3-${Environment}'
CodeUri: ./src/log-new-user-to-s3/
Handler: index.handler
AutoPublishAlias: !Ref Environment
DeploymentPreference:
Type: !If [IsProduction, Canary10Percent5Minutes, AllAtOnce]
Alarms:
- !Ref AliasErrorMetricGreaterThanZeroAlarm
Hooks:
PreTraffic: !Ref PreTrafficCheckFunction
Environment:
Variables:
BUCKET_NAME: !Sub 'new-user-service-user-logs-${Environment}'
Tags:
project: !Sub ${AWS::StackName}
environment: !Ref Environment
Policies:
- S3CrudPolicy:
BucketName: !Sub 'new-user-service-user-logs-${Environment}'
Events:
ConfirmNewUserEvent:
Type: Cognito
Properties:
UserPool:
Ref: NewUsersPool
Trigger: PostConfirmation
PreTrafficCheckFunction:
Type: AWS::Serverless::Function
Properties:
FunctionName: !Sub 'CodeDeployHook_log-new-user-to-s3-${Environment}-pre-traffic-check'
CodeUri: ./src/log-new-user-to-s3/
Handler: pre-traffic-check.handler
Environment:
Variables:
BUCKET_NAME: !Sub 'new-user-service-user-logs-${Environment}'
FN_NEW_VERSION: !Ref LogNewUserToS3.Version
Tags:
project: !Sub ${AWS::StackName}
environment: !Ref Environment
Policies:
- S3CrudPolicy:
BucketName: !Sub 'new-user-service-user-logs-${Environment}'
- Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- codedeploy:PutLifecycleEventHookExecutionStatus
Resource:
!Sub 'arn:${AWS::Partition}:codedeploy:${AWS::Region}:${AWS::AccountId}:deploymentgroup:${ServerlessDeploymentApplication}/*'
- Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- lambda:InvokeFunction
Resource: !Ref LogNewUserToS3.Version
# CloudWatch
AliasErrorMetricGreaterThanZeroAlarm:
Type: AWS::CloudWatch::Alarm
Properties:
AlarmDescription: Lambda Function Error > 0
ComparisonOperator: GreaterThanThreshold
Dimensions:
- Name: Resource
Value: !Sub '${LogNewUserToS3}:${Environment}'
- Name: FunctionName
Value: !Ref LogNewUserToS3
EvaluationPeriods: 2
MetricName: Errors
Namespace: AWS/Lambda
Period: 60
Statistic: Sum
Threshold: 0
Outputs:
NewUserAddedTopicArn:
Description: SNS Topic arn for subscriptions from other services
Value: !Ref NewUserAddedTopic
Export:
Name: !Sub "${AWS::StackName}-NewUserAdded"
LogNewUserToS3Arn:
Description: arn from log-new-user-to-s3 function
Value: !GetAtt LogNewUserToS3.Arn
LogNewUserToS3IamRole:
Description: IAM role arn for log-new-user-to-s3 function
Value: !GetAtt LogNewUserToS3Role.Arn
NewUserLogs:
Description: New user logs S3 url
Value: !GetAtt NewUserLogsBucket.WebsiteURL
PreTrafficCheckFunctionArn:
Description: Pre Traffic check function arn
Value: !GetAtt PreTrafficCheckFunction.Arn
PreTrafficCheckFunctionIamRole:
Description: IAM role arn for PreTrafficCheckFunctionRole
Value: !GetAtt PreTrafficCheckFunctionRole.Arn