Added CFN templates for provisioning the package

Ryan Lohan · Ryan Lohan · commit c01687aeef75 · 2018-11-19T11:42:36.000-08:00
diff --git a/template/CloudFormationHandlerInfrastructure.yaml b/template/CloudFormationHandlerInfrastructure.yaml
@@ -0,0 +1,131 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: This CloudFormation template provisions all the infrastructure and dependencies for a Java Provider on Lambda
+
+Parameters:
+  ManagementUserArn:
+    NoEcho: True
+    Type: String
+
+Resources:
+  ArtifactBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              KMSMasterKeyID: 
+                Ref: EncryptionKey
+              SSEAlgorithm: aws:kms
+
+  LogGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      RetentionInDays: 30
+
+  LambdaRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - 
+            Effect: "Allow"
+            Principal:
+              Service: 
+                - "lambda.amazonaws.com"
+            Action: "sts:AssumeRole"
+      Policies:
+        - 
+          PolicyName: CloudWatchMetricsPolicy
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              -
+                Effect: "Allow"
+                Action: "cloudwatch:PutMetricData"
+                Resource: "*"
+        - 
+          PolicyName: CloudWatchLogsPolicy
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              -
+                Effect: "Allow"
+                Action: 
+                  - "logs:PutLogEvents"
+                  - "logs:CreateLogGroup"
+                  - "logs:CreateLogStream"
+                Resource: !GetAtt LogGroup.Arn
+        - 
+          PolicyName: CloudWatchEventsPolicy
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - 
+                Effect: "Allow"
+                Action:
+                  - "events:DeleteRule"
+                  - "events:PutTargets"
+                  - "events:DescribeRule"
+                  - "events:EnableRule"
+                  - "events:PutRule"
+                  - "events:RemoveTargets"
+                Resource: "*" 
+          
+
+  EncryptionKey:
+    Type: AWS::KMS::Key
+    Properties:
+      Description: KMS key used to encrypt the resource provider artifacts and API payloads
+      EnableKeyRotation: false # Can't rotate keys until we can ensure that re-invokes are not broken by rotation
+      KeyPolicy:
+        Version: "2012-10-17"
+        Id: "key-default-1"
+        Statement:
+          -
+            Sid: "Allow administration of the key"
+            Effect: "Allow"
+            Principal:
+              AWS: !Ref ManagementUserArn
+            Action:
+              - "kms:Create*"
+              - "kms:Describe*"
+              - "kms:Enable*"
+              - "kms:List*"
+              - "kms:Put*"
+              - "kms:Update*"
+              - "kms:Revoke*"
+              - "kms:Disable*"
+              - "kms:Get*"
+              - "kms:Delete*"
+              - "kms:ScheduleKeyDeletion"
+              - "kms:CancelKeyDeletion"
+            Resource: "*"
+          -
+            Sid: "Allow use of the key"
+            Effect: "Allow"
+            Principal:
+              AWS: 
+                - !GetAtt LambdaRole.Arn
+                - !Ref ManagementUserArn
+            Action:
+              - "kms:Encrypt"
+              - "kms:Decrypt"
+              - "kms:ReEncrypt*"
+              - "kms:GenerateDataKey*"
+              - "kms:DescribeKey"
+            Resource: "*"
+
+Outputs:
+  BucketName:
+    Value: !Ref ArtifactBucket
+    Export:
+      Name: ArtifactBucket
+  EncryptionKey:
+    Value: !GetAtt EncryptionKey.Arn
+    Export:
+      Name: EncryptionKey
+  LambdaRole:
+    Value: !GetAtt LambdaRole.Arn
+    Export:
+      Name: LambdaRole
diff --git a/template/Handlers.yaml b/template/Handlers.yaml
@@ -0,0 +1,31 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: This CloudFormation template provisions an S3 bucket to upload handler artifacts to
+
+Parameters:
+  ResourceType:
+    Type: String
+    AllowedPattern: "^[a-zA-Z0-9]{2,64}-[a-zA-Z0-9]{2,64}-[a-zA-Z0-9]{2,64}$"
+  PackageS3Key:
+    Type: String
+
+Resources:
+  CreateHandler:
+    Type: AWS::Lambda::Function
+    Properties:
+      Code:
+        S3Bucket: !ImportValue ArtifactBucket
+        S3Key: !Ref PackageS3Key
+      Description: !Sub "Create Handler for ${ResourceType} Resources"
+      FunctionName: !Sub "create-${ResourceType}-handler"
+      Handler: "com.aws.cfn.LambdaWrapper::handleRequest"
+      KmsKeyArn: !ImportValue EncryptionKey
+      MemorySize: 128
+      Role: !ImportValue LambdaRole
+      Runtime: "java8"
+      Timeout: 120
+
+Outputs:
+  CreateHandlerArn:
+    Value: !GetAtt CreateHandler.Arn
+    Export:
+      Name: !Sub "${ResourceType}-create-handler"
diff --git a/template/deploy.sh b/template/deploy.sh
@@ -0,0 +1,34 @@
+#!sh
+ACCOUNT=123456789012
+HANDLERS_STACK_NAME=cfn-initech-tps-report-handlers
+INFRA_STACK_NAME=cfn-handler-infra
+RESOURCE_TYPE=Initech-TPS-Report
+TEST_PAYLOAD='{"action":"Create","requestContext":{"invocation":1,"resourceType":"Initech::TPS::Report"},"resourceModel":{"author":"Peter","title":"PC Load Letter","typeName":"Initech::TPS::Report"}}'
+OUTFILE=response.out
+
+# create infra stack
+awscfn create-stack --stack-name $INFRA_STACK_NAME --template-body file://./CloudFormationHandlerInfrastructure.yaml --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=ManagementUserArn,ParameterValue="arn:aws:iam::$ACCOUNT:root"
+
+# wait til its done...
+...
+
+# make sure infra stack can't be accidentally deleted
+awscfn update-termination-protection --stack-name cfn-handler-infra --enable-termination-protection 
+
+# I am no sed/awk guru but this works...
+BUCKET=`aws cloudformation list-exports | grep ArtifactBucket -A1 | awk '/Value/ {print $0}' | sed 's/"Value": "//g' | sed 's/"//g' | sed 's/ //g'`
+
+# Upload handler pkg to S3 bucket. NOTE: Bucket is using KMS so your user needs to be able to use the KMS Key (Infra Stack should set this up automatically)
+aws s3 cp ../target/ResourceProviderExample-1.0.jar s3://$BUCKET
+
+# Create the handlers
+awscfn create-stack --stack-name $STACK_NAME --template-body file://./Handlers.yaml --parameters ParameterKey=ResourceType,ParameterValue=$RESOURCE_TYPE ParameterKey=PackageS3Key,ParameterValue=ResourceProviderExample-1.0.jar
+
+# Get handler Function ARN
+CREATE_HANDLER_ARN=`aws cloudformation list-exports | grep "$RESOURCE_TYPE-create-handler" -A1 | awk '/Value/ {print $0}' | sed 's/"Value": "//g' | sed 's/"//g' | sed 's/ //g'`
+
+
+# Test Invoke that puppy
+aws lambda invoke --function-name $CREATE_HANDLER_ARN --payload '{"action":"Create","requestContext":{"invocation":1,"resourceType":"Initech::TPS::Report"},"resourceModel":{"author":"Peter","title":"PC Load Letter","typeName":"Initech::TPS::Report"}}' $OUTFILE
+less $OUTFILE
+rm $OUTFILE
